[Pkg-swan-devel] Bug#1004166: strongswan-nm: Creates VPN configs that disable using system CA certificate directories
Daniel Fussell
dfussell at byu.edu
Mon Jan 24 21:44:47 GMT 2022
On 1/24/22 02:00, Tobias Brunner wrote:
> Hi Daniel,
>
>> Removing the blank "certificate=" line from the VPN connection config in
>> /etc/NetworkManager/system-connections/ restores the original behavior.
>> However, modifying the connection config in NetworkManager will again
>> add
>> the blank "certificate=" line, once again breaking the connection
>> config.
>
> I can't reproduce this. What does the "Certificate" file chooser
> display when you open the editor? "(None)"?
>
> Regards,
> Tobias
>
Perhaps I wasn't clear. Applying any change to any field in the
NetworkManager strongswan VPN plugin config will write a text config
file with the 'certificate=' line. For example, the following resulting
connection config snippet would be broken because no certificate was
specified in the GUI:
...
[vpn]
address=vpn.example.com
certificate=
encap=yes
...
Changing that snippet to the following makes the connection work using
system certificates:
...
[vpn]
address=vpn.example.com
encap=yes
...
Notice the missing 'certificate=' line. However, any change made in the
GUI would restore the certificate= line as shown below:
...
[vpn]
address=different-vpn.example.com
certificate=
encap=yes
...
Thus, manually modifying the GUI-created VPN config is a temporary
workaround, but it will break eventually when the user applies
something in the GUI, and a new config is written out.
The GUI config should not include a 'certificate=' line when the GUI's
"Certificate:" field is left blank. Alternatively, strongswan should
assume 'certificate=' indicates the system certificates should be used.
Does that answer your question?
--
Daniel Fussell
CAEDM Linux Administrator
BYU College of Engineering
240 EB, Provo UT 84602
801-422-5351
dfussell at byu.edu
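The following is an added example and is not part of the bug report or of the strongswan-nm or NetworkManager projects. It automates the manual workaround described in the report: it walks a NetworkManager keyfile line by line, drops a 'certificate=' key in the [vpn] section only when its value is blank, and leaves everything else (other sections, non-blank certificate paths, blank keys in [vpn-secrets]) untouched. The sample keyfile is constructed for illustration; the assumption is the keyfile layout shown in the report, where a blank 'certificate=' is what disables the system CA directories.

```python
"""Strip blank 'certificate=' keys from the [vpn] section of a NetworkManager keyfile.

Added example for the strongswan-nm report above; the keyfile below is constructed.
"""
import os
import re
import shutil
from typing import List, Tuple

# NetworkManager keyfiles are INI-like: "[section]" headers, "key=value" lines.
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=\s]+)\s*=(?P<value>.*)$")

# Constructed sample, modelled on the snippet in the report: the blank
# certificate= line in [vpn] is the one that breaks system-CA lookup.
SAMPLE_KEYFILE = """[connection]
id=example-vpn
type=vpn

[vpn]
address=vpn.example.com
certificate=
encap=yes

[vpn-secrets]
password=

[ipv4]
method=auto
"""


def strip_blank_keys(text: str, section: str = "vpn",
                     keys: Tuple[str, ...] = ("certificate",)) -> Tuple[str, List[str]]:
    """Return (cleaned_text, removed) where removed lists the dropped 'section/key' entries.

    Only keys in `keys` inside exactly `section` with an empty value are removed;
    [vpn-secrets] is a different section and is never touched.
    """
    out: List[str] = []
    removed: List[str] = []
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name").strip()
            out.append(line)
            continue
        kv = KEY_RE.match(line)
        if (current == section and kv and kv.group("key") in keys
                and kv.group("value").strip() == ""):
            removed.append(f"{current}/{kv.group('key')}")
            continue  # drop the blank key so strongswan falls back to system CAs
        out.append(line)
    cleaned = "\n".join(out)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


def fix_keyfile(path: str) -> List[str]:
    """Rewrite a keyfile in place (keeping a .bak copy with the same mode) and report removals."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed = strip_blank_keys(original)
    if removed:
        shutil.copy2(path, path + ".bak")          # preserves the 0600 root-only mode
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
        os.chmod(path, 0o600)                      # keyfiles must stay unreadable to others
    return removed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for entry in fix_keyfile(p):
                print(f"{p}: removed blank {entry}")
    else:
        text, dropped = strip_blank_keys(SAMPLE_KEYFILE)
        print("removed:", dropped)
        print(text)
```

Run it against the connection files under /etc/NetworkManager/system-connections/ as root, then `nmcli connection reload` so NetworkManager re-reads the keyfiles. As the report notes, any later edit in the GUI writes the blank line back, so this only holds until the next save from the editor.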