c:\OpenSSL-Win64-3.0\bin\openssl.exe pkcs12 -info -in new.pfx
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
........
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
localKeyID: 00 37 4E 49 8C 65 60 46 21 DA 9B E4 0D 24 0E 0B 4C 34 91 DB
Key Attributes: <No Attributes>
А OpenSSL 1.1.1 по умолчанию создает файл pkcs12 в формате 3DES:
c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -info -in new.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
.....
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 00 37 4E 49 8C 65 60 46 21 DA 9B E4 0D 24 0E 0B 4C 34 91 DB
Key Attributes: <No Attributes>Я правильно понимаю, что в Рутокен ЭЦП 3.0 невозможно импортировать RSA-ключ pkcs12 зашифрованный в формате AES? Это ограничение драйверов или самого токена?
Модель Рутокена - Рутокен ЭЦП 3.0 (3220).
После интеграции sdk с openssl решил проверить скорость шифрования. Для этого создал файл на несколько гигабайт в tmpfs
Получил примерную скорость для алгоритма kuznechik около 110 мегабАЙТ в секунду на одно ядро. (Для магмы плюс минус столькоже)
При этом для AES-256 на этом же процессоре результат составил примерно в 5 раз быстрее.
В интернете есть несколько статей где упоминается, что при использовании инструкций sse и avx производительность вырастала в разы.
Подскажите в вашем продукте - используются какие то техники оптимизации под современные процессоры, или может быть есть отдельная сборка под них?
]]>Записывал вот так:
pkcs11-tool --module librtpkcs11ecp.so --slot-index 0 --login --pin 00000000 --type privkey --write-object crt.key --id 13
- записал приватный ключ
pkcs11-tool --module librtpkcs11ecp.so --slot-index 0 --login --pin 00000000 --type cert --write-object crt.crt --id 13
- записал открытый ключВсё работает, OpenVPN видит контейнер, подключается.
pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20ECP/375f773c/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/13'Но в панели управления рутокен, я вижу только сертификат, подписанный как "сертификат без ключевой пары". Почему так?
]]>Нужна помощь, всю голову сломал, уперся в стенку, не пойму в чем дело.
Клиент Windows 10 stunnel 5.69
debug = 7
output = stunnel.log
engine = pkcs11
engineCtrl = MODULE_PATH:rtPKCS11.dll
engineCtrl = PIN:12345678
[test]
engineId = pkcs11
client = yes
accept = 1333
connect = 172.19.103.17:13395
verifyChain = yes
checkHost = my.contoso.com
cert = pkcs11:id=ce0c71cf-130d-48c6-91c7-4d5c1e60256c_E
CAfile = ca-certs.pem
Сервер Centos 8 stunnel 5.69
debug = 7
output = /stunnel.log
include = /etc/stunnel/conf.d/
curves = prime256v1
sslVersionMin = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
client = no
из conf.d
[rdp]
accept = 13391
connect = 172.19.103.20:443
renegotiation = no
verifyPeer = yes
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA
cert = /etc/stunnel/certs/my.contoso.com.crt
key = /etc/stunnel/certs/my.contoso.com.key
CAfile = /etc/stunnel/certs/clients.pem
requireCert = yes
При попытке подключения к клиент выдает
2023.06.07 16:29:11 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2023.06.07 16:29:11 LOG7[0]: TLS state (connect): TLSv1.3 read server certificate verify
2023.06.07 16:29:11 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2023.06.07 16:29:11 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2023.06.07 16:29:11 LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
2023.06.07 16:29:11 LOG7[0]: TLS alert (write): fatal: internal error
2023.06.07 16:29:11 LOG3[0]: error queue: ssl/statem/statem_lib.c:361: error:0A080006:SSL routines::EVP lib
2023.06.07 16:29:11 LOG3[0]: SSL_connect: p11_rsa.c:119: error:42000070:PKCS#11 module::Mechanism invalid
2023.06.07 16:29:11 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.06.07 16:29:11 LOG7[0]: Deallocating application specific data for session connect address
2023.06.07 16:29:11 LOG7[0]: Remote descriptor (FD=1304) closed
2023.06.07 16:29:11 LOG7[0]: local_rfd/local_wfd reset (FD=1288)
2023.06.07 16:29:11 LOG7[0]: Local descriptor (FD=1288) closed
2023.06.07 16:29:11 LOG7[0]: Service [test] finished (0 left)
----------------------------
Сервер
2023.06.07 16:29:11 LOG7[main]: Found 1 ready file descriptor(s)
2023.06.07 16:29:11 LOG7[main]: FD=4 events=0x2001 revents=0x0
2023.06.07 16:29:11 LOG7[main]: FD=9 events=0x2001 revents=0x0
2023.06.07 16:29:11 LOG7[main]: FD=10 events=0x2001 revents=0x1
2023.06.07 16:29:11 LOG7[main]: FD=11 events=0x2001 revents=0x0
2023.06.07 16:29:11 LOG7[main]: Service [lagos] accepted (FD=3) from 172.19.19.101:58054
2023.06.07 16:29:11 LOG7[3]: Service [lagos] started
2023.06.07 16:29:11 LOG7[3]: Setting local socket options (FD=3)
2023.06.07 16:29:11 LOG7[3]: Option TCP_NODELAY set on local socket
2023.06.07 16:29:11 LOG5[3]: Service [lagos] accepted connection from 172.19.19.101:58054
2023.06.07 16:29:11 LOG6[3]: Peer certificate required
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): before SSL initialization
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): before SSL initialization
2023.06.07 16:29:11 LOG7[3]: Initializing application specific data for session authenticated
2023.06.07 16:29:11 LOG7[3]: SNI: no virtual services defined
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS read client hello
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS write server hello
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS write change cipher spec
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): TLSv1.3 write encrypted extensions
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS write certificate request
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS write certificate
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): TLSv1.3 write server certificate verify
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): SSLv3/TLS write finished
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): TLSv1.3 early data
2023.06.07 16:29:11 LOG7[3]: TLS state (accept): TLSv1.3 early data
2023.06.07 16:29:11 LOG7[3]: Verification started at depth=1: CN=my.contoso.com
2023.06.07 16:29:11 LOG6[3]: CERT: Pre-verification error ignored: self signed certificate in certificate chain
2023.06.07 16:29:11 LOG6[3]: Certificate accepted at depth=1: CN=my.contoso.com
2023.06.07 16:29:11 LOG7[3]: Verification started at depth=1: CN=my.contoso.com
2023.06.07 16:29:11 LOG7[3]: CERT: Pre-verification succeeded
2023.06.07 16:29:11 LOG6[3]: Certificate accepted at depth=1: CN=my.contoso.com
2023.06.07 16:29:11 LOG7[3]: Verification started at depth=0: CN=KAV
2023.06.07 16:29:11 LOG7[3]: CERT: Pre-verification succeeded
2023.06.07 16:29:11 LOG6[3]: CERT: No subject checks configured
2023.06.07 16:29:11 LOG6[3]: CERT: Locally installed certificate matched
2023.06.07 16:29:11 LOG5[3]: Certificate accepted at depth=0: CN=KAV
2023.06.07 16:29:11 LOG7[3]: TLS alert (read): fatal: internal error
2023.06.07 16:29:11 LOG3[3]: SSL_accept: ssl/record/rec_layer_s3.c:1544: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
2023.06.07 16:29:11 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.06.07 16:29:11 LOG7[3]: Deallocating application specific data for session connect address
2023.06.07 16:29:11 LOG7[3]: Local descriptor (FD=3) closed
2023.06.07 16:29:11 LOG7[3]: Service [lagos] finished (0 left)
В списке механизмов поддержка есть, хотя со странным размером ключа:
ECDSA-KEY-PAIR-GEN, keySize={257,257}, hw, generate_key_pair, EC F_P, EC OID, EC uncompressedВ описании также сказано, что поддерживаются secp256k1 и secp256r1.
При попытке обе выдают некорректный результат:
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type EC:secp256r1 --label "SSH" --login --pin *****
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_TEMPLATE_INCONSISTENT (0xd1)
Aborting.
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type EC:secp256k1 --label "SSH" --login --pin *****
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_TEMPLATE_INCONSISTENT (0xd1)
Aborting.Версии пакетов:
librtpkcs11ecp: 2.6.1.0
opensc: 0.22.0-2.1Для настройки использовалась статья . Но с настройками openssl из статьи stunnel вообще не стартует. С настройками этой статьи stunnel стартует, процесс висит, но не работает.
Мои настройки такие:
openssl.cnf:
openssl_conf = openssl_def
*******
[openssl_def]
engines = engine_section
[engine_section]
rtengine = gost_section
pkcs11 = pkcs11_section
[gost_section]
engine_id = rtengine
dynamic_path = /usr/lib/x86_64-linux-gnu/librtengine.so
pkcs11_path = /usr/lib/librtpkcs11ecp.so
# rand_token = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP;id=048883ad0cce9ce51ea7206c8f7d629a6bfdeb22
rand_token = pkcs11:model=Rutoken%20ECP?pin-value=12345678
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
enable_rand = yes
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/librtpkcs11ecp.so
default_algorithms = CIPHERS, DIGEST, PKEY, RANDstunnel.conf:
; уровень логирования и путь до лог-файла
debug = 7
output = /home/tester/stunnel.log
pid = /home/tester/stunnel_cli_pid.pid
; устанавливаем протокол защиты TLSv1
sslVersion = TLSv1.1
; sslVersion = all
; подгружаем движок
engine = rtengine
; engine = pkcs11
[https]
engineId = rtengine
; engineId = pkcs11
client = yes
accept = 127.0.0.1:8000
connect = sit01.dom.test.gosuslugi.ru:10082
; путь до корневого сертификата
CAFile = /etc/stunnel/CA-SIT_2022.pem
checkHost = yes
; путь до сертификата клиента
; cert=pkcs11:model=Rutoken%20ECP?pin-value=12345678
; cert=pkcs11:id=0477dda5f69dfb917a512ff03460557567690ab7
cert = /home/tester/my_certs/rezonans_new_base64.cer
; путь до ключа на токене.
key=pkcs11:model=Rutoken%20ECP?pin-value=12345678
; key=pkcs11:id=0477dda5f69dfb917a512ff03460557567690ab7
options = NO_SSLv2
; устанавливаем верификацию
verify = 2stunnel.log:
2022.08.03 14:18:25 LOG7[ui]: Clients allowed=500
2022.08.03 14:18:25 LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform
2022.08.03 14:18:25 LOG5[ui]: Compiled with OpenSSL 1.1.1c 28 May 2019
2022.08.03 14:18:25 LOG5[ui]: Running with OpenSSL 1.1.1f 31 Mar 2020
2022.08.03 14:18:25 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2022.08.03 14:18:25 LOG7[ui]: errno: (*__errno_location ())
2022.08.03 14:18:25 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2022.08.03 14:18:25 LOG5[ui]: UTF-8 byte order mark not detected
2022.08.03 14:18:25 LOG7[ui]: Enabling support for engine "rtengine"
2022.08.03 14:18:25 LOG6[ui]: UI not supported by engine #1 (rtengine)
2022.08.03 14:18:25 LOG7[ui]: Initializing engine #1 (rtengine)
2022.08.03 14:18:25 LOG6[ui]: Engine #1 (rtengine) initialized
2022.08.03 14:18:25 LOG5[ui]: FIPS mode disabled
2022.08.03 14:18:25 LOG7[ui]: Compression disabled
2022.08.03 14:18:25 LOG7[ui]: No PRNG seeding was required
2022.08.03 14:18:25 LOG6[ui]: Initializing service [https]
2022.08.03 14:18:26 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2022.08.03 14:18:26 LOG7[ui]: TLSv1.3 ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM>2022.08.03 14:18:26 LOG7[ui]: TLS options: 0x02100004 (+0x00000000, -0x00000000)
2022.08.03 14:18:26 LOG6[ui]: Client certificate engine (rtengine) not supported
2022.08.03 14:18:26 LOG6[ui]: Loading certificate from engine ID: /home/tester/my_certs/rezonans_new_base64.cer
2022.08.03 14:18:26 LOG3[ui]: ENGINE_ctrl_cmd: Peer suddenly disconnected
2022.08.03 14:18:26 LOG6[ui]: Initializing private key on engine ID: pkcs11:model=Rutoken%20ECP?pin-value=12345678
2022.08.03 14:18:28 LOG6[ui]: Private key initialized on engine ID: pkcs11:model=Rutoken%20ECP?pin-value=12345678
2022.08.03 14:18:28 LOG6[ui]: Loading certificate from file: /home/tester/my_certs/rezonans_new_base64.cer
2022.08.03 14:18:28 LOG6[ui]: Certificate loaded from file: /home/tester/my_certs/rezonans_new_base64.cer
2022.08.03 14:18:28 LOG7[ui]: Private key check succeeded
2022.08.03 14:18:28 LOG5[ui]: Configuration successful
2022.08.03 14:18:28 LOG7[ui]: Binding service [https]
2022.08.03 14:18:28 LOG7[ui]: Listening file descriptor created (FD=10)
2022.08.03 14:18:28 LOG7[ui]: Setting accept socket options (FD=10)
2022.08.03 14:18:28 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2022.08.03 14:18:28 LOG6[ui]: Service [https] (FD=10) bound to 127.0.0.1:8000
2022.08.03 14:18:28 LOG7[main]: Created pid file /home/tester/stunnel_cli_pid.pid
2022.08.03 14:18:28 LOG7[cron]: Cron thread initialized
2022.08.03 14:18:28 LOG6[cron]: Executing cron jobs
2022.08.03 14:18:28 LOG6[cron]: Cron jobs completed in 0 seconds
2022.08.03 14:18:28 LOG7[cron]: Waiting 86400 seconds
2022.08.03 14:18:49 LOG7[main]: Found 1 ready file descriptor(s)
2022.08.03 14:18:49 LOG7[main]: FD=5 events=0x2001 revents=0x1
2022.08.03 14:18:49 LOG7[main]: FD=10 events=0x2001 revents=0x0
2022.08.03 14:18:49 LOG7[main]: Dispatching a signal from the signal pipe
2022.08.03 14:18:49 LOG7[main]: Processing SIGNAL_TERMINATE
2022.08.03 14:18:49 LOG5[main]: Terminated
2022.08.03 14:18:49 LOG7[main]: Leak detection table utilization: 13/997, 1.30%
2022.08.03 14:18:49 LOG7[main]: Removed pid file /home/tester/stunnel_cli_pid.pid
2022.08.03 14:18:49 LOG7[main]: Terminating the cron thread
2022.08.03 14:18:49 LOG5[main]: Terminating 1 service thread(s)
2022.08.03 14:18:49 LOG5[main]: Service threads terminated
2022.08.03 14:18:49 LOG7[main]: Deallocating section defaultsПодскажите, пожалуйста, в чём может быть проблема?
Если в stunnel.conf вызвать движок pkcs11, а так же параметр cert сделать:
pkcs11:id=0477dda5f69dfb917a512ff03460557567690ab7
Тогда при попытке запуска stunnel вывод будет таким:
Specified object not found
Specified object not found
Specified object not found
PKCS11_get_private_key returned NULL
[ ] Clients allowed=500
[.] stunnel 5.56 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.1.1c 28 May 2019
[.] Running with OpenSSL 1.1.1f 31 Mar 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[ ] Enabling support for engine "pkcs11"
[.] UI set for engine #1 (pkcs11)
[ ] Initializing engine #1 (pkcs11)
[ ] Engine #1 (pkcs11) initialized
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [https]
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Client certificate engine (pkcs11) not supported
[ ] Loading certificate from engine ID: pkcs11:id=0477dda5f69dfb917a512ff03460557567690ab7
[!] ENGINE_ctrl_cmd: eng_back.c:593: error:82066065:pkcs11 engine:ctx_ctrl_load_cert:object not found
[ ] Initializing private key on engine ID: pkcs11:model=Rutoken%20ECP?pin-value=12345678
[!] error queue: ../crypto/engine/eng_pkey.c:77: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
[!] ENGINE_load_private_key: eng_back.c:858: error:82067065:pkcs11 engine:ctx_load_privkey:object not found
[ ] Loading certificate from file: pkcs11:id=0477dda5f69dfb917a512ff03460557567690ab7
[!] error queue: ../ssl/ssl_rsa.c:615: error:140DC002:SSL routines:use_certificate_chain_file:system lib
[!] error queue: ../crypto/bio/bss_file.c:290: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_certificate_chain_file: ../crypto/bio/bss_file.c:288: error:02001002:system library:fopen:No such file or directory
[!] Service [https]: Failed to initialize TLS context
[ ] Deallocating section defaultsПроблема после установки на сервер и генерации сертификата в openssl 1.1.1k.
Соединение прекрасно устанавливается, если сертификат и ключ доступны и прописаны в клиентском конфиге openvpn.
Однако после импорта pfx пары в токен и соответсвующей правки конфига токен не принимает правильный пароль и после двух-трех попыток вываливается с ошибкой.
Интересно, что на этой же машине прекрасно отрабатывает конфиг и токен с сертификатами, сделанными на openssl 1.1.0
Где копать?
Версия rtPKCS11.dll 4.9.1.0
Версия openvpn 2.5.5.0
Конфиг для работы без токена:
proto udp
dev tun
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
nobind
remote Х.Х.Х.Х 1194
verb 3
ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
cert client1.crt
key client1.key
pkcs11-pin-cache 300
float
keepalive 10 120Лог работы без токена:
2022-04-11 15:13:40 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-04-11 15:13:40 Windows version 10.0 (Windows 10 or greater) 64bit
2022-04-11 15:13:40 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-04-11 15:13:40 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-04-11 15:13:40 Need hold release from management interface, waiting...
2022-04-11 15:13:40 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-04-11 15:13:40 MANAGEMENT: CMD 'state on'
2022-04-11 15:13:40 MANAGEMENT: CMD 'log all on'
2022-04-11 15:13:40 MANAGEMENT: CMD 'echo all on'
2022-04-11 15:13:40 MANAGEMENT: CMD 'bytecount 5'
2022-04-11 15:13:40 MANAGEMENT: CMD 'hold off'
2022-04-11 15:13:40 MANAGEMENT: CMD 'hold release'
2022-04-11 15:13:40 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:13:40 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:13:40 TCP/UDP: Preserving recently used remote address: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:13:40 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-04-11 15:13:40 UDP link local: (not bound)
2022-04-11 15:13:40 UDP link remote: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:13:40 MANAGEMENT: >STATE:1649679220,WAIT,,,,,,
2022-04-11 15:13:40 MANAGEMENT: >STATE:1649679220,AUTH,,,,,,
2022-04-11 15:13:40 TLS: Initial packet from [AF_INET]Х.Х.Х.Х:1194, sid=2a64e72c 93f8c592
2022-04-11 15:13:40 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-04-11 15:13:40 VERIFY KU OK
2022-04-11 15:13:40 Validating certificate extended key usage
2022-04-11 15:13:40 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-11 15:13:40 VERIFY EKU OK
2022-04-11 15:13:40 VERIFY OK: depth=0, CN=ovpn-serv
2022-04-11 15:13:40 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-04-11 15:13:40 [ovpn-serv] Peer Connection Initiated with [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:13:40 PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,route 10.168.103.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2022-04-11 15:13:40 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-11 15:13:40 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-04-11 15:13:40 Socket Buffers: R=[65536->393216] S=[65536->393216]
2022-04-11 15:13:40 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-11 15:13:40 OPTIONS IMPORT: route options modified
2022-04-11 15:13:40 OPTIONS IMPORT: peer-id set
2022-04-11 15:13:40 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-04-11 15:13:40 OPTIONS IMPORT: data channel crypto options modified
2022-04-11 15:13:40 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-04-11 15:13:40 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-11 15:13:40 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-11 15:13:40 interactive service msg_channel=612
2022-04-11 15:13:40 open_tun
2022-04-11 15:13:40 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-04-11 15:13:40 TAP-Windows Driver Version 9.24
2022-04-11 15:13:40 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {3C99C393-A79C-41F9-87D0-BFB1E37B704F} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
2022-04-11 15:13:40 Successful ARP Flush on interface [8] {3C99C393-A79C-41F9-87D0-BFB1E37B704F}
2022-04-11 15:13:40 MANAGEMENT: >STATE:1649679220,ASSIGN_IP,,10.8.0.6,,,,
2022-04-11 15:13:40 IPv4 MTU set to 1500 on interface 8 using service
2022-04-11 15:13:45 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
2022-04-11 15:13:45 MANAGEMENT: >STATE:1649679225,ADD_ROUTES,,,,,,
2022-04-11 15:13:45 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
2022-04-11 15:13:45 Route addition via service succeeded
2022-04-11 15:13:45 C:\Windows\system32\route.exe ADD 10.168.103.0 MASK 255.255.255.0 10.8.0.5
2022-04-11 15:13:45 Route addition via service succeeded
2022-04-11 15:13:45 Initialization Sequence Completed
2022-04-11 15:13:45 MANAGEMENT: >STATE:1649679225,CONNECTED,SUCCESS,10.8.0.6,Х.Х.Х.Х,1194,,Конфиг для работы с токеном:
proto udp
dev tun
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
nobind
remote Х.Х.Х.Х 1194
verb 3
ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
pkcs11-providers c:\\windows\\system32\\rtPKCS11.dll
pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20S/2cc64ac5/Rutoken\x20S\x20\x3Cno\x20label\x3E/62633163633037322D643561632D343961372D383762382D3964306130316637663364305F45'
pkcs11-pin-cache 300
float
keepalive 10 120Лог работы с токеном:
2022-04-11 15:19:49 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-04-11 15:19:49 Windows version 10.0 (Windows 10 or greater) 64bit
2022-04-11 15:19:49 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-04-11 15:19:49 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-04-11 15:19:49 Need hold release from management interface, waiting...
2022-04-11 15:19:49 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-04-11 15:19:49 MANAGEMENT: CMD 'state on'
2022-04-11 15:19:49 MANAGEMENT: CMD 'log all on'
2022-04-11 15:19:49 MANAGEMENT: CMD 'echo all on'
2022-04-11 15:19:49 MANAGEMENT: CMD 'bytecount 5'
2022-04-11 15:19:49 MANAGEMENT: CMD 'hold off'
2022-04-11 15:19:49 MANAGEMENT: CMD 'hold release'
2022-04-11 15:19:49 PKCS#11: Adding PKCS#11 provider 'c:\windows\system32\rtPKCS11.dll'
2022-04-11 15:19:49 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:19:49 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:19:49 TCP/UDP: Preserving recently used remote address: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:19:49 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-04-11 15:19:49 UDP link local: (not bound)
2022-04-11 15:19:49 UDP link remote: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:19:49 MANAGEMENT: >STATE:1649679589,WAIT,,,,,,
2022-04-11 15:19:49 MANAGEMENT: >STATE:1649679589,AUTH,,,,,,
2022-04-11 15:19:49 TLS: Initial packet from [AF_INET]Х.Х.Х.Х:1194, sid=ff5e9ddc 01a1704c
2022-04-11 15:19:50 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-04-11 15:19:50 VERIFY KU OK
2022-04-11 15:19:50 Validating certificate extended key usage
2022-04-11 15:19:50 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-11 15:19:50 VERIFY EKU OK
2022-04-11 15:19:50 VERIFY OK: depth=0, CN=ovpn-serv
2022-04-11 15:19:54 MANAGEMENT: CMD 'password [...]'
2022-04-11 15:20:12 MANAGEMENT: CMD 'password [...]'
2022-04-11 15:20:12 PKCS#11: Cannot perform signature 112:'CKR_MECHANISM_INVALID'
2022-04-11 15:20:12 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2022-04-11 15:20:12 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-11 15:20:12 TLS Error: TLS object -> incoming plaintext read error
2022-04-11 15:20:12 TLS Error: TLS handshake failed
2022-04-11 15:20:12 SIGUSR1[soft,tls-error] received, process restarting
2022-04-11 15:20:12 MANAGEMENT: >STATE:1649679612,RECONNECTING,tls-error,,,,,
2022-04-11 15:20:12 Restart pause, 5 second(s)
2022-04-11 15:20:17 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:20:17 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-11 15:20:17 TCP/UDP: Preserving recently used remote address: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:20:17 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-04-11 15:20:17 UDP link local: (not bound)
2022-04-11 15:20:17 UDP link remote: [AF_INET]Х.Х.Х.Х:1194
2022-04-11 15:20:17 MANAGEMENT: >STATE:1649679617,WAIT,,,,,,
2022-04-11 15:20:17 MANAGEMENT: >STATE:1649679617,AUTH,,,,,,
2022-04-11 15:20:17 TLS: Initial packet from [AF_INET]Х.Х.Х.Х:1194, sid=eeebdcdc f1cd5ac7
2022-04-11 15:20:17 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-04-11 15:20:17 VERIFY KU OK
2022-04-11 15:20:17 Validating certificate extended key usage
2022-04-11 15:20:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-11 15:20:17 VERIFY EKU OK
2022-04-11 15:20:17 VERIFY OK: depth=0, CN=ovpn-serv
2022-04-11 15:20:19 PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
2022-04-11 15:20:19 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2022-04-11 15:20:19 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-11 15:20:19 TLS Error: TLS object -> incoming plaintext read error
2022-04-11 15:20:19 TLS Error: TLS handshake failed
2022-04-11 15:20:19 SIGTERM[hard,tls-error] received, process exiting
2022-04-11 15:20:19 MANAGEMENT: >STATE:1649679619,EXITING,tls-error,,,,,Мой коллега snussi уже когда-то здесь задавал вопросы, связанные с использованием rutoken для vpn авторизации.
В общем, мы уже на нескольких дистрибутивах линукса эту цепочку отладили, хотя там определённое колдунство требуется. Используется взятый когда-то l2tpvpnmanager, но его пришлось допиливать.
В общем, если кто-то интересуется работой vpn с авторизации с использованием рутокена, могли бы наработки выложить. В конечном счете, доя пользователя все настраивается через gui.
]]>Есть FreeBSD 11.2 amd64, там стоит криптопро, драйвера Rutoken S, с криптопро все работает, но SDK для него нужно покупать отдельно, а мне всего-то нужно программно, без вызова внешней утилиты, подписывать, шифровать, расшифровывать файлы.
GOST собрал. openssl 1.1.1b.
Нигде не нашел ответа на вопрос "как в openssl воспользоваться ключами с Rutoken S?"
]]>