LINUX.ORG.RU

OpenVPN TLS error when verifying the certificate

It seems to be complaining about a bad certificate, but the cause is not clear. Connection.Log:

[one@localhost ~]$ openvpn --cd /home/one/openvpn/Client1 --config opClient1.conf
Wed Mar  5 10:13:39 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Wed Mar  5 10:13:39 2014 WARNING: file '/home/one/openvpn/Client1/KClient1.pem' is group or others accessible
Wed Mar  5 10:13:39 2014 Control Channel Authentication: using '/home/one/openvpn/Client1/ta.key' as a OpenVPN static key file
Wed Mar  5 10:13:39 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  5 10:13:39 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar  5 10:13:39 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
Wed Mar  5 10:13:39 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Mar  5 10:13:39 2014 UDPv4 link local (bound): [undef]
Wed Mar  5 10:13:39 2014 UDPv4 link remote: [AF_INET]192.168.1.1:1194
Wed Mar  5 10:13:39 2014 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=0df6a107 7d987c71
Wed Mar  5 10:13:40 2014 VERIFY ERROR: depth=0, error=self signed certificate: O=Company, CN=Client1
Wed Mar  5 10:13:40 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar  5 10:13:40 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Mar  5 10:13:40 2014 TLS Error: TLS handshake failed
Wed Mar  5 10:13:40 2014 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar  5 10:13:40 2014 Restart pause, 2 second(s)
Wed Mar  5 10:13:42 2014 Socket Buffers: R=[124928->131072] S=[124928->131072]
Wed Mar  5 10:13:42 2014 UDPv4 link local (bound): [undef]
Wed Mar  5 10:13:42 2014 UDPv4 link remote: [AF_INET]192.168.1.1:1194
Wed Mar  5 10:13:42 2014 TLS Error: Unroutable control packet received from [AF_INET]192.168.1.1:1194 (si=3 op=P_CONTROL_V1)
Wed Mar  5 10:13:42 2014 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=5d3bd5ee 6eea5d26
Wed Mar  5 10:13:43 2014 TLS Error: Unroutable control packet received from [AF_INET]192.168.1.1:1194 (si=3 op=P_CONTROL_V1)
OPserv.conf:
dev               tap
#local             89.169.4.79
port              1194
proto             udp
server            10.0.0.0 255.255.255.0
push              "route 10.0.0.0 255.255.255.0"
route             192.168.1.0 255.255.255.0
client-config-dir ccd
client-to-client
tls-server
log               /opt/etc/openvpn/vpn.log
dh                /opt/etc/ssl/dh2048.pem
ca                /opt/etc/ssl/CA_cert.pem
cert              /opt/etc/ssl/certs/server.pem
key               /opt/etc/ssl/keys/server.pem
crl-verify        /opt/etc/ssl/crl/crl.pem
tls-auth          /opt/etc/ssl/ta.key 0
comp-lzo
keepalive         10 120
tun-mtu           1500
mssfix            1450
persist-key
persist-tun
user              jffs
group             jffs
verb              3

opClient1.conf:

client
dev          tap
proto        udp
remote       192.168.1.1
tls-client
#tls-remote   Client1
ca           "/home/one/openvpn/Client1/CA_cert.pem"
cert         "/home/one/openvpn/Client1/CClient1.pem"
key          "/home/one/openvpn/Client1/KClient1.pem"
tls-auth     "/home/one/openvpn/Client1/ta.key" 1
ns-cert-type server
comp-lzo
tun-mtu      1500
mssfix       1450
persist-key
persist-tun
user         one
group        one
verb         3

Time settings on the server and on the client:

/opt/etc/ssl # date;date -R
Wed Mar  5 10:34:27 UTC 2014
Wed, 05 Mar 2014 10:34:27 +0400

[one@localhost one]# date;date -R
Срд Мар  5 10:34:28 MSK 2014
Wed, 05 Mar 2014 10:34:28 +0400

openssl.cnf:

[ ca ]
default_ca               = CA_default
[ CA_default ]
dir                      = /etc/ssl
crl_dir                  = $dir/crl
database                 = $dir/index.txt
new_certs_dir            = $dir/certs
certificate              = $dir/CA_cert.pem
serial                   = $dir/serial
crl                      = $dir/crl/crl.pem
private_key              = $dir/private/CA_key.pem
RANDFILE                 = $dir/private/.rand
default_days             = 3650
default_crl_days         = 365
default_md               = md5
unique_subject           = yes
policy                   = policy_any
x509_extensions          = user_extensions
[ policy_any ]
organizationName         = match
organizationalUnitName   = optional
commonName               = supplied
[ req ]
default_bits             = 2048
default_keyfile          = privkey.pem
distinguished_name       = req_distinguished_name
x509_extensions          = CA_extensions
[ req_distinguished_name ]
organizationName         = Organization Name (must match CA)
organizationName_default = Company
organizationalUnitName   = Location Name
commonName               = Common User or Org Name
commonName_max           = 64
[ user_extensions ]
basicConstraints         = CA:FALSE
[ CA_extensions ]
basicConstraints         = CA:TRUE
#default_days             = 3650
[ server ]
basicConstraints         = CA:FALSE
nsCertType               = server

Show the four outputs of openssl verify, on the client and on the server, for the client and the server certificate.

anonymous ()
Reply to: comment from anonymous

Client

[one@localhost Client1]$ openssl verify CA_cert.pem
CA_cert.pem: O = Company, CN = Client1
error 18 at 0 depth lookup:self signed certificate
OK
[one@localhost Client1]$ openssl verify CClient1.pem 
CClient1.pem: O = Company, CN = Client1
error 18 at 0 depth lookup:self signed certificate
OK
[one@localhost Client1]$ openssl verify KClient1.pem
unable to load certificate
140506893313864:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
[one@localhost Client1]$ openssl verify ta.key
unable to load certificate
140257194796872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Server

/opt/etc/ssl # openssl verify CA_cert.pem
CA_cert.pem: O = Company, CN = Client1
error 18 at 0 depth lookup:self signed certificate
OK
/opt/etc/ssl # openssl verify certs/CClient1.pem
certs/CClient1.pem: O = Company, CN = Client1
error 18 at 0 depth lookup:self signed certificate
OK
/opt/etc/ssl # openssl verify keys/KClient1.pem
unable to load certificate
731010116:error:0906D06C:lib(9):func(109):reason(108):NA:0:Expecting: TRUSTED CERTIFICATE
/opt/etc/ssl # openssl verify ta.key
unable to load certificate
723715140:error:0906D06C:lib(9):func(109):reason(108):NA:0:Expecting: TRUSTED CERTIFICATE

QIQuJIunn ★★ ()
Reply to: comment from QIQuJIunn

/opt/etc/ssl # openssl verify certs/CClient1.pem
certs/CClient1.pem: O = Company, CN = Client1
error 18 at 0 depth lookup:self signed certificate
OK

Here is the problem: this must not be a self-signed certificate.

Also check /opt/etc/ssl/certs/server.pem

Dramokl ()
Reply to: comment from QIQuJIunn

Also, when verifying certificates you have to point at your own CA explicitly (unless you added it to the root list), something like this:

openssl verify -CAfile

ta.key and KClient1.pem are not certificates; there is no need to verify them.

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It says clearly here that the error is in the server certificate; most likely it is self-signed.

Dramokl ()
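To make the two points of the last two replies concrete (verify against your own CA with `-CAfile`, and a server certificate must be issued by the CA rather than self-signed), here is an added, self-contained check script. It is not code from the thread or from OpenVPN: it builds a throwaway CA, a server certificate signed by that CA with the `nsCertType = server` extension that the client's `ns-cert-type server` line expects, and a self-signed certificate of the kind the thread's `openssl verify` output reveals. All names, subjects and the temporary directory are assumptions for the demo. A certificate whose issuer equals its subject is self-signed; `openssl verify -CAfile CA_cert.pem server.pem` must print `server.pem: OK` with no `error ...` line for OpenVPN's handshake to succeed.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "self signed certificate"
# the way the replies suggest, on a throwaway demo PKI.  Everything under
# $WORK is constructed here; the subjects mimic the thread only for clarity.
set -u

WORK=$(mktemp -d)
CA_CERT="$WORK/CA_cert.pem"
SERVER_CERT="$WORK/server.pem"
SELF_SIGNED="$WORK/selfsigned.pem"

make_demo_pki() {
  # 1. The CA itself: self-signed by design (req -x509 sets CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Company/CN=Demo CA" \
    -keyout "$WORK/CA_key.pem" -out "$CA_CERT" 2>/dev/null
  # 2. A proper server certificate: CSR signed by the CA, with the
  #    nsCertType=server extension that "ns-cert-type server" checks.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Company/CN=server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nnsCertType = server\n' > "$WORK/server.ext"
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$CA_CERT" -CAkey "$WORK/CA_key.pem" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$SERVER_CERT" 2>/dev/null
  # 3. A self-signed certificate: what the thread's certs look like.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Company/CN=Client1" \
    -keyout "$WORK/selfsigned.key" -out "$SELF_SIGNED" 2>/dev/null
}

# Returns 0 only when issuer == subject, i.e. the certificate signed itself.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 only when the certificate carries nsCertType = server.
has_ns_server_type() {
  openssl x509 -noout -text -in "$1" | grep -q 'SSL Server'
}

# Returns 0 only when $2 chains to the CA in $1 with no "error N ..." line.
# Older OpenSSL builds print the error and still say OK, so check both.
verify_against_ca() {
  rc=0
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || rc=$?
  printf '%s\n' "$out"
  [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -q 'error'
}

make_demo_pki

for c in "$CA_CERT" "$SERVER_CERT" "$SELF_SIGNED"; do
  printf '%s: self-signed=' "$(basename "$c")"
  if is_self_signed "$c"; then echo yes; else echo no; fi
done

echo "--- server.pem issued by the CA: expected OK"
verify_against_ca "$CA_CERT" "$SERVER_CERT" || echo "-> rejected"
echo "--- self-signed certificate checked against the CA: expected error 18"
verify_against_ca "$CA_CERT" "$SELF_SIGNED" || echo "-> rejected"
```

Run it as-is; it needs only the `openssl` binary. On the thread's server the equivalent check is `openssl verify -CAfile /opt/etc/ssl/CA_cert.pem /opt/etc/ssl/certs/server.pem`: if that reports `self signed certificate`, `server.pem` was produced with `req -x509` instead of being issued by the CA, which is exactly what the client's `VERIFY ERROR: depth=0, error=self signed certificate` line says.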