
charon-nm: only a single CA cert file is loaded from "server certificate" file #2219

Open
LuKePicci opened this issue Apr 18, 2024 · 3 comments

Comments

@LuKePicci

Root Issue

When a certificate file is selected for the server, the nm backend loads only a single cert from that file, even if it is a PEM bundle of both CA certs.

Affected use cases

This breaks PEAP/EAP-TLS/EAP-TTLS/etc. when the IPsec gateway authenticates itself via a different CA from the one behind the TLS handshake within EAP, which is quite common when using a RADIUS server.

Code affected

```c
/* gateway/CA cert */
str = nm_setting_vpn_get_data_item(vpn, "certificate");
if (str)
{
	/* a configured file is parsed into exactly one certificate object */
	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
							  BUILD_FROM_FILE, str, BUILD_END);
	if (!cert)
	{
		g_set_error(err, NM_VPN_PLUGIN_ERROR,
					NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
					"Loading gateway certificate failed.");
		return FALSE;
	}
	/* only that single cert ends up in the trusted credential set */
	priv->creds->add_certificate(priv->creds, cert);
}
else
{
	/* no certificate defined, fall back to system-wide CA certificates */
	priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
								lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
}
```

Workaround

When no cert file is selected, the nm backend loads all certs from the system CA folder. Putting the same CA certs bundle PEM file in that folder makes TLS-based EAP methods work again.

Expected fix

All certs from inside that file should be loaded as trusted CAs or gateway/server cert.

@tobiasbrunner
Member

> When a certificate file is selected for the server, the nm backend loads only a single cert from that file, even if it is a PEM bundle of both CA certs.

Yeah, strongSwan does not support certificate bundles. Changing that is currently not planned.

> When no cert file is selected, the nm backend loads all certs from the system CA folder.

You can also configure your own directory (that e.g. only contains the CA certificates you need) via the charon-nm.ca_dir option.

> Putting the same CA certs bundle PEM file in that folder makes TLS-based EAP methods working again.

Not unless that bundle is processed by a tool and split up into separate files. There is no difference in how files are loaded from the configured directory vs. when configured in the GUI.

@harridu

harridu commented Apr 20, 2024

https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.

Maybe it's oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not. Just my $0.02.

@tobiasbrunner
Member

> https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.

Don't think so. Not only was that created long before basic support for TLS-based EAP methods was added to charon-nm with bc3eda9 in 2020, the main issue is that libcharon-extra-plugins does not ship the eap-peap plugin (it does ship the eap-ttls plugin, though).

> Maybe its oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not.

strongSwan's certificate parsers can only handle a single certificate per file. So loading a directory with multiple files, each containing a trusted certificate, is straightforward, loading multiple certificates from a single file is not.
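The "split the bundle into separate files" workaround described in the replies above, as an added example that is neither part of this thread nor strongSwan's own tooling: it writes each certificate of a PEM bundle to its own file in a directory that can then be pointed to via charon-nm.ca_dir, and checks that every resulting file holds exactly one certificate. The bundle contents are constructed placeholders, not real certificates; the directory path in the comment is an assumption.

```shell
#!/bin/sh
# split_pem_bundle BUNDLE OUTDIR
# Copies every "-----BEGIN CERTIFICATE-----" .. "-----END CERTIFICATE-----"
# block of BUNDLE into OUTDIR/ca-N.pem (one cert per file, as charon-nm's
# load_ca_dir() expects) and prints the number of files written.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/ca-" n ".pem"; inblock = 1 }
        inblock                          { print > out }
        /^-----END CERTIFICATE-----$/   { inblock = 0; close(out) }
        END                              { print n + 0 }
    ' "$bundle"
}

# count_certs FILE: number of certificates in FILE; strongSwan's parser
# only reads the first one, so anything other than 1 means silently dropped CAs.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# verify_ca_dir DIR: succeed only if each *.pem in DIR holds exactly one cert.
verify_ca_dir() {
    for f in "$1"/*.pem; do
        [ "$(count_certs "$f")" = "1" ] || { echo "not a single-cert file: $f" >&2; return 1; }
    done
}

# Constructed sample bundle (placeholder bodies, NOT real certificates):
# first block stands for the gateway CA, second for the RADIUS/EAP server CA.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgR0FURVdBWSBDQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUkFESVVTIENB
-----END CERTIFICATE-----
EOF
}

# Typical use (assumed path): split_pem_bundle bundle.pem /etc/strongswan/nm-ca
# and verify_ca_dir /etc/strongswan/nm-ca, then set in strongswan.conf:
#   charon-nm { ca_dir = /etc/strongswan/nm-ca }
```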
