OpenVPN ssl 验证错误:深度=0,错误=TI am335x-evm 平台中的证书签名失败

OpenVPN ssl 验证错误:深度=0,错误=TI am335x-evm 平台中的证书签名失败

我尝试将 openVPN 客户端(2.3.8)移植到 ARMS 嵌入式设备。设置交叉编译后,我能够在 ARMS 中运行,不知何故,当我在 ARMS 中启动 openvpn 时,它显示错误:验证错误:深度=0,错误=证书签名,以下是 ARMS OpenVPN 客户端日志:

root@am335x-evm:~# ./openvpn client25.conf 
Fri Sep 25 09:51:06 2015 OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 25 2015
Fri Sep 25 09:51:06 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.06
Fri Sep 25 09:51:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 25 09:51:06 2015 WARNING: file '/home/root/client1.key' is group or others accessible
Fri Sep 25 09:51:06 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Sep 25 09:51:06 2015 UDPv4 link local: [undef]
Fri Sep 25 09:51:06 2015 UDPv4 link remote: [AF_INET]192.168.87.25:1194
Fri Sep 25 09:51:06 2015 TLS: Initial packet from [AF_INET]192.168.87.25:1194, sid=b7b62cd9 973685ba
Fri Sep 25 09:51:06 2015 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, [email protected]
Fri Sep 25 09:51:06 2015 VERIFY ERROR: depth=0, error=certificate signature failure: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, [email protected]
Fri Sep 25 09:51:06 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Fri Sep 25 09:51:06 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 25 09:51:06 2015 TLS Error: TLS handshake failed
Fri Sep 25 09:51:06 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 25 09:51:06 2015 Restart pause, 2 second(s)

OpenVPN 服务器(2.3.8)安装在 Ubuntu 14.04 桌面上,所有客户端/服务器证书都是在此桌面上使用 easy-rsa 生成的。

我尝试了相同的 ca.crt 和 client.crt、client.key,可以在安装有 Ubuntu Linux 桌面的另一个 OpenVPN 客户端中正常工作

不知何故,由于某种原因,它无法在嵌入式 ARMS 中工作。(OpenVPN 客户端)

这里附上了 ca.crt 和 client1.crt 转储,我已在嵌入式 ARMS 中尝试了“openssl verify”,但它会失败并显示以下日志:“”错误 7 在 0 深度查找:证书签名失败“详细日志如下:

root@am335x-evm:~# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015
OpenSSL>quit
root@am335x-evm:~# openssl x509 -in ca.crt -text       
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:16:7f:96:50:e9:bf:e4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Sep 25 08:00:49 2015 GMT
            Not After : Sep 22 08:00:49 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd:
                    e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21:
                    a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf:
                    38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b:
                    ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5:
                    0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74:
                    16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26:
                    d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8:
                    7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70:
                    2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e:
                    24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f:
                    9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b:
                    b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86:
                    21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7:
                    da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f:
                    ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37:
                    c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9:
                    79:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/[email protected]
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af:
         cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8:
         f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5:
         80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03:
         f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86:
         ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05:
         73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20:
         0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80:
         08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32:
         c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06:
         2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb:
         47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45:
         af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2:
         c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c:
         0d:c8:39:40
-----BEGIN CERTIFICATE-----
MIIEyjCCA7KgAwIBAgIJAOUWf5ZQ6b/kMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJUVzELMAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTEQMA4GA1UEChMH
Rm94Y29ubjEMMAoGA1UECxMDSU9UMRQwEgYDVQQDEwtzZXJ2ZXIyNS1DQTEQMA4G
A1UEKRMHRWFzeVJTQTEpMCcGCSqGSIb3DQEJARYaamFtZXMuY2suY2hpZW5AZm94
Y29ubi5jb20wHhcNMTUwOTI1MDgwMDQ5WhcNMjUwOTIyMDgwMDQ5WjCBnjELMAkG
A1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoT
B0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAO
BgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZv
eGNvbm4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0zq+uM+R
4QAOIA52Mb3mZPPhKmDW09c82OEwDiGnfLcm4p2W3dAtJvIczs84cVokkTyEmi1E
Iy6YOJvqcKUkdVek9C8WZ1AMKLUOccNbdqcL683MNDn0m3QWQEtclEMH76oDKANr
yCbVVI/hLktnOUtcamTmKNh6YnV8aPO1ROsq77qoOHAuwQKs/2CyZXMoW5MCZx4k
8vKqibBZWMrRN1nsLy+edtcCpgQCHFSid1o0jRu5aE8KPG+Qi/O9+01P+4YhvO5e
HnKTfUE80DmkicfadRAsirAd1WUZoaEuIj+6FWO+KcAI21ISveYzKjfHNKG+cd9i
qh0gJN+VAtl58wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFILteBjcV26zqg8etgoU
NF6OFJMlMIHTBgNVHSMEgcswgciAFILteBjcV26zqg8etgoUNF6OFJMloYGkpIGh
MIGeMQswCQYDVQQGEwJUVzELMAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTEQ
MA4GA1UEChMHRm94Y29ubjEMMAoGA1UECxMDSU9UMRQwEgYDVQQDEwtzZXJ2ZXIy
NS1DQTEQMA4GA1UEKRMHRWFzeVJTQTEpMCcGCSqGSIb3DQEJARYaamFtZXMuY2su
Y2hpZW5AZm94Y29ubi5jb22CCQDlFn+WUOm/5DAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBCwUAA4IBAQCbsXBSCo63eaGj7jplluZegq/Nbo+S+LgscN0o7l3BznH9
otj4+nVJySr/KuJP2EK41+Gq7LWAK2GhxUmeTUuNDJVUezJZ7gP0yvao6XLSIzfv
Mx4XaOwZRYartycB9rIfzXSKlxZIypA1+gVzEAqb1Uq1Q4DyuX8eRGkS+CANGAVu
NxekQh83ywB5G18HyoAIMIrJvOt92+JDKlwrqpd/AjLJYQbKGx7WqXdgSHjKLbCA
AAYtuERBYvybCDuOk1/fUB/hLvtHR+Y1PT1rxSuPfaurDzF3VkWv/NE0YWYTq2hL
8Vkof+eMZaLCQ/YPUNejx+A48P3FAN5nqCwNyDlA
-----END CERTIFICATE-----
root@am335x-evm:~# 
root@am335x-evm:~# openssl x509 -in client1.crt -text      
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/[email protected]
        Validity
            Not Before: Sep 25 08:02:05 2015 GMT
            Not After : Sep 22 08:02:05 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30:
                    64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90:
                    f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44:
                    31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55:
                    21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79:
                    1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94:
                    77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81:
                    57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff:
                    a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5:
                    ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e:
                    9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b:
                    28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20:
                    c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80:
                    29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb:
                    f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24:
                    5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd:
                    a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb:
                    5e:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/[email protected]
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:client1
    Signature Algorithm: sha256WithRSAEncryption
         2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa:
         37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d:
         62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35:
         34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a:
         4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34:
         60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22:
         e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1:
         87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00:
         cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04:
         d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4:
         22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d:
         25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53:
         f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d:
         89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d:
         f1:6c:49:95
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVFcx
CzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAOBgNVBAoTB0ZveGNvbm4x
DDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUtQ0ExEDAOBgNVBCkTB0Vh
c3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29t
MB4XDTE1MDkyNTA4MDIwNVoXDTI1MDkyMjA4MDIwNVowgZoxCzAJBgNVBAYTAlRX
MQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMRAwDgYDVQQKEwdGb3hjb25u
MQwwCgYDVQQLEwNJT1QxEDAOBgNVBAMTB2NsaWVudDExEDAOBgNVBCkTB0Vhc3lS
U0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNoaWVuQGZveGNvbm4uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2CR7lomoCfo2IQNHqDBk5kIG
X0vj4vlKt+p305DzfrN40NLGKacGxsuaV0QxuFUiTBjMMFtX8Tvk/FUhoDIGKrDs
04RisirCe3kbYSdwdE3V6CoWN+kXepR3B8bdhNiGR6usXKONwoFX2pZUuhi18NYU
QTuTg/+ni3FCUqJHo4sFsjhOl9XsIejjTcrdMcNsZxHOpg6cBRhWNd+nbZQaH9np
SVsovXlxOg0kQhZ71bGVoyDA06jpUGofHcW/P9TYRoApHLIx9Pe8XUME/JgQ7evx
wf2fPrYWJ3SmcWGEjyRdFGWtvk/EbD+2efxWts2jZw7Dxih52m+ylwFoe/teWQID
AQABo4IBaTCCAWUwCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0Eg
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSZftTKzRYloDdva9t8eUVf
KAH4GTCB0wYDVR0jBIHLMIHIgBSC7XgY3Fdus6oPHrYKFDRejhSTJaGBpKSBoTCB
njELMAkGA1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxEDAO
BgNVBAoTB0ZveGNvbm4xDDAKBgNVBAsTA0lPVDEUMBIGA1UEAxMLc2VydmVyMjUt
Q0ExEDAOBgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEWGmphbWVzLmNrLmNo
aWVuQGZveGNvbm4uY29tggkA5RZ/llDpv+QwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
CwYDVR0PBAQDAgeAMBIGA1UdEQQLMAmCB2NsaWVudDEwDQYJKoZIhvcNAQELBQAD
ggEBAC18aXSXJmKz7Yrp6kPsQ6e7qjdvZcpgie8Oui5lZrdbyppoXWLh69Yq4VZT
AEths2z3CSpKNTSSh34KqUUinK8x3cmOFt7QKkqqrcMgKjT9EnM9UBK2NO8HNGAV
A7SSBM8ZTtV7zjed85xhIuP2u1BPXaXM581m4McJe4T+0Yfk+DR8DoE01v+BgrnM
qNq/AM8Fk2aB9+6iJhQGUzNe7ZdHBNCnWMeG/9woPRPJteNaHuKVxCJxuQRZrcAc
8i3PNcICLd/MnSWFl2sVOTDHqi7uMJat9D8EU/N9bBVk680jBbo6GKbk4eqPDYkO
InKR03gbX05X98mzXDKrHfFsSZU=
-----END CERTIFICATE-----
root@am335x-evm:~# 
    root@am335x-evm:~# 
    root@am335x-evm:~# 
    root@am335x-evm:~# 
    root@am335x-evm:~# openssl verify -verbose -CAfile ca.crt client1.crt
    client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = [email protected]
    error 7 at 0 depth lookup:certificate signature failure
    3067647712:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
    3067647712:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
    root@am335x-evm:~# 

在 OpenVPN 服务器(Unbuntu 桌面)和另一个 OpenVPN 客户端(Unbuntu 桌面)中使用相同的文件和相同的 Openssl verify 命令可以正常工作。

在互联网上搜索,这可能是由 easy-rsa 设置中的 default_md 设置导致的,因此我尝试将 default_md 更改为 md5、sha1、sha256,我全部尝试但都失败了......仍然出现相同的错误。

有人能告诉我为什么我的 ARMS 中的 openssl 无法验证证书吗,我还需要检查什么吗?我已经被这个问题困扰了好几个小时,非常感谢你的帮助!!

谨致问候詹姆斯

答案1

最后,我发现这是 TI am335x-evm openssl 库的问题,目前我已经通过移植自己的 openssl 库解决了这个问题,我尝试了两者(1.0.1g 和 1.0.1p)都运行良好,OpenVPN 现在按预期运行。顺便说一句,我已经通过以下方式向 TI 开具了工单

https://e2e.ti.com/support/arm/sitara_arm/f/791/t/455089

并且根据 TI,该问题应该在最新的 SDK V01.00.00.03 中得到修复,我只是尝试确认最新的 TI SDK 没有该问题,谢谢。

詹姆斯

相关内容