From 98b05f0ce35eac8a32d7cb992307f2e2f2f2a436 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Fri, 19 Nov 2010 18:52:38 +0100
Subject: [PATCH] openconnect: Pass server certificate hash directly to openconnect

When we spawn openconnect to make a VPN connection, it obviously needs to validate the server's SSL certificate to protect against a MiTM attack. But it may not have full access to the user's CA chain, or the user may have manually accepted a dubious certificate.

To allow for this, the GUI authentication dialog returns a SHA1 of the server's SSL certificate fingerprint, for the *specific* server that it managed to authenticate to. The intention is that this should be passed through to openconnect when it connects. That way, openconnect doesn't need to do any normal validation; it only needs to compare the certificate with what's expected.

From openconnect v2.26, certificate validation is enabled by default; rather than only when a --cafile option is given. So it's important that we start passing the certificate fingerprint through, to avoid connection failures (which we don't currently detect and report gracefully, btw).
---
 plugins/openconnect.c | 8 +++++++-
 test/connect-vpn | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/plugins/openconnect.c b/plugins/openconnect.c
index 42192f6..f0d39a1 100644
--- a/plugins/openconnect.c
+++ b/plugins/openconnect.c
@@ -105,7 +105,7 @@ static int oc_notify(DBusMessage *msg, struct connman_provider *provider)
 static int oc_connect(struct connman_provider *provider,
 			struct connman_task *task, const char *if_name)
 {
-	const char *vpnhost, *vpncookie, *cafile, *mtu;
+	const char *vpnhost, *vpncookie, *cafile, *certsha1, *mtu;
 	int fd, err;
 
 	vpnhost = connman_provider_get_string(provider, "Host");
@@ -120,6 +120,12 @@ static int oc_connect(struct connman_provider *provider,
 		return -EINVAL;
 	}
 
+	certsha1 = connman_provider_get_string(provider,
+					"OpenConnect.ServerCert");
+	if (certsha1)
+		connman_task_add_argument(task, "--servercert",
+					(char *)certsha1);
+
 	cafile = connman_provider_get_string(provider, "OpenConnect.CACert");
 	mtu = connman_provider_get_string(provider, "VPN.MTU");
 
diff --git a/test/connect-vpn b/test/connect-vpn
index 1575804..383c330 100755
--- a/test/connect-vpn
+++ b/test/connect-vpn
@@ -19,13 +19,13 @@ manager = dbus.Interface(bus.get_object("org.moblin.connman", "/"),
 print "Attempting to connect service %s" % (sys.argv[3])
 
 if sys.argv[1] == "openconnect":
-	if (len(sys.argv) > 5):
+	if (len(sys.argv) > 6):
 		path = manager.ConnectProvider(({ "Type": "openconnect",
 					"Name": sys.argv[2],
 					"Host": sys.argv[3],
 					"VPN.Domain": sys.argv[4],
 					"OpenConnect.Cookie": sys.argv[5],
-					"OpenConnect.CACert": sys.argv[6]}))
+					"OpenConnect.ServerCert": sys.argv[6]}))
 	else:
 		path = manager.ConnectProvider(({ "Type": "openconnect",
 					"Name": sys.argv[2],
-- 
2.7.4
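Review bot: The `OpenConnect.ServerCert` value is forwarded as `--servercert` with only a NULL check, so an empty or malformed provider string is handed to openconnect unchanged, and the description itself says the resulting connection failure is neither detected nor reported; a guard of `if (certsha1 && *certsha1)` would at least stop an empty setting from being forwarded, and rejecting a value that is not the expected fingerprint form with `-EINVAL` (as the surrounding code already does for other settings) would surface a bad configuration before the task is spawned. The pinning semantics deserve a comment, since this one argument is what replaces CA-chain validation for the host: `/* Pin the fingerprint the auth dialog verified; openconnect then trusts this server on that hash rather than on its CA chain. */`. The `(char *)` cast discards the const qualifier of the string returned by connman_provider_get_string; if connman_task_add_argument takes a `const char *` the cast is unnecessary, and if it does not, the parameter type should be checked rather than cast around. oc_connect begins and ends outside this hunk.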
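Review bot: After this change the script no longer has any way to pass `OpenConnect.CACert`, which the plugin still reads (see the openconnect.c hunk), so the CA-file path in oc_connect is no longer exercised by this test; if that is intended, a usage line noting that the sixth argument is now the server certificate fingerprint would make the new calling convention visible, otherwise accept both keys, e.g. `"OpenConnect.ServerCert": sys.argv[6]` when seven arguments are given and `"OpenConnect.CACert": sys.argv[7]` when an eighth is present. The `else:` branch's ConnectProvider call continues past the end of the hunk.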