OpenVPN + SSL

Tomas MACOUREK konference at microware.cz
Sat Feb 5 20:12:40 CET 2005


Hello,

after a while I am coming back to OpenVPN again. We got routing working some time ago; now I am dealing with something else, namely certificates.

If I generate the certificates, from the CA down to the client one, using the easy-rsa scripts, I keep ending up with a message like the one below. Since it is clear to me that this is 99% my own doing :( I am turning to you in case you have somewhere a step-by-step description, how-to or anything on how to generate them CORRECTLY, or perhaps what to set.

With the test certificates shipped with the distribution it works ok!

===========
Sat Feb 05 20:07:01 2005 us=669880 Current Parameter Settings:
Sat Feb 05 20:07:01 2005 us=670128   config = 'C:\Program Files\OpenVPN\config\test.ovpn'
Sat Feb 05 20:07:01 2005 us=670212   mode = 0
Sat Feb 05 20:07:01 2005 us=670249   show_ciphers = DISABLED
Sat Feb 05 20:07:01 2005 us=670332   show_digests = DISABLED
Sat Feb 05 20:07:01 2005 us=670370   show_engines = DISABLED
Sat Feb 05 20:07:01 2005 us=670402   genkey = DISABLED
Sat Feb 05 20:07:01 2005 us=670438   key_pass_file = '[UNDEF]'
Sat Feb 05 20:07:01 2005 us=670476   show_tls_ciphers = DISABLED
Sat Feb 05 20:07:01 2005 us=670507   proto = 0
Sat Feb 05 20:07:01 2005 us=670538 NOTE: --mute triggered...
Sat Feb 05 20:07:01 2005 us=670597 177 variation(s) on previous 10 message(s) suppressed by --mute
Sat Feb 05 20:07:01 2005 us=670648 OpenVPN 2.0_rc6 Win32-MinGW [SSL] [LZO] built on Dec 20 2004
Sat Feb 05 20:07:01 2005 us=670951 WARNING: No server certificate verification method has been enabled.  See http://openvpn.sourceforge.net/howto.html#mitm for more info.
Sat Feb 05 20:07:01 2005 us=674490 LZO compression initialized
Sat Feb 05 20:07:01 2005 us=674697 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb 05 20:07:01 2005 us=681234 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Feb 05 20:07:01 2005 us=681442 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Feb 05 20:07:01 2005 us=681610 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb 05 20:07:01 2005 us=681771 Local Options hash (VER=V4): 'd79ca330'
Sat Feb 05 20:07:01 2005 us=681978 Expected Remote Options hash (VER=V4): 'f7df56b8'
Sat Feb 05 20:07:01 2005 us=682157 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Feb 05 20:07:01 2005 us=682265 UDPv4 link local (bound): [undef]:5021
Sat Feb 05 20:07:01 2005 us=682326 UDPv4 link remote: 82.142.79.161:5021
Sat Feb 05 20:07:01 2005 us=696812 TLS: Initial packet from 82.142.79.161:5021, sid=90e5c1ee a7c967c8
Sat Feb 05 20:07:01 2005 us=828861 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CZ/ST=NA/L=PRAGUE/O=Test_SRV/CN=SERVER/emailAddress=security na mi.cz
Sat Feb 05 20:07:01 2005 us=829563 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Feb 05 20:07:01 2005 us=829692 TLS Error: TLS object -> incoming plaintext read error
Sat Feb 05 20:07:01 2005 us=829834 TLS Error: TLS handshake failed
Sat Feb 05 20:07:01 2005 us=830054 TCP/UDP: Closing socket
Sat Feb 05 20:07:01 2005 us=830721 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 05 20:07:01 2005 us=830939 Restart pause, 2 second(s)
Sat Feb 05 20:07:03 2005 us=822352 WARNING: No server certificate verification method has been enabled.  See http://openvpn.sourceforge.net/howto.html#mitm for more info.
Sat Feb 05 20:07:03 2005 us=822557 Re-using SSL/TLS context
Sat Feb 05 20:07:03 2005 us=822694 LZO compression initialized
Sat Feb 05 20:07:03 2005 us=822828 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Feb 05 20:07:03 2005 us=825128 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Feb 05 20:07:03 2005 us=825331 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Feb 05 20:07:03 2005 us=825462 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Feb 05 20:07:03 2005 us=825594 Local Options hash (VER=V4): 'd79ca330'
Sat Feb 05 20:07:03 2005 us=825669 Expected Remote Options hash (VER=V4): 'f7df56b8'
Sat Feb 05 20:07:03 2005 us=826038 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Feb 05 20:07:03 2005 us=826156 UDPv4 link local (bound): [undef]:5021
Sat Feb 05 20:07:03 2005 us=826226 UDPv4 link remote: 82.142.79.161:5021
Sat Feb 05 20:07:03 2005 us=844829 TLS Error: Unroutable control packet received from 82.142.79.161:5021 (si=3 op=P_CONTROL_V1)
Sat Feb 05 20:07:03 2005 us=847654 TLS Error: Unroutable control packet received from 82.142.79.161:5021 (si=3 op=P_CONTROL_V1)
Sat Feb 05 20:07:03 2005 us=850819 TLS Error: Unroutable control packet received from 82.142.79.161:5021 (si=3 op=P_CONTROL_V1)
Sat Feb 05 20:07:03 2005 us=853443 TLS Error: Unroutable control packet received from 82.142.79.161:5021 (si=3 op=P_CONTROL_V1)
Sat Feb 05 20:07:03 2005 us=854281 TLS: Initial packet from 82.142.79.161:5021,

================

Thanks for any advice

Tomas
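The log above fails at `VERIFY ERROR: depth=1, error=certificate is not yet valid`, which OpenSSL raises when the verifying host's clock is earlier than the certificate's notBefore (depth 0 is the server's own certificate, depth 1 its issuer). The following triage script is an added example, not part of this post or of OpenVPN: it parses the OpenVPN 2.0 client log format shown here, pulls out every verification failure with its depth and subject DN, maps the OpenSSL reason to the thing to check first, and flags the "No server certificate verification method" warning the log also carries. The sample log embedded in it is constructed from the lines in the post, with the e-mail address replaced by a placeholder.

```python
"""Triage an OpenVPN client log for certificate-verification failures.

Added example, not part of the mailing-list post or of OpenVPN itself.
The sample log is constructed from the post (e-mail address replaced by
a placeholder). Timestamps are parsed as naive datetimes, as the log has
no zone information.
"""
import re
from datetime import datetime

# Constructed sample modelled on the client log in the post.
SAMPLE_LOG = """\
Sat Feb 05 20:07:01 2005 us=670951 WARNING: No server certificate verification method has been enabled.  See http://openvpn.sourceforge.net/howto.html#mitm for more info.
Sat Feb 05 20:07:01 2005 us=828861 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CZ/ST=NA/L=PRAGUE/O=Test_SRV/CN=SERVER/emailAddress=admin@example.invalid
Sat Feb 05 20:07:01 2005 us=829563 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Feb 05 20:07:01 2005 us=829834 TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ (?P<msg>.*)$"
)
VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>/.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# OpenSSL verify reasons as OpenVPN prints them, and where to look first.
REASON_HINTS = {
    "certificate is not yet valid":
        "notBefore is later than the verifying host's clock; compare the "
        "client clock with the certificate's notBefore (a freshly issued "
        "cert plus a slow or wrongly zoned clock is the usual cause)",
    "certificate has expired":
        "notAfter is in the past; renew the certificate or fix the clock",
    "unable to get local issuer certificate":
        "the CA that signed this cert is not in the client's --ca file",
    "self signed certificate in certificate chain":
        "the chain ends in a CA the client does not trust",
}


def parse_dn(dn: str) -> dict:
    """Turn '/C=CZ/CN=SERVER' into {'C': 'CZ', 'CN': 'SERVER'}."""
    parts = [p for p in dn.split("/") if p]
    return dict(p.split("=", 1) for p in parts)


def parse_verify_errors(log_text: str) -> list:
    """Extract every VERIFY ERROR line with timestamp, depth, reason, subject."""
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        v = VERIFY_RE.search(m.group("msg"))
        if not v:
            continue
        errors.append({
            "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
            "depth": int(v.group("depth")),  # 0 = leaf cert, 1 = its issuer
            "reason": v.group("reason"),
            "subject": parse_dn(v.group("subject")),
        })
    return errors


def classify_validity(not_before: datetime, not_after: datetime,
                      now: datetime) -> str:
    """The validity-window test OpenSSL applies, spelled out for a given clock."""
    if now < not_before:
        return "certificate is not yet valid"
    if now > not_after:
        return "certificate has expired"
    return "valid"


def triage(log_text: str) -> list:
    """Return human-readable findings for the verification problems in a log."""
    findings = []
    if "No server certificate verification method has been enabled" in log_text:
        findings.append(
            "config: the client does not check that the peer holds a server "
            "certificate; add --ns-cert-type server (OpenVPN 2.0) so a client "
            "cert signed by the same CA cannot be presented as the server")
    for err in parse_verify_errors(log_text):
        who = err["subject"].get("CN", "?")
        hint = REASON_HINTS.get(err["reason"], "see OpenSSL verify(1) for this reason")
        findings.append(f"depth={err['depth']} CN={who}: {err['reason']} -> {hint}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the two findings for the post's log; point `triage()` at a real client log to get the same summary. The `classify_validity()` helper lets you reproduce the "not yet valid" verdict once you have read notBefore/notAfter from the certificate (for example with `openssl x509 -noout -dates`) and compare it against the clock of the machine that did the verifying rather than the one that issued the certificate.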


More information about the Linux mailing list