Hi,
I hope you all had a good start into the new year!
I am currently trying to set up a VPN on my FreeBSD 5.4 machine.
I followed this tutorial:
http://www.pronix.de/pronix-936.html
But as so often, it doesn't want to do what I want...
The problem seems to be that I can't create usable SSL keys.
When I test the keys created with
/usr/bin/openssl genrsa -aes256 -out \
/usr/local/openssl/private/vpn-cakey.pem 2048
and
/usr/bin/openssl req -new -newkey rsa:1024 -out \
/usr/local/openssl/certs/erik-preCert.pem -nodes -keyout \
/usr/local/openssl/private/erik-key.pem -days 3650
I get the following result:
/usr/local/sbin/openvpn --test-crypto --secret
/usr/local/openssl/private/vpn-cakey.pem
Mon Jan 2 00:52:37 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL]
[LZO] built on Jan 1 2006
Mon Jan 2 00:52:37 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL]
[LZO] built on Jan 1 2006
Mon Jan 2 00:52:37 2006 Insufficient key material or header text not
found found in file '/usr/local/openssl/private/vpn-cakey.pem'
(0/128/256 bytes found/min/max)
Mon Jan 2 00:52:37 2006 Exiting
I have the following ports installed:
openssl-0.9.8a SSL and crypto library
openvpn-2.0.5_1 Secure IP/Ethernet tunnel daemon
Does anyone have an idea what could be causing this?
Below is a script output with more info:
-----------------------------------------------
Script started on Mon Jan 2 00:51:32 2006
root(at)develop# cd /usr/local/openssl/
root(at)develop# ls -l
total 8
drwxr-xr-x 2 root wheel 512 2 Jan 00:47 certs
drwxr-xr-x 2 root wheel 512 1 Jan 19:00 crl
-rw-r--r-- 1 root wheel 0 2 Jan 00:51 index.txt
drwx------ 2 root wheel 512 2 Jan 00:49 private
-rw-r--r-- 1 root wheel 3 2 Jan 00:51 serial
/usr/bin/openssl genrsa -aes256 -out /usr/local/openssl/private/vpn-cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for /usr/local/openssl/private/vpn-cakey.pem:
Verifying - Enter pass phrase for /usr/local/openssl/private/vpn-cakey.pem:
/usr/bin/openssl req -new -x509 -days 3650 -key /usr/local/openssl/private/vpn-cakey.pem -out /usr/local/openssl/vpn-cacert.pem -set_serial 1
Enter pass phrase for /usr/local/openssl/private/vpn-cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:de
State or Province Name (full name) [Some-State]:hessen
Locality Name (eg, city) []:frankfurt
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:testjerik
Common Name (eg, YOUR name) []:jerk
Email Address []:test(at)test.de
/usr/local/sbin/openvpn --test-crypto --secret /usr/local/openssl/private/vpn-cakey.pem
Mon Jan 2 00:52:37 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL] [LZO] built on Jan 1 2006
Mon Jan 2 00:52:37 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL] [LZO] built on Jan 1 2006
Mon Jan 2 00:52:37 2006 Insufficient key material or header text not found found in file '/usr/local/openssl/private/vpn-cakey.pem' (0/128/256 bytes found/min/max)
Mon Jan 2 00:52:37 2006 Exiting
root(at)develop# ls -l
total 10
drwxr-xr-x 2 root wheel 512 2 Jan 00:47 certs
drwxr-xr-x 2 root wheel 512 1 Jan 19:00 crl
-rw-r--r-- 1 root wheel 0 2 Jan 00:51 index.txt
drwx------ 2 root wheel 512 2 Jan 00:51 private
-rw-r--r-- 1 root wheel 3 2 Jan 00:51 serial
-rw-r--r-- 1 root wheel 1578 2 Jan 00:52 vpn-cacert.pem
root(at)develop# ls -l private/
total 2
-rw-r--r-- 1 root wheel 1766 2 Jan 00:52 vpn-cakey.pem
root(at)develop# ls -l certs/
total 0
root(at)develop# cat index.txt
root(at)develop# cat serial
01
/usr/bin/openssl req -new -newkey rsa:1024 -out /usr/local/openssl/certs/erik-preCert.pem -nodes -keyout /usr/local/openssl/private/erik-key.pem -days 3650
Generating a 1024 bit RSA private key
....................++++++
...........................++++++
writing new private key to '/usr/local/openssl/private/erik-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:de
State or Province Name (full name) [Some-State]:hessen
Locality Name (eg, city) []:frankfurt
Organization Name (eg, company) [Internet Widgits Pty Ltd]:testets
Organizational Unit Name (eg, section) []:testes
Common Name (eg, YOUR name) []:testjeirk
Email Address []:test(at)testse.de
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
/usr/bin/openssl x509 -req -in /usr/local/openssl/certs/erik-preCert.pem -out /usr/local/openssl/certs/erik-cert.pem -CA /usr/local/openssl/vpn-cacert.pem -CAkey /usr/local/openssl/private/vpn-cakey.pem -CAserial serial -days 3650
Signature ok
subject=/C=de/ST=hessen/L=frankfurt/O=testets/OU=testes/CN=testjeirk/emailAddress=test(at)testse.de
Getting CA Private Key
Enter pass phrase for /usr/local/openssl/private/vpn-cakey.pem:
/usr/local/sbin/openvpn --test-crypto --secret /usr/local/openssl/private/erik-key.pem
Mon Jan 2 00:54:14 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL] [LZO] built on Jan 1 2006
Mon Jan 2 00:54:14 2006 OpenVPN 2.0.5 i386-portbld-freebsd5.4 [SSL] [LZO] built on Jan 1 2006
Mon Jan 2 00:54:14 2006 Insufficient key material or header text not found found in file '/usr/local/openssl/private/erik-key.pem' (0/128/256 bytes found/min/max)
Mon Jan 2 00:54:14 2006 Exiting
root(at)develop# pkg_info | grep open
libltdl-1.5.22 System independent dlopen wrapper
open-motif-2.2.3_2 Motif X11 Toolkit (industry standard GUI (IEEE 1295))
openldap-client-2.2.30 Open source LDAP client implementation
openslp-1.2.1_1 Open-source implementation of the Service Location Protocol
openssl-0.9.8a SSL and crypto library
openvpn-2.0.5_1 Secure IP/Ethernet tunnel daemon
pango-1.10.2 An open-source framework for the layout and rendering of i1
php5-openssl-5.0.4_2 The openssl shared extension for php
postgresql-server-8.0.5_1 The most advanced open-source database available anywhere
speex-1.0.5,1 An open-source patent-free voice codec
root(at)develop# exit
exit
Script done on Mon Jan 2 00:54:36 2006
-----------------------------------------------
Regards, Erik
--
J. Erik Heinz
Keyboard-samuraing in process :: All non-mailinglist mail to this email address will be deleted.
OpenBC: https://www.openbc.com/hp/JErik_Heinz
Received on Mon 02 Jan 2006 - 01:16:40 CET
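As an added diagnostic (not part of the original post, nor OpenVPN or OpenSSL code), this shell snippet classifies a PEM file by its header line and names the openvpn option that consumes it: `--secret` only accepts an OpenVPN static key (header `-----BEGIN OpenVPN Static key V1-----`, produced by `openvpn --genkey --secret`), so feeding it an RSA key from `openssl genrsa` is exactly what produces the "header text not found" message above. It also flags private key files that are group- or world-readable, as the `-rw-r--r--` vpn-cakey.pem in the listing is; the sample files it creates are constructed and contain no real key material.

```shell
# Added diagnostic, not from the original post. openvpn --secret reads an
# OpenVPN static key ("-----BEGIN OpenVPN Static key V1-----"); an RSA key from
# openssl genrsa has a different header, so --test-crypto --secret rejects it.

pem_kind() {
    # Classify by the first BEGIN line: static-key | enc-rsa-key | rsa-key | csr | cert | unknown
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null)
    case "$hdr" in
        *"OpenVPN Static key V1"*) echo static-key ;;
        *"PRIVATE KEY"*)
            # An encrypted PEM (genrsa -aes256) carries a "Proc-Type: 4,ENCRYPTED" line
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo enc-rsa-key; else echo rsa-key; fi ;;
        *"CERTIFICATE REQUEST"*) echo csr ;;
        *"CERTIFICATE"*) echo cert ;;
        *) echo unknown ;;
    esac
}

openvpn_option_for() {
    # Name the openvpn option that actually consumes this kind of file
    case $(pem_kind "$1") in
        static-key) echo "--secret" ;;
        rsa-key|enc-rsa-key) echo "--key" ;;
        cert) echo "--cert (or --ca for the CA certificate)" ;;
        csr) echo "none: a CSR is only input to the CA" ;;
        *) echo unknown ;;
    esac
}

key_perms_ok() {
    # 0 if no group/other permission bits are set (e.g. 0600), 1 otherwise
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

make_samples() {
    # Constructed sample files (no real keys) in a temp dir; prints the dir name
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$d/vpn-cakey.pem"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00ff' \
        '-----END OpenVPN Static key V1-----' > "$d/static.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' > "$d/vpn-cacert.pem"
    chmod 644 "$d/vpn-cakey.pem"; chmod 600 "$d/static.key"; echo "$d"
}

for f in "$@"; do   # usage: sh thisfile.sh /usr/local/openssl/private/vpn-cakey.pem ...
    printf '%s: %s -> %s\n' "$f" "$(pem_kind "$f")" "$(openvpn_option_for "$f")"
    key_perms_ok "$f" || echo "  WARNING: $f is group/world readable"
done
```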