Is it working at all?

shylion
Posts: 8
Joined: 22 Jan 2019, 13:10

Is it working at all?

Post by shylion »

Tried to set up the Windows client; it shows "Error 0x80090308: The token supplied to the function is invalid".

Next I tried to use openssl to check the server certificate:

Code:

# openssl s_client -showcerts -connect localhost:443
CONNECTED(00000003)
139672310948288:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1557142451
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
Is that correct output?

Config (sstp part; l2tp and pptp are working):

Code:

[sstp]
verbose=1
ssl-ca-file=/etc/ssl/sstp-ca.crt
ssl-pemfile=/etc/ssl/sstp-cert.pem
ssl-keyfile=/etc/ssl/sstp-key.pem

Certs:

sstp-ca.crt:

Code:

# openssl x509 -noout -text -certopt no_pubkey,no_sigdump -in /etc/ssl/sstp-ca.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b7:99:4b:09:86:76:11:a6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = RU, ST = Russia, L = Tyumen, O = MyOrg, OU = IT, CN = devCA root
        Validity
            Not Before: Dec 13 12:45:44 2018 GMT
            Not After : Nov 30 12:45:44 2068 GMT
        Subject: C = RU, ST = Russia, L = Tyumen, O = MyOrg, OU = IT, CN = devCA root
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                93:DF:37:9A:5B:CE:99:C7:05:F5:40:9D:6B:DA:12:17:31:E3:56:E4
            X509v3 Authority Key Identifier: 
                keyid:93:DF:37:9A:5B:CE:99:C7:05:F5:40:9D:6B:DA:12:17:31:E3:56:E4

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign

sstp-cert.pem:

Code:

# openssl x509 -noout -text -certopt no_pubkey,no_sigdump -in /etc/ssl/sstp-cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            94:a6:5f:ee:66:6f:a1:74
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = RU, ST = Russia, L = Tyumen, O = MyOrg, OU = IT, CN = devCA root
        Validity
            Not Before: May  6 10:58:44 2019 GMT
            Not After : Apr 15 10:58:44 2040 GMT
        Subject: C = RU, ST = Russia, L = Tyumen, O = MyOrg, OU = IT, CN = dm-gw
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                IP Address:185.x.x.x, DNS:dm-gw, DNS:vpn.changed.ru
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
shylion
Posts: 8
Joined: 22 Jan 2019, 13:10

Re: Is it working at all?

Post by shylion »

My bad.
Had to set accept=ssl.
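What that s_client output actually means, as an added example in POSIX shell (not code from the original post and not part of accel-ppp): openssl read exactly 5 bytes, the size of one TLS record header, and stopped with "wrong version number" because the second byte was not 0x03, i.e. the listener answered with something that was not a TLS record at all. The function below applies the same checks to constructed 5-byte prefixes: a TLS 1.2 ServerHello header, a TLS alert header, the start of a plaintext HTTP response (which is what a listener not doing TLS sends back), and the start of a plaintext HTTP request, which OpenSSL reports with its own message. The order of checks is modelled on ssl3_get_record in OpenSSL 1.1 as I understand it; all hex inputs are made up.

```shell
#!/bin/sh
# Added example, not part of the original post or of accel-ppp.
# The first 5 bytes a TLS server sends back to a ClientHello form a record
# header: content type (1 byte), protocol version (2 bytes), length (2 bytes).
# classify_first_bytes takes those bytes as a hex string and reports what
# openssl s_client would conclude from them.
classify_first_bytes() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    rtype=$(printf '%s' "$hex" | cut -c1-2)   # record content type
    vmaj=$(printf '%s' "$hex" | cut -c3-4)    # version major (0x03 for SSL3/TLS 1.x)
    vmin=$(printf '%s' "$hex" | cut -c5-6)    # version minor

    if [ "$vmaj" != "03" ]; then
        # Not a TLS record. OpenSSL special-cases a plaintext HTTP request
        # (typical when you connect to an HTTP port); a plaintext HTTP
        # *response* such as "HTTP/" falls through to "wrong version number".
        case "$hex" in
            47455420*|504f535420*|4845414420*|50555420*)   # "GET ", "POST ", "HEAD ", "PUT "
                echo "http request" ;;
            434f4e4e45*)                                   # "CONNE"(CT)
                echo "https proxy request" ;;
            *)
                echo "wrong version number" ;;
        esac
        return 0
    fi

    case "$rtype" in
        16) echo "tls handshake record, version 03$vmin" ;;          # ServerHello lives here
        15) echo "tls alert record, version 03$vmin" ;;              # e.g. handshake_failure
        17) echo "tls application data record, version 03$vmin" ;;
        *)  echo "unknown record type $rtype" ;;
    esac
}

# Constructed inputs: a TLS 1.2 ServerHello header, a TLS alert header,
# the start of "HTTP/1.1 ..." and the start of "GET /".
classify_first_bytes 1603030055     # tls handshake record, version 0303
classify_first_bytes 1503030002     # tls alert record, version 0303
classify_first_bytes 485454502f     # wrong version number
classify_first_bytes 47455420       # http request
```

If you want to see the raw bytes yourself instead of relying on openssl's interpretation, capture the first packet the server sends after your ClientHello and feed its first five bytes to the function as hex.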
FreeOwl
Posts: 2
Joined: 12 Apr 2020, 08:19

Re: Is it working at all?

Post by FreeOwl »

shylion, please tell me, how did you generate the certificates?

I do it like this:

My CNF, camy.cnf:

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = ca-serial
crl = ca-crl.pem
default_crl_days = 3650
default_md = md5

[ req ]
default_bits = 2048
days = 3650
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no

[ req_distinguished_name ]
C = RU
ST = MO
L = Moscow
O = BL
OU = BLITdep
CN = ca
emailAddress = admin@vdebian.homenet.home

[ req_attributes ]

1. Root key:
openssl genrsa -out sstp-ca.key
2. Root certificate:
openssl req -x509 -new -key sstp-ca.key -days 3650 -out sstp-ca.crt -config camy.cnf
3. Key for SSTP:
openssl genrsa -out sstp-key.pem
4. Certificate signing request:
openssl req -new -key sstp-key.pem -out sstp-csr.csr -config camy.cnf
5. Sign the request with the root certificate:
openssl x509 -req -in sstp-csr.csr -CA sstp-ca.crt -CAkey sstp-ca.key -CAcreateserial -out sstp-cert.pem -days 3650
6. I import "sstp-ca.crt" into Windows under "Trusted Root Certification Authorities -> Local Computer -> Certificates"

The SSTP section of the config:
[sstp]
verbose=1
bind=0.0.0.0
accept=ssl
ssl-ca-file=/etc/accel-ppp/ssl/sstp-ca.crt
ssl-pemfile=/etc/accel-ppp/ssl/sstp-cert.pem
ssl-keyfile=/etc/accel-ppp/ssl/sstp-key.pem
cert-hash-proto=sha256
http-error=allow
ifname=sstp%d

When connecting:
"The certificate signature could not be verified"

What am I doing wrong?
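One way to generate a private CA and an SSTP server certificate that carries the attributes the working certificate in the first post shows (a Subject Alternative Name listing the hostname and IP the client dials, serverAuth in Extended Key Usage, SHA-256 signatures, and a subject that differs from the issuer's), followed by the chain and purpose check a TLS client performs. This is an added example in POSIX shell, not accel-ppp's own tooling and not the commands FreeOwl ran; the CA name "Example SSTP CA", vpn.example.com and 192.0.2.10 are placeholders, and the output file names match the ssl-ca-file, ssl-pemfile and ssl-keyfile values used in this thread. The server extensions are passed with -extfile at signing time because openssl x509 -req does not carry extensions over from the CSR on its own.

```shell
#!/bin/sh
# Added example: private CA + SSTP server certificate with SAN and serverAuth,
# then the chain/purpose check a TLS client performs. Not accel-ppp code.
# Usage: make_sstp_certs <outdir> <server-dns-name> [server-ip]
make_sstp_certs() {
    out=$1; name=$2; ip=$3
    mkdir -p "$out"

    # CA request config. x509_extensions applies to 'req -x509' output:
    # a CA needs CA:TRUE and keyCertSign, and nothing that makes it look
    # like a server certificate.
    cat > "$out/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Example SSTP CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Server extensions, attached with -extfile at signing time.
    san="DNS:$name"
    [ -n "$ip" ] && san="$san, IP:$ip"
    cat > "$out/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # 1. CA key and self-signed CA certificate (SHA-256, 10 years).
    openssl genrsa -out "$out/sstp-ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$out/sstp-ca.key" \
        -config "$out/ca.cnf" -out "$out/sstp-ca.crt"

    # 2. Server key and CSR. -subj overrides the DN from ca.cnf so the
    #    server's subject is not identical to the issuer's.
    openssl genrsa -out "$out/sstp-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$out/sstp-key.pem" -config "$out/ca.cnf" \
        -subj "/CN=$name" -out "$out/sstp.csr"

    # 3. Sign with the CA, adding the server extensions from server.ext.
    openssl x509 -req -sha256 -days 825 -in "$out/sstp.csr" \
        -CA "$out/sstp-ca.crt" -CAkey "$out/sstp-ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/sstp-cert.pem" 2>/dev/null

    # 4. Verify chain and purpose the way a client would; non-zero exit on failure.
    openssl verify -CAfile "$out/sstp-ca.crt" -purpose sslserver "$out/sstp-cert.pem"
}

# Print the fields worth checking before importing anything on Windows:
# issuer, subject, SAN and EKU (same openssl invocation as in the first post).
show_sstp_cert() {
    openssl x509 -noout -text -certopt no_pubkey,no_sigdump -in "$1"
}
```

Usage: make_sstp_certs /etc/accel-ppp/ssl vpn.example.com 192.0.2.10, then show_sstp_cert /etc/accel-ppp/ssl/sstp-cert.pem. Only sstp-ca.crt needs to go into the Windows Local Computer Trusted Root store; the server certificate is presented by accel-ppp during the handshake, and the name the client dials must appear in its SAN. If the hostname or IP changes, reissue the server certificate, not the CA.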
dimka88
Posts: 872
Joined: 13 Oct 2014, 05:51

Re: Is it working at all?

Post by dimka88 »

For Windows and self-signed certificates there is a special kind of magic. Better to make an LE certificate.
FreeOwl
Posts: 2
Joined: 12 Apr 2020, 08:19

Re: Is it working at all?

Post by FreeOwl »

dimka88 wrote: 12 Apr 2020, 09:22
special magic
:lol:
Could you elaborate?
rasrzn
Posts: 3
Joined: 26 Apr 2020, 09:18

Re: Is it working at all?

Post by rasrzn »

FreeOwl wrote: 12 Apr 2020, 08:29
When connecting:
"The certificate signature could not be verified"

What am I doing wrong?

To avoid the "The certificate signature could not be verified" error, you need to run certmgr.msc and import two certificates into the local computer store, not the user store: sstp-ca.crt and sstp-cert.pem.