Ssltunnel:server
Server installation
Prerequisites
- Installing OpenSSL:
- From packages: # apt-get install openssl
- From source: See here
- Installing the required packages:
# apt-get install libssl-dev ppp autoconf automake gcc g++ make
Installation from source
# cd /usr/local/src/
# wget http://www.hsc.fr/ressources/outils/ssltunnel/download/ssltunnel-1.16.tar.gz
# tar xzvf ssltunnel-1.16.tar.gz
# cd ssltunnel-1.16
# ./configure --disable-client
# make
# make install
If the installation went well, you should see the following files:
- /usr/local/libexec/pppserver
- /usr/local/etc/ssltunnel/tunnel.conf.default
- /usr/local/sbin/pppwho
To start ssltunnel automatically at boot:
# cd /usr/local/src/ssltunnel-1.16/server/
# cp pppserver.sh /etc/init.d/
# cd /etc/init.d/
# chmod +x pppserver.sh
# update-rc.d pppserver.sh defaults 98
Copy the "users" file:
# cp /usr/local/src/ssltunnel-1.16/server/users /usr/local/etc/ssltunnel/
Note
This file is an example to be adapted. This is covered in the Configuration/Server section.
Certificate generation
On the server, certificates are generated with the commands that follow.
The official documentation is here: http://sourceforge.net/docman/display_doc.php?docid=21843&group_id=89578.
Generating a root certificate with a passphrase
Note
If you installed openssl from source, the CA.pl tool will most likely be in /usr/local/openssl/misc/. Otherwise (package installation), it should be in /usr/lib/ssl/misc/.
# cd /usr/local/etc/ssltunnel/
# /usr/local/openssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
<<ENTER>>
Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.......++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:<<PASSPHRASE>>
Verifying - Enter PEM pass phrase:<<PASSPHRASE>>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aldeid
Organizational Unit Name (eg, section) []:Main
Common Name (eg, YOUR name) []:www.aldeid.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<ENTER PASSWORD>>
An optional company name []:<<ENTER>>
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            e4:bb:ea:fa:84:ba:82:ea
        Validity
            Not Before: Jan 24 10:14:37 2009 GMT
            Not After : Jan 24 10:14:37 2012 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            organizationName          = Aldeid
            organizationalUnitName    = Main
            commonName                = www.aldeid.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CC:84:B0:99:87:73:6F:EB:80:6F:34:60:39:9C:A9:34:5F:CF:AA:0E
            X509v3 Authority Key Identifier:
                keyid:CC:84:B0:99:87:73:6F:EB:80:6F:34:60:39:9C:A9:34:5F:CF:AA:0E
                DirName:/C=FR/ST=France/O=Aldeid/OU=Main/CN=www.aldeid.com/[email protected]
                serial:E4:BB:EA:FA:84:BA:82:EA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 24 10:14:37 2012 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Copy the certificate into the ssltunnel directory
# cd /usr/local/etc/ssltunnel/
# cp demoCA/cacert.pem /usr/local/etc/ssltunnel/trusted.pem
Creating a server certificate
Note
If you installed openssl from source, openssl will most likely be in /usr/local/bin/. Otherwise (package installation), it should be in /usr/bin/.
# /usr/local/bin/openssl req -new -nodes -keyout server.key -out server.csr -days 365
Generating a 1024 bit RSA private key
..++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aldeid
Organizational Unit Name (eg, section) []:Main
Common Name (eg, YOUR name) []:www.aldeid.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<<ENTER>>>
An optional company name []:<<<ENTER>>>
Signing the server certificate with the root CA
# /usr/local/bin/openssl ca -policy policy_anything -out server.crt -infiles server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<<PASSPHRASE>>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cc:00:19:37:ce:f8:4b:85
        Validity
            Not Before: Jan 24 10:41:55 2009 GMT
            Not After : Jan 24 10:41:55 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            localityName              = Paris
            organizationName          = Aldeid
            organizationalUnitName    = Main
            commonName                = www.aldeid.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5F:98:96:05:1D:A5:1A:68:75:DA:0D:CC:E1:B7:E8:AA:2A:CA:F5:54
            X509v3 Authority Key Identifier:
                keyid:A7:17:11:84:2E:9A:3B:FF:58:54:F2:FC:D7:D5:8A:9B:C1:77:D8:5F

Certificate is to be certified until Jan 24 10:41:55 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Setting permissions on the server key
# chmod 600 server.key
Creating a client certificate
# /usr/local/bin/openssl req -new -nodes -keyout client.key -out client.csr -days 365
Generating a 1024 bit RSA private key
................++++++
...............++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aldeid
Organizational Unit Name (eg, section) []:Main
Common Name (eg, YOUR name) []:Sebastien Damaye
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<PASSWORD>>
An optional company name []:<<ENTER>>
Signing the client certificate
# /usr/local/bin/openssl ca -policy policy_anything -out client.crt -infiles client.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<<PASSWORD>>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cc:00:19:37:ce:f8:4b:86
        Validity
            Not Before: Jan 24 10:49:41 2009 GMT
            Not After : Jan 24 10:49:41 2010 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            localityName              = Paris
            organizationName          = Aldeid
            organizationalUnitName    = Main
            commonName                = Sebastien Damaye
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                45:78:CC:01:F2:CC:9F:CF:4B:3D:65:45:94:7C:BE:02:63:F4:90:A6
            X509v3 Authority Key Identifier:
                keyid:A7:17:11:84:2E:9A:3B:FF:58:54:F2:FC:D7:D5:8A:9B:C1:77:D8:5F

Certificate is to be certified until Jan 24 10:49:41 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Checking the directory tree
.
|-- client.crt
|-- client.csr
|-- client.key
|-- server.crt
|-- server.csr
|-- server.key
|-- trusted.pem
|-- tunnel.conf
|-- tunnel.conf.default
`-- users
Transferring files to the client
Transfer the following files to the client:
- trusted.pem
- client.crt
- client.key
Then set the appropriate permissions (on the client):
# chmod 600 client.key
Server configuration
tunnel.conf file
Open and edit the tunnel.conf file:
keyfile /usr/local/etc/ssltunnel/server.key
certfile /usr/local/etc/ssltunnel/server.crt
cacertfile /usr/local/etc/ssltunnel/trusted.pem
userfile /usr/local/etc/ssltunnel/users
wtmp /var/log/ssltunnel.wtmp
pidfile /var/run/pppserver.pid
timeout 20
maxusers 10
port 443
listenaddr 192.168.1.1
lockdir /var/lock/ssltunnel
+------------+------------------------------------------------------------+
| Parameter  | Description                                                |
+------------+------------------------------------------------------------+
| keyfile    | Location of the server key                                 |
| certfile   | Location of the server certificate                         |
| cacertfile | Location of the trusted authority certificate (root CA)    |
| userfile   | Location of the "users" file                               |
| wtmp       | Location of the log file (used by pppwho)                  |
| pidfile    | Location of the pid file (process identification)          |
| timeout    | Duration of the ssl_accept and of the banner read          |
| maxusers   | Maximum number of simultaneously connected users           |
| port       | Port the daemon listens on (leave 443)                     |
| listenaddr | Listening address (put your public address)                |
| lockdir    | Location of the lock file                                  |
+------------+------------------------------------------------------------+
users file
Edit and adapt the "users" file:
# vim /usr/local/etc/ssltunnel/users
Then put the following lines in it:
user /C=FR/ST=France/L=Paris/O=Aldeid/OU=Main/CN=Sebastien Damaye/[email protected]
command /usr/sbin/pppd
args 192.168.1.1:192.168.1.100 nodefaultroute nodetach debug
args lcp-echo-failure 10 lcp-echo-interval 10 proxyarp deflate 8
pty 1
uid 1000
gid 58
Note
Be careful: the file must end with an empty line.
Note
If uid and gid are absent, the server will be started as root.
+-------------+--------------------------------------------------------------+
| Parameter   | Description                                                  |
+-------------+--------------------------------------------------------------+
| user        | Use the "subject" returned by the following command:         |
|             | # /usr/local/bin/openssl x509 -subject < client.crt          |
| fingerprint | Use the "fingerprint" returned by the following command:     |
| (optional)  | # /usr/local/bin/openssl x509 -fingerprint < client.crt      |
| command     | Location of pppd                                             |
| args        | Before the ":" the local IP address, after the ":" the       |
|             | client's IP address                                          |
| pty         | Create a pty (leave 1 for pppd)                              |
| uid         | User id used to run pppd                                     |
| (optional)  |                                                              |
| gid         | Group id used to run pppd                                    |
| (optional)  |                                                              |
+-------------+--------------------------------------------------------------+
/etc/ppp/options file
Edit the /etc/ppp/options file:
# vim /etc/ppp/options
- Find the "auth" line and replace it with "noauth":
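The two notes above (trailing empty line, uid/gid or pppd runs as root) are easy to get wrong by hand. Here is an added check, not part of ssltunnel, that parses a users file in the keyword/value layout shown on this page (one entry per "user" line, repeated "args" lines accumulating, "#" lines treated as comments are all assumptions) and reports those pitfalls; the sample file is constructed.

```python
# Constructed sample in the 'keyword value' layout this page uses for the
# ssltunnel users file (not a real deployment); the last line is empty on purpose.
SAMPLE_USERS = """user /C=FR/ST=France/L=Paris/O=Aldeid/OU=Main/CN=Sebastien Damaye
command /usr/sbin/pppd
args 192.168.1.1:192.168.1.100 nodefaultroute nodetach debug
args lcp-echo-failure 10 lcp-echo-interval 10 proxyarp deflate 8
pty 1
uid 1000
gid 58

"""

def parse_keyvals(text):
    """Split a 'keyword value' file into (keyword, value) pairs; '#' comments are an assumption."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def parse_users(text):
    """One dict per 'user' line; repeated 'args' lines accumulate into one list."""
    entries, current = [], None
    for key, value in parse_keyvals(text):
        if key == "user":
            current = {"user": value, "args": []}
            entries.append(current)
        elif current is None:
            raise ValueError(f"'{key}' appears before any 'user' line")
        elif key == "args":
            current["args"].extend(value.split())
        else:
            current[key] = value
    return entries

def check_users(text):
    """Findings for the page's pitfalls: no trailing empty line, no uid/gid (root), pty not 1."""
    findings = []
    if not text.endswith("\n\n"):
        findings.append("file does not end with an empty line")
    for entry in parse_users(text):
        if "uid" not in entry or "gid" not in entry:
            findings.append(f"{entry['user']}: no uid/gid, pppd would run as root")
        if entry.get("command", "").endswith("pppd") and entry.get("pty") != "1":
            findings.append(f"{entry['user']}: pty should be 1 for pppd")
    return findings
```

Run check_users() on the real file's contents before restarting pppserver; an empty list means none of the three pitfalls is present.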
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting.  It is expected to be standard in
# future releases of pppd.  Use the call option (see manpage) to disable
# authentication for specific peers.
#auth
noauth
- Find the following lines and uncomment proxyarp:
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.
proxyarp