https://bugs.kde.org/show_bug.cgi?id=401611
Bug ID: 401611
Summary: CA certificate is not ensured for openconnect VPNs
Product: plasma-nm
Version: 5.13.5
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: applet
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
SUMMARY
My VPN provider recently changed their certificate and I got no alert at all.
I have configured a CA certificate in the plasma-nm applet, and it is passed to
openconnect.
However, since "--no-system-trust" is not passed, openconnect trusts *any*
certificate, ignoring that. So any user hijacking a trusted CA can present a
certificate and the client does not alert the user. There is also no alert for
a certificate change.
STEPS TO REPRODUCE
1. Create a new openconnect VPN connection and specify a CA file not matching
the VPN's CA.
2. Have the VPN's CA be trusted by the system.
3. Connect.
OBSERVED RESULT
No alert.
EXPECTED RESULT
Be alerted if the CA is changed / does not match what is specified explicitly
as CA certificate.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: kernel 4.18.3 / 5.13.5
KDE Frameworks Version: 5.50.0
Qt Version: 5.11.1
ADDITIONAL INFORMATION
A solution would be to pass:
--no-system-trust
to openconnect if a CA certificate is specified.
Alternatively, expose that flag via a checkbox that is checked by default
when a CA certificate is provided.
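The following shell script is an added illustration and is not part of the bug report, of plasma-nm or of openconnect. It reproduces the trust-store problem with openssl instead of openconnect: a constructed "explicit" CA stands in for the CA file configured in the applet, a constructed "other" CA placed in a hashed -CApath directory stands in for a CA the system trusts, and a hypothetical server certificate for vpn.example.test is issued by "other". Verifying with the explicit CA plus the trust directory accepts the certificate (the situation described above, where the explicit CA is effectively ignored); verifying with the explicit CA alone, using -no-CAfile/-no-CApath as the analogue of openconnect's --no-system-trust, rejects it. All names, keys and certificates are generated in a temporary directory and removed on exit.

```shell
#!/bin/sh
# Added example; not from the bug report or plasma-nm. It models the trust
# behaviour described in the report with openssl instead of openconnect:
# an explicit CA file plus a separately trusted store (the analogue of
# openconnect with --cafile but without --no-system-trust) versus the
# explicit CA alone. All CAs, keys and the server certificate are
# constructed here in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named $1 (key + cert under $WORK).
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1-CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# Server certificate for a hypothetical VPN host, issued by CA $1.
mk_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1-ca.pem" \
        -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 2 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Stand-in for the OS trust store: a hashed -CApath directory holding CA $1.
mk_trust_dir() {
    mkdir -p "$WORK/trustdir"
    hash=$(openssl x509 -hash -noout -in "$WORK/$1-ca.pem")
    ln -sf "$WORK/$1-ca.pem" "$WORK/trustdir/$hash.0"
}

# The reported configuration: the user's explicit CA file *and* the trust
# store are both consulted, so a certificate chaining to any trusted CA
# passes even though it does not chain to the explicit CA.
verify_explicit_plus_trust_dir() {
    if openssl verify -CAfile "$WORK/explicit-ca.pem" -CApath "$WORK/trustdir" \
            "$WORK/server.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# The requested behaviour: only the explicitly configured CA is trusted.
# -no-CAfile/-no-CApath drop the default locations; the explicit -CAfile
# is still loaded.
verify_explicit_only() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/explicit-ca.pem" \
            "$WORK/server.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# Scenario from the report: the user pinned "explicit", but the server now
# presents a certificate from a different CA ("other") that the store trusts.
mk_ca explicit
mk_ca other
mk_server_cert other
mk_trust_dir other

echo "explicit CA + trust store: $(verify_explicit_plus_trust_dir)"
echo "explicit CA only:          $(verify_explicit_only)"
```

The first line printed is "accepted" and the second "rejected", which is the difference the report asks the applet to surface: with the trust store in play, the configured CA file adds nothing, and only the second mode makes a CA change visible as a verification failure.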