Bug#835095: [Pkg-swan-devel] Bug#835095: strongswan-nm: doesn't use the system CA store

2016-08-22 Thread Raphael Geissert
Hi,

On 22 August 2016 at 16:12, Yves-Alexis Perez wrote:
> On Mon., 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
>> Attached patch makes charon-nm default to using /etc/ssl/certs.
>
> Thanks for the patch, it looks good at first sight, but I wonder if we really
> want to have a (valid) default CA store for a VPN client. That means that by
> default a client would accept any CA from CA mafia, which might be useful (or
> at least unavoidable) for a browser, but not really the expected behavior for
> a VPN client.
>
> What do you think?

I think that in any case the patch is an improvement over the current
default, as it:
- adds the local certificates from /usr/local/share/ca-certificates
- it removes trust from any certificate that root may have disabled system-wide

OTOH, now that the starter plugin is no longer loaded for
Network-Manager-initiated connections, a good default could be
/etc/ipsec.d/cacerts.
It doesn't exist by default in a pure strongswan-nm installation, however.

One thing that must be noted is that right now the default has an
important significance given that no CAdir can be configured for
charon-nm.
As a side note, I've plans to work on adding support for configuring a
directory, but I've no ETA for that.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
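
The two differences named in the message above (local certificates added, disabled certificates dropped) can be listed on a given machine. This is an added example, not part of the thread or of the attached patch; it assumes the Debian ca-certificates layout in which /etc/ssl/certs holds symlinks to the enabled certificate files, and the function name `ca_store_diff` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare the directory of shipped CA
# files with the store that is actually trusted system-wide.
# Assumption: the trusted store consists of symlinks to enabled certificate
# files, as /etc/ssl/certs does on Debian.
# Usage: ca_store_diff SHIPPED_DIR TRUSTED_DIR
#   e.g. ca_store_diff /usr/share/ca-certificates /etc/ssl/certs
ca_store_diff() {
    shipped=$(readlink -f "$1") || return 1
    trusted=$2

    # Resolve every symlink in the trusted store to the real file behind it.
    # Hash-named links and .pem links to the same file collapse via sort -u;
    # regular files such as a concatenated bundle are skipped.
    targets=$(for l in "$trusted"/*; do
        [ -L "$l" ] && readlink -f "$l"
    done | sort -u)

    # Shipped certificates that nothing in the trusted store points to:
    # these are the ones disabled system-wide, which a client reading
    # SHIPPED_DIR directly would still trust.
    find "$shipped" -type f -name '*.crt' | sort | while IFS= read -r f; do
        printf '%s\n' "$targets" | grep -Fxq -- "$f" ||
            printf 'disabled %s\n' "$f"
    done

    # Trusted certificates that live outside SHIPPED_DIR: locally added CAs
    # that a client reading SHIPPED_DIR directly would never see.
    printf '%s\n' "$targets" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        case $t in
            "$shipped"/*) ;;
            *) printf 'local %s\n' "$t" ;;
        esac
    done
}

# Run the comparison only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    ca_store_diff "$1" "$2"
fi
```
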



2016-08-22 Thread Yves-Alexis Perez
On Mon., 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
> When no certificate is specified in a network-manager's strongswan vpn
> connection, charon-nm looks for CAs in a directory set at
> compile-time, nm-ca-dir. This, however, by default makes it look for
> certificates in /usr/share/ca-certificates instead of the expected
> dir, /etc/ssl/certs.
> 
> Attached patch makes charon-nm default to using /etc/ssl/certs.

Thanks for the patch, it looks good at first sight, but I wonder if we really
want to have a (valid) default CA store for a VPN client. That means that by
default a client would accept any CA from CA mafia, which might be useful (or
at least unavoidable) for a browser, but not really the expected behavior for
a VPN client.

What do you think?

Regards,
-- 
Yves-Alexis
