Hi Kai,
2018-06-12 16:55 GMT+03:00 Kai Engert <kaie(a)kuix.de>:
If a single CA list for both TLS and VPNs was used, and a user added a
VPN's private CA to that shared list, it would technically enable the
VPN operator to issue false certificates, and TLS clients like Firefox
would then trust such false certificates. This side effect of installing
a VPN's private CA should be avoided.
Therefore I agree with you, the directory for VPN CAs should be
configured separately.
Are there any VPNs that use server certificates issued by web CAs? All
VPNs that I have seen personally used their own CA certificates.
A public VPN service provider might conceivably use a certificate
issued by a well-known public CA to spare the clients the hassle of
installing custom CA certificates.
> I came up with /etc/pki/vpn, that is not currently populated in
> Fedora. Would there be a more appropriate choice, governed by PKI
> policies that I'm not aware of?
If the directory format expected by charon-nm might be different from
the input expect by other vpn clients, then it might make sense to
define a directory specifically for charon-nm. If you think it's
reusable, it might make sense to define the file format expected in that
directory. For TLS, because different tools require the list of CAs in
different format, we have chosen the approach that is documented in the
update-ca-trust(8) manual apge.
Does charon-nm want individual files? Does it expect specific filenames,
like the hashed filenames that openssl may use? Does it expect files in
PEM or DER format? Does it support files in which multiple certificates
are concatenated, or does it accept only one CA per file? These are
example attributes, that might cause the contents of the directory to
work only for the charon-nm tool, but not for others.
Accordingly to the documentation and my brief analysis of the code,
charon-nm can load both PEM or DER. It tries to load all files present
in the configured directory as CA certificates, using OpenSSL
functions to parse the formats.
It supports concatenated certificate bundles at least in PEM format; I
verified that it works with the bundle file in
/etc/pki/ca-trust/extracted/openssl. So I think the directory can be
shared between charon-nm and other VPN clients using standard PKI
formats.
Best regards,
Mikhail