Feature #10570
OpenVPN Export for iOS should use .ovpn12 for certs and private key
Description
Have a look here:
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
The way things are currently set up, the private key and cert are saved in the iOS Networking/preferences.plist, and they will show up in plaintext if you ever send a sysdiagnose to Apple.
You may verify this for yourself by triggering a sysdiagnose on an iOS device which has imported a pfSense profile exported with the exporter "for iOS" into OpenVPN Connect. Grab the sysdiagnose file from the iOS device and unpack. Examine the ProfileContent nodes in
logs/Networking/com.apple.networkextension.plist
logs/Networking/preferences.plist
You will find the complete, plaintext content of the .ovpn file.
If it was in your .ovpn file, it's there.
By following the recommendations in the OpenVPN link above, only the CA is in the .ovpn file, while the cert and key stay secret in the keystore.
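The check described above can be scripted against the plists from an unpacked sysdiagnose. This is an added example, not code from the issue or from pfSense or OpenVPN; it assumes only that the profile text sits under a key named ProfileContent somewhere in the plist, and the sample plist with its other key names is constructed. It reports which sensitive markers are present without printing any key material.

```python
"""Audit plists from an unpacked sysdiagnose for inline OpenVPN credentials."""
import plistlib
import re

# Inline sections that should live in the keychain instead; <ca> alone is fine.
SENSITIVE = re.compile(r"<(cert|key)>|-----BEGIN [A-Z ]*PRIVATE KEY-----")

def profile_contents(node, path=""):
    """Yield (path, text) for every ProfileContent value at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}/{k}"
            if k == "ProfileContent" and isinstance(v, (str, bytes)):
                text = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
                yield here, text
            else:
                yield from profile_contents(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from profile_contents(v, f"{path}[{i}]")

def audit(plist_bytes):
    """Return {path: sorted sensitive markers found} for one XML or binary plist."""
    findings = {}
    for path, text in profile_contents(plistlib.loads(plist_bytes)):
        hits = sorted({m.group(0) for m in SENSITIVE.finditer(text)})
        if hits:
            findings[path] = hits
    return findings

# Constructed sample: nesting and key names other than ProfileContent are made up.
SAMPLE = plistlib.dumps({
    "Services": [
        {"Name": "inline", "VPN": {"ProfileContent":
            "client\nremote vpn.example.test 1194\n<ca>\nPLACEHOLDER\n</ca>\n"
            "<cert>\nPLACEHOLDER\n</cert>\n<key>\n-----BEGIN PRIVATE KEY-----\n"
            "PLACEHOLDER\n-----END PRIVATE KEY-----\n</key>\n"}},
        {"Name": "keychain", "VPN": {"ProfileContent":
            b"client\nremote vpn.example.test 1194\n<ca>\nPLACEHOLDER\n</ca>\n"}},
    ]
})

if __name__ == "__main__":
    for path, hits in audit(SAMPLE).items():
        print(path, hits)
```

To audit a real capture, pass the bytes of each of the two plist files named above to `audit()`; an empty result means no inline cert or key was found in any ProfileContent value.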
Updated by Jim Pingle over 4 years ago
- Priority changed from Normal to Very Low
If we change anything at all, it should only affect the Viscosity bundle export format. Nothing else.
If Apple utilities are leaking private data to Apple, that seems like an Apple problem to me.