#1004166 strongswan-nm: Creates VPN configs that disable using system CA certificate directories
- Package: strongswan-nm
- Source: strongswan
- Description: strongSwan plugin to interact with NetworkManager
- Submitter: Daniel Fussell
- Date: 2022-01-25 08:24:04 UTC
- Severity: important
Dear Maintainer,

After upgrading from Buster to Bullseye, I found that NetworkManager is no longer able to start Strongswan VPN connections that use the system's CA certificate store. The daemon.log shows the following error during phase1:

    charon-nm: 05[LIB] opening '' failed: No such file or directory

Specifying the appropriate CA cert for the provided server cert fixes the issue, at least until the server starts using a cert signed by a different CA root cert (e.g. changing CA vendor, vendor changes root cert for whatever reason, new server cert is a different cert service class, etc).

Removing the blank "certificate=" line from the VPN connection config in /etc/NetworkManager/system-connections/ restores the original behavior. However, modifying the connection config in NetworkManager will again add the blank "certificate=" line, once again breaking the connection config.

Setting "certificate=" to a large cert file like /etc/ssl/certs/ca-certificates.crt does not allow one to restore the original behavior. As I recall, it seems to try a few certs, then fails as not being able to verify the server cert chain. I have not tested if a smaller combined CA cert file would work.

I would expect the user to decide if they wished to use system certificates, or even a small set of trusted CA certificates. This could be done as in the past, by specifying a blank certificate field, or by a plugin option (either in the connection editor, or in /etc/strongswan/charon configs for charon-nm) that allows the user to select if they want to use system CA certs, a smaller set of trusted certs (e.g. /etc/ipsec.d/cacerts), or the current behavior of only trusting a single CA cert.
Hi Daniel,

I can't reproduce this. What does the "Certificate" file chooser display when you open the editor? "(None)"?

Regards,
Tobias
The NetworkManager strongswan VPN plugin config will write a text config file with the 'certificate=' line. For example, the following resulting connection config snippet would be broken because no certificate was specified in the GUI:

    ...
    [vpn]
    address=vpn.example.com
    certificate=
    encap=yes
    ...

Changing that snippet to the following makes the connection work using system certificates:

    ...
    [vpn]
    address=vpn.example.com
    encap=yes
    ...

Notice the missing 'certificate=' line. However, any change made in the GUI would restore the certificate= line as shown below:

    ...
    [vpn]
    address=different-vpn.example.com
    certificate=
    encap=yes
    ...

Thus, manually modifying the GUI-created VPN config is a temporary workaround, but it will break eventually when the user applies something in the GUI, and a new config is written out.

The GUI config should not include a 'certificate=' line when the GUI's "Certificate:" field is left blank. Alternatively, strongswan should assume 'certificate=' indicates the system certificates should be used.

Does that answer your question?
Hi Daniel,

As I said, I can't reproduce this. I can change whatever in the GUI, no "certificate=" line is added to the config file. I don't see how. The GUI checks gtk_file_chooser_get_filename() and only if that returns a value != NULL will "certificate" be written to the config. That's why I was asking what the GUI actually displays in that file chooser in your case.

According to the reference [1], NULL is returned "if no file is selected, or the selected file can't be represented with a local filename", I don't think an empty string should be returned. Yes, we could add a check for an empty string, but the setting shouldn't be there with an empty string in the first place.

Regards,
Tobias

[1] https://docs.gtk.org/gtk3/method.FileChooser.get_filename.html
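The two messages above describe the same defect from opposite ends: the submitter's keyfile snippets show a blank `certificate=` entry in the `[vpn]` section that makes charon-nm open `''` instead of falling back to the system CA store, and the maintainer's reply explains that the editor only writes the key when the file chooser returns a non-NULL path. The following is an added example, not code from the strongswan or NetworkManager projects, that audits a connection keyfile for that blank entry, strips the offending line while leaving the rest of the file untouched (the manual workaround the submitter describes), and expresses the write-side rule with an empty-string check added as an assumption on top of the NULL check the reply mentions. The sample keyfile is constructed to mirror the report's snippets and is not a real connection.

```python
"""Audit a NetworkManager keyfile connection for a blank 'certificate=' entry.

Added example for Debian bug #1004166; not part of strongswan-nm.  A blank
'certificate=' in [vpn] makes charon-nm try to open '' instead of using the
system CA directories, so we detect it, remove it, and show the editor-side
rule that would avoid writing it in the first place.
"""
import configparser
import sys
from typing import Optional

# Constructed sample mirroring the report's snippets (not a real connection).
BROKEN_KEYFILE = """\
[connection]
id=Example VPN
type=vpn

[vpn]
address=vpn.example.com
certificate=
encap=yes
service-type=org.freedesktop.NetworkManager.strongswan
"""


def parse_keyfile(text: str) -> configparser.ConfigParser:
    """Parse a NetworkManager keyfile; keys are case-sensitive, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp


def find_empty_certificate(text: str) -> bool:
    """Return True if [vpn] carries a 'certificate' key whose value is blank."""
    cp = parse_keyfile(text)
    if not cp.has_section("vpn"):
        return False
    value = cp.get("vpn", "certificate", fallback=None)
    return value is not None and value.strip() == ""


def strip_empty_certificate(text: str) -> str:
    """Remove a blank 'certificate=' line from [vpn], keeping all other lines verbatim.

    Re-serialising through configparser would reorder and reformat the file, so
    the edit is done line by line inside the [vpn] section only.
    """
    out = []
    section = None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section == "vpn":
            key, sep, value = stripped.partition("=")
            if sep and key.strip() == "certificate" and value.strip() == "":
                continue  # drop the blank entry
        out.append(line)
    return "".join(out)


def should_write_certificate(chosen: Optional[str]) -> bool:
    """Editor-side rule: write 'certificate' only for a real, non-empty path.

    The reply says the editor checks for NULL; treating "" the same way is an
    assumption added here, matching the fix the maintainer says could be made.
    """
    return chosen is not None and chosen.strip() != ""


if __name__ == "__main__":
    # Usage: python check_keyfile.py /etc/NetworkManager/system-connections/<file>
    # Without an argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_KEYFILE
    if find_empty_certificate(text):
        print("blank 'certificate=' found in [vpn]; sanitized keyfile follows:")
        print(strip_empty_certificate(text), end="")
    else:
        print("no blank 'certificate=' entry in [vpn]")
```

Run against a file under /etc/NetworkManager/system-connections/ (root-only, mode 0600) the script prints the cleaned keyfile rather than rewriting it in place; as the submitter notes, any later save from the editor re-adds the blank line, so the durable fix belongs in the plugin's write path, which `should_write_certificate` models.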