Allow specification of multiple certificate fingerprints on command-line via --servercert
Server certificates will be accepted if they match any of the provided fingerprints. Behavior with --servercert is otherwise unchanged; it still disables system trust stores, meaning that only certificates matching the provided fingerprints will be accepted if it is specified one or more times.

This will allow the use of --servercert to non-interactively connect to a server which has a non-trusted certificate and redirects to one or more other servers with non-trusted certificates. (See #25 (closed) for a real case.)
Example: connecting to a VPN server which always redirects to one of two other servers. All 3 have misconfigured certs which can't easily be trusted by other means.
$ openconnect vpn.company.com \
    --servercert [fingerprint of vpn.company.com] \
    --servercert [fingerprint of vpn-01.company.com] \
    --servercert [fingerprint of vpn-02.company.com]
POST https://vpn.company.com/
Connected to 1.1.1.1:443
SSL negotiation with vpn.company.com
Server certificate verify failed: signer not found
Connected to HTTPS on 1.1.1.1 with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://vpn-02.company.com/
Connected to 1.1.1.2:443
SSL negotiation with vpn-02.company.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn-02.company.com with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
Username:
Signed-off-by: Daniel Lenski dlenski@gmail.com
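As an added example (not part of this merge request or of OpenConnect's own code), here is a Python model of the acceptance rule described above: a redirect chain is followed only while every hop's certificate fingerprint is in the pinned list, with no fall-back to the system trust store. The SHA-256 hex fingerprint syntax, the stand-in certificate bytes and the redirect map are assumptions made for the example.

```python
import hashlib
import hmac

def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a user-supplied pin (assumed format: SHA-256 hex, optional
    'sha256:' prefix, optional colons, any case)."""
    fp = fp.strip().lower()
    if fp.startswith("sha256:"):
        fp = fp[len("sha256:"):]
    fp = fp.replace(":", "")
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError(f"not a SHA-256 hex fingerprint: {fp!r}")
    return fp

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()

def accept_server_cert(cert_der: bytes, pinned: list) -> bool:
    """The --servercert rule: accept only if the fingerprint matches any pin;
    the system trust store is never consulted in this mode."""
    actual = cert_fingerprint(cert_der)
    return any(hmac.compare_digest(actual, normalize_fingerprint(p)) for p in pinned)

def follow_redirects(start: str, servers: dict, pinned: list) -> list:
    """Walk a redirect chain (servers: host -> (cert_der, next_host_or_None)),
    verifying every hop so a redirect cannot introduce an unpinned certificate."""
    visited, host = [], start
    while host is not None:
        if host in visited:
            raise RuntimeError(f"redirect loop at {host}")
        cert_der, nxt = servers[host]
        if not accept_server_cert(cert_der, pinned):
            raise ConnectionError(f"{host}: fingerprint not in --servercert list")
        visited.append(host)
        host = nxt
    return visited

# Constructed stand-in certificates (arbitrary bytes, not real DER).
CERTS = {
    "vpn.company.com": b"\x30\x82\x01\x00 constructed cert for vpn",
    "vpn-01.company.com": b"\x30\x82\x01\x00 constructed cert for vpn-01",
    "vpn-02.company.com": b"\x30\x82\x01\x00 constructed cert for vpn-02",
}
SERVERS = {  # vpn.company.com redirects to vpn-02.company.com, which ends the chain
    "vpn.company.com": (CERTS["vpn.company.com"], "vpn-02.company.com"),
    "vpn-02.company.com": (CERTS["vpn-02.company.com"], None),
}
ALL_PINS = [cert_fingerprint(der) for der in CERTS.values()]  # three --servercert values
```

With all three pins the chain completes; with only the first server's pin the redirect target is rejected, which is the failure mode the multiple-fingerprint option is meant to resolve.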