[Pkg-swan-devel] Bug#835095: Bug#835095: strongswan-nm: doesn't use the system CA store

Yves-Alexis Perez corsac at debian.org
Mon Aug 22 14:12:47 UTC 2016


On Mon, 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
> When no certificate is specified in a network-manager's strongswan vpn
> connection, charon-nm looks for CAs in a directory set at
> compile-time, nm-ca-dir. This, however, by default makes it look for
> certificates in /usr/share/ca-certificates instead of the expected
> dir, /etc/ssl/certs.
> 
> Attached patch makes charon-nm default to using /etc/ssl/certs.

Thanks for the patch, it looks good at first sight, but I wonder if we really
want to have a (valid) default CA store for a VPN client. That means that by
default a client would accept any CA from CA mafia, which might be useful (or
at least unavoidable) for a browser, but not really the expected behavior for
a VPN client.

What do you think?

Regards,
-- 
Yves-Alexis
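
An added example for comparing the two directories discussed in this thread (not part of either message, and not strongSwan or Debian code): it counts the trust anchors each directory exposes and lists CAs an administrator has deselected that are still present in the shipped directory. It assumes the layout of Debian's ca-certificates package as described in the comments, and assumes nothing about how charon-nm scans nm-ca-dir.

```shell
#!/bin/sh
# Added example: compare the CA directories named in the thread.
# Assumed Debian ca-certificates layout (not stated in the thread):
#   shipped certs:   /usr/share/ca-certificates/<subdir>/*.crt
#   admin selection: /etc/ca-certificates.conf, a leading "!" deselects an entry
#   enabled certs:   symlinks in /etc/ssl/certs (plus <hash>.0 links and a bundle)

# Count distinct trust anchors under a directory. Symlinks are resolved and
# de-duplicated; the concatenated bundle is skipped so it is not counted as one CA.
count_anchors() {
    find -L "$1" -type f \( -name '*.crt' -o -name '*.pem' \) \
        ! -name 'ca-certificates.crt' -exec readlink -f {} \; |
        sort -u | wc -l | tr -d ' '
}

# List entries the admin deselected in the conf file that still exist in the
# shipped directory, i.e. CAs a scan of that directory would still find.
deselected_still_shipped() {
    shipped_dir=$1
    conf=$2
    grep '^!' "$conf" | cut -c2- | while IFS= read -r rel; do
        if [ -f "$shipped_dir/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Report on the real system only when asked to: sh ca-dirs.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "shipped: $(count_anchors /usr/share/ca-certificates)"
    echo "enabled: $(count_anchors /etc/ssl/certs)"
    echo "deselected but still shipped:"
    deselected_still_shipped /usr/share/ca-certificates /etc/ca-certificates.conf
fi
```

The "enabled" count is the number of CAs a client would accept if it trusted the whole store, which is the concern raised in the reply above.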