Puisque nous savons utiliser TinyCA
, autant nous en servir. Nous allons créer avec notre CA un certificat pour aaron
(serveur) et un autre pour cyclope
(client) et allons les placer, ainsi que leur clé privée, sur leurs destinations respectives.
Nous ne détaillons pas la création de ces certificats, reportez-vous à la page Mise en œuvre avec TinyCA du chapitre Notions de cryptographie.
Nous disposons donc de :
bts.eme-cacert.pem
le certificat de notre CA ;cyclope.maison.mrs-key.pem
la clé privée de cyclope
;cyclope.maison.mrs.pem
le certificat de cyclope
;aaron.bts.eme-key.pem
la clé privée de aaron
;aaron.bts.eme.pem
le certificat de aaron
.
Nous posons, par un moyen sécurisé, bts.eme-cacert.pem, cyclope.maison.mrs-key.pem et cyclope.maison.mrs.pem par exemple dans le répertoire de root
de cyclope
.
Nous posons, par un moyen sécurisé, bts.eme-cacert.pem, aaron.bts.eme-key.pem et aaron.bts.eme.pem par exemple dans le répertoire de root
de aaron
.
Enfin, nous créons sur aaron
(le serveur), un paramètre « Diffie Hellman » au moyen d'OpenSSL
, qui servira à générer les clés de session. En effet, la cryptographie « asymétrique », très gourmande en ressources, n'est utilisée que dans la phase d'authentification et d'établissement du tunnel. Par la suite, les données sont chiffrées de manière symétrique avec une clé partagée, communiquée par le serveur au client (à travers un chiffrement asymétrique, bien entendu).
aaron:~# openssl dhparam -out dh1024.pem 1024 Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..................................
Et quelques (parfois très longues) minutes plus tard, nous avons le fichier :
aaron:~# cat dh1024.pem -----BEGIN DH PARAMETERS----- MIGHAoGBANcTIW0XcvuNDSgK+KiS0rmo14zHNxnMK3IHjvWCqjJL8F0+nwFKvLql FBggAoL1Si+4iuVJoZU3T4H/tsGlsayvWF1l4PNVuaenER2bhIDeFNGx1A/WbYmK 1JNOVpyfwC/i1fv1L/8bpzrjGsgl4GIy8sKzJt+PXRcV61fcJIM7AgEC -----END DH PARAMETERS-----
Celui là, on ne pourra pas dire qu'il a été écrit à la légère.
La ligne de commande va commencer à être longue…
C'est le serveur.
aaron:~# openvpn --port 8147 --dev tun1 --ifconfig 192.168.25.1 192.168.25.2 --comp-lzo --verb 5 --tls-server --dh dh1024.pem --ca bts.eme-cacert.pem --cert aaron.bts.eme.pem --key aaron.bts.eme-key.pem --reneg-sec 21600
Ce qui nous dit :
Sat Nov 15 18:49:41 2008 us=923686 Current Parameter Settings: Sat Nov 15 18:49:41 2008 us=924704 config = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=924953 mode = 0 Sat Nov 15 18:49:41 2008 us=925180 persist_config = DISABLED Sat Nov 15 18:49:41 2008 us=925410 persist_mode = 1 Sat Nov 15 18:49:41 2008 us=925635 show_ciphers = DISABLED Sat Nov 15 18:49:41 2008 us=925862 show_digests = DISABLED Sat Nov 15 18:49:41 2008 us=926087 show_engines = DISABLED Sat Nov 15 18:49:41 2008 us=926314 genkey = DISABLED Sat Nov 15 18:49:41 2008 us=926542 key_pass_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=926771 show_tls_ciphers = DISABLED Sat Nov 15 18:49:41 2008 us=927001 proto = 0 Sat Nov 15 18:49:41 2008 us=927226 local = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=927452 remote_list = NULL Sat Nov 15 18:49:41 2008 us=927679 remote_random = DISABLED Sat Nov 15 18:49:41 2008 us=927909 local_port = 8147 Sat Nov 15 18:49:41 2008 us=928155 remote_port = 8147 Sat Nov 15 18:49:41 2008 us=928381 remote_float = DISABLED Sat Nov 15 18:49:41 2008 us=928688 ipchange = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=928925 bind_local = ENABLED Sat Nov 15 18:49:41 2008 us=929153 dev = 'tun1' Sat Nov 15 18:49:41 2008 us=929381 dev_type = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=929608 dev_node = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=929832 tun_ipv6 = DISABLED Sat Nov 15 18:49:41 2008 us=930059 ifconfig_local = '192.168.25.1' Sat Nov 15 18:49:41 2008 us=930303 ifconfig_remote_netmask = '192.168.25.2' Sat Nov 15 18:49:41 2008 us=930536 ifconfig_noexec = DISABLED Sat Nov 15 18:49:41 2008 us=930765 ifconfig_nowarn = DISABLED Sat Nov 15 18:49:41 2008 us=930995 shaper = 0 Sat Nov 15 18:49:41 2008 us=931222 tun_mtu = 1500 Sat Nov 15 18:49:41 2008 us=931452 tun_mtu_defined = ENABLED Sat Nov 15 18:49:41 2008 us=931683 link_mtu = 1500 Sat Nov 15 18:49:41 2008 us=931909 link_mtu_defined = DISABLED Sat Nov 15 18:49:41 2008 us=932140 tun_mtu_extra = 0 Sat Nov 15 18:49:41 2008 us=932365 tun_mtu_extra_defined = DISABLED Sat Nov 15 18:49:41 2008 us=932635 fragment = 0 Sat Nov 15 18:49:41 2008 us=932866 mtu_discover_type = -1 Sat Nov 15 18:49:41 2008 us=933092 mtu_test = 0 Sat Nov 15 18:49:41 2008 us=933317 mlock = DISABLED Sat Nov 15 18:49:41 2008 us=933545 keepalive_ping = 0 Sat Nov 15 18:49:41 2008 us=933772 keepalive_timeout = 0 Sat Nov 15 18:49:41 2008 us=933999 inactivity_timeout = 0 Sat Nov 15 18:49:41 2008 us=934227 ping_send_timeout = 0 Sat Nov 15 18:49:41 2008 us=934452 ping_rec_timeout = 0 Sat Nov 15 18:49:41 2008 us=934679 ping_rec_timeout_action = 0 Sat Nov 15 18:49:41 2008 us=934921 ping_timer_remote = DISABLED Sat Nov 15 18:49:41 2008 us=935153 remap_sigusr1 = 0 Sat Nov 15 18:49:41 2008 us=935381 explicit_exit_notification = 0 Sat Nov 15 18:49:41 2008 us=935609 persist_tun = DISABLED Sat Nov 15 18:49:41 2008 us=935837 persist_local_ip = DISABLED Sat Nov 15 18:49:41 2008 us=936065 persist_remote_ip = DISABLED Sat Nov 15 18:49:41 2008 us=936294 persist_key = DISABLED Sat Nov 15 18:49:41 2008 us=936521 mssfix = 1450 Sat Nov 15 18:49:41 2008 us=936787 passtos = DISABLED Sat Nov 15 18:49:41 2008 us=937016 resolve_retry_seconds = 1000000000 Sat Nov 15 18:49:41 2008 us=937245 connect_retry_seconds = 5 Sat Nov 15 18:49:41 2008 us=937473 username = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=937700 groupname = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=937926 chroot_dir = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=938157 cd_dir = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=938385 writepid = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=938612 up_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=938839 down_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=939065 down_pre = DISABLED Sat Nov 15 18:49:41 2008 us=939291 up_restart = DISABLED Sat Nov 15 18:49:41 2008 us=939518 up_delay = DISABLED Sat Nov 15 18:49:41 2008 us=939743 daemon = DISABLED Sat Nov 15 18:49:41 2008 us=939970 inetd = 0 Sat Nov 15 18:49:41 2008 us=940195 log = DISABLED Sat Nov 15 18:49:41 2008 us=940422 suppress_timestamps = DISABLED Sat Nov 15 18:49:41 2008 us=940692 nice = 0 Sat Nov 15 18:49:41 2008 us=940919 verbosity = 5 Sat Nov 15 18:49:41 2008 us=941146 mute = 0 Sat Nov 15 18:49:41 2008 us=941372 gremlin = 0 Sat Nov 15 18:49:41 2008 us=941611 status_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=941840 status_file_version = 1 Sat Nov 15 18:49:41 2008 us=942066 status_file_update_freq = 60 Sat Nov 15 18:49:41 2008 us=942292 occ = ENABLED Sat Nov 15 18:49:41 2008 us=942520 rcvbuf = 65536 Sat Nov 15 18:49:41 2008 us=942747 sndbuf = 65536 Sat Nov 15 18:49:41 2008 us=942975 socks_proxy_server = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=943205 socks_proxy_port = 0 Sat Nov 15 18:49:41 2008 us=943431 socks_proxy_retry = DISABLED Sat Nov 15 18:49:41 2008 us=943660 fast_io = DISABLED Sat Nov 15 18:49:41 2008 us=943887 comp_lzo = ENABLED Sat Nov 15 18:49:41 2008 us=944114 comp_lzo_adaptive = ENABLED Sat Nov 15 18:49:41 2008 us=944345 route_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=944614 route_default_gateway = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=944852 route_noexec = DISABLED Sat Nov 15 18:49:41 2008 us=945081 route_delay = 0 Sat Nov 15 18:49:41 2008 us=945309 route_delay_window = 30 Sat Nov 15 18:49:41 2008 us=945534 route_delay_defined = DISABLED Sat Nov 15 18:49:41 2008 us=945764 management_addr = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=945995 management_port = 0 Sat Nov 15 18:49:41 2008 us=946221 management_user_pass = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=946452 management_log_history_cache = 250 Sat Nov 15 18:49:41 2008 us=946683 management_echo_buffer_size = 100 Sat Nov 15 18:49:41 2008 us=946911 management_query_passwords = DISABLED Sat Nov 15 18:49:41 2008 us=947139 management_hold = DISABLED Sat Nov 15 18:49:41 2008 us=947369 shared_secret_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=947599 key_direction = 0 Sat Nov 15 18:49:41 2008 us=947842 ciphername_defined = ENABLED Sat Nov 15 18:49:41 2008 us=948074 ciphername = 'BF-CBC' Sat Nov 15 18:49:41 2008 us=948302 authname_defined = ENABLED Sat Nov 15 18:49:41 2008 us=948809 authname = 'SHA1' Sat Nov 15 18:49:41 2008 us=949054 keysize = 0 Sat Nov 15 18:49:41 2008 us=949281 engine = DISABLED Sat Nov 15 18:49:41 2008 us=949509 replay = ENABLED Sat Nov 15 18:49:41 2008 us=949738 mute_replay_warnings = DISABLED Sat Nov 15 18:49:41 2008 us=949970 replay_window = 64 Sat Nov 15 18:49:41 2008 us=950198 replay_time = 15 Sat Nov 15 18:49:41 2008 us=950424 packet_id_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=950654 use_iv = ENABLED Sat Nov 15 18:49:41 2008 us=950882 test_crypto = DISABLED Sat Nov 15 18:49:41 2008 us=951109 tls_server = ENABLED Sat Nov 15 18:49:41 2008 us=951336 tls_client = DISABLED Sat Nov 15 18:49:41 2008 us=951569 key_method = 2 Sat Nov 15 18:49:41 2008 us=951797 ca_file = 'bts.eme-cacert.pem' Sat Nov 15 18:49:41 2008 us=952028 dh_file = 'dh1024.pem' Sat Nov 15 18:49:41 2008 us=952256 cert_file = 'aaron.bts.eme.pem' Sat Nov 15 18:49:41 2008 us=952485 priv_key_file = 'aaron.bts.eme-key.pem' Sat Nov 15 18:49:41 2008 us=952760 pkcs12_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=952987 cipher_list = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=953214 tls_verify = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=953442 tls_remote = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=953669 crl_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=953898 ns_cert_type = 0 Sat Nov 15 18:49:41 2008 us=954127 tls_timeout = 2 Sat Nov 15 18:49:41 2008 us=954356 renegotiate_bytes = 0 Sat Nov 15 18:49:41 2008 us=954584 renegotiate_packets = 0 Sat Nov 15 18:49:41 2008 us=954826 renegotiate_seconds = 21600 Sat Nov 15 18:49:41 2008 us=955057 handshake_window = 60 Sat Nov 15 18:49:41 2008 us=955285 transition_window = 3600 Sat Nov 15 18:49:41 2008 us=955513 single_session = DISABLED Sat Nov 15 18:49:41 2008 us=955743 tls_exit = DISABLED Sat Nov 15 18:49:41 2008 us=955971 tls_auth_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=956283 server_network = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=956530 server_netmask = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=956810 server_bridge_ip = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=957049 server_bridge_netmask = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=957288 server_bridge_pool_start = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=957527 server_bridge_pool_end = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=957758 ifconfig_pool_defined = DISABLED Sat Nov 15 18:49:41 2008 us=957997 ifconfig_pool_start = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=958249 ifconfig_pool_end = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=958487 ifconfig_pool_netmask = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=958717 ifconfig_pool_persist_filename = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=958952 ifconfig_pool_persist_refresh_freq = 600 Sat Nov 15 18:49:41 2008 us=959185 ifconfig_pool_linear = DISABLED Sat Nov 15 18:49:41 2008 us=959417 n_bcast_buf = 256 Sat Nov 15 18:49:41 2008 us=959647 tcp_queue_limit = 64 Sat Nov 15 18:49:41 2008 us=959875 real_hash_size = 256 Sat Nov 15 18:49:41 2008 us=960104 virtual_hash_size = 256 Sat Nov 15 18:49:41 2008 us=960332 client_connect_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=960565 learn_address_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=960836 client_disconnect_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=961068 client_config_dir = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=961302 ccd_exclusive = DISABLED Sat Nov 15 18:49:41 2008 us=961532 tmp_dir = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=961760 push_ifconfig_defined = DISABLED Sat Nov 15 18:49:41 2008 us=962000 push_ifconfig_local = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=962238 push_ifconfig_remote_netmask = 0.0.0.0 Sat Nov 15 18:49:41 2008 us=962467 enable_c2c = DISABLED Sat Nov 15 18:49:41 2008 us=962694 duplicate_cn = DISABLED Sat Nov 15 18:49:41 2008 us=962921 cf_max = 0 Sat Nov 15 18:49:41 2008 us=963150 cf_per = 0 Sat Nov 15 18:49:41 2008 us=963379 max_clients = 1024 Sat Nov 15 18:49:41 2008 us=963609 max_routes_per_client = 256 Sat Nov 15 18:49:41 2008 us=963839 client_cert_not_required = DISABLED Sat Nov 15 18:49:41 2008 us=964069 username_as_common_name = DISABLED Sat Nov 15 18:49:41 2008 us=964300 auth_user_pass_verify_script = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=964545 auth_user_pass_verify_script_via_file = DISABLED Sat Nov 15 18:49:41 2008 us=964847 client = DISABLED Sat Nov 15 18:49:41 2008 us=965048 pull = DISABLED Sat Nov 15 18:49:41 2008 us=965250 auth_user_pass_file = '[UNDEF]' Sat Nov 15 18:49:41 2008 us=965456 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007 Sat Nov 15 18:49:42 2008 us=15536 Diffie-Hellman initialized with 1024 bit key Sat Nov 15 18:49:42 2008 us=21069 LZO compression initialized Sat Nov 15 18:49:42 2008 us=21975 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Sat Nov 15 18:49:42 2008 us=72086 TUN/TAP device tun1 opened Sat Nov 15 18:49:42 2008 us=72501 TUN/TAP TX queue length set to 100 Sat Nov 15 18:49:42 2008 us=72890 ifconfig tun1 192.168.25.1 pointopoint 192.168.25.2 mtu 1500 Sat Nov 15 18:49:42 2008 us=87489 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Sat Nov 15 18:49:42 2008 us=88034 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server' Sat Nov 15 18:49:42 2008 us=88289 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client' Sat Nov 15 18:49:42 2008 us=88685 Local Options hash (VER=V4): '40c5ad26' Sat Nov 15 18:49:42 2008 us=88966 Expected Remote Options hash (VER=V4): 'b7094d11' Sat Nov 15 18:49:42 2008 us=89285 Socket Buffers: R=[110592->131072] S=[110592->131072] Sat Nov 15 18:49:42 2008 us=89823 UDPv4 link local (bound): [undef]:8147 Sat Nov 15 18:49:42 2008 us=90054 UDPv4 link remote: [undef]
C'est le client
cyclope:~# openvpn --remote 82.127.57.95 --port 8147 --dev tun1 --ifconfig 192.168.25.2 192.168.25.1 --comp-lzo --verb 5 --tls-client --ca bts.eme-cacert.pem --cert cyclope.maison.mrs.pem --key cyclope.maison.mrs-key.pem
Sat Nov 15 18:55:03 2008 us=70505 Current Parameter Settings: Sat Nov 15 18:55:03 2008 us=72038 config = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=72781 mode = 0 Sat Nov 15 18:55:03 2008 us=73464 persist_config = DISABLED Sat Nov 15 18:55:03 2008 us=74166 persist_mode = 1 Sat Nov 15 18:55:03 2008 us=74853 show_ciphers = DISABLED Sat Nov 15 18:55:03 2008 us=75617 show_digests = DISABLED Sat Nov 15 18:55:03 2008 us=76425 show_engines = DISABLED Sat Nov 15 18:55:03 2008 us=77118 genkey = DISABLED Sat Nov 15 18:55:03 2008 us=77810 key_pass_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=78515 show_tls_ciphers = DISABLED Sat Nov 15 18:55:03 2008 us=79374 proto = 0 Sat Nov 15 18:55:03 2008 us=80071 local = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=80886 remote_list[0] = {'82.127.57.95', 8147} Sat Nov 15 18:55:03 2008 us=81641 remote_random = DISABLED Sat Nov 15 18:55:03 2008 us=82336 local_port = 8147 Sat Nov 15 18:55:03 2008 us=83033 remote_port = 8147 Sat Nov 15 18:55:03 2008 us=84055 remote_float = DISABLED Sat Nov 15 18:55:03 2008 us=84570 ipchange = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=84953 bind_local = ENABLED Sat Nov 15 18:55:03 2008 us=85293 dev = 'tun1' Sat Nov 15 18:55:03 2008 us=86334 dev_type = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=86994 dev_node = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=87748 tun_ipv6 = DISABLED Sat Nov 15 18:55:03 2008 us=88442 ifconfig_local = '192.168.25.2' Sat Nov 15 18:55:03 2008 us=89163 ifconfig_remote_netmask = '192.168.25.1' Sat Nov 15 18:55:03 2008 us=89688 ifconfig_noexec = DISABLED Sat Nov 15 18:55:03 2008 us=90204 ifconfig_nowarn = DISABLED Sat Nov 15 18:55:03 2008 us=91041 shaper = 0 Sat Nov 15 18:55:03 2008 us=91799 tun_mtu = 1500 Sat Nov 15 18:55:03 2008 us=92494 tun_mtu_defined = ENABLED Sat Nov 15 18:55:03 2008 us=93193 link_mtu = 1500 Sat Nov 15 18:55:03 2008 us=93887 link_mtu_defined = DISABLED Sat Nov 15 18:55:03 2008 us=94587 tun_mtu_extra = 0 Sat Nov 15 18:55:03 2008 us=95535 tun_mtu_extra_defined = DISABLED Sat Nov 15 18:55:03 2008 us=96226 fragment = 0 Sat Nov 15 18:55:03 2008 us=96917 mtu_discover_type = -1 Sat Nov 15 18:55:03 2008 us=97432 mtu_test = 0 Sat Nov 15 18:55:03 2008 us=97944 mlock = DISABLED Sat Nov 15 18:55:03 2008 us=98458 keepalive_ping = 0 Sat Nov 15 18:55:03 2008 us=98613 keepalive_timeout = 0 Sat Nov 15 18:55:03 2008 us=98719 inactivity_timeout = 0 Sat Nov 15 18:55:03 2008 us=98822 ping_send_timeout = 0 Sat Nov 15 18:55:03 2008 us=98924 ping_rec_timeout = 0 Sat Nov 15 18:55:03 2008 us=99027 ping_rec_timeout_action = 0 Sat Nov 15 18:55:03 2008 us=99128 ping_timer_remote = DISABLED Sat Nov 15 18:55:03 2008 us=99295 remap_sigusr1 = 0 Sat Nov 15 18:55:03 2008 us=99401 explicit_exit_notification = 0 Sat Nov 15 18:55:03 2008 us=99502 persist_tun = DISABLED Sat Nov 15 18:55:03 2008 us=99604 persist_local_ip = DISABLED Sat Nov 15 18:55:03 2008 us=99705 persist_remote_ip = DISABLED Sat Nov 15 18:55:03 2008 us=99806 persist_key = DISABLED Sat Nov 15 18:55:03 2008 us=99910 mssfix = 1450 Sat Nov 15 18:55:03 2008 us=100010 passtos = DISABLED Sat Nov 15 18:55:03 2008 us=100116 resolve_retry_seconds = 1000000000 Sat Nov 15 18:55:03 2008 us=100220 connect_retry_seconds = 5 Sat Nov 15 18:55:03 2008 us=100322 username = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=100425 groupname = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=100708 chroot_dir = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=100831 cd_dir = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=100937 writepid = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=101038 up_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=101141 down_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=101243 down_pre = DISABLED Sat Nov 15 18:55:03 2008 us=101344 up_restart = DISABLED Sat Nov 15 18:55:03 2008 us=101447 up_delay = DISABLED Sat Nov 15 18:55:03 2008 us=101548 daemon = DISABLED Sat Nov 15 18:55:03 2008 us=101650 inetd = 0 Sat Nov 15 18:55:03 2008 us=101750 log = DISABLED Sat Nov 15 18:55:03 2008 us=101852 suppress_timestamps = DISABLED Sat Nov 15 18:55:03 2008 us=101955 nice = 0 Sat Nov 15 18:55:03 2008 us=102056 verbosity = 5 Sat Nov 15 18:55:03 2008 us=102158 mute = 0 Sat Nov 15 18:55:03 2008 us=102258 gremlin = 0 Sat Nov 15 18:55:03 2008 us=102358 status_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=102462 status_file_version = 1 Sat Nov 15 18:55:03 2008 us=102566 status_file_update_freq = 60 Sat Nov 15 18:55:03 2008 us=102667 occ = ENABLED Sat Nov 15 18:55:03 2008 us=102769 rcvbuf = 65536 Sat Nov 15 18:55:03 2008 us=102871 sndbuf = 65536 Sat Nov 15 18:55:03 2008 us=102973 socks_proxy_server = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=103078 socks_proxy_port = 0 Sat Nov 15 18:55:03 2008 us=103234 socks_proxy_retry = DISABLED Sat Nov 15 18:55:03 2008 us=103346 fast_io = DISABLED Sat Nov 15 18:55:03 2008 us=103448 comp_lzo = ENABLED Sat Nov 15 18:55:03 2008 us=103551 comp_lzo_adaptive = ENABLED Sat Nov 15 18:55:03 2008 us=103654 route_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=103758 route_default_gateway = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=103860 route_noexec = DISABLED Sat Nov 15 18:55:03 2008 us=103964 route_delay = 0 Sat Nov 15 18:55:03 2008 us=104066 route_delay_window = 30 Sat Nov 15 18:55:03 2008 us=104167 route_delay_defined = DISABLED Sat Nov 15 18:55:03 2008 us=104271 management_addr = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=104376 management_port = 0 Sat Nov 15 18:55:03 2008 us=104477 management_user_pass = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=104582 management_log_history_cache = 250 Sat Nov 15 18:55:03 2008 us=104687 management_echo_buffer_size = 100 Sat Nov 15 18:55:03 2008 us=104789 management_query_passwords = DISABLED Sat Nov 15 18:55:03 2008 us=104892 management_hold = DISABLED Sat Nov 15 18:55:03 2008 us=104996 shared_secret_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=105101 key_direction = 0 Sat Nov 15 18:55:03 2008 us=105207 ciphername_defined = ENABLED Sat Nov 15 18:55:03 2008 us=105313 ciphername = 'BF-CBC' Sat Nov 15 18:55:03 2008 us=105418 authname_defined = ENABLED Sat Nov 15 18:55:03 2008 us=105522 authname = 'SHA1' Sat Nov 15 18:55:03 2008 us=105628 keysize = 0 Sat Nov 15 18:55:03 2008 us=105730 engine = DISABLED Sat Nov 15 18:55:03 2008 us=109467 replay = ENABLED Sat Nov 15 18:55:03 2008 us=109904 mute_replay_warnings = DISABLED Sat Nov 15 18:55:03 2008 us=110259 replay_window = 64 Sat Nov 15 18:55:03 2008 us=111754 replay_time = 15 Sat Nov 15 18:55:03 2008 us=112450 packet_id_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=113148 use_iv = ENABLED Sat Nov 15 18:55:03 2008 us=113838 test_crypto = DISABLED Sat Nov 15 18:55:03 2008 us=114529 tls_server = DISABLED Sat Nov 15 18:55:03 2008 us=115306 tls_client = ENABLED Sat Nov 15 18:55:03 2008 us=115980 key_method = 2 Sat Nov 15 18:55:03 2008 us=116674 ca_file = 'bts.eme-cacert.pem' Sat Nov 15 18:55:03 2008 us=117377 dh_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=118067 cert_file = 'cyclope.maison.mrs.pem' Sat Nov 15 18:55:03 2008 us=118769 priv_key_file = 'cyclope.maison.mrs-key.pem' Sat Nov 15 18:55:03 2008 us=119534 pkcs12_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=120226 cipher_list = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=120918 tls_verify = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=121610 tls_remote = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=121769 crl_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=122060 ns_cert_type = 0 Sat Nov 15 18:55:03 2008 us=122174 tls_timeout = 2 Sat Nov 15 18:55:03 2008 us=122281 renegotiate_bytes = 0 Sat Nov 15 18:55:03 2008 us=122389 renegotiate_packets = 0 Sat Nov 15 18:55:03 2008 us=122496 renegotiate_seconds = 3600 Sat Nov 15 18:55:03 2008 us=122604 handshake_window = 60 Sat Nov 15 18:55:03 2008 us=122709 transition_window = 3600 Sat Nov 15 18:55:03 2008 us=122813 single_session = DISABLED Sat Nov 15 18:55:03 2008 us=122918 tls_exit = DISABLED Sat Nov 15 18:55:03 2008 us=123024 tls_auth_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=123350 server_network = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=123480 server_netmask = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=123599 server_bridge_ip = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=123716 server_bridge_netmask = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=123835 server_bridge_pool_start = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=123954 server_bridge_pool_end = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=124061 ifconfig_pool_defined = DISABLED Sat Nov 15 18:55:03 2008 us=124180 ifconfig_pool_start = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=124299 ifconfig_pool_end = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=124455 ifconfig_pool_netmask = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=124574 ifconfig_pool_persist_filename = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=124683 ifconfig_pool_persist_refresh_freq = 600 Sat Nov 15 18:55:03 2008 us=124790 ifconfig_pool_linear = DISABLED Sat Nov 15 18:55:03 2008 us=124897 n_bcast_buf = 256 Sat Nov 15 18:55:03 2008 us=125005 tcp_queue_limit = 64 Sat Nov 15 18:55:03 2008 us=125109 real_hash_size = 256 Sat Nov 15 18:55:03 2008 us=125214 virtual_hash_size = 256 Sat Nov 15 18:55:03 2008 us=125321 client_connect_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=125429 learn_address_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=125536 client_disconnect_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=125642 client_config_dir = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=125747 ccd_exclusive = DISABLED Sat Nov 15 18:55:03 2008 us=125851 tmp_dir = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=125955 push_ifconfig_defined = DISABLED Sat Nov 15 18:55:03 2008 us=126075 push_ifconfig_local = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=126193 push_ifconfig_remote_netmask = 0.0.0.0 Sat Nov 15 18:55:03 2008 us=126299 enable_c2c = DISABLED Sat Nov 15 18:55:03 2008 us=126403 duplicate_cn = DISABLED Sat Nov 15 18:55:03 2008 us=126509 cf_max = 0 Sat Nov 15 18:55:03 2008 us=126612 cf_per = 0 Sat Nov 15 18:55:03 2008 us=126718 max_clients = 1024 Sat Nov 15 18:55:03 2008 us=126826 max_routes_per_client = 256 Sat Nov 15 18:55:03 2008 us=126931 client_cert_not_required = DISABLED Sat Nov 15 18:55:03 2008 us=127037 username_as_common_name = DISABLED Sat Nov 15 18:55:03 2008 us=127144 auth_user_pass_verify_script = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=127317 auth_user_pass_verify_script_via_file = DISABLED Sat Nov 15 18:55:03 2008 us=127426 client = DISABLED Sat Nov 15 18:55:03 2008 us=127529 pull = DISABLED Sat Nov 15 18:55:03 2008 us=127633 auth_user_pass_file = '[UNDEF]' Sat Nov 15 18:55:03 2008 us=127747 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007 Sat Nov 15 18:55:03 2008 us=128224 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Sat Nov 15 18:55:03 2008 us=193832 LZO compression initialized Sat Nov 15 18:55:03 2008 us=215986 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Sat Nov 15 18:55:03 2008 us=274091 TUN/TAP device tun1 opened Sat Nov 15 18:55:03 2008 us=275033 TUN/TAP TX queue length set to 100 Sat Nov 15 18:55:03 2008 us=275779 ifconfig tun1 192.168.25.2 pointopoint 192.168.25.1 mtu 1500 Sat Nov 15 18:55:03 2008 us=467561 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Sat Nov 15 18:55:03 2008 us=468607 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.1 192.168.25.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client' Sat Nov 15 18:55:03 2008 us=469420 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 192.168.25.2 192.168.25.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server' Sat Nov 15 18:55:03 2008 us=470311 Local Options hash (VER=V4): 'b7094d11' Sat Nov 15 18:55:03 2008 us=471125 Expected Remote Options hash (VER=V4): '40c5ad26' Sat Nov 15 18:55:03 2008 us=472024 Socket Buffers: R=[110592->131072] S=[110592->131072] Sat Nov 15 18:55:03 2008 us=472741 UDPv4 link local (bound): [undef]:8147 Sat Nov 15 18:55:03 2008 us=473457 UDPv4 link remote: 82.127.57.95:8147 WRSat Nov 15 18:55:03 2008 us=566989 TLS: Initial packet from 82.127.57.95:8147, sid=fa310697 a7811164 WWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:04 2008 us=947948 VERIFY OK: depth=1, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=rootCA.bts.eme/emailAddress=sysop@bts.eme Sat Nov 15 18:55:04 2008 us=963876 VERIFY OK: depth=0, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=aaron.bts.eme/emailAddress=sysop@bts.eme WRWRWRWRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWWWWRRRRWRWRSat Nov 15 18:55:07 2008 us=57442 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Sat Nov 15 18:55:07 2008 us=58073 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sat Nov 15 18:55:07 2008 us=59658 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Sat Nov 15 18:55:07 2008 us=60217 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication WSat Nov 15 18:55:07 2008 us=62054 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA Sat Nov 15 18:55:07 2008 us=62827 [aaron.bts.eme] Peer Connection Initiated with 82.127.57.95:8147 Sat Nov 15 18:55:08 2008 us=235349 Initialization Sequence CompletedSitôt que le client se connecte au serveur, il obtient le certificat de
aaron
et vérifie qu'il est bien signé par la CA. Il doit se passer aussi des choses sur aaron
concernant l'identité de cyclope
:
RSat Nov 15 18:55:11 2008 us=189661 TLS: Initial packet from 82.229.41.132:8147, sid=66df4f24 9bbda6c9
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:14 2008 us=507464 VERIFY OK: depth=1, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=rootCA.bts.eme/emailAddress=sysop@bts.eme
Sat Nov 15 18:55:14 2008 us=517805 VERIFY OK: depth=0, /C=FR/ST=Bouches_du_Rhone/L=Marseille/O=EME/OU=EME/CN=cyclope.maison.mrs/emailAddress=sysop@maison.mrs
WRWRWRWRWRWRWRWRWRWRWRSat Nov 15 18:55:14 2008 us=697312 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:14 2008 us=697683 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 15 18:55:14 2008 us=698267 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 15 18:55:14 2008 us=698533 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRSat Nov 15 18:55:14 2008 us=775185 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat Nov 15 18:55:14 2008 us=775576 [cyclope.maison.mrs] Peer Connection Initiated with 80.8.135.67:8147
Sat Nov 15 18:55:15 2008 us=812670 Initialization Sequence Completed
Effectivement il y a bien authentification mutuelle des deux bouts du tunnel.
Nous disposons désormais d'un tunnel chiffré, où chaque extrémité sait authentifier l'autre bout. En réalité, il ne fait que vérifier que le certificat présenté par l'autre bout est bien signé par la CA connue (directive –ca
).
Avant de mettre en production, il serait peut-être bon de durcir encore un peu plus ce tunnel, si c'est possible.