    Fix hostname canonicalisation to stop breaking certificate checks · de24aad5
    David Woodhouse authored
    Commit b0b4b34f ('Canonicalise hostname during authentication if necessary')
    replaces the hostname with a bare IP address if necessary, so that
    reconnecting is guaranteed to get the *same* host from a round-robin and
    comparing the SSL cert with its previous SHA1 fingerprint (which is how we
    do it for two-stage connection for example from NetworkManager) is
    guaranteed to work.
    
    However, this breaks certificate auth when invoked in one-stage mode from
    the command line to authenticate *and* actually make the connection. When
    vpninfo->hostname is replaced with a bare IP address, that might not
    actually be what's listed in the certificate's Subject or Altname fields.
    So users have reported a certificate validation failure on *reconnecting*
    to the server which was acceptable the first time round when we looked it
    up by name.
    
    So, don't actually replace vpninfo->hostname at all. Introduce a new field
    vpninfo->unique_hostname which is returned by openconnect_get_hostname(),
    and leave vpninfo->hostname as it was.
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Name
images
inc
styles
.gitignore
Makefile.am
building.xml
changelog.xml
connecting.xml
contribute.xml
csd.xml
download.xml
features.xml
gui.xml
html.py
index.xml
mail.xml
manual.xml
menu1.xml
menu2-features.xml
menu2-started.xml
menu2.xml
nonroot.xml
packages.xml
platforms.xml
technical.xml
vpnc-script.xml