
Allow specification of multiple certificate fingerprints on command-line via --servercert

Daniel Lenski requested to merge allow_multiple_servercert_arguments into master

Server certificates will be accepted if they match any of the provided fingerprints.

Behavior with --servercert is otherwise unchanged; it still disables system trust stores, meaning that only certificates matching the provided fingerprints will be accepted if it is specified one or more times.

This will allow the use of --servercert to non-interactively connect to a server which has a non-trusted certificate and redirects to one or more other servers with non-trusted certificates. (See #25 (closed) for a real case.)

Example: connecting to a VPN server which always redirects to one of two other servers. All 3 have misconfigured certs which can't easily be trusted by other means.

$ openconnect vpn.company.com \
              --servercert [fingerprint of vpn.company.com] \
              --servercert [fingerprint of vpn-01.company.com] \
              --servercert [fingerprint of vpn-02.company.com]

POST https://vpn.company.com/
Connected to 1.1.1.1:443
SSL negotiation with vpn.company.com
Server certificate verify failed: signer not found
Connected to HTTPS on 1.1.1.1 with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://vpn-02.company.com/
Connected to 1.1.1.2:443
SSL negotiation with vpn-02.company.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn-02.company.com with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
Username:

Signed-off-by: Daniel Lenski dlenski@gmail.com
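The accept-any-of semantics the description spells out (a certificate passes if it matches any supplied fingerprint; once at least one fingerprint is given, the system trust store no longer counts) can be modelled in a few lines. The block below is an added illustration, not OpenConnect's code: the certificate bytes are constructed placeholders rather than real DER certificates, and the fingerprint format (colon-separated SHA-256 hex with an optional `sha256:` prefix) is an assumption for the demonstration, not a statement about what `--servercert` parses.

```python
"""Added example (not OpenConnect's code): accept-any-of certificate pinning.

Models the behaviour the merge request describes: the user supplies one or
more fingerprints; a server certificate is accepted if it matches ANY of them,
and once at least one fingerprint is given the system trust store is ignored.
The certificate bytes and the fingerprint format are constructed for this
demonstration and are not OpenConnect's real formats.
"""
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (NOT real certificates).
CERTS = {
    "vpn.company.com": b"constructed-cert-bytes:vpn.company.com",
    "vpn-01.company.com": b"constructed-cert-bytes:vpn-01.company.com",
    "vpn-02.company.com": b"constructed-cert-bytes:vpn-02.company.com",
    "evil.example": b"constructed-cert-bytes:evil.example",
}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, upper-case hex with colons."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: drop an optional 'sha256:' prefix, colons
    and whitespace, and fold case, so 'ab:cd' and 'ABCD' compare equal."""
    fp = fp.strip()
    if fp.lower().startswith("sha256:"):
        fp = fp[len("sha256:"):]
    return fp.replace(":", "").replace(" ", "").lower()


def cert_accepted(cert_der: bytes, pinned: list[str], system_trust_ok: bool) -> bool:
    """Decide whether to accept a server certificate.

    With no pins, fall back to the system trust store result.  With one or
    more pins, the trust store is ignored and the certificate is accepted only
    if its fingerprint matches any pin (constant-time compare per pin).
    """
    if not pinned:
        return system_trust_ok
    actual = normalize(fingerprint(cert_der))
    return any(hmac.compare_digest(actual, normalize(p)) for p in pinned)


def follow_redirects(chain: list[str], pinned: list[str]) -> list[tuple[str, bool]]:
    """Walk a redirect chain like the one in the MR transcript, verifying each
    hop's certificate.  Returns (host, accepted) per hop and stops at the first
    rejected hop, since a connection to an unpinned host must not proceed."""
    results = []
    for host in chain:
        ok = cert_accepted(CERTS[host], pinned, system_trust_ok=False)
        results.append((host, ok))
        if not ok:
            break
    return results


if __name__ == "__main__":
    pins = [fingerprint(CERTS[h])
            for h in ("vpn.company.com", "vpn-01.company.com", "vpn-02.company.com")]
    # Mirrors the transcript: the first server redirects to vpn-02, both pinned.
    for host, ok in follow_redirects(["vpn.company.com", "vpn-02.company.com"], pins):
        print(f"{host}: {'accepted' if ok else 'REJECTED'}")
    # A host matching none of the pins is rejected even if the trust store
    # would have accepted it, because pins replace the trust store entirely.
    print(cert_accepted(CERTS["evil.example"], pins, system_trust_ok=True))
```

The `system_trust_ok=True` case at the end is the point worth remembering operationally: supplying any `--servercert` is not an additional allow-list on top of normal validation, it is the whole validation, so every server in the redirect chain needs its own entry.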

