#1004166 strongswan-nm: Creates VPN configs that disable using system CA certificate directories

Package:
strongswan-nm
Source:
strongswan
Description:
strongSwan plugin to interact with NetworkManager
Submitter:
Daniel Fussell
Date:
2022-01-25 08:24:04 UTC
Severity:
important
#1004166#5
Date:
2022-01-22 02:49:12 UTC
From:
To:
Dear Maintainer,

After upgrading from Buster to Bullseye, found that NetworkManager is
no longer able to start Strongswan VPN connections that use the system's
CA certificate store.  The daemon.log shows the following error during
phase1:

	charon-nm: 05[LIB]   opening '' failed: No such file or directory

Specifying the appropriate CA cert for the provided server cert fixes
the issue, at least until the server starts using a cert signed by a
different CA root cert (e.g. changing CA vendor, vendor changes root
cert for whatever reason, new server cert is a different cert service
class, etc).

Removing the blank "certificate=" line from the VPN connection config in
/etc/NetworkManager/system-connections/ restores the original behavior.
However, modifying the connection config in NetworkManager will again add
the blank "certificate=" line, once again breaking the connection config.

Setting "certificate=" to a large cert file like
/etc/ssl/certs/ca-certificates.crt does not allow one to restore the
original behavior.  As I recall, it seems to try a few certs, then fails
as not being able to verify the server cert chain.  I have not tested if
a smaller combined CA cert file would work.

I would expect the user to decide if they wished to use
system certificates, or even a small set of trusted CA certificates.
This could be done as in the past, by specifying a blank certificate
field, or by a plugin option (either in the connection editor, or
in /etc/strongswan/charon configs for charon-nm) that allows the user to select if
they want to use system CA certs, a smaller set of trusted certs (e.g.
/etc/ipsec.d/cacerts), or the current behavior of only trusting a
single CA cert.

#1004166#10
Date:
2022-01-24 09:00:41 UTC
From:
To:
Hi Daniel,

I can't reproduce this.  What does the "Certificate" file chooser
display when you open the editor?  "(None)"?

Regards,
Tobias

#1004166#20
Date:
2022-01-24 21:44:47 UTC
From:
To:
NetworkManager strongswan VPN plugin config will write a text config
file with the 'certificate=' line.  For example, the following resulting
connection config snippet would be broken because no certificate was
specified in the GUI:

...

[vpn]
address=vpn.example.com
certificate=
encap=yes
...


Changing that snippet to the following makes the connection work using
system certificates:

...

[vpn]
address=vpn.example.com
encap=yes
...


Notice the missing 'certificate=' line.  However, any change made in the
GUI would restore the certificate= line as shown below:

...

[vpn]
address=different-vpn.example.com
certificate=
encap=yes
...

Thus, manually modifying the GUI-created VPN config is a temporary
workaround, but it will break eventually when the user applies
something in the GUI, and a new config is written out.

The GUI config should not include a 'certificate=' line when the GUI's
"Certificate:" field is left blank.  Alternatively, strongswan should
assume 'certificate=' indicates the system certificates should be used.

Does that answer your question?

#1004166#30
Date:
2022-01-25 08:21:25 UTC
From:
To:
Hi Daniel,

As I said, I can't reproduce this.  I can change whatever in the GUI, no
"certificate=" line is added to the config file.

I don't see how.  The GUI checks gtk_file_chooser_get_filename() and
only if that returns a value != NULL will "certificate" be written to
the config.  That's why I was asking what the GUI actually displays in
that file chooser in your case.

According to the reference [1], NULL is returned "if no file is
selected, or the selected file can't be represented with a local
filename", I don't think an empty string should be returned.

Yes, we could add a check for an empty string, but the setting shouldn't
be there with an empty string in the first place.

Regards,
Tobias

[1] https://docs.gtk.org/gtk3/method.FileChooser.get_filename.html
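An added check, not part of the bug report or of the plugin's own code: it parses a NetworkManager keyfile like the snippets quoted above, flags an empty certificate= key in the [vpn] section (the condition that makes charon-nm try to open ''), strips that line the way the manual workaround does, and models the writer-side guard Tobias describes, treating both NULL and an empty string as "no file chosen". The sample keyfile and the function names are constructed for illustration.

```python
import configparser
from typing import Optional

# Constructed sample keyfile: the GUI's "Certificate" field was left blank,
# so the plugin wrote an empty certificate= key into the [vpn] section.
BROKEN_CONFIG = """\
[connection]
id=office-vpn
type=vpn

[vpn]
address=vpn.example.com
certificate=
encap=yes
service-type=org.freedesktop.NetworkManager.strongswan
"""


def parse_keyfile(text: str) -> configparser.ConfigParser:
    """Parse a NetworkManager keyfile (GLib key-file, INI-like syntax)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    return cp


def has_empty_certificate(text: str) -> bool:
    """True when [vpn] carries certificate= with an empty value; charon-nm
    then tries to open '' instead of falling back to the system CA store."""
    cp = parse_keyfile(text)
    return bool(cp.has_option("vpn", "certificate")
                and cp.get("vpn", "certificate") == "")


def drop_empty_certificate(text: str) -> str:
    """Remove an empty certificate= line from [vpn] (the manual workaround),
    leaving every other line, including comments and order, untouched."""
    out, in_vpn = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_vpn = stripped == "[vpn]"
        key, sep, value = stripped.partition("=")
        if in_vpn and key.strip() == "certificate" and sep and not value.strip():
            continue  # this is the line that breaks the connection
        out.append(line)
    return "\n".join(out) + "\n"


def should_write_certificate(filename: Optional[str]) -> bool:
    """Writer-side guard: NULL (None) and "" both mean 'no file chosen'."""
    return bool(filename)
```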
