
How to disable certificate validation? #946

Closed
seventhsite opened this issue Oct 15, 2021 · 7 comments

Comments


seventhsite commented Oct 15, 2021

I used FortiClient with "Client certificate: none" and "Do not warn invalid server certificate". How can I use the same thing in openfortivpn?
I'm looking for a config option.

DimitriPapadopoulos (Collaborator) commented:

There's no such option. Get the cert from the server and use the trusted-cert option.

DimitriPapadopoulos (Collaborator) commented Oct 15, 2021

You may automate that in a shell script. I don't have an example right now, but it shouldn't be too difficult:

  • Get SSL certificate from server.
  • Calculate the sha256 sum.
  • Feed the sha256sum to openfortivpn with trusted-cert.

If you come up with such a script, I would be happy to add it to the wiki:
https://github.com/adrienverge/openfortivpn/wiki

fabianonunes (Contributor) commented Oct 16, 2021

> If you come up with such a script, I would be happy to add it to the wiki:

```sh
# Print the SHA-256 digest of the gateway's DER-encoded certificate,
# in the form openfortivpn expects for trusted-cert.
echo | openssl s_client -connect "$ip:$port" 2>/dev/null | \
  openssl x509 -outform der | \
  sha256sum | \
  awk '{ print $1 }'
```

If SNI is enabled on the server, you must use the domain instead of the IP. On older openssl versions, SNI is not enabled by default and you must pass the domain to the -servername option.

seventhsite (Author) commented Oct 17, 2021

Thank you for answers!

The answer of this script is ...54acd
My config:

host = x.x.x.x
port = yyy
username = seventh
password = mypass
trusted-cert = ...54acd

Then:

root@7thUbuntu:/home/seventh# openfortivpn -v
DEBUG:  openfortivpn 1.12.0
DEBUG:  Loaded config file "/etc/openfortivpn/config".
DEBUG:  Loaded password from config file "/etc/openfortivpn/config"
DEBUG:  Config host = "x.x.x.x"
DEBUG:  Config realm = ""
DEBUG:  Config port = "yyy"
DEBUG:  Config username = "seventh"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  server_addr: x.x.x.x
DEBUG:  server_port: yyy
DEBUG:  gateway_addr: x.x.x.x
DEBUG:  gateway_port: yyy
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  HTTP status code 405
INFO:   Closed connection to gateway.
DEBUG:  server_addr: x.x.x.x
DEBUG:  server_port: yyy
DEBUG:  gateway_addr: x.x.x.x
DEBUG:  gateway_port: yyy
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

DimitriPapadopoulos (Collaborator) commented Oct 17, 2021

@seventhsite It looks like @fabianonunes has solved your initial problem:

> DEBUG:  Gateway certificate digest found in white list.

By the way, instead of blindly accepting a server certificate, you could add the certification authority (CA) that signed the server certificate to the system certificate store. See for example:
How do you add a certificate authority (CA) to Ubuntu?

Now you seem to have a new and different problem:

> ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.

I suggest you close this issue and open a new issue to address this new problem.

seventhsite (Author) commented:

Ok, thank you.
#947

mrbaseman (Collaborator) commented:

> By the way, instead of blindly accepting a server certificate, you could add the certification authority (CA) that signed the server certificate to the system certificate store.

Absolutely. I would like to second this. Another approach would be to run the sequence just once and add the --trusted-cert option to the call (or to the config file).

Don't calculate the sha256sum each time you connect and blindly accept it. If you do this once, from a secure environment, you have obtained a checksum for the certificate, which allows you to verify if future ssl-vpn connections are secure or not.
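As an added example (my code, not openfortivpn's and not any commenter's script), here is the same digest computation as the openssl pipeline above, written with Python's standard library and combined with the pin-once-then-verify practice mrbaseman describes: the digest is obtained once from a trusted environment and written as trusted-cert, and on later runs the gateway's current digest is compared against the pinned values instead of being recomputed and accepted blindly. The config path, the hostname, the sample PEM (a placeholder wrapper around the bytes "abc", not a real certificate) and the sample config text are all constructed assumptions.

```python
"""Pin an SSL-VPN gateway certificate for openfortivpn's trusted-cert option.

Added example, not part of openfortivpn. The trusted-cert value is the hex
SHA-256 of the DER encoding of the gateway's leaf certificate, which is what
`openssl x509 -outform der | sha256sum` prints; the same digest is computed
here and checked against pins already present in a config file.
"""
import hashlib
import hmac
import re
import ssl
import sys

# Assumed default config path (the one the reporter's log shows being loaded).
DEFAULT_CONFIG = "/etc/openfortivpn/config"

# Constructed stand-in: a PEM wrapper around the bytes b"abc" (base64 "YWJj").
# It is NOT a real certificate; it only lets the digest path run offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed config fragment in openfortivpn's "key = value" syntax.
SAMPLE_CONFIG = """\
host = vpn.example.invalid
port = 443
username = seventh
# digest of SAMPLE_PEM, pinned once from a trusted environment
trusted-cert = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

_PIN_RE = re.compile(r"^\s*trusted-cert\s*=\s*([0-9a-fA-F]{64})\s*$")


def fingerprint_from_pem(pem: str) -> str:
    """Lowercase hex SHA-256 over the DER form of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # base64-decodes the PEM body
    return hashlib.sha256(der).hexdigest()


def fetch_gateway_pem(host: str, port: int) -> str:
    """Fetch the gateway's leaf certificate as PEM without validating it.

    Validation is deliberately off: this is the one-time step, run from a
    trusted network, that obtains the value to pin. get_server_certificate
    sends `host` as SNI, so pass a hostname rather than an IP when the
    gateway serves different certificates per name.
    """
    return ssl.get_server_certificate((host, port))


def pinned_fingerprints(config_text: str) -> set:
    """Collect every trusted-cert digest from openfortivpn config text.

    '#' comments are ignored and values that are not 64 hex digits are
    skipped rather than silently treated as pins.
    """
    pins = set()
    for raw in config_text.splitlines():
        m = _PIN_RE.match(raw.split("#", 1)[0])
        if m:
            pins.add(m.group(1).lower())
    return pins


def matches_pin(fingerprint: str, config_text: str) -> bool:
    """True if `fingerprint` equals one of the pinned digests (constant-time per pin)."""
    fp = fingerprint.lower()
    return any(hmac.compare_digest(fp, pin) for pin in pinned_fingerprints(config_text))


def main(argv) -> int:
    if len(argv) < 3:
        print(f"usage: {argv[0]} HOST PORT [CONFIG]", file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    config_path = argv[3] if len(argv) > 3 else DEFAULT_CONFIG
    fp = fingerprint_from_pem(fetch_gateway_pem(host, port))
    try:
        with open(config_path, encoding="utf-8") as f:
            config_text = f.read()
    except OSError:
        # No config yet: this is the first, trusted run; print the line to pin.
        print(f"trusted-cert = {fp}")
        return 0
    if matches_pin(fp, config_text):
        print(f"OK: gateway certificate matches a pinned trusted-cert ({fp})")
        return 0
    print(f"MISMATCH: gateway presented {fp}, not pinned in {config_path}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as `python3 pin_gateway.py vpn.example.invalid 443` from a network you trust and copy the printed trusted-cert line into the config; on every later run a non-zero exit means the gateway presented a certificate other than the one pinned, which is exactly the case the recompute-every-time approach would have accepted without noticing.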
