[Pkg-swan-devel] Bug#835095: Bug#835095: strongswan-nm: doesn't use the system CA store

Raphael Geissert geissert at debian.org
Mon Aug 22 15:13:02 UTC 2016


Hi,

On 22 August 2016 at 16:12, Yves-Alexis Perez <corsac at debian.org> wrote:
> On lun., 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
>> Attached patch makes charon-nm default to using /etc/ssl/certs.
>
> Thanks for the patch, it looks good at first sight, but I wonder if we really
> want to have a (valid) default CA store for a VPN client. That means that by
> default a client would accept any CA from CA mafia, which might be useful (or
> at least unavoidable) for a browser, but not really the expected behavior for
> a VPN client.
>
> What do you think?

I think that in any case the patch is an improvement over the current
default, as it:
- adds the local certificates from /usr/local/share/ca-certificates
- removes trust from any certificate that root may have disabled system-wide

OTOH, now that the starter plugin is no longer loaded for
Network-Manager-initiated connections, a good default could be
/etc/ipsec.d/cacerts.
It doesn't exist by default in a pure strongswan-nm installation, however.

One thing that must be noted is that right now the default has an
important significance given that no CAdir can be configured for
charon-nm.
As a side note, I've plans to work on adding support for configuring a
directory, but I've no ETA for that.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
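The trade-off discussed in this thread (a system-wide store such as /etc/ssl/certs accepts a gateway certificate issued by any of its CAs, whereas a VPN-specific directory such as /etc/ipsec.d/cacerts only accepts the VPN's own CA) can be reproduced locally. The script below is an added example, not code from the bug report or from strongSwan; it assumes a working `openssl` binary and uses only throwaway CAs and certificates it generates itself in a temporary directory.

```shell
#!/bin/sh
# Added example: show how the breadth of a CApath directory decides which
# gateway certificates a client will accept. All CAs and certificates below
# are generated on the fly; nothing here touches the real system store.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA whose CN is $1 (key and cert land in $WORK).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate with CN $2, signed by the CA named $1.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# Populate a CApath-style directory ($1) with hash-named links to the CA
# certificates given as the remaining arguments, the way c_rehash does.
build_capath() {
  dir=$1; shift
  mkdir -p "$dir"
  for crt in "$@"; do
    hash=$(openssl x509 -hash -noout -in "$crt")
    ln -sf "$crt" "$dir/$hash.0"
  done
}

# Exit status 0 if certificate $2 chains to a CA in directory $1, else 1.
verify_against() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demonstration: two CAs, one gateway certificate issued by each, and two
# trust directories: "broad" (both CAs, like a system store) and "narrow"
# (only the VPN's CA, like a dedicated /etc/ipsec.d/cacerts).
demo() {
  make_ca vpn-ca
  make_ca other-ca
  issue_leaf vpn-ca vpn-gateway
  issue_leaf other-ca rogue-gateway
  build_capath "$WORK/broad" "$WORK/vpn-ca.crt" "$WORK/other-ca.crt"
  build_capath "$WORK/narrow" "$WORK/vpn-ca.crt"

  for store in broad narrow; do
    for leaf in vpn-gateway rogue-gateway; do
      if verify_against "$WORK/$store" "$WORK/$leaf.crt"; then
        echo "$store store: $leaf ACCEPTED"
      else
        echo "$store store: $leaf rejected"
      fi
    done
  done
}

demo
```

The broad directory accepts both gateway certificates, because any CA it contains is good enough; the narrow directory accepts only the certificate issued by the VPN's own CA. That is the behaviour the thread is weighing when it asks whether charon-nm should default to the system store.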
