charon-nm: only a single CA cert file is loaded from "server certificate" file about strongswan HOT 3 OPEN

When a certificate file is selected for the server, the nm backend loads only a single cert from that file, even if it is a PEM bundle of both CA certs.

Yeah, strongSwan does not support certificate bundles. Changing that is currently not planned.

When no cert file is selected, the nm backend loads all certs from the system CA folder.

You can also configure your own directory (that e.g. only contains the CA certificates you need) via charon-nm.ca_dir option.

Putting the same CA certs bundle PEM file in that folder makes TLS-based EAP methods working again.

Not unless that bundle is processed by a tool and split up into separate files. There is no difference in how files are loaded from the configured directory vs. when configured in the GUI.

from strongswan.

https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.

Maybe its oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not. Just my $0.02.

from strongswan.

https://bugs.debian.org/853266 doesn't provide sufficient details, but it might be related.

Don't think so. Not only was that created long before basic support for TLS-based EAP methods was added to charon-nm with bc3eda9 in 2020, the main issue is that libcharon-extra-plugins does not ship the eap-peap plugin (it does ship the eap-ttls plugin, though).

Maybe its oversimplified, but I find it difficult to understand that a directory providing 2 certificates is supported, while a file providing the same 2 certificates is not.

strongSwan's certificate parsers can only handle a single certificate per file. So loading a directory with multiple files, each containing a trusted certificate, is straight-forward, loading multiple certificates from a single file is not.

from strongswan.