summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDavid Woodhouse <dwmw2@infradead.org>2010-11-19 18:52:38 +0100
committerSamuel Ortiz <sameo@linux.intel.com>2010-11-19 18:52:38 +0100
commit98b05f0ce35eac8a32d7cb992307f2e2f2f2a436 (patch)
treea4952a97f1e41f334639051ee3df49d81ef00523 /test
parent9a6f696c4473c7bce5d9faf860db7758e1ca4afc (diff)
downloadconnman-98b05f0ce35eac8a32d7cb992307f2e2f2f2a436.tar.gz
connman-98b05f0ce35eac8a32d7cb992307f2e2f2f2a436.tar.bz2
connman-98b05f0ce35eac8a32d7cb992307f2e2f2f2a436.zip
openconnect: Pass server certificate hash directly to openconnect
When we spawn openconnect to make a VPN connection, it obviously needs to validate the server's SSL certificate to protect against a MiTM attack. But it may not have full access to the user's CA chain, or the user may have manually accepted a dubious certificate. To allow for this, the GUI authentication dialog returns a SHA1 of the server's SSL certificate fingerprint, for the *specific* server that it managed to authenticate to. The intention is that this should be passed through to openconnect when it connects. That way, openconnect doesn't need to do any normal validation; it only needs to compare the certificate with what's expected. From openconnect v2.26, certificate validation is enabled by default; rather than only when a --cafile option is given. So it's important that we start passing the certificate fingerprint through, to avoid connection failures (which we don't currently detect and report gracefully, btw).
Diffstat (limited to 'test')
-rwxr-xr-xtest/connect-vpn4
1 files changed, 2 insertions, 2 deletions
diff --git a/test/connect-vpn b/test/connect-vpn
index 1575804e..383c3308 100755
--- a/test/connect-vpn
+++ b/test/connect-vpn
@@ -19,13 +19,13 @@ manager = dbus.Interface(bus.get_object("org.moblin.connman", "/"),
print "Attempting to connect service %s" % (sys.argv[3])
if sys.argv[1] == "openconnect":
- if (len(sys.argv) > 5):
+ if (len(sys.argv) > 6):
path = manager.ConnectProvider(({ "Type": "openconnect",
"Name": sys.argv[2],
"Host": sys.argv[3],
"VPN.Domain": sys.argv[4],
"OpenConnect.Cookie": sys.argv[5],
- "OpenConnect.CACert": sys.argv[6]}))
+ "OpenConnect.ServerCert": sys.argv[6]}))
else:
path = manager.ConnectProvider(({ "Type": "openconnect",
"Name": sys.argv[2],