Feature #10570

OpenVPN Export for iOS should use .ovpn12 for certs and private key

Added by Viktor Gurov 4 months ago. Updated 4 months ago.

Status: New
Priority: Very Low
Assignee: -
Category: OpenVPN Client Export
Target version: -
Start date: 05/19/2020
Due date:
% Done: 0%
Estimated time:

Description

https://forum.netgate.com/topic/144204/openvpn-export-for-ios-should-use-ovpn12-for-certs-and-private-key:

Have a look here:
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/

The way things are currently set up, the private key and cert are saved in the iOS Networking/preferences.plist, and they will show up in plaintext if you ever send a sysdiagnose to Apple.

You may verify this for yourself by triggering a sysdiagnose on an iOS device which has imported a pfSense profile exported with the exporter "for iOS" into OpenVPN Connect. Grab the sysdiagnose file from the iOS device and unpack. Examine the ProfileContent nodes in

logs/Networking/com.apple.networkextension.plist
logs/Networking/preferences.plist

You will find the complete, plaintext content of the .ovpn file.
If it was in your .ovpn file, it's there.

By following the recommendations in the OpenVPN link above, only the ca is in the .ovpn file, while the cert and key stay secret in the keystore.
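
The check described above can be scripted. This is an added example, not part of the original report or of pfSense: it walks a plist for ProfileContent values and reports which inline OpenVPN blocks each embedded profile carries. The sample plist and its nesting are constructed, and it is an assumption that ProfileContent appears as an ordinary dictionary key.

```python
import plistlib
import re

# Inline OpenVPN blocks that carry secret material (cert and ca are public).
SECRET_BLOCKS = {"key", "pkcs12", "tls-auth", "tls-crypt"}
OPEN_TAG = re.compile(r"^<([a-z0-9-]+)>\s*$", re.MULTILINE)

def profile_contents(node):
    """Yield every value stored under a 'ProfileContent' key, at any depth."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == "ProfileContent":
                yield value
            else:
                yield from profile_contents(value)
    elif isinstance(node, list):
        for item in node:
            yield from profile_contents(item)

def audit(plist_bytes):
    """Per embedded profile: inline block names found, and which are secret."""
    findings = []
    for content in profile_contents(plistlib.loads(plist_bytes)):
        if isinstance(content, bytes):
            content = content.decode("utf-8", errors="replace")
        if not isinstance(content, str):
            continue
        blocks = set(OPEN_TAG.findall(content))
        # Report names only, so the audit output never repeats key material.
        findings.append({"blocks": sorted(blocks),
                         "secrets": sorted(blocks & SECRET_BLOCKS)})
    return findings

# Constructed sample data: the nesting around ProfileContent is an assumption.
INLINE = ("client\nremote vpn.example.com 1194\n<ca>\nCONSTRUCTED\n</ca>\n"
          "<cert>\nCONSTRUCTED\n</cert>\n<key>\nCONSTRUCTED\n</key>\n")
CA_ONLY = "client\nremote vpn.example.com 1194\n<ca>\nCONSTRUCTED\n</ca>\n"
SAMPLE = plistlib.dumps({"configs": [{"ProfileContent": INLINE},
                                     {"ProfileContent": CA_ONLY.encode()}]})

if __name__ == "__main__":
    for number, finding in enumerate(audit(SAMPLE), 1):
        verdict = "EXPOSED" if finding["secrets"] else "ok"
        print(number, verdict, finding["blocks"], finding["secrets"])
```

To check a real capture, pass the bytes of one of the plist files named above to `audit()`; `plistlib.loads` reads both XML and binary plists.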

History

#1 Updated by Jim Pingle 4 months ago

  • Priority changed from Normal to Very Low

If we change anything at all, it should only affect the Viscosity bundle export format. Nothing else.

If Apple utilities are leaking private data to Apple, that seems like an Apple problem to me.
