On Fri, 2015-07-10 at 22:01 +0000, brian m. carlson wrote: > Note that the certificate is in fact valid and verifies correctly, as > Firefox accepts it.
What CA is used to verify it? Debian unfortunately doesn't have a system-wide configuration for trusted CAs — the update-ca-certificates tool only works for OpenSSL and GnuTLS, and not for NSS. You really ought to be using p11-kit-trust and replacing the NSS libnssckbi.so library with it, to actually get consistency across all applications. > However, openconnect does not, and prompts. > Entering "si" displays the certificate, as does entering "sí" or "yes". > In fact, there's nothing I can enter that makes it accept the > certificate. > > I believe this is because the prompt uses U+0073 + U+0069 + U+0301, > whereas using the compose key I enter U+0073 + U+00ED. Since either > encoding is valid, you must use Unicode normalization to accept > either choice. As it is, the program is unusable in this locale. That seems... suboptimal :) I do seem to be able to work around it by cutting and pasting the sí from the prompt. Or by typing 's' 'i' then Ctrl-Shift-u-3-0-1. But I certainly accept that you shouldn't have to do so! A simple 'fix' might be just to change the translation to use the canonical form U+00ED for the í instead of U+0069 + U+0301. Is there a reason *not* to do that? -- David Woodhouse Open Source Technology Centre david.woodho...@intel.com Intel Corporation
smime.p7s
Description: S/MIME cryptographic signature
