Openvpn
OpenVPN ssl 驗證錯誤:深度=0,錯誤=TI am335x-evm 平台中的證書籤名失敗
我嘗試將 openVPN 客戶端(2.3.8)移植到 ARMS 嵌入式設備。設置交叉編譯後,我能夠在 ARMS 中執行,不知何故,當我在 ARMS 中啟動 openvpn 時,它顯示錯誤:驗證錯誤:深度 = 0,錯誤 = 證書籤名,以下是 ARMS OpenVPN 客戶端日誌:
root@am335x-evm:~# ./openvpn client25.conf Fri Sep 25 09:51:06 2015 OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 25 2015 Fri Sep 25 09:51:06 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.06 Fri Sep 25 09:51:06 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Fri Sep 25 09:51:06 2015 WARNING: file '/home/root/client1.key' is group or others accessible Fri Sep 25 09:51:06 2015 Socket Buffers: R=[163840->131072] S=[163840->131072] Fri Sep 25 09:51:06 2015 UDPv4 link local: [undef] Fri Sep 25 09:51:06 2015 UDPv4 link remote: [AF_INET]192.168.87.25:1194 Fri Sep 25 09:51:06 2015 TLS: Initial packet from [AF_INET]192.168.87.25:1194, sid=b7b62cd9 973685ba Fri Sep 25 09:51:06 2015 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com Fri Sep 25 09:51:06 2015 VERIFY ERROR: depth=0, error=certificate signature failure: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com Fri Sep 25 09:51:06 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134) Fri Sep 25 09:51:06 2015 TLS Error: TLS object -> incoming plaintext read error Fri Sep 25 09:51:06 2015 TLS Error: TLS handshake failed Fri Sep 25 09:51:06 2015 SIGUSR1[soft,tls-error] received, process restarting Fri Sep 25 09:51:06 2015 Restart pause, 2 second(s)OpenVPN 伺服器(2.3.8)安裝在 Ubuntu 14.04 桌面上,所有客戶端/伺服器證書都是在這個桌面上使用 easy-rsa 生成的。
我已經嘗試過相同的 ca.crt 和 client.crt,client.key,將在另一個安裝了 Ubuntu Linux Desktop 的 OpenVPN 客戶端中正常工作
不知何故,由於某種原因,它不能在嵌入式 ARMS 中工作。(OpenVPN 客戶端)
這裡附上了 ca.crt 和 client1.crt 轉儲,我在嵌入式 ARMS 中嘗試了“openssl 驗證”,但它會失敗並顯示以下日誌:“”錯誤 7 在 0 深度查找:證書籤名失敗“詳細日誌如下:
root@am335x-evm:~# openssl OpenSSL> version OpenSSL 1.0.1m 19 Mar 2015 OpenSSL>quit root@am335x-evm:~# openssl x509 -in ca.crt -text Certificate: Data: Version: 3 (0x2) Serial Number: e5:16:7f:96:50:e9:bf:e4 Signature Algorithm: sha256WithRSAEncryption Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com Validity Not Before: Sep 25 08:00:49 2015 GMT Not After : Sep 22 08:00:49 2025 GMT Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd: e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21: a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf: 38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b: ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5: 0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74: 16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26: d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8: 7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70: 2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e: 24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f: 9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b: b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86: 21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7: da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f: ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37: c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9: 79:f3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25 X509v3 Authority Key Identifier: keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25 DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com serial:E5:16:7F:96:50:E9:BF:E4 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af: cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8: f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5: 80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03: f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86: ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05: 73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20: 0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80: 08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32: c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06: 2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb: 47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45: af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2: c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c: 0d:c8:39:40 -----BEGIN CERTIFICATE----- MIIEyjCCA7KgAwIBAgIJAOUWf5ZQ6b/kMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD VQQGEwJUVzELMAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTEQMA4GA1UEChMH Rm94Y29ubjEMMAoGA1UECxMDSU9UMRQwEgYDVQQDEwtzZXJ2ZXIyNS1DQTEQMA4G A1UEKRMHRWFzeVJTQTEpMCcGCSqGSIb3DQEJARYaamFtZXMuY2suY2hpZW5AZm94 Y29ubi5jb20wHhcNMTUwOTI1MDgwMDQ5WhcNMjUwOTIyMDgwMDQ5WjCBnjELMAkG A1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoT B0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAO BgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZv eGNvbm4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0zq+uM+R 4QAOIA52Mb3mZPPhKmDW09c82OEwDiGnfLcm4p2W3dAtJvIczs84cVokkTyEmi1E Iy6YOJvqcKUkdVek9C8WZ1AMKLUOccNbdqcL683MNDn0m3QWQEtclEMH76oDKANr yCbVVI/hLktnOUtcamTmKNh6YnV8aPO1ROsq77qoOHAuwQKs/2CyZXMoW5MCZx4k 8vKqibBZWMrRN1nsLy+edtcCpgQCHFSid1o0jRu5aE8KPG+Qi/O9+01P+4YhvO5e HnKTfUE80DmkicfadRAsirAd1WUZoaEuIj+6FWO+KcAI21ISveYzKjfHNKG+cd9i qh0gJN+VAtl58wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFILteBjcV26zqg8etgoU NF6OFJMlMIHTBgNVHSMEgcswgciAFILteBjcV26zqg8etgoUNF6OFJMloYGkpIGh MIGeMQswCQYDVQQGEwJUVzELMAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTEQ MA4GA1UEChMHRm94Y29ubjEMMAoGA1UECxMDSU9UMRQwEgYDVQQDEwtzZXJ2ZXIy NS1DQTEQMA4GA1UEKRMHRWFzeVJTQTEpMCcGCSqGSIb3DQEJARYaamFtZXMuY2su Y2hpZW5AZm94Y29ubi5jb22CCQDlFn+WUOm/5DAMBgNVHRMEBTADAQH/MA0GCSqG SIb3DQEBCwUAA4IBAQCbsXBSCo63eaGj7jplluZegq/Nbo+S+LgscN0o7l3BznH9 otj4+nVJySr/KuJP2EK41+Gq7LWAK2GhxUmeTUuNDJVUezJZ7gP0yvao6XLSIzfv Mx4XaOwZRYartycB9rIfzXSKlxZIypA1+gVzEAqb1Uq1Q4DyuX8eRGkS+CANGAVu NxekQh83ywB5G18HyoAIMIrJvOt92+JDKlwrqpd/AjLJYQbKGx7WqXdgSHjKLbCA AAYtuERBYvybCDuOk1/fUB/hLvtHR+Y1PT1rxSuPfaurDzF3VkWv/NE0YWYTq2hL 8Vkof+eMZaLCQ/YPUNejx+A48P3FAN5nqCwNyDlA -----END CERTIFICATE----- root@am335x-evm:~# root@am335x-evm:~# openssl x509 -in client1.crt -text Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com Validity Not Before: Sep 25 08:02:05 2015 GMT Not After : Sep 22 08:02:05 2025 GMT Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30: 64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90: f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44: 31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55: 21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79: 1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94: 77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81: 57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff: a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5: ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e: 9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b: 28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20: c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80: 29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb: f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24: 5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd: a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb: 5e:59 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Easy-RSA Generated Certificate X509v3 Subject Key Identifier: 99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19 X509v3 Authority Key Identifier: keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25 DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com serial:E5:16:7F:96:50:E9:BF:E4 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature X509v3 Subject Alternative Name: DNS:client1 Signature Algorithm: sha256WithRSAEncryption 2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa: 37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d: 62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35: 34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a: 4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34: 60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22: e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1: 87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00: cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04: d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4: 22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d: 25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53: f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d: 89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d: f1:6c:49:95 -----BEGIN CERTIFICATE----- MIIFIDCCBAigAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVFcx CzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoTB0ZveGNvbm4x DDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAOBgNVBCkTB0Vh c3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29t MB4XDTE1MDkyNTA4MDIwNVoXDTI1MDkyMjA4MDIwNVowgZoxCzAJBgNVBAYTAlRX MQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMRAwDgYDVQQKEwdGb3hjb25u MQwwCgYDVQQLEwNJT1QxEDAOBgNVBAMTB2NsaWVudDExEDAOBgNVBCkTB0Vhc3lS U0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2CR7lomoCfo2IQNHqDBk5kIG X0vj4vlKt+p305DzfrN40NLGKacGxsuaV0QxuFUiTBjMMFtX8Tvk/FUhoDIGKrDs 04RisirCe3kbYSdwdE3V6CoWN+kXepR3B8bdhNiGR6usXKONwoFX2pZUuhi18NYU QTuTg/+ni3FCUqJHo4sFsjhOl9XsIejjTcrdMcNsZxHOpg6cBRhWNd+nbZQaH9np SVsovXlxOg0kQhZ71bGVoyDA06jpUGofHcW/P9TYRoApHLIx9Pe8XUME/JgQ7evx wf2fPrYWJ3SmcWGEjyRdFGWtvk/EbD+2efxWts2jZw7Dxih52m+ylwFoe/teWQID AQABo4IBaTCCAWUwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0Eg R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSZftTKzRYloDdva9t8eUVf KAH4GTCB0wYDVR0jBIHLMIHIgBSC7XgY3Fdus6oPHrYKFDRejhSTJaGBpKSBoTCB njELMAkGA1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAO BgNVBAoTB0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUt Q0ExEDAOBgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNo aWVuQGZveGNvbm4uY29tggkA5RZ/llDpv+QwEwYDVR0lBAwwCgYIKwYBBQUHAwIw CwYDVR0PBAQDAgeAMBIGA1UdEQQLMAmCB2NsaWVudDEwDQYJKoZIhvcNAQELBQAD ggEBAC18aXSXJmKz7Yrp6kPsQ6e7qjdvZcpgie8Oui5lZrdbyppoXWLh69Yq4VZT AEths2z3CSpKNTSSh34KqUUinK8x3cmOFt7QKkqqrcMgKjT9EnM9UBK2NO8HNGAV A7SSBM8ZTtV7zjed85xhIuP2u1BPXaXM581m4McJe4T+0Yfk+DR8DoE01v+BgrnM qNq/AM8Fk2aB9+6iJhQGUzNe7ZdHBNCnWMeG/9woPRPJteNaHuKVxCJxuQRZrcAc 8i3PNcICLd/MnSWFl2sVOTDHqi7uMJat9D8EU/N9bBVk680jBbo6GKbk4eqPDYkO InKR03gbX05X98mzXDKrHfFsSZU= -----END CERTIFICATE----- root@am335x-evm:~# root@am335x-evm:~# root@am335x-evm:~# root@am335x-evm:~# root@am335x-evm:~# openssl verify -verbose -CAfile ca.crt client1.crt client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = james.ck.chien@foxconn.com error 7 at 0 depth lookup:certificate signature failure 3067647712:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290: 3067647712:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218: root@am335x-evm:~#在 OpenVPN 伺服器(Unbuntu 桌面)和另一個 OpenVPN 客戶端(Unbuntu 桌面)中使用相同的文件和相同的 Openssl 驗證命令可以正常工作。
搜尋網際網路,它可能是由easy-rsa設置中的default_md設置引起的,所以我嘗試將default_md更改為md5、sha1、sha256,我嘗試了所有但都失敗了……仍然得到同樣的錯誤。
任何人都可以建議為什麼我的 ARMS 中的 openssl 無法驗證證書,我應該檢查任何其他內容嗎?我已經在這個問題上停留了幾個小時,感謝您的幫助!!
最好的問候詹姆斯
最後,我發現這是一個 TI am335x-evm openssl 庫問題,目前我已經通過移植我自己的 openssl 庫來解決這個問題,我已經嘗試過(1.0.1g 和 1.0.1p)都可以正常工作,OpenVPN 現在可以正常工作. 順便說一句,我已經通過 TI 開了一張票
https://e2e.ti.com/support/arm/sitara_arm/f/791/t/455089
並且根據 TI,這個問題應該在最新的 SDK V01.00.00.03 中得到修復,我只是嘗試確認最新的 TI SDK 沒有這個問題,謝謝。
最好的問候詹姆斯