OpenVPN ssl VERIFY ERROR: depth=0, error=certificate signature failure on the TI am335x-evm platform

I am trying to port the OpenVPN client (2.3.8) to an ARMS embedded device. After setting up the cross-compile build I was able to run it on ARMS, but somehow, when I start openvpn on ARMS, it shows an error: VERIFY ERROR: depth=0, error=certificate signature failure. Below is the ARMS OpenVPN client log:

root@am335x-evm:~# ./openvpn client25.conf 
Fri Sep 25 09:51:06 2015 OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 25 2015
Fri Sep 25 09:51:06 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.06
Fri Sep 25 09:51:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 25 09:51:06 2015 WARNING: file '/home/root/client1.key' is group or others accessible
Fri Sep 25 09:51:06 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Sep 25 09:51:06 2015 UDPv4 link local: [undef]
Fri Sep 25 09:51:06 2015 UDPv4 link remote: [AF_INET]192.168.87.25:1194
Fri Sep 25 09:51:06 2015 TLS: Initial packet from [AF_INET]192.168.87.25:1194, sid=b7b62cd9 973685ba
Fri Sep 25 09:51:06 2015 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, [email protected]
Fri Sep 25 09:51:06 2015 VERIFY ERROR: depth=0, error=certificate signature failure: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, [email protected]
Fri Sep 25 09:51:06 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Fri Sep 25 09:51:06 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 25 09:51:06 2015 TLS Error: TLS handshake failed
Fri Sep 25 09:51:06 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 25 09:51:06 2015 Restart pause, 2 second(s)

The OpenVPN server (2.3.8) is installed on an Ubuntu 14.04 desktop; all of the client/server certificates were generated with easy-rsa on that desktop.

I tried the same ca.crt, client.crt and client.key on another OpenVPN client installed on an Ubuntu Linux desktop, and they work fine there.

Somehow, for some reason, it does not work on the embedded ARMS (OpenVPN client).

Here I attach the dump of ca.crt and client1.crt. I also tried "openssl verify" on my embedded ARMS, but it fails with the following log: "error 7 at 0 depth lookup:certificate signature failure". The detailed log is shown below:

root@am335x-evm:~# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015
OpenSSL>quit
root@am335x-evm:~# openssl x509 -in ca.crt -text       
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:16:7f:96:50:e9:bf:e4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Sep 25 08:00:49 2015 GMT
            Not After : Sep 22 08:00:49 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd:
                    e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21:
                    a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf:
                    38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b:
                    ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5:
                    0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74:
                    16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26:
                    d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8:
                    7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70:
                    2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e:
                    24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f:
                    9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b:
                    b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86:
                    21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7:
                    da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f:
                    ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37:
                    c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9:
                    79:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/[email protected]
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af:
         cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8:
         f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5:
         80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03:
         f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86:
         ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05:
         73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20:
         0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80:
         08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32:
         c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06:
         2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb:
         47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45:
         af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2:
         c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c:
         0d:c8:39:40
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
root@am335x-evm:~# 
root@am335x-evm:~# openssl x509 -in client1.crt -text      
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Sep 25 08:02:05 2015 GMT
            Not After : Sep 22 08:02:05 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30:
                    64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90:
                    f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44:
                    31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55:
                    21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79:
                    1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94:
                    77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81:
                    57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff:
                    a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5:
                    ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e:
                    9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b:
                    28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20:
                    c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80:
                    29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb:
                    f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24:
                    5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd:
                    a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb:
                    5e:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/[email protected]
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:client1
    Signature Algorithm: sha256WithRSAEncryption
         2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa:
         37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d:
         62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35:
         34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a:
         4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34:
         60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22:
         e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1:
         87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00:
         cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04:
         d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4:
         22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d:
         25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53:
         f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d:
         89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d:
         f1:6c:49:95
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVFcx
CzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoTB0ZveGNvbm4x
DDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAOBgNVBCkTB0Vh
c3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29t
MB4XDTE1MDkyNTA4MDIwNVoXDTI1MDkyMjA4MDIwNVowgZoxCzAJBgNVBAYTAlRX
MQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMRAwDgYDVQQKEwdGb3hjb25u
MQwwCgYDVQQLEwNJT1QxEDAOBgNVBAMTB2NsaWVudDExEDAOBgNVBCkTB0Vhc3lS
U0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2CR7lomoCfo2IQNHqDBk5kIG
X0vj4vlKt+p305DzfrN40NLGKacGxsuaV0QxuFUiTBjMMFtX8Tvk/FUhoDIGKrDs
04RisirCe3kbYSdwdE3V6CoWN+kXepR3B8bdhNiGR6usXKONwoFX2pZUuhi18NYU
QTuTg/+ni3FCUqJHo4sFsjhOl9XsIejjTcrdMcNsZxHOpg6cBRhWNd+nbZQaH9np
SVsovXlxOg0kQhZ71bGVoyDA06jpUGofHcW/P9TYRoApHLIx9Pe8XUME/JgQ7evx
wf2fPrYWJ3SmcWGEjyRdFGWtvk/EbD+2efxWts2jZw7Dxih52m+ylwFoe/teWQID
AQABo4IBaTCCAWUwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0Eg
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSZftTKzRYloDdva9t8eUVf
KAH4GTCB0wYDVR0jBIHLMIHIgBSC7XgY3Fdus6oPHrYKFDRejhSTJaGBpKSBoTCB
njELMAkGA1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAO
BgNVBAoTB0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUt
Q0ExEDAOBgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNo
aWVuQGZveGNvbm4uY29tggkA5RZ/llDpv+QwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
CwYDVR0PBAQDAgeAMBIGA1UdEQQLMAmCB2NsaWVudDEwDQYJKoZIhvcNAQELBQAD
ggEBAC18aXSXJmKz7Yrp6kPsQ6e7qjdvZcpgie8Oui5lZrdbyppoXWLh69Yq4VZT
AEths2z3CSpKNTSSh34KqUUinK8x3cmOFt7QKkqqrcMgKjT9EnM9UBK2NO8HNGAV
A7SSBM8ZTtV7zjed85xhIuP2u1BPXaXM581m4McJe4T+0Yfk+DR8DoE01v+BgrnM
qNq/AM8Fk2aB9+6iJhQGUzNe7ZdHBNCnWMeG/9woPRPJteNaHuKVxCJxuQRZrcAc
8i3PNcICLd/MnSWFl2sVOTDHqi7uMJat9D8EU/N9bBVk680jBbo6GKbk4eqPDYkO
InKR03gbX05X98mzXDKrHfFsSZU=
-----END CERTIFICATE-----
root@am335x-evm:~# 
root@am335x-evm:~# openssl verify -verbose -CAfile ca.crt client1.crt
client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = [email protected]
error 7 at 0 depth lookup:certificate signature failure
3067647712:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
3067647712:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
root@am335x-evm:~# 

With the same files and the same openssl verify command on the OpenVPN server (Ubuntu desktop) and on the other OpenVPN client (Ubuntu desktop), it works fine.

From searching the Internet, it may be due to the default_md setting in the easy-rsa configuration. So I tried changing default_md to md5, sha1 and sha256; I tried them all, but it still fails with the same error.

Can anyone suggest why openssl on my ARMS cannot verify the certificate? Is there anything else I should check? I have been stuck on this for a few hours already; thanks for your help!!

Best regards, James.
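Since the same files verify on Ubuntu but not on the board, the open question is whether the certificates are wrong or the board's libcrypto is. The following check settles that without involving OpenSSL at all; it is added here and is not part of the original post. It takes client1.crt exactly as dumped above, rebuilds the CA's RSA public key from the modulus and exponent printed in the ca.crt dump (the ca.crt PEM itself is not on the page), and performs RSASSA-PKCS1-v1_5 / SHA-256 verification with Python integer arithmetic and hashlib only. The DER walker is a minimal one written for this check and handles only what an X.509 certificate needs. A True result on the board means the chain is sound and the failure is inside the platform library; a False result on every machine would point back at the certificates.

```python
import base64
import hashlib

# client1.crt exactly as it appears in the question's `openssl x509 -text` output.
CLIENT1_PEM = """-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVFcx
CzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoTB0ZveGNvbm4x
DDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAOBgNVBCkTB0Vh
c3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29t
MB4XDTE1MDkyNTA4MDIwNVoXDTI1MDkyMjA4MDIwNVowgZoxCzAJBgNVBAYTAlRX
MQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMRAwDgYDVQQKEwdGb3hjb25u
MQwwCgYDVQQLEwNJT1QxEDAOBgNVBAMTB2NsaWVudDExEDAOBgNVBCkTB0Vhc3lS
U0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2CR7lomoCfo2IQNHqDBk5kIG
X0vj4vlKt+p305DzfrN40NLGKacGxsuaV0QxuFUiTBjMMFtX8Tvk/FUhoDIGKrDs
04RisirCe3kbYSdwdE3V6CoWN+kXepR3B8bdhNiGR6usXKONwoFX2pZUuhi18NYU
QTuTg/+ni3FCUqJHo4sFsjhOl9XsIejjTcrdMcNsZxHOpg6cBRhWNd+nbZQaH9np
SVsovXlxOg0kQhZ71bGVoyDA06jpUGofHcW/P9TYRoApHLIx9Pe8XUME/JgQ7evx
wf2fPrYWJ3SmcWGEjyRdFGWtvk/EbD+2efxWts2jZw7Dxih52m+ylwFoe/teWQID
AQABo4IBaTCCAWUwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0Eg
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSZftTKzRYloDdva9t8eUVf
KAH4GTCB0wYDVR0jBIHLMIHIgBSC7XgY3Fdus6oPHrYKFDRejhSTJaGBpKSBoTCB
njELMAkGA1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAO
BgNVBAoTB0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUt
Q0ExEDAOBgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNo
aWVuQGZveGNvbm4uY29tggkA5RZ/llDpv+QwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
CwYDVR0PBAQDAgeAMBIGA1UdEQQLMAmCB2NsaWVudDEwDQYJKoZIhvcNAQELBQAD
ggEBAC18aXSXJmKz7Yrp6kPsQ6e7qjdvZcpgie8Oui5lZrdbyppoXWLh69Yq4VZT
AEths2z3CSpKNTSSh34KqUUinK8x3cmOFt7QKkqqrcMgKjT9EnM9UBK2NO8HNGAV
A7SSBM8ZTtV7zjed85xhIuP2u1BPXaXM581m4McJe4T+0Yfk+DR8DoE01v+BgrnM
qNq/AM8Fk2aB9+6iJhQGUzNe7ZdHBNCnWMeG/9woPRPJteNaHuKVxCJxuQRZrcAc
8i3PNcICLd/MnSWFl2sVOTDHqi7uMJat9D8EU/N9bBVk680jBbo6GKbk4eqPDYkO
InKR03gbX05X98mzXDKrHfFsSZU=
-----END CERTIFICATE-----"""
# CA RSA public key transcribed from the question's `openssl x509 -in ca.crt -text` dump
# (modulus with the colons stripped); the ca.crt PEM itself is not present on the page.
CA_N = int("00d33abeb8cf91e1000e200e7631bde664f3e12a60d6d3d73cd8e1300e21a77cb726e29d96ddd02d26f21ccecf"
           "38715a24913c849a2d44232e98389bea70a5247557a4f42f1667500c28b50e71c35b76a70bebcdcc3439f49b74"
           "16404b5c944307efaa0328036bc826d5548fe12e4b67394b5c6a64e628d87a62757c68f3b544eb2aefbaa83870"
           "2ec102acff60b26573285b9302671e24f2f2aa89b05958cad13759ec2f2f9e76d702a604021c54a2775a348d1b"
           "b9684f0a3c6f908bf3bdfb4d4ffb8621bcee5e1e72937d413cd039a489c7da75102c8ab01dd56519a1a12e223f"
           "ba1563be29c008db5212bde6332a37c734a1be71df62aa1d2024df9502d979f3", 16)
CA_E = 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2 note 1

def der_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Return [(tag, value, raw_with_header), ...] for the elements of a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte of each arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_certificate(pem):
    """Split a PEM certificate into tbsCertificate bytes, serial, signature OID and signature."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = der_tlv(base64.b64decode(body))  # Certificate ::= SEQUENCE { tbs, alg, sig }
    (_, tbs, tbs_raw), (_, alg, _), (_, sig, _) = der_children(cert)
    fields = der_children(tbs)
    serial_idx = 1 if fields[0][0] == 0xA0 else 0  # [0] EXPLICIT version is optional
    return {"tbs": tbs_raw,  # the signature covers the whole TLV, header included
            "serial": int.from_bytes(fields[serial_idx][1], "big", signed=True),
            "sig_alg_oid": decode_oid(der_children(alg)[0][1]),
            "signature": sig[1:]}  # drop the BIT STRING unused-bits byte

def verify_pkcs1_v15_sha256(message, signature, n, e):
    """RSASSA-PKCS1-v1_5 / SHA-256 verification (RFC 8017, 8.2.2) with integer math and hashlib only."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def check_client1():
    """Parsed client1.crt fields plus whether the CA key from the dump validates its signature."""
    cert = parse_certificate(CLIENT1_PEM)
    cert["signature_valid"] = verify_pkcs1_v15_sha256(cert["tbs"], cert["signature"], CA_N, CA_E)
    return cert

if __name__ == "__main__":
    print({k: v for k, v in check_client1().items() if k in ("serial", "sig_alg_oid", "signature_valid")})
```

Because the check never calls into libcrypto, it gives the same answer on the desktop and on the board, which is what makes the comparison with the board's "INT_RSA_VERIFY:bad signature" informative. The same script can be pointed at any other leaf/CA pair by replacing the PEM and the modulus/exponent constants with values from the corresponding `openssl x509 -text` output.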

Answer 1

Finally, I found out that it was a problem with the openssl library of the TI am335x-evm. I have now worked around this problem by porting my own openssl library; I have tested that both (1.0.1g and 1.0.1p) work fine, and OpenVPN now works as expected. By the way, I already opened a ticket with TI via

https://e2e.ti.com/support/arm/sitara_arm/f/791/t/455089

And according to TI, this problem should be fixed in the latest SDK V01.00.00.03. I am just trying to confirm that the latest TI SDK does not have the problem. Thanks.

Best regards, James
