openvpn and openssl problems on the client side

Everything to do with GNU/Linux, especially on the sysadmin side.

Moderator: Federico.Lagni

richardsith
Cisco fan
Posts: 37
Joined: Tue 08 Jul 2008, 1:44 pm
Location: everywhere

Hi everyone,
after setting up a simple VPN using a key shared between the 2 machines for authentication, I'm now trying to do the same thing using the openssl protocol. But I ran into a problem: the configuration phase seems to work, so much so that the server log shows no problems, while the client's reports the following error:

Tue Aug 5 20:14:00 2008 Restart pause, 5 second(s)
Tue Aug 5 20:14:05 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Aug 5 20:14:05 2008 WARNING: file 'client.key' is group or others accessible
Tue Aug 5 20:14:05 2008 /usr/bin/openssl-vulnkey -q -b 512 -m <modulus omitted>
WARN: could not open database for 512 bits. Skipped
Tue Aug 5 20:14:05 2008 LZO compression initialized
Tue Aug 5 20:14:05 2008 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Aug 5 20:14:05 2008 TUN/TAP device tun0 opened
Tue Aug 5 20:14:05 2008 TUN/TAP TX queue length set to 100
Tue Aug 5 20:14:05 2008 ifconfig tun0 10.0.0.3 pointopoint 10.0.0.2 mtu 1500
Tue Aug 5 20:14:05 2008 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
Tue Aug 5 20:14:05 2008 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Aug 5 20:14:05 2008 Local Options hash (VER=V4): 'decd4d95'
Tue Aug 5 20:14:05 2008 Expected Remote Options hash (VER=V4): '8e04699f'
Tue Aug 5 20:14:05 2008 Attempting to establish TCP connection with 192.168.0.2:5000 [nonblock]
Tue Aug 5 20:14:06 2008 TCP connection established with 192.168.0.2:5000
Tue Aug 5 20:14:06 2008 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Aug 5 20:14:06 2008 TCPv4_CLIENT link local (bound): 192.168.0.3:1194
Tue Aug 5 20:14:06 2008 TCPv4_CLIENT link remote: 192.168.0.2:5000
Tue Aug 5 20:14:06 2008 TLS: Initial packet from 192.168.0.2:5000, sid=671cc98a dacd4cc8
Tue Aug 5 20:14:06 2008 VERIFY ERROR: depth=0, error=self signed certificate: /C=IT/ST=ITALY/L=AVEZZANO/O=TEST/OU=TEST/CN=TEST
Tue Aug 5 20:14:06 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Aug 5 20:14:06 2008 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 5 20:14:06 2008 TLS Error: TLS handshake failed
Tue Aug 5 20:14:06 2008 Fatal TLS error (check_tls_errors_co), restarting
Tue Aug 5 20:14:06 2008 TCP/UDP: Closing socket
Tue Aug 5 20:14:06 2008 route del -net 10.0.0.0 netmask 255.255.255.0
Tue Aug 5 20:14:06 2008 Closing TUN/TAP interface
Tue Aug 5 20:14:06 2008 SIGUSR1[soft,tls-error] received, process restarting
Tue Aug 5 20:14:06 2008 Restart pause, 5 second(s)

I'd point out that when I restart the daemons the service starts without problems. Below I list the files present on the client and those on the server.
These are the client's:
-rw-r--r-- 1 root root 639 2008-08-05 19:32 ca.crt
-rw-r--r-- 1 root root 639 2008-08-05 19:33 client.crt
-rw-r--r-- 1 root root 513 2008-08-05 19:09 client.csr
-rw-r--r-- 1 root root 493 2008-08-05 18:49 client.key
-rw-r--r-- 1 root root 238 2008-08-05 18:19 openvpn.conf
-rw-r--r-- 1 root root 217 2008-08-05 18:03 openvpn.conf.backup
-rw------- 1 root root 111 2008-08-05 19:55 openvpn.conf.save
-rwxr-xr-x 1 root root 1352 2008-05-14 13:54 update-resolv-conf
while the server's are the following:
-rw-r--r-- 1 root root 639 2008-08-05 18:36 ca.crt
-rw-r--r-- 1 root root 513 2008-08-05 18:35 ca.csr
-rw-r--r-- 1 root root 497 2008-08-05 18:35 ca.key
-rw-r--r-- 1 root root 17 2008-08-05 19:19 ca.srl
-rw-r--r-- 1 root root 639 2008-08-05 19:19 client.crt
-rw-r--r-- 1 riccardo riccardo 513 2008-08-05 19:18 client.csr
-rw-r--r-- 1 root root 245 2008-08-05 18:49 dh.pem
-rw-r--r-- 1 root root 191 2008-08-05 18:08 openvpn.conf
-rw-r--r-- 1 root root 160 2008-08-05 17:52 openvpn.conf.backup
-rw-r--r-- 1 root root 639 2008-08-05 18:50 server.crt
-rw-r--r-- 1 root root 513 2008-08-05 18:39 server.csr
-rw-r--r-- 1 root root 493 2008-08-05 18:38 server.key
-rwxr-xr-x 1 root root 1352 2008-06-11 23:20 update-resolv-conf

Can anyone give me a hand? Thanks in advance. Oh, I forgot to write that I used openssl to create the keys and signatures (e.g. openssl genrsa -out client.key).
richardsith
Cisco fan
Posts: 37
Joined: Tue 08 Jul 2008, 1:44 pm
Location: everywhere

Thanks everyone, problem solved.
marialisa
n00b
Posts: 1
Joined: Wed 17 Sep 2008, 4:28 pm

richardsith wrote: Thanks everyone, problem solved.
Hi, sorry, but I have the same problem as you. Could you tell me how you solved it?
Here is my log file:

root@lisalinux:~# sudo openvpn --config /etc/openvpn/clientca.conf
Wed Sep 17 17:32:08 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Wed Sep 17 17:32:08 2008 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Sep 17 17:32:08 2008 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Wed Sep 17 17:32:08 2008 TUN/TAP device tap1 opened
Wed Sep 17 17:32:08 2008 ifconfig tap1 10.23.24.2 netmask 255.255.255.252 mtu 1500 broadcast 10.23.24.3
Wed Sep 17 17:32:09 2008 Attempting to establish TCP connection with 151.97.9.141:5000 [nonblock]
Wed Sep 17 17:32:10 2008 TCP connection established with 151.97.9.141:5000
Wed Sep 17 17:32:10 2008 TCPv4_CLIENT link local: [undef]
Wed Sep 17 17:32:10 2008 TCPv4_CLIENT link remote: 151.97.9.141:5000
Wed Sep 17 17:32:10 2008 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=IT/ST=CT/L=CATANIA/O=OPENVPN-TEST/CN=OPENVPN-TEST_CA/emailAddress=[email protected]
Wed Sep 17 17:32:10 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 17 17:32:10 2008 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 17 17:32:10 2008 TLS Error: TLS handshake failed
Wed Sep 17 17:32:10 2008 Fatal TLS error (check_tls_errors_co), restarting
Wed Sep 17 17:32:10 2008 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 17 17:32:11 2008 SIGINT[hard,init_instance] received, process exiting
root@lisalinux:~#


On the client I have the following certificates:
ca.crt
ca.key
vpnclient.crt
vpnclient.csr
vpnclient.key


on the server:
ca.crt
ca.key
serve.crt
serve.csr
serve.key
dh1024

What am I doing wrong? Am I missing some file?
I'm anxiously awaiting your help.
Thanks
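The two logs above show the same root cause in two forms: at depth=0 the server certificate itself is self-signed (never issued by the CA the client trusts), and at depth=1 the CA that issued it is not the ca.crt the client loads. The script below is an added example, not either poster's files or configuration: it builds a throw-away CA and the three certificate situations with constructed names and subjects, then shows the openssl checks a defender runs before touching the OpenVPN config: does the server certificate chain to the client's ca.crt, do key and certificate belong together, and do the key permissions trigger the "group or others accessible" warning.

```shell
#!/bin/sh
# Added diagnostic for the "VERIFY ERROR ... self signed certificate" failures in the thread:
# the client trusts only ca.crt, so the server certificate it receives must chain to that file.
# All file names and subjects here are constructed for the demo, not the posters' files.
set -eu

# Does CERT ($2) chain to the CA in CAFILE ($1)? openssl verify exits 0 on success and
# non-zero with the same wording OpenVPN logged ("self signed certificate", "... in certificate chain").
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does the private key ($1) belong to the certificate ($2)? Compare digests of the RSA modulus.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1" | openssl sha256)" = \
    "$(openssl x509 -noout -modulus -in "$2" | openssl sha256)" ]
}

# Cause of "WARNING: file 'client.key' is group or others accessible": mode must be 0600 or 0400.
key_perms_ok() {
  case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
    600|400) return 0 ;; *) return 1 ;;
  esac
}

# Build a fixture in a temp dir and print its path:
#   server.crt      signed by ca.crt                     (correct)
#   selfsigned.crt  self-signed, never submitted to a CA  (first log: depth=0)
#   othersigned.crt signed by a CA the client does not trust (second log: depth=1)
make_fixture() {
  d=$(mktemp -d); cd "$d"
  for n in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.crt" -days 1 -subj "/CN=DEMO-$n" >/dev/null 2>&1
  done
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=DEMO-SERVER" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1 >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA other.crt -CAkey other.key -CAcreateserial -out othersigned.crt -days 1 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key -out selfsigned.crt -days 1 -subj "/CN=DEMO-SERVER" >/dev/null 2>&1
  chmod 600 server.key; chmod 644 selfsigned.key   # 644 is what the first poster's ls -l shows for client.key
  echo "$d"
}

demo() {
  d=$(make_fixture)
  for c in server selfsigned othersigned; do
    if check_chain "$d/ca.crt" "$d/$c.crt"; then echo "$c.crt: chains to ca.crt";
    else echo "$c.crt: NOT trusted via ca.crt (OpenVPN would log VERIFY ERROR)"; fi
  done
  key_matches_cert "$d/server.key" "$d/server.crt" && echo "server.key matches server.crt"
  key_matches_cert "$d/selfsigned.key" "$d/server.crt" || echo "selfsigned.key does not match server.crt"
  key_perms_ok "$d/server.key" && echo "server.key: permissions ok"
  key_perms_ok "$d/selfsigned.key" || echo "selfsigned.key: group/others readable (OpenVPN warning)"
}
demo
```

Run the same three functions against the real ca.crt, server.crt and server.key on the server (and ca.crt, client.crt, client.key on the client) to see which of the three situations you are in.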