Hi,

On 22 August 2016 at 16:12, Yves-Alexis Perez <cor...@debian.org> wrote:
> On Mon., 2016-08-22 at 14:23 +0200, Raphael Geissert wrote:
>> Attached patch makes charon-nm default to using /etc/ssl/certs.
>
> Thanks for the patch, it looks good at first sight, but I wonder if we really
> want to have a (valid) default CA store for a VPN client. That means that by
> default a client would accept any CA from CA mafia, which might be useful (or
> at least unavoidable) for a browser, but not really the expected behavior for
> a VPN client.
>
> What do you think?
I think that in any case the patch is an improvement over the current default, as it:
- adds the local certificates from /usr/local/share/ca-certificates
- removes trust from any certificate that root may have disabled system-wide

OTOH, now that the starter plugin is no longer loaded for Network-Manager-initiated connections, a good default could be /etc/ipsec.d/cacerts. It doesn't exist by default in a pure strongswan-nm installation, however.

One thing that must be noted is that right now the default has an important significance, given that no CAdir can be configured for charon-nm.

As a side note, I've plans to work on adding support for configuring a directory, but I've no ETA for that.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net