Canonicalise hostname during authentication if necessary
Some people have round-robin servers, all addressed by the same hostname but with different SSL certificates. Where we do the authentication (and user-interactive approval of certificates) from a GUI via libopenconnect, or with 'openconnect --authenticate', we end up being given the SHA1 on the server's certificate and the non-interactive connection is going to expect to see exactly that certificate.

So if there is more than one result in the original DNS lookup, *change* vpninfo->hostname to hold the IP address that we actually connected to.

This means that the Host: header in what we send will be the numeric IP address instead of the hostname, but that doesn't seem to hurt. It could potentially, theoretically, break virtual hosts but I don't think that kind of setup could ever exist in practice.

This also works only in the case where we're *not* connecting via a proxy. We currently let the proxy do the DNS lookups *for* us, and we'd have to do them locally and then ask the proxy for a connection by IP address even for the *first* connection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
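The two-phase flow the commit message describes, as an added illustration that is not part of the commit or of openconnect (which is written in C): a Python sketch of the same logic. The pool of addresses, the placeholder "DER" certificate bytes, the hostnames and the fake round-robin resolver are all constructed here, and the fingerprint format (colon-less lowercase SHA-1 hex) is an assumption for the example rather than openconnect's exact --servercert syntax. It shows why pinning a certificate fingerprint during 'authenticate' breaks on round-robin DNS unless the address actually connected to is remembered, and why the proxy case has to be left alone.

```python
"""Hostname canonicalisation for a two-phase (authenticate, then connect) VPN
client, illustrating the commit above. Example code, not openconnect's."""
import hashlib
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: one hostname, three round-robin servers, each with
# its own certificate. The cert bytes are stand-ins for DER; only hashes matter.
POOL: Dict[str, bytes] = {
    "192.0.2.10": b"DER-cert-of-server-A",
    "192.0.2.11": b"DER-cert-of-server-B",
    "192.0.2.12": b"DER-cert-of-server-C",
}
VPN_HOSTNAME = "vpn.example.com"  # assumed name, resolves to all of POOL


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER certificate as lowercase hex (format assumed here)."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(expected: str, der: bytes) -> bool:
    """Compare a user-supplied fingerprint with the presented cert, tolerating
    colon separators and either case ('AB:CD:..' == 'abcd..')."""
    return expected.replace(":", "").lower() == cert_fingerprint(der)


def host_header_value(host: str) -> str:
    """Value for the HTTP Host: header; an IPv6 literal needs square brackets."""
    try:
        if ipaddress.ip_address(host).version == 6:
            return f"[{host}]"
    except ValueError:
        pass  # a plain hostname, not an IP literal
    return host


def canonicalise_hostname(hostname: str,
                          resolve: Callable[[str], List[str]],
                          connect: Callable[[str], bool],
                          proxy: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Connect to `hostname`; return (name to remember, address actually used).

    Via a proxy the proxy does the DNS lookup, so we never learn which address
    it chose and cannot canonicalise: the name is kept unchanged.
    Otherwise resolve locally and connect to the first reachable address. If
    the lookup returned more than one address, remember the numeric address so
    the later non-interactive connection cannot land on a different server.
    """
    if proxy is not None:
        return hostname, None
    addrs = resolve(hostname)
    if not addrs:
        raise OSError(f"cannot resolve {hostname}")
    for addr in addrs:
        if connect(addr):
            return (addr if len(addrs) > 1 else hostname), addr
    raise OSError(f"no reachable address for {hostname}")


def make_resolver(rotation: int) -> Callable[[str], List[str]]:
    """Fake round-robin DNS: IP literals resolve to themselves, the hostname to
    the pool rotated by `rotation`, as successive real lookups would be."""
    def resolve(name: str) -> List[str]:
        try:
            ipaddress.ip_address(name)
            return [name]
        except ValueError:
            ips = sorted(POOL)
            k = rotation % len(ips)
            return ips[k:] + ips[:k]
    return resolve


def all_reachable(addr: str) -> bool:
    """Simulated TCP connect: every pool member accepts."""
    return addr in POOL


def authenticate_then_connect(canonicalise: bool) -> Tuple[bool, str, str]:
    """Run both phases; return (pin check passed, remembered host, Host: value).

    With canonicalise=False (the pre-commit behaviour) the second phase re-resolves
    the name, DNS has rotated, and the pinned fingerprint no longer matches."""
    # Phase 1: interactive authentication; the user approves the cert shown.
    host, addr = canonicalise_hostname(VPN_HOSTNAME, make_resolver(0), all_reachable)
    pinned = cert_fingerprint(POOL[addr])
    if not canonicalise:
        host = VPN_HOSTNAME
    # Phase 2: non-interactive connection expecting exactly the pinned cert.
    _, addr2 = canonicalise_hostname(host, make_resolver(1), all_reachable)
    return fingerprint_matches(pinned, POOL[addr2]), host, host_header_value(host)


if __name__ == "__main__":
    print("canonicalised:", authenticate_then_connect(True))
    print("hostname kept:", authenticate_then_connect(False))
```

The single-address case deliberately keeps the hostname, so the Host: header only turns into a numeric literal for the round-robin setups the commit is about; the IPv6 bracket handling is there because a remembered literal goes straight into that header.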