Fix hostname canonicalisation to stop breaking certificate checks
Commit b0b4b34 ('Canonicalise hostname during authentication if necessary') replaces the hostname with a bare IP address if necessary, so that reconnecting is guaranteed to get the *same* host from a round-robin and comparing the SSL cert with its previous SHA1 fingerprint (which is how we do it for two-stage connection for example from NetworkManager) is guaranteed to work.

However, this breaks certificate auth when invoked in one-stage mode from the command line to authenticate *and* actually make the connection. When vpninfo->hostname is replaced with a bare IP address, that might not actually be what's listed in the certificate's Subject or Altname fields. So users have reported a certificate validation failure on *reconnecting* to the server which was acceptable the first time round when we looked it up by name.

So, don't actually replace vpninfo->hostname at all. Introduce a new field vpninfo->unique_hostname which is returned by openconnect_get_hostname(), and leave vpninfo->hostname as it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Showing with 13 additions and 4 deletions.