Changes - SailfishOS Open Build Service

Changes of Revision 7

[-] [+]	Changed	_service:tar_git:openfortivpn.changes
@@ -1,3 +1,6 @@ +* Wed Jan 29 2020 Alexey Andreev <a.andreev@omprussia.ru> - 1.10.0-mer +- [openfortivpn] Add cert skip check option + * Sat Nov 17 2018 Martin Hecht <mrbaseman@gmx.de> - 1.8.0 - [master] simple bug fix
[-] [+]	Changed	_service:tar_git:openfortivpn.spec ^
@@ -1,6 +1,6 @@ Name: openfortivpn Version: 1.10.0 -Release: 1%{?dist} +Release: mer Summary: Client for PPP+SSL VPN tunnel services Group: Applications/Internet
[-] [+]	Changed	_service ^
@@ -7,5 +7,4 @@ <param name="debian">N</param> <param name="dumb">N</param> </service> -</services> - +</services> \ No newline at end of file
[-] [+]	Changed	_service:tar_git:openfortivpn-1.10.0.tar.gz/src/config.c ^
@@ -57,6 +57,7 @@ .user_cert = NULL, .user_key = NULL, .insecure_ssl = -1, + .cert_skip_check = -1, .cipher_list = NULL, .min_tls = -1, .seclevel_1 = -1, @@ -361,6 +362,9 @@ continue; } cfg->insecure_ssl = insecure_ssl; + } else if (strcmp(key, "cert-skip-check") == 0) { + log_warn("Skipping cert check"); + cfg->cert_skip_check = 1; } else if (strcmp(key, "cipher-list") == 0) { free(cfg->cipher_list); cfg->cipher_list = strdup(val); @@ -499,6 +503,8 @@ } if (src->insecure_ssl != invalid_cfg.insecure_ssl) dst->insecure_ssl = src->insecure_ssl; + if (src->cert_skip_check != invalid_cfg.cert_skip_check) + dst->cert_skip_check = src->cert_skip_check; if (src->cipher_list) { free(dst->cipher_list); dst->cipher_list = src->cipher_list;
[-] [+]	Changed	_service:tar_git:openfortivpn-1.10.0.tar.gz/src/config.h ^
@@ -94,6 +94,7 @@ char user_cert; char user_key; int insecure_ssl; + int cert_skip_check; int min_tls; int seclevel_1; char *cipher_list;
[-] [+]	Changed	_service:tar_git:openfortivpn-1.10.0.tar.gz/src/main.c ^
@@ -129,6 +129,7 @@ " Also enable TLSv1.0 if applicable.\n" \ " If your server requires a specific cipher or protocol,\n" \ " consider using --cipher-list and/or --min-tls instead.\n" \ +" --cert-skip-check Skip incoming cert ssl check\n" \ " --cipher-list=<ciphers> Openssl ciphers to use. If default does not work\n" \ " you can try with the cipher suggested in the output\n" \ " of 'openssl s_client -connect <host:port>'\n" \ @@ -200,6 +201,7 @@ .user_cert = NULL, .user_key = NULL, .insecure_ssl = 0, + .cert_skip_check = 0, .min_tls = 0, .seclevel_1 = 0, .cipher_list = NULL, @@ -230,6 +232,7 @@ {"user-key", required_argument, 0, 0}, {"trusted-cert", required_argument, 0, 0}, {"insecure-ssl", no_argument, &cli_cfg.insecure_ssl, 1}, + {"cert-skip-check", no_argument, &cli_cfg.cert_skip_check, 1 }, {"cipher-list", required_argument, 0, 0}, #if OPENSSL_VERSION_NUMBER >= 0x10100000L {"min-tls", required_argument, 0, 0}, @@ -539,9 +542,7 @@ log_debug("One-time password = \"%s\"\n", cfg.otp); if (geteuid() != 0) { - log_error("This process was not spawned with root privileges, which are required.\n"); - ret = EXIT_FAILURE; - goto exit; + log_warn("This process was not spawned with root privileges, which are required.\n"); } do {
[-] [+]	Changed	_service:tar_git:openfortivpn-1.10.0.tar.gz/src/tunnel.c ^
@@ -676,6 +676,12 @@ subject = X509_NAME_oneline(subj, NULL, 0); issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); + if (tunnel->config->cert_skip_check > 0) { + log_debug("Skipped cert check\n"); + ret = 0; + goto free_cert; + } + log_error("Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:\n"); log_error(" --trusted-cert %s\n", digest_str); log_error("or add this line to your config file:\n");