Support #14288
router-back - vulnerable key
Closed
100%
Description
May 15 11:04:45 router-back ovpn-server5740: OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 14 2008
May 15 11:04:45 router-back ovpn-server5740: /usr/sbin/openssl-vulnkey -q /etc/openvpn/server.key
May 15 11:04:45 router-back ovpn-server5740: ERROR: '/etc/openvpn/server.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
May 15 11:04:45 router-back ovpn-server5740: Exiting
Updated by Ernad Husremović about 17 years ago
http://wiki.debian.org/SSLkeys
OpenVPN
Backup /etc/openvpn/openvpn.secretkey.* (I placed them in a new subdirectory called vulnerable-DSA-1571-1)
recreate the keys using:
openvpn --genkey --secret openvpn.secretkey.system1-system2
copy the shared secret keys to the other hosts
restart the vpn with /etc/init.d/openvpn force-reload on each host.
new server key
root@router-back:/etc/openvpn# mv server.key vulnerable-DSA-1571-1/
root@router-back:/etc/openvpn# openvpn --genkey --secret server.key
root@router-back:/etc/openvpn# ls -l *key
-rw------- 1 root root 636 Apr 26 17:26 openhosting.key
-rw------- 1 root root 636 May 15 11:12 server.key
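The check that refused the server key above (openssl-vulnkey against the Debian blacklist from DSA-1571-1) is worth being able to reproduce yourself, because emptying the blacklist file only silences it: a key made by the broken OpenSSL PRNG is still one of a tiny, enumerable set. The following is an added example, not code from this ticket or from the Debian openssl-blacklist package. It assumes, from memory of the Debian tooling, that a blacklist entry is the SHA-1 of the exact text `openssl rsa -noout -modulus` prints ("Modulus=<HEX>\n") with the first 20 hex digits dropped; it handles only PKCS#1 "BEGIN RSA PRIVATE KEY" PEM (what OpenSSL 0.9.8 wrote), and the keys and blacklist it runs on are constructed toy data, not real keys.

```python
"""Reproduce the openssl-vulnkey blacklist check on a constructed toy RSA key.

Added example; assumption: fingerprint = sha1("Modulus=<HEX>\n").hexdigest()[20:],
matching how the Debian blacklist.RSA-* files were generated.
"""
import base64
import hashlib
import re

# --- minimal DER: SEQUENCE and INTEGER are all a PKCS#1 RSAPrivateKey needs ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def der_seq(parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- key handling ---

def toy_rsa_pem(p, q, e):
    """Build a PKCS#1 RSAPrivateKey PEM from tiny primes (constructed test data, NOT a usable key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    der = der_seq(der_int(x) for x in fields)
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"

def rsa_modulus_from_pem(pem):
    """Extract n from a PKCS#1 PEM; anything else (e.g. an OpenVPN static key) is rejected,
    which is the same condition OpenSSL reports as 'PEM_read_bio:no start line'."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA private key (PEM 'no start line')")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    _, _version, pos = _read_tlv(seq, 0)     # version INTEGER (0)
    tag, modulus, _ = _read_tlv(seq, pos)    # modulus INTEGER n
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(modulus, "big")

def modulus_line(n):
    """Same text `openssl rsa -noout -modulus` prints: uppercase hex, whole bytes, trailing newline."""
    return "Modulus=" + n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper() + "\n"

def blacklist_fingerprint(n):
    """Low 80 bits (20 hex digits) of sha1 over the modulus line (assumed Debian format)."""
    return hashlib.sha1(modulus_line(n).encode()).hexdigest()[20:]

def load_blacklist(text):
    """Parse a blacklist.RSA-* file: one 20-hex-digit fingerprint per line, '#' comments allowed."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def is_blacklisted(pem, blacklist):
    return blacklist_fingerprint(rsa_modulus_from_pem(pem)) in blacklist

# Constructed data: a "vulnerable" toy key whose fingerprint is listed, a clean key, and an
# OpenVPN static-key file of the kind `openvpn --genkey --secret` writes (placeholder body).
VULN_PEM = toy_rsa_pem(61, 53, 17)
CLEAN_PEM = toy_rsa_pem(67, 71, 13)
STATIC_KEY_TEXT = ("-----BEGIN OpenVPN Static key V1-----\n" + ("00" * 16 + "\n") * 16
                   + "-----END OpenVPN Static key V1-----\n")
TOY_BLACKLIST_TEXT = ("# constructed blacklist containing only the toy key\n"
                      + blacklist_fingerprint(rsa_modulus_from_pem(VULN_PEM)) + "\n")
TOY_BLACKLIST = load_blacklist(TOY_BLACKLIST_TEXT)

if __name__ == "__main__":
    print("vulnerable toy key listed:", is_blacklisted(VULN_PEM, TOY_BLACKLIST))
    print("clean toy key listed:", is_blacklisted(CLEAN_PEM, TOY_BLACKLIST))
    print("emptied blacklist catches it:", is_blacklisted(VULN_PEM, load_blacklist("\n")))
```

Against a real key, `rsa_modulus_from_pem(open("server.key").read())` gives the same modulus as `openssl rsa -noout -modulus -in server.key`, and the blacklist is `/usr/share/openssl-blacklist/blacklist.RSA-1024` (or RSA-2048). Note the last line: a blacklist that has been overwritten with an empty line, as later in this ticket, matches nothing and so reports every key as fine.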
Updated by Ernad Husremović about 17 years ago
root@router-back:/etc/openvpn# invoke-rc.d openvpn restart
Stopping virtual private network daemon: ernadh.openosting-client.
Starting virtual private network daemon: ernadh.openosting-client(OK) server-windozeERROR: unable to load Private Key
24352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
(FAILED) serverERROR: unable to load Private Key
24358:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
(FAILED).
Updated by Ernad Husremović about 17 years ago
root@router-back:~/admin/openvpn# cp -a /usr/share/doc/openvpn/examples/easy-rsa/* .
root@router-back:~/admin/openvpn# cat vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys

# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=BA
export KEY_PROVINCE=SA
export KEY_CITY=Sarajevo
export KEY_ORG="OpenVPN bring.out.ba"
export KEY_EMAIL="cs@sigma-com.net"
root@router-back:~/admin/openvpn# ./build-ca
Generating a 1024 bit RSA private key
.++++++
............................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) []:SA
Locality Name (eg, city) [Sarajevo]:
root@router-back:~/admin/openvpn# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/admin/openvpn/keys
root@router-back:~/admin/openvpn# ./clean-all
root@router-back:~/admin/openvpn# ./build-ca
Generating a 1024 bit RSA private key
....++++++
...........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) [SA]:
Locality Name (eg, city) [Sarajevo]:
Organization Name (eg, company) [OpenVPN bring.out.ba]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:router-back.bring.out.ba
Email Address [cs@sigma-com.net]:
root@router-back:~/admin/openvpn# ./build-key
usage: build-key <name>
root@router-back:~/admin/openvpn# ./build-key server
Generating a 1024 bit RSA private key
................++++++
.++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) [SA]:
Locality Name (eg, city) [Sarajevo]:
Organization Name (eg, company) [OpenVPN bring.out.ba]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:router-back.bring.out.ba
Email Address [cs@sigma-com.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/admin/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BA'
stateOrProvinceName   :PRINTABLE:'SA'
localityName          :PRINTABLE:'Sarajevo'
organizationName      :PRINTABLE:'OpenVPN bring.out.ba'
commonName            :PRINTABLE:'router-back.bring.out.ba'
emailAddress          :IA5STRING:'cs@sigma-com.net'
Certificate is to be certified until May 13 10:10:15 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@router-back:~/admin/openvpn# ls keys
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
root@router-back:~/admin/openvpn# cp keys/server.key keys/server.crt /etc/openvpn
root@router-back:~/admin/openvpn# invoke-rc.d openvpn restart
Stopping virtual private network daemon:kill: 180: No such process
 ernadh.openosting-client server-windoze server.
Starting virtual private network daemon:.
root@router-back:~/admin/openvpn# invoke-rc.d openvpn stop
Stopping virtual private network daemon:.
root@router-back:~/admin/openvpn# invoke-rc.d openvpn start
Starting virtual private network daemon:.
root@router-back:~/admin/openvpn# cp /etc/openvpn/ index.txt serial server.crt server.key
root@router-back:~/admin/openvpn# cp /etc/openvpn/ index.txt serial server.crt server.key
oops, I deleted all the configs in /etc/openvpn
Updated by Jasmin Beganović about 17 years ago
output when attempting to connect
bjasko@n-book-bjasko-1:/etc/openvpn$ openvpn client.conf
Thu May 15 12:33:39 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on May 21 2007
Thu May 15 12:33:39 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu May 15 12:33:39 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 15 12:33:39 2008 WARNING: file '/etc/openvpn/bjasko.key' is group or others accessible
Thu May 15 12:33:39 2008 LZO compression initialized
Thu May 15 12:33:39 2008 UDPv4 link local: [undef]
Thu May 15 12:33:39 2008 UDPv4 link remote: 89.146.163.254:1194
Thu May 15 12:33:39 2008 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BA/ST=SA/O=OpenVPN_bring.out.ba/CN=router-back.bring.out.ba/emailAddress=cs@sigma-com.net
Thu May 15 12:33:39 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 15 12:33:39 2008 TLS Error: TLS object -> incoming plaintext read error
Thu May 15 12:33:39 2008 TLS Error: TLS handshake failed
Thu May 15 12:33:39 2008 SIGUSR1[soft,tls-error] received, process restarting
Thu May 15 12:33:41 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu May 15 12:33:41 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 15 12:33:41 2008 Re-using SSL/TLS context
Thu May 15 12:33:41 2008 LZO compression initialized
Thu May 15 12:33:42 2008 UDPv4 link local: [undef]
Thu May 15 12:33:42 2008 UDPv4 link remote: 89.146.163.254:1194
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:42 2008 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BA/ST=SA/O=OpenVPN_bring.out.ba/CN=router-back.bring.out.ba/emailAddress=cs@sigma-com.net
Thu May 15 12:33:42 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 15 12:33:42 2008 TLS Error: TLS object -> incoming plaintext read error
Thu May 15 12:33:42 2008 TLS Error: TLS handshake failed
Thu May 15 12:33:42 2008 SIGUSR1[soft,tls-error] received, process restarting
Thu May 15 12:33:44 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu May 15 12:33:44 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 15 12:33:44 2008 Re-using SSL/TLS context
Thu May 15 12:33:44 2008 LZO compression initialized
Thu May 15 12:33:44 2008 UDPv4 link local: [undef]
Thu May 15 12:33:44 2008 UDPv4 link remote: 89.146.163.254:1194
Thu May 15 12:33:44 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_ACK_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:45 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:46 2008 event_wait : Interrupted system call (code=4)
Thu May 15 12:33:46 2008 SIGINT[hard,] received, process exiting
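This ticket runs through four distinct OpenVPN failures in a row (a blacklisted key, a static key dropped in where the TLS private key belongs, a server certificate signed by a CA the clients do not have, and a client that never checks the server certificate's role), and each has a fixed log signature. The triage below is an added example, not code from this ticket or from OpenVPN: it maps the literal error strings quoted on this page to the remedy that fits them, in priority order, and runs over constructed excerpts of the log lines above. Which string implies which remedy is this editor's reading, and the remedies assume OpenVPN 2.0.x with easy-rsa as used here.

```python
"""Triage OpenVPN 2.0.x log excerpts into the root causes seen in this ticket (added example)."""
import re
from collections import OrderedDict

# (rule id, regex on one log line, remedy). Order is priority: first match on a line wins,
# and root_cause() reports the highest-priority fatal rule present.
RULES = [
    ("vulnerable-key", r"is a known vulnerable key",
     "Key was made by the DSA-1571 OpenSSL PRNG: regenerate with a fixed openssl, "
     "do not empty the blacklist"),
    ("not-a-pem-key", r"PEM_read_bio:no start line.*Expecting: ANY PRIVATE KEY",
     "File named by 'key' is not a PEM private key; a static key from "
     "'openvpn --genkey --secret' belongs under 'secret', not 'key'"),
    ("ca-mismatch", r"VERIFY ERROR: depth=0, error=unable to get local issuer certificate",
     "Peer certificate is not signed by the CA in this side's ca.crt: sign with the CA the "
     "peers already trust, or ship the new ca.crt to every peer"),
    ("no-server-check", r"No server certificate verification method has been enabled",
     "Client will accept any CA-signed cert as the server: add 'ns-cert-type server' "
     "(2.0) / 'remote-cert-tls server' (2.1+) and sign the server with build-key-server"),
    ("key-perms", r"file '([^']+)' is group or others accessible",
     "chmod 600 the private key"),
    ("stale-session", r"Unroutable control packet",
     "Packets for the session torn down after the failed handshake; follow-on noise"),
]
FATAL = {"vulnerable-key", "not-a-pem-key", "ca-mismatch"}

def triage(log_text):
    """Return {rule_id: {count, remedy, sample}} for every rule that fired, in priority order."""
    hits = {}
    for line in log_text.splitlines():
        for rule_id, pattern, remedy in RULES:
            if re.search(pattern, line):
                entry = hits.setdefault(rule_id, {"count": 0, "remedy": remedy, "sample": line.strip()})
                entry["count"] += 1
                break
    return OrderedDict((rid, hits[rid]) for rid, _, _ in RULES if rid in hits)

def root_cause(log_text):
    """Highest-priority fatal rule present, or None; warnings and follow-on noise never win."""
    return next((rid for rid in triage(log_text) if rid in FATAL), None)

def verify_error_subject(log_text):
    """Subject DN of the certificate the local side refused, or None."""
    m = re.search(r"unable to get local issuer certificate: (\S+)", log_text)
    return m.group(1) if m else None

# Constructed excerpts, copied from the lines quoted in this ticket.
SERVER_LOG = """\
May 15 11:04:45 router-back ovpn-server5740: /usr/sbin/openssl-vulnkey -q /etc/openvpn/server.key
May 15 11:04:45 router-back ovpn-server5740: ERROR: '/etc/openvpn/server.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
May 15 11:04:45 router-back ovpn-server5740: Exiting
"""
RESTART_LOG = """\
Starting virtual private network daemon: server-windozeERROR: unable to load Private Key
24352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
24358:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
"""
CLIENT_LOG = """\
Thu May 15 12:33:39 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 15 12:33:39 2008 WARNING: file '/etc/openvpn/bjasko.key' is group or others accessible
Thu May 15 12:33:39 2008 UDPv4 link remote: 89.146.163.254:1194
Thu May 15 12:33:39 2008 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BA/ST=SA/O=OpenVPN_bring.out.ba/CN=router-back.bring.out.ba/emailAddress=cs@sigma-com.net
Thu May 15 12:33:39 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 15 12:33:39 2008 TLS Error: TLS handshake failed
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
Thu May 15 12:33:42 2008 TLS Error: Unroutable control packet received from 89.146.163.254:1194 (si=3 op=P_CONTROL_V1)
"""

if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("restart", RESTART_LOG), ("client", CLIENT_LOG)):
        print(f"== {name}: root cause = {root_cause(log)}")
        for rid, info in triage(log).items():
            print(f"   {rid} x{info['count']}: {info['remedy']}")
```

On the client excerpt the root cause is the CA mismatch, and `verify_error_subject` hands back the DN of the new server certificate (O=OpenVPN_bring.out.ba, signed by the freshly built CA), which is exactly the certificate the clients' existing ca.crt cannot chain to; the "Unroutable control packet" flood is ranked last because it follows the handshake abort rather than causing it.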
Updated by Ernad Husremović about 17 years ago
let me trick the server for a moment - I put back the old server.key and server.crt and zeroed out this blacklist
root@router-back:/usr/share/openssl-blacklist# mv blacklist.RSA-1024 blacklist.RSA-1024.orig
root@router-back:/usr/share/openssl-blacklist# invoke-rc.d openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: serverERROR: could not open database
(FAILED) server-windozeERROR: could not open database
(FAILED).
root@router-back:/usr/share/openssl-blacklist# ls
blacklist.RSA-1024.orig  blacklist.RSA-2048
root@router-back:/usr/share/openssl-blacklist# echo "" > blacklist.RSA-1024
root@router-back:/usr/share/openssl-blacklist# invoke-rc.d openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: server(OK) server-windoze(OK).
Updated by Ernad Husremović about 17 years ago
tested, vranici can connect
Updated by Jasmin Beganović about 17 years ago
I can't, I also tried with the new keys that hernad sent me
Updated by Ernad Husremović about 17 years ago
after a million attempts I managed to generate new server keys that work on router-back
I did this on nmraka-1 (on hardy)
copied bring.out.ba.crt => root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
copied bring.out.ba.key => root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.key
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
...............................................++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) [BiH]:
Locality Name (eg, city) [Sarajevo]:
Organization Name (eg, company) [bring.out.ba]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [sa@bring.out.ba]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BA'
stateOrProvinceName   :PRINTABLE:'BiH'
localityName          :PRINTABLE:'Sarajevo'
organizationName      :PRINTABLE:'bring.out.ba'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'sa@bring.out.ba'
Certificate is to be certified until May 13 12:57:57 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp server.crt server.key ca.crt root@router-back.bring.out.ba:/etc/openvpn
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................+..............................+...................+.........................................+........+.........................................................+...............................++*++*++*
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# scp keys/dh1024.pem root@router-back.bring.out.ba:/etc/openvpn
dh1024.pem                                    100%  245     0.2KB/s   00:00
root@router-back:/usr/share/openssl-blacklist# invoke-rc.d openvpn restart
Stopping virtual private network daemon: server server-windoze. Starting virtual private network daemon: server(OK) server-windoze(OK).
Updated by Ernad Husremović about 17 years ago
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
[ CA_default ]

dir             = $ENV::KEY_DIR         # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dir                  # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir                  # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/ca.key           # The private key
RANDFILE        = $dir/.rand            # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
Updated by Ernad Husremović about 17 years ago
I also tried the variant of creating a new CA
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
.....................................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) [BiH]:
Locality Name (eg, city) [Sarajevo]:
Organization Name (eg, company) [bring.out.ba]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [bring.out.ba CA]:
Email Address [sa@bring.out.ba]:
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-server-key server
-su: ./build-server-key: No such file or directory
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
.++++++
...................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BA]:
State or Province Name (full name) [BiH]:
Locality Name (eg, city) [Sarajevo]:
Organization Name (eg, company) [bring.out.ba]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [sa@bring.out.ba]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BA'
stateOrProvinceName   :PRINTABLE:'BiH'
localityName          :PRINTABLE:'Sarajevo'
organizationName      :PRINTABLE:'bring.out.ba'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'sa@bring.out.ba'
Certificate is to be certified until May 13 13:27:03 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@nmraka-1:/usr/share/doc/openvpn/examples/easy-rsa/2.0# scp keys/ca.crt keys/server.key keys/server.crt root@router-back.bring.out.ba:/etc/openvpn
ca.crt                                        100% 1237     1.2KB/s   00:00
server.key                                    100%  891     0.9KB/s   00:00
server.crt                                    100% 3892     3.8KB/s   00:00
Updated by Ernad Husremović about 17 years ago
then I get
Thu May 15 15:30:47 2008 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=BA/ST=BiH/L=Sarajevo/O=bring.out.ba/CN=server/emailAddress=sa@bring.out.ba
Thu May 15 15:30:47 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 15 15:30:47 2008 TLS Error: TLS object -> incoming plaintext read error
Thu May 15 15:30:47 2008 TLS Error: TLS handshake failed
Thu May 15 15:30:47 2008 SIGUSR1[soft,tls-error] received, process restarting
putting ca.crt back to the bring.out.ba.crt certificate
Updated by Ernad Husremović about 17 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
that's what my whole day went on :(