Improve saving an invalid certificate fingerprint to avoid the need to accept it every time
Abandoned · Public

Authored by enriquem on Jan 21 2019, 8:16 PM.

Details

Reviewers
jgrulich
Summary

The way an invalid certificate fingerprint is saved in the [vpn-secrets] section does not work in some cases. It is unconditionally saved with a key certificate:host:port when the user accepts the invalid certificate. If the address contains square brackets, this will not work well. Besides, tagging the key with the host would be necessary if the same connection would be valid for several hosts, which is currently not the case.

So, I propose to change that behavior to save the fingerprint with a different key, and give the user the chance to accept the fingerprint only for the current connection, to accept it forever, and to delete it from the config file.

Diff Detail

Repository
R116 Plasma Network Management Applet
enriquem created this revision. Jan 21 2019, 8:16 PM
Restricted Application added a project: Plasma. Jan 21 2019, 8:16 PM
Restricted Application added a subscriber: plasma-devel.
enriquem requested review of this revision. Jan 21 2019, 8:16 PM
enriquem edited the summary of this revision. Jan 21 2019, 9:05 PM

Can you please rebase this change on top of master? It doesn't apply.

vpn/openconnect/openconnectwidget.cpp
55

Trailing space

66

Trailing space

144

Trailing space.

I'm sure there are more, can you please remove them completely? You can for example do this in Kate where you set "Remove trailing spaces" on save.

158

Shouldn't we also set previous secrets? If you do this, we will lose what was stored there before.

Restricted Application added 1 blocking reviewer(s): jgrulich. Mar 5 2019, 10:33 AM
enriquem updated this revision to Diff 53225. Mar 5 2019, 6:07 PM

Diff updated, but please note that this patch would break compatibility with NetworkManager, and with existing configured networks. I still think changes are reasonable, but had to be synchronized with similar changes in NetworkManager. Not that those are difficult, I may be able to implement them, but need to be done. Until all parties agree, I'd recommend not implementing this.

enriquem abandoned this revision. May 15 2019, 10:31 AM