[Pkg-swan-devel] Bug#1004166: strongswan-nm: Creates VPN configs that disable using system CA certificate directories

Daniel Fussell dlf29 at et.byu.edu
Sat Jan 22 02:49:12 GMT 2022


Package: strongswan-nm
Version: 5.9.1-1+deb11u1
Severity: important

Dear Maintainer,

After upgrading from Buster to Bullseye, I found that NetworkManager is
no longer able to start Strongswan VPN connections that use the system's
CA certificate store.  The daemon.log shows the following error during
phase1:

	charon-nm: 05[LIB]   opening '' failed: No such file or directory

Specifying the appropriate CA cert for the provided server cert fixes
the issue, at least until the server starts using a cert signed by a
different CA root cert (e.g. changing CA vendor, vendor changes root
cert for whatever reason, new server cert is a different cert service
class, etc).

Removing the blank "certificate=" line from the VPN connection config in
/etc/NetworkManager/system-connections/ restores the original behavior.
However, modifying the connection config in NetworkManager will again add
the blank "certificate=" line, once again breaking the connection config.

Setting "certificate=" to a large cert file like
/etc/ssl/certs/ca-certificates.crt does not allow one to restore the
original behavior.  As I recall, it seems to try a few certs, then fails
as not being able to verify the server cert chain.  I have not tested if
a smaller combined CA cert file would work.

I would expect the user to decide if they wished to use
system certificates, or even a small set of trusted CA certificates.
This could be done as in the past, by specifying a blank certificate
field, or by a plugin option (either in the connection editor, or
in /etc/strongswan/charon configs for charon-nm) that allows the user to select if
they want to use system CA certs, a smaller set of trusted certs (e.g.
/etc/ipsec.d/cacerts), or the current behavior of only trusting a 
single CA cert.

-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-nm depends on:
ii  libc6                 2.31-13+deb11u2
ii  libglib2.0-0          2.66.8-1
ii  libnm0                1.30.0-2
ii  libstrongswan         5.9.1-1+deb11u1
ii  strongswan-libcharon  5.9.1-1+deb11u1

Versions of packages strongswan-nm recommends:
ii  network-manager-strongswan  1.5.2-1

strongswan-nm suggests no packages.

-- no debconf information
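An added example (not part of the bug report or of the strongswan project) that audits NetworkManager keyfiles for the "certificate=" behaviour described above: a blank key disables the system CA directories, a missing key leaves them in use. It assumes the standard NetworkManager keyfile layout, where the [vpn] section carries service-type plus the plugin's key=value data; the sample keyfile is constructed.

```python
# Added example, not part of the bug report: classify how a NetworkManager strongswan
# keyfile handles CA trust, following the "certificate=" behaviour reported above.
# Assumes the standard keyfile layout ([vpn] holds service-type and the plugin data).
import configparser
from pathlib import Path

STRONGSWAN_SERVICE = "org.freedesktop.NetworkManager.strongswan"
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample of what the connection editor writes, blank line included.
SAMPLE_KEYFILE = """\
[connection]
id=corp-vpn
type=vpn
[vpn]
address=vpn.example.org
certificate=
method=eap
service-type=org.freedesktop.NetworkManager.strongswan
"""

FINDINGS = {
    "system-ca": "no certificate key: charon-nm uses the system CA certificate store",
    "blank-disables-system-ca": "blank certificate= line: system CA directories are "
        "disabled and charon-nm logs \"opening '' failed\"; remove the line",
    "ca-bundle-file": "points at the combined CA bundle, which the report found does "
        "not restore system-CA behaviour",
    "single-ca-file": "pins one CA file; breaks when the server moves to another CA",
}

def classify_keyfile(text):
    """Return a FINDINGS key for a strongswan VPN keyfile, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive, unlike INI
    cp.read_string(text)
    if cp.get("vpn", "service-type", fallback=None) != STRONGSWAN_SERVICE:
        return None
    if not cp.has_option("vpn", "certificate"):
        return "system-ca"
    value = cp.get("vpn", "certificate").strip()
    if value == "":
        return "blank-disables-system-ca"
    return "ca-bundle-file" if value == CA_BUNDLE else "single-ca-file"

def audit_connections(directory="/etc/NetworkManager/system-connections"):
    """Map each keyfile name to its finding text (reading the directory needs root)."""
    results = {}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        code = classify_keyfile(path.read_text(errors="replace"))
        if code:
            results[path.name] = FINDINGS[code]
    return results
```

Run `audit_connections()` as root to list every strongswan connection whose keyfile carries the blank line the connection editor re-adds.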