Don't abort Pulse connection for bad cert MD5
This happens in the wild and the official clients seem not to care. It's
a pointless check anyway. It's too late, and it's only MD5.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dwmw2 committed Apr 1, 2020
1 parent 9377c0e commit b02101eb6159f8dc4bf38c24039c70cb5ebbbb5f
Showing with 8 additions and 5 deletions.
  1. +7 −4 pulse.c
  2. +1 −1 www/changelog.xml
pulse.c
@@ -1693,10 +1693,13 @@ static int pulse_authenticate(struct openconnect_info *vpninfo, int connecting)
char md5buf[MD5_SIZE * 2 + 1];
get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, md5buf);
if (avp_len != MD5_SIZE * 2 || strncasecmp(avp_p, md5buf, MD5_SIZE * 2)) {
vpn_progress(vpninfo, PRG_ERR,
_("Server certificate mismatch. Aborting due to suspected MITM attack\n"));
ret = -EPERM;
goto out;
/* This actually happens in the wild and the official clients don't seem to
* care. It's too late because we've already authenticated at this point,
* and it's only MD5 anyway. I find it hard to care. Just whine and continue
* anyway. */
vpn_progress(vpninfo, PRG_INFO,
_("WARNING: Server provided certificate MD5 does not match its actual certificate.\n"));
continue;
}
}
if (avp_vendor == VENDOR_JUNIPER2 && avp_code == 0xd65) {
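Review bot: the log level of the replacement message disagrees with its text: the added `vpn_progress(vpninfo, PRG_INFO, _("WARNING: Server provided certificate MD5 does not match ..."))` logs at PRG_INFO, whereas the removed abort path reported the same condition at PRG_ERR. Since `vpn_progress()` only logs and it is the `continue` that keeps the connection alive, the message can remain non-fatal while being emitted at PRG_ERR, so that anyone reading the log at a stricter level still sees the fingerprint mismatch. Separately, the new comment would be more useful if it stated the reason plainly (authentication has already completed at this point, so the MD5 AVP is informational only) instead of "I find it hard to care", and "continue anyway" repeats "anyway" from the previous sentence.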
@@ -15,7 +15,7 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
<li><i>No changelog entries yet</i></li>
<li>Don't abort Pulse connection when server-provided certificate MD5 doesn't match.</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.06.tar.gz">OpenConnect v8.06</a></b>
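Review bot: the changelog entry could say what happens instead of aborting. The pulse.c hunk on this commit still logs a warning on mismatch, so wording such as "Don't abort Pulse connection when server-provided certificate MD5 doesn't match; log a warning instead." tells users the check was downgraded rather than removed.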
