On lun., 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
> When no certificate is specified in a network-manager's strongswan vpn
> connection, charon-nm looks for CAs in a directory set at
> compile-time, nm-ca-dir. This, however, by default makes it look for
> certificates in /usr/share/ca-certificates instead of the expected
> dir, /etc/ssl/certs.
>
> Attached patch makes charon-nm default to using /etc/ssl/certs.

Thanks for the patch, it looks good at first sight, but I wonder if we really want to have a (valid) default CA store for a VPN client. That means that by default a client would accept any CA from CA mafia, which might be useful (or at least unavoidable) for a browser, but not really the expected behavior for a VPN client.

What do you think?

Regards,
--
Yves-Alexis