ocserv with StartSSL server and client certificate

M. K. bittehier at nurfuerspam.de
Wed Dec 3 04:43:16 PST 2014


Hi Nikos,

thanks for your fast reply.

>> I want to get ocserv with certificates from StartSSL running but it doesn't work.
> 
> What doesn't work?

Sorry, I forgot to say that I can't connect from my iPhone with the latest AnyConnect client to ocserv 0.8.8. If I try, I get the following log output:

——
Dec  3 13:29:12 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec  3 13:29:13 test-vpn ocserv[11455]: worker: 178.24.234.134:52671 client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11455 and uid 65534
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec  3 13:29:13 test-vpn ocserv[11455]: worker: 178.24.234.134:52671 no certificate provided for authentication
Dec  3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52671 main-misc.c:425: command socket closed
Dec  3 13:29:13 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec  3 13:29:13 test-vpn ocserv[11456]: worker: 178.24.234.134:52672 client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11456 and uid 65534
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec  3 13:29:13 test-vpn ocserv[11456]: worker: 178.24.234.134:52672 no certificate provided for authentication
Dec  3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52672 main-misc.c:425: command socket closed
Dec  3 13:29:13 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec  3 13:29:13 test-vpn ocserv[11457]: worker: 178.24.234.134:52673 tlslib.c:372: error verifying client certificate: No certificate was found.
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11457 and uid 65534
Dec  3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec  3 13:29:13 test-vpn ocserv[11457]: worker: 178.24.234.134:52673 no certificate provided for authentication
Dec  3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52673 main-misc.c:425: command socket closed
——

The config file is:

——
auth = "certificate"
max-clients = 16
max-same-clients = 2
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
server-cert = /etc/ocserv/ssl/server-chain-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
cgroup = "cpuset,cpu:test"
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true
——


> 
>> The special thing with StartSSL is that they use Sub-CAs for signing server and client certificates. So I've a server certificate from sub.class2.server.ca.pem and client certificates from sub.class1.server.ca.pem and sub.class2.server.ca.pem. So what should I do to get ocserv running?
>> I've created a server certificate with the certificate chain inside (cat server.pem sub.class2.server.ca.pem ca.pem > /etc/ocserv/ssl/server-chain-cert.pem) and the config settings:
>>        server-cert = /etc/ocserv/ssl/server-chain-cert.pem
>>        server-key = /etc/ocserv/ssl/server-key.pem
> 
> Nothing special about it, seems reasonable.
> 
>> Then I created a CA chain certificate for all client certificates with sub.class1.server.ca.pem (cat sub.class1.server.ca.pem ca.pem > /etc/ocserv/ssl/ca-sub1-chain-cert.pem).
>>        ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
>> But now I don't know how I could enable login access for individual users with a certificate from sub.class1.server.ca.pem?
> 
> If you use
> auth = "certificate"
> and ca-cert has the authority that signs certificates, what you
> describe will work.
> However, I am confused from your description. Are
> ca-sub1-chain-cert.pem and sub.class1.server.ca.pem the same thing?
> Why did you use different names?

I don't know exactly, but StartSSL uses an intermediate CA certificate to provide certificates for different levels of identification. Normally I have to provide all certificates in the chain from the server up to the CA, with the sub-level class1 or class2 certificate. But I could test it with only the class1 one - but what about the clients which got a class2 certificate?

And the important question: the client certificates are directly from StartSSL and I don't own a CA or sub-CA - how could I restrict logins to only my users? Do I have to install the client certificates on the server, or what should I do?

> In any case the rule is in ca-cert you put the CA to verify the
> clients, and in server-cert, the chain of your server's CA.

regards,
Michael
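The two problems in this mail (the "certificate issuer is unknown" log lines when ca-cert holds only one intermediate, and the question of how to limit logins when the client certificates come from a public CA) can both be reproduced on a workstation with openssl alone. The script below is an added example, not code from the thread or from the ocserv project: it constructs a throwaway two-intermediate hierarchy in the shape the mail describes (a root, a class1 and a class2 sub-CA, one client certificate under each; all names are constructed), then checks which ca-cert bundle lets each client chain to a trusted issuer, and finally applies a local allow-list keyed on the CN (OID 2.5.4.3, the value the config's cert-user-oid selects). The allow-list step is an illustrative policy check layered on top of chain verification, not an ocserv feature; what ocserv itself offers for that is left to Nikos' answer.

```shell
#!/bin/sh
# Added example (not from the original thread or the ocserv project).
# Reproduces, with a constructed StartSSL-like hierarchy, why a client signed
# by the class2 sub-CA fails against a class1-only ca-cert bundle, and shows
# a CN allow-list check as one way to restrict which verified clients may log in.
# All subject names (root/class1/class2 sub-CAs, alice, bob) are constructed.
set -u

# Create a key plus CSR with the given subject.
new_csr() {  # new_csr <key-out> <csr-out> <subject>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" >/dev/null 2>&1
}

# Sign a CSR with a CA; the last argument says whether the result is itself a CA.
sign_cert() {  # sign_cert <csr> <ca-cert> <ca-key> <out> <is_ca: yes|no>
    ext=$(mktemp)
    if [ "$5" = yes ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$ext"
    else
        printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$ext"
    fi
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -extfile "$ext" -out "$4" >/dev/null 2>&1
    rc=$?
    rm -f "$ext"
    return $rc
}

# Build the constructed hierarchy:
#   root -> class1 sub-CA -> alice        root -> class2 sub-CA -> bob
# and two candidate ca-cert bundles: class1-only, and both intermediates.
make_test_pki() {  # make_test_pki <dir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.pem" -subj "/CN=Constructed Root CA" -days 1 >/dev/null 2>&1
    for c in class1 class2; do
        new_csr "$d/$c.key" "$d/$c.csr" "/CN=Constructed $c Sub-CA"
        sign_cert "$d/$c.csr" "$d/root.pem" "$d/root.key" "$d/$c.pem" yes
    done
    new_csr "$d/alice.key" "$d/alice.csr" "/CN=alice"
    sign_cert "$d/alice.csr" "$d/class1.pem" "$d/class1.key" "$d/alice.pem" no
    new_csr "$d/bob.key" "$d/bob.csr" "/CN=bob"
    sign_cert "$d/bob.csr" "$d/class2.pem" "$d/class2.key" "$d/bob.pem" no
    cat "$d/class1.pem" "$d/root.pem" >"$d/ca-sub1-chain.pem"
    cat "$d/class1.pem" "$d/class2.pem" "$d/root.pem" >"$d/ca-all-chain.pem"
}

# Chain a client certificate to the bundle, as the server does with ca-cert.
# Exit status 0 = trusted issuer found, non-zero = "issuer is unknown".
verify_client() {  # verify_client <ca-cert-bundle> <client-cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Extract the CN (OID 2.5.4.3, what cert-user-oid = 2.5.4.3 selects).
cert_cn() {  # cert_cn <cert>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[[:space:]]*//; s/.*CN=\([^,]*\).*/\1/p'
}

# Illustrative policy: a client is accepted only if its chain verifies AND its
# CN is on a local allow-list (one name per line). This is the extra step a
# public CA forces on you: chain validity alone says "StartSSL issued this",
# not "this is one of my users".
client_allowed() {  # client_allowed <ca-cert-bundle> <client-cert> <allow-list>
    verify_client "$1" "$2" || return 1
    cn=$(cert_cn "$2")
    [ -n "$cn" ] && grep -qxF -- "$cn" "$3"
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    printf 'alice\n' >"$d/allowed-users"   # constructed allow-list
    for u in alice bob; do
        for bundle in ca-sub1-chain ca-all-chain; do
            if verify_client "$d/$bundle.pem" "$d/$u.pem"; then r=ok; else r=ISSUER-UNKNOWN; fi
            echo "$u against $bundle.pem: $r"
        done
        if client_allowed "$d/ca-all-chain.pem" "$d/$u.pem" "$d/allowed-users"; then
            echo "$u: login allowed"; else echo "$u: login denied"; fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh example.sh demo`. With the class1-only bundle only alice verifies; with both intermediates concatenated both clients verify, which is the state the mail's ca-sub1-chain-cert.pem would need to reach for class2 users. The allow-list then denies bob even though his chain is valid, which is the distinction the last question in the mail is about.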

