www.infradead.org Git - users/dwmw2/openconnect.git/commit

author	David Woodhouse <David.Woodhouse@intel.com>
	Mon, 4 Feb 2013 15:57:35 +0000 (15:57 +0000)
committer	David Woodhouse <David.Woodhouse@intel.com>
	Wed, 13 Feb 2013 21:02:54 +0000 (21:02 +0000)
commit	173c3143d6bb3856e7e68f50f06b6aca43551f93
tree	016b2e2fca2aa054c0607b813fc91f1326f79a75	tree
parent	bcc2f7f26216719504945c8ba670cb6fd5b07ce2	commit \| diff

Canonicalise hostname during authentication if necessary

Some people have round-robin servers, all addressed by the same hostname
but with different SSL certificates. Where we do the authentication (and
user-interactive approval of certificates) from a GUI via libopenconnect,
or with 'openconnect --authenticate', we end up being given the SHA1 on
the server's certificate and the non-interactive connection is going to
expect to see exactly that certificate. So if there is more than one
result in the original DNS lookup, *change* vpninfo->hostname to hold
the IP address that we actually connected to.

This means that the Host: header in what we send will be the numeric IP
address instead of the hostname, but that doesn't seem to hurt. It could
potentially, theoretically, break virtual hosts but I don't think that
kind of setup could ever existing in practice.

This also works only in the case where we're *not* connecting via a proxy.
We currently let the proxy do the DNS lookups *for* us, and we'd have to
do them locally and then ask the proxy for a connection by IP address
even for the *first* connection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
(cherry picked from commit b0b4b34f5b3b397db1558c7c2c0b358db07c9964
and subsequent fix commit 3e6ecfa511ab29ed83aac6fc3a96080fffdf1635)