Openvpn

OpenVPN SSL verify error: depth=0, error=certificate signature failure on the TI am335x-evm platform

  • October 1, 2015

I am trying to port the OpenVPN client (2.3.8) to an ARMS embedded device. After setting up cross-compilation I was able to run it on the ARMS, but somehow, when I start openvpn on the ARMS, it shows the error: VERIFY ERROR: depth=0, error=certificate signature failure. Below is the ARMS OpenVPN client log:

root@am335x-evm:~# ./openvpn client25.conf 
Fri Sep 25 09:51:06 2015 OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 25 2015
Fri Sep 25 09:51:06 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.06
Fri Sep 25 09:51:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 25 09:51:06 2015 WARNING: file '/home/root/client1.key' is group or others accessible
Fri Sep 25 09:51:06 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Sep 25 09:51:06 2015 UDPv4 link local: [undef]
Fri Sep 25 09:51:06 2015 UDPv4 link remote: [AF_INET]192.168.87.25:1194
Fri Sep 25 09:51:06 2015 TLS: Initial packet from [AF_INET]192.168.87.25:1194, sid=b7b62cd9 973685ba
Fri Sep 25 09:51:06 2015 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com
Fri Sep 25 09:51:06 2015 VERIFY ERROR: depth=0, error=certificate signature failure: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com
Fri Sep 25 09:51:06 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Fri Sep 25 09:51:06 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 25 09:51:06 2015 TLS Error: TLS handshake failed
Fri Sep 25 09:51:06 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 25 09:51:06 2015 Restart pause, 2 second(s)

The OpenVPN server (2.3.8) is installed on an Ubuntu 14.04 desktop, and all client/server certificates were generated on that desktop with easy-rsa.

I have tried the same ca.crt, client.crt and client.key in another OpenVPN client installed on an Ubuntu Linux desktop, and they work fine there.

Somehow, for some reason, it does not work on the embedded ARMS (OpenVPN client).

The ca.crt and client1.crt dumps are attached here. I tried "openssl verify" on the embedded ARMS, but it fails with the following log: "error 7 at 0 depth lookup:certificate signature failure". The detailed log is as follows:

root@am335x-evm:~# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015
OpenSSL>quit
root@am335x-evm:~# openssl x509 -in ca.crt -text       
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           e5:16:7f:96:50:e9:bf:e4
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
       Validity
           Not Before: Sep 25 08:00:49 2015 GMT
           Not After : Sep 22 08:00:49 2025 GMT
       Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd:
                   e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21:
                   a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf:
                   38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b:
                   ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5:
                   0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74:
                   16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26:
                   d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8:
                   7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70:
                   2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e:
                   24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f:
                   9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b:
                   b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86:
                   21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7:
                   da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f:
                   ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37:
                   c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9:
                   79:f3
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier: 
               82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
           X509v3 Authority Key Identifier: 
               keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
               DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
               serial:E5:16:7F:96:50:E9:BF:E4

           X509v3 Basic Constraints: 
               CA:TRUE
   Signature Algorithm: sha256WithRSAEncryption
        9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af:
        cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8:
        f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5:
        80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03:
        f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86:
        ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05:
        73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20:
        0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80:
        08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32:
        c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06:
        2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb:
        47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45:
        af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2:
        c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c:
        0d:c8:39:40
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
root@am335x-evm:~# 
root@am335x-evm:~# openssl x509 -in client1.crt -text      
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 2 (0x2)
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
       Validity
           Not Before: Sep 25 08:02:05 2015 GMT
           Not After : Sep 22 08:02:05 2025 GMT
       Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30:
                   64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90:
                   f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44:
                   31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55:
                   21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79:
                   1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94:
                   77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81:
                   57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff:
                   a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5:
                   ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e:
                   9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b:
                   28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20:
                   c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80:
                   29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb:
                   f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24:
                   5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd:
                   a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb:
                   5e:59
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints: 
               CA:FALSE
           Netscape Comment: 
               Easy-RSA Generated Certificate
           X509v3 Subject Key Identifier: 
               99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
           X509v3 Authority Key Identifier: 
               keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
               DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
               serial:E5:16:7F:96:50:E9:BF:E4

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication
           X509v3 Key Usage: 
               Digital Signature
           X509v3 Subject Alternative Name: 
               DNS:client1
   Signature Algorithm: sha256WithRSAEncryption
        2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa:
        37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d:
        62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35:
        34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a:
        4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34:
        60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22:
        e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1:
        87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00:
        cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04:
        d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4:
        22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d:
        25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53:
        f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d:
        89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d:
        f1:6c:49:95
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
root@am335x-evm:~# 
root@am335x-evm:~# openssl verify -verbose -CAfile ca.crt client1.crt
client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = james.ck.chien@foxconn.com
error 7 at 0 depth lookup:certificate signature failure
3067647712:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
3067647712:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
root@am335x-evm:~# 

Using the same files and the same openssl verify command on the OpenVPN server (Ubuntu desktop) and on another OpenVPN client (Ubuntu desktop) works fine.

Searching the Internet, it may be caused by the default_md setting in the easy-rsa setup, so I tried changing default_md to md5, sha1 and sha256; I tried all of them but all failed... still getting the same error.

Can anyone suggest why openssl on my ARMS cannot verify the certificate? Is there anything else I should check? I have been stuck on this for several hours; thanks for your help!!

Best regards, James

Finally, I found that this is a TI am335x-evm openssl library issue. For now I have worked around it by porting my own openssl library; I have tried both 1.0.1g and 1.0.1p and both work fine, and OpenVPN now works fine. By the way, I have opened a ticket with TI:

https://e2e.ti.com/support/arm/sitara_arm/f/791/t/455089

and according to TI this issue should be fixed in the latest SDK V01.00.00.03. I am just trying to confirm that the latest TI SDK does not have this issue. Thanks.

Best regards, James
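The thread goes through two possible explanations, damaged certificate files versus a broken crypto library, and settles on the second by swapping in a separately built OpenSSL. The POSIX shell script below is an added example (not code from the original post, from OpenVPN or from TI) that makes that separation a repeatable check on the target: it hashes the PEM files for comparison with the desktop, confirms that the leaf's Authority Key Identifier matches the CA's Subject Key Identifier (both visible in the dumps above), classifies the `openssl verify -verbose` output by X509 error code, and then repeats the verification with an independently built OpenSSL. The `ALT_OPENSSL_PREFIX` location and the `check_chain.sh` filename are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN/TI.
# Separates "bad certificate files" from "bad libcrypto" on an embedded target.
# Hypothetical assumptions: ca.crt/client1.crt as on the page, and an
# independently built OpenSSL under $ALT_OPENSSL_PREFIX (default /opt/openssl-alt).

# 1. Integrity: the PEM files on the desktop and on the target must hash the
#    same. CRs are stripped first so a DOS line ending alone does not differ.
fingerprint_pem() {
    tr -d '\r' < "$1" | sha256sum | cut -d' ' -f1
}

# 2. Chain check without signature math: the leaf's Authority Key Identifier
#    must equal the CA's Subject Key Identifier. Prints "match" or "mismatch";
#    a mismatch means the wrong CA file is being used, not a library defect.
akid_matches_skid() {
    ca_skid=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' ')
    leaf_akid=$(openssl x509 -in "$2" -noout -text | grep -A1 'Authority Key Identifier' | tail -n1 | sed 's/^ *keyid://')
    [ -n "$ca_skid" ] && [ "$ca_skid" = "$leaf_akid" ] && echo match || echo mismatch
}

# 3. Coarse classification of `openssl verify -verbose` output.
#    error 7 = X509_V_ERR_CERT_SIGNATURE_FAILURE; depth 0 is the leaf itself.
classify_verify_output() {
    case "$1" in
        *"error 7 at 0 depth"*"certificate signature failure"*) echo leaf_signature_failure ;;
        *"error 7 at"*"certificate signature failure"*)         echo chain_signature_failure ;;
        *"unable to get local issuer certificate"*)            echo issuer_not_found ;;
        *"certificate has expired"*)                           echo expired ;;
        *": OK"*)                                              echo ok ;;
        *)                                                     echo unknown ;;
    esac
}

# 4. Run the same verification with the system libcrypto and with the
#    alternative build. Same files, failure only on the system build => library.
verify_with() {
    "$1" verify -verbose -CAfile "$2" "$3" 2>&1
}

diagnose() {
    ca="$1"; leaf="$2"; alt="${ALT_OPENSSL_PREFIX:-/opt/openssl-alt}"
    echo "sha256($ca)=$(fingerprint_pem "$ca")"
    echo "sha256($leaf)=$(fingerprint_pem "$leaf")"
    echo "AKID/SKID: $(akid_matches_skid "$ca" "$leaf")"
    sys_res=$(classify_verify_output "$(verify_with openssl "$ca" "$leaf")")
    echo "system openssl: $sys_res"
    if [ -x "$alt/bin/openssl" ]; then
        alt_res=$(classify_verify_output "$(LD_LIBRARY_PATH="$alt/lib" verify_with "$alt/bin/openssl" "$ca" "$leaf")")
        echo "alternative openssl: $alt_res"
        if [ "$sys_res" = leaf_signature_failure ] && [ "$alt_res" = ok ]; then
            echo "diagnosis: certificates verify with an independent libcrypto; the system libcrypto is at fault"
        fi
    else
        echo "no alternative openssl at $alt; compare the hashes above with the desktop first"
    fi
}

# Usage: sh check_chain.sh ca.crt client1.crt
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it on the target with the same two files used on the desktop. Matching hashes, a matching AKID/SKID pair, `leaf_signature_failure` from the system build and `ok` from the alternative build is exactly the pattern the thread ends on; a hash mismatch or `mismatch` from the key identifier check would instead point back at the files.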

Source: https://serverfault.com/questions/724735