On Fri, Aug 30, 2024, 1:42 PM Cline, Wade <wade.cl...@intel.com> wrote:
>
> On Fri, Aug 30, 2024 at 07:14:07PM +0200, Martin Pauly wrote:
> > Hi all,
> >
> > we have encountered what we think might be a sloppy check of the server
> > cert by the openconnect client.
> > AFAIU, --cafile allows the user to pin the CA that has signed off the
> > server cert to a certain root cert.
> > This is supposed to enable a much stricter server identity check than one
> > gets with the
> > default behavior of trusting any known system cert (e.g. any of the root
> > certs in /etc/ssl/certs).
> > …
>
> Isn't '--cafile' for *additional* CAs and hence the above command includes
> both the system certs and the T-Telesec cert (possibly redundantly)?
> Wouldn't you want to explicitly specify the T-Telesec cert with '--cafile'
> and '--no-system-trust' for the above test?

Thanks Wade, this is entirely correct.

The additive effect of `--cafile` is intentional and is prominently mentioned in the OpenConnect manual page for both options, and has been for several years.

Not sure how we can possibly be more explicit than what I added in https://gitlab.com/openconnect/openconnect/-/commit/ceab1765db11c15a18a0c605812dbc11afd63e8b, but happy for any additional suggestions. 😬

Thanks,
Daniel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel