NetworkManager does not allow setting --no-system-trust for openconnect VPNs
Specifying a CA certificate for an OpenConnect VPN does not ensure that this is checked.
Unless --no-system-trust is set in addition, OpenConnect additionally trusts any CA certificate in the system trust store. So the "CA certificate" option is misleading, and a change of the VPN provider from one CA to another is not alerted upon on the client side.
NetworkManager does not expose the --no-system-trust option nor enforce that when a CA certificate is set.
I propose to default to --no-system-trust if a CA certificate is set, and have it user configurable separately.
Please also note this bug report against plasma-nm: https://bugs.kde.org/show_bug.cgi?id=401611
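
The trust behaviour described in this report, modelled with the openssl CLI as an added example (not part of the original report, and not OpenConnect or NetworkManager code). The CA names, the host name vpn.example.test and the bundle files are constructed, and the system trust store is modelled by a second throwaway CA.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up.
WORK=$(mktemp -d)

# Create a self-signed demo CA. $1 = file prefix, $2 = subject CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue the VPN gateway's certificate from the CA named by $1.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/srv.pem" 2>/dev/null
}

# Succeeds if the gateway certificate chains to a CA in bundle $1.
# (The machine's real trust store cannot match: both CAs are throwaway.)
verify_with() {
    openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1
}

setup_demo() {
    make_ca configured "Demo Configured CA"   # the CA the user set for the VPN
    make_ca other "Demo Other CA"             # stands in for any system-store CA
    make_server_cert other                    # provider moved to the other CA
    # Trust set with --no-system-trust: only the configured CA.
    cp "$WORK/configured.pem" "$WORK/trust-configured-only.pem"
    # Trust set without it: configured CA plus the (modelled) system store.
    cat "$WORK/configured.pem" "$WORK/other.pem" > "$WORK/trust-with-system.pem"
}

setup_demo
for bundle in trust-configured-only trust-with-system; do
    if verify_with "$WORK/$bundle.pem"; then
        echo "$bundle: gateway certificate ACCEPTED"
    else
        echo "$bundle: gateway certificate REJECTED"
    fi
done
```

Only the configured-only bundle rejects the re-issued gateway certificate; with the system store in the trust set, the CA change goes through without any failure the client could surface.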