[Ocf-linux-users] Fwd: ocf-linux / openvpn
From: Mark <ic...@gm...> - 2008-05-09 12:37:35
Hi Nikola, David
You're fully right... as soon as I enable ocf support I'm no longer
able to create certificates. Key generation still works fine...
This is what I did:
1) Enabled OCF
- Create private key
- Create certificate -> FAILED
2) Disabled OCF (rebooted...)
- Create private key
- Create certificate -> OK
3) Created certificate based on private key generated in step 1
(to verify key generation worked) -> OK
I removed the geode-aes kernel module, so it's pretty sure
problems are not related to it...
--- root@fw : /root
--- # openssl engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support
--- root@fw : /root
--- # openssl genrsa -engine cryptodev 1024 > a.key
engine "cryptodev" set.
Generating RSA private key, 1024 bit long modulus
.......++++++
...................++++++
e is 65537 (0x10001)
--- root@fw : /root
--- # openssl req -engine cryptodev -new -x509 -sha1 -nodes -days 365
-key a.key > a.crt
engine "cryptodev" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
754:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong
public key type:p_sign.c:103:
754:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
--- root@fw : /root
--- # openssl engine
(dynamic) Dynamic engine loading support
--- root@fw : /root
--- # openssl genrsa 1024 > b.key
Generating RSA private key, 1024 bit long modulus
.++++++
.............++++++
e is 65537 (0x10001)
--- root@fw : /root
--- # openssl req -new -x509 -sha1 -nodes -days 365 -key b.key > b.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
--- root@fw : /root
--- # openssl req -new -x509 -sha1 -nodes -days 365 -key a.key > c.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Are there any debugging options of openssh to track down
the issue further?
Regards
Mark
On 5/9/08, David McCullough <Dav...@se...> wrote:
>
> Jivin Nikola Ciprich lays it down ...
>
> > Hello Mark!
> > I'm observing the same problem on our GEODE based system. I've
> > tracked it to be certificates problem.
> > If I enable OCF, openssl gets unable to even create certificate,
> > so there is something wrong there with it, ie it's not really openvpn
> > specific.
>
>
> What command are you running here ?
>
>
> > Does somebody know where the problem could be?
> > Could we do something to help fixing the issue?
>
>
> I don't know what could be happening here unfortunately, I haven't had
> a chance to look at it but as luck would have it one of the guys here is
> playing with OpenVPN at the moment. I'll see if he has time to test it
> out.
>
> If possible, can you get two ocf-enabled openvpn boxes to talk ?
>
> I know we generate certs on ocf enabled devices all the time so I am
> wondering if this is something to do with the kernel crypto or perhaps
> even the geode driver.
>
> Can you try using cryptosoft without the geode HW support enabled ?
> That might show up something,
>
> Thanks,
> Davidm
>
>
>
> >
> > On Wed, May 07, 2008 at 07:10:09PM +0200, ic...@gm... wrote:
> > > Hi
> > >
> > > Is somebody running openvpn with a openssl+ocf successfully?
> > > As soon as I enable openssl's ocf support (through loading of the cryptodev
> > > and cryptosoft kernel modules), openvpn is no longer able to setup the
> > > vpn properly:
> > >
> > > May 7 18:59:19 fw openvpn[967]: VERIFY ERROR: depth=1,
> > > error=certificate signature failure: /C=XX/ST=XX/L=XX/O=XX
> > > May 7 18:59:19 fw openvpn[967]: TLS_ERROR: BIO read
> > > tls_read_plaintext error: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTI
> > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS object -> incoming
> > > plaintext read error
> > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS handshake failed
> > > May 7 18:59:19 fw openvpn[967]: TCP/UDP: Closing socket
> > > May 7 18:59:19 fw openvpn[967]: SIGUSR1[soft,tls-error] received,
> > > process restarting
> > > May 7 18:59:19 fw openvpn[967]: Restart pause, 2 second(s)
> > >
> > > However, removing the kernel modules makes openvpn working again
> > > (without changing a file, so certificates are really valid!)
> > >
> > > Reason for using ocf is, using the hw crypto accelerator of the geode cpu.
> > >
> > > To make sure, it's not related to the geode driver I used different ciphers
> > > (geode only supports aes-128-cbc). Always with the same result... failed!
> > >
> > > Interestingly "openssl speed -engine dynamic -evp aes-128-cbc " and
> > > cryptotest work fine.
> > >
> > > Versions I've used:
> > > - openvpn 2.1_rc7
> > > - openssl 0.9.8g
> > > - ocf-linux 20080427 (20071215 + patch for 2.6.24+ posted on this list)
> > > - linux 2.6.24.6 (+ geode patches from sebastian siewior, posted on
> > > linux-crypto)
> > >
> > > Any ideas or suggestions how to debug this issue?
> > >
> > > Regards
> > > Mark
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> > > Don't miss this year's exciting event. There's still time to save $100.
> > > Use priority code J8TL2D2.
> > > http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> > > _______________________________________________
> > > Ocf-linux-users mailing list
> > > Ocf...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ocf-linux-users
> > >
> >
> > --
> > -------------------------------------
> > Nikola CIPRICH
> > LinuxBox.cz, s.r.o.
> > 28. rijna 168, 709 01 Ostrava
> >
> > tel.: +420 596 603 142
> > fax: +420 596 621 273
> > mobil: +420 777 093 799
> > www.linuxbox.cz
> >
> > mobil servis: +420 737 238 656
> > email servis: se...@li...
> > -------------------------------------
> >
> >
>
> --
>
> David McCullough, dav...@se..., Ph:+61 734352815
> Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
>
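A diagnostic for the failure Mark describes, added here as an example; it is not code from the original thread, from ocf-linux or from OpenSSL. It decodes OpenSSL's packed error codes (the 0606B06E and 0D0C3006 lines pasted above; the code is lib<<24 | func<<12 | reason, with the ERR_LIB_* numbers from OpenSSL's err.h) and runs the same keygen/sign/verify matrix Mark ran by hand, once through an engine and once in software, with the engine-made signature verified by the software path so an engine that produces a wrong signature rather than an error (the openvpn "certificate signature failure" case) also shows up. The engine name `cryptodev`, the `run_matrix`/`localize` helper names and the `MARK_OUTCOMES` table are assumptions; the two sample error lines are the ones pasted above, rejoined onto one line each.

```python
"""Differential engine check for the OpenSSL-on-OCF failure discussed in
this thread.  Added example, not part of the original mail or of ocf-linux."""
import os
import re
import shutil
import subprocess
import tempfile

# ERR_LIB_* numbers from OpenSSL's err.h; only the libraries this thread
# touches are listed.  A packed code is lib<<24 | func<<12 | reason.
ERR_LIBS = {6: "EVP", 13: "ASN1", 20: "SSL"}

_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+)")

# The two error lines Mark pasted, rejoined onto one line each (the mail
# wrapped the first one).
SAMPLE_ERRORS = [
    "754:error:0606B06E:digital envelope routines:EVP_SignFinal:"
    "wrong public key type:p_sign.c:103:",
    "754:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:"
    "EVP lib:a_sign.c:276:",
]


def decode_openssl_error(line):
    """Split one 'error:CODE:lib:func:reason:file:line' record into fields.
    Returns None if the line is not an OpenSSL error record."""
    m = _ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib = code >> 24
    return {
        "code": code,
        "lib": ERR_LIBS.get(lib, lib),
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_text": m.group(2),
        "func_text": m.group(3),
        "reason_text": m.group(4),
        "file": m.group(5),
        "line": int(m.group(6)),
    }


def localize(outcomes):
    """outcomes maps (step, via_engine) -> bool.  A failure that also occurs
    in software is not an engine bug; otherwise name the engine-only steps."""
    sw_fail = sorted(s for (s, eng), ok in outcomes.items() if not eng and not ok)
    if sw_fail:
        return "software path fails at %s; not engine-specific" % ", ".join(sw_fail)
    eng_fail = sorted(s for (s, eng), ok in outcomes.items() if eng and not ok)
    if not eng_fail:
        return "no divergence between engine and software paths"
    return "engine-only failure at %s" % ", ".join(eng_fail)


# Constructed: the outcomes Mark reports above (engine keygen works, the
# engine signing step fails, everything works with OCF disabled).
MARK_OUTCOMES = {
    ("keygen", True): True, ("sign", True): False,
    ("keygen", False): True, ("sign", False): True,
}


def _openssl(args, engine=None):
    """Run an openssl subcommand, optionally through -engine NAME (assumed
    engine name; substitute whatever 'openssl engine' lists on your box)."""
    cmd = ["openssl", args[0]] + (["-engine", engine] if engine else []) + args[1:]
    p = subprocess.run(cmd, capture_output=True, text=True)
    decoded = [d for d in map(decode_openssl_error, p.stderr.splitlines()) if d]
    return p.returncode == 0, decoded


def run_matrix(engine="cryptodev", workdir=None):
    """Keygen, sign and verify once via the engine and once in software.
    The engine-made signature is verified by the software path, so a silently
    wrong signature fails at 'verify' instead of passing unnoticed."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found")
    workdir = workdir or tempfile.mkdtemp(prefix="ocf-diff-")
    msg = os.path.join(workdir, "msg.txt")
    with open(msg, "w") as f:
        f.write("differential test input\n")
    outcomes, errors = {}, {}
    for via_engine in (True, False):
        eng = engine if via_engine else None
        tag = "eng" if via_engine else "sw"
        key, pub, sig = (os.path.join(workdir, tag + ext)
                         for ext in (".key", ".pub", ".sig"))
        ok, err = _openssl(["genrsa", "-out", key, "2048"], eng)
        outcomes[("keygen", via_engine)], errors[("keygen", via_engine)] = ok, err
        # The public key is always extracted in software, so 'verify' depends
        # on the engine only through the signature it produced.
        pub_ok, _ = _openssl(["rsa", "-in", key, "-pubout", "-out", pub])
        ok, err = _openssl(["dgst", "-sha256", "-sign", key, "-out", sig, msg], eng)
        outcomes[("sign", via_engine)], errors[("sign", via_engine)] = ok and pub_ok, err
        ok, err = _openssl(["dgst", "-sha256", "-verify", pub, "-signature", sig, msg])
        outcomes[("verify", via_engine)], errors[("verify", via_engine)] = ok, err
    return outcomes, errors


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(decode_openssl_error(line))
    print(localize(MARK_OUTCOMES))
    results, errs = run_matrix()
    print(localize(results))
    for step, decoded in errs.items():
        for d in decoded:
            print(step, d["lib"], d["func_text"], d["reason_text"])
```

Decoding the second pasted line gives reason 6, which in err.h is ERR_R_EVP_LIB: the ASN1_item_sign record is only the EVP failure propagating upward, so the EVP_SignFinal line is the one to chase. The matrix uses `dgst -sign` rather than `req -x509` because it isolates the signing primitive from the certificate-building code and leaves a signature file the software path can verify independently.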