On Fri, Jul 10, 2015 at 11:31:44PM +0100, David Woodhouse wrote:
> On Fri, 2015-07-10 at 22:01 +0000, brian m. carlson wrote:
> > Note that the certificate is in fact valid and verifies correctly, as
> > Firefox accepts it.
>
> What CA is used to verify it? Debian unfortunately doesn't have a
> system-wide configuration for trusted CAs — the update-ca-certificates
> tool only works for OpenSSL and GnuTLS, and not for NSS. You really
> ought to be using p11-kit-trust and replacing the NSS libnssckbi.so
> library with it, to actually get consistency across all applications.

Issuer: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2

The certificate is in the system store:
/usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt

It's listed in /etc/ca-certificates.conf, so it should be in
/etc/ssl/certs/ca-certificates.crt. (I rebuilt just to make sure.)
Unfortunately, openssl x509 refuses to list more than the first cert, so
actually verifying that for certain is nontrivial.

> > However, openconnect does not, and prompts.
> > Entering "si" displays the certificate, as does entering "sí" or "yes".
> > In fact, there's nothing I can enter that makes it accept the
> > certificate.
> >
> > I believe this is because the prompt uses U+0073 + U+0069 + U+0301,
> > whereas using the compose key I enter U+0073 + U+00ED. Since either
> > encoding is valid, you must use Unicode normalization to accept
> > either choice. As it is, the program is unusable in this locale.
>
> That seems... suboptimal :)
>
> I do seem to be able to work around it by cutting and pasting the sí
> from the prompt. Or by typing 's' 'i' then Ctrl-Shift-u-3-0-1.
> But I certainly accept that you shouldn't have to do so!

I wasn't aware of the Ctrl-Shift-u trick. That's neat.

> A simple 'fix' might be just to change the translation to use the
> canonical form U+00ED for the í instead of U+0069 + U+0301.
>
> Is there a reason *not* to do that?

That's probably the easiest solution, and I suspect the one most likely
to work. But I must admit that I'm a native English speaker with a US
English keyboard, and I know nothing about what byte sequence is
actually input by someone with a Spanish keyboard. I expect it will
work fine, though.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
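The normalization issue discussed in this thread, as an added example that is not part of the original messages and is not openconnect's code: it compares the two encodings of "sí" byte-for-byte and then under canonical normalization, so that the accented answer is accepted in either form while the unaccented "si" is still rejected. The function names, the sample inputs and the modelling of the failing check as a byte comparison are assumptions.

```python
import unicodedata

# Constructed sample: the expected answer as the thread describes the prompt
# string, decomposed as U+0073 U+0069 U+0301.
EXPECTED_YES = "si\u0301"

def utf8_hex(text):
    """Hex of the UTF-8 bytes, i.e. what a byte-wise comparison sees."""
    return text.encode("utf-8").hex(" ")

def canonical_key(text):
    """Key for canonical caseless matching: NFD, case-fold, NFD again."""
    decomposed = unicodedata.normalize("NFD", text.strip())
    return unicodedata.normalize("NFD", decomposed.casefold())

def bytewise_match(answer, expected=EXPECTED_YES):
    """Assumed failing check: equal only if the byte sequences are identical."""
    return answer.encode("utf-8") == expected.encode("utf-8")

def normalized_match(answer, expected=EXPECTED_YES):
    """Accept any canonically equivalent spelling of the expected answer.

    Canonical forms (NFC/NFD) only: compatibility folding or accent
    stripping would also accept the unaccented "si", which the prompt
    treats as a different answer.
    """
    return canonical_key(answer) == canonical_key(expected)

def compare_inputs(answers):
    """Return (answer bytes, bytewise result, normalized result) per input."""
    return [(utf8_hex(a), bytewise_match(a), normalized_match(a)) for a in answers]

if __name__ == "__main__":
    # Constructed inputs: compose-key form (U+00ED), pasted prompt form,
    # unaccented "si", English "yes", and upper case with a trailing newline.
    for row in compare_inputs(["s\u00ed", "si\u0301", "si", "yes", "S\u00cd\n"]):
        print(row)
```
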