Cannot connect to ocserv 0.8.6 (certificate does not match hostname)

Никита Демидов hamsteruser at gmail.com
Mon Oct 20 23:10:45 PDT 2014


It`s Debian Squeeze (EdgeOS 1.5.0)

POST https://10.24.1.1/
Attempting to connect to server 10.24.1.1:443
Using client certificate 'user'
SSL negotiation with 10.24.1.1
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on 10.24.1.1
XML POST enabled
POST https://10.24.1.1/auth
POST https://10.24.1.1/auth

ocserv -f -d 9999 --config=ocserv.cfg
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[7272]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[7272]: main: initialized ocserv 0.8.6
ocserv[7273]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.7272)
ocserv[7272]: main: putting process 7282 to cgroup 'cpuset:test'
ocserv[7272]: main: main-misc.c:752: cannot open:
/sys/fs/cgroup/cpuset/test/tasks
ocserv[7282]: worker: 10.24.1.25:56022 accepted connection
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Allocating epoch #0
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_constate.c:715
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Allocating epoch #1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_buffers.c:1018
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Handshake packet
received. Epoch 0, length: 79
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Handshake(22)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Handshake(22)
with length: 79
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[0]
Handshake(22) with length: 79
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: CLIENT HELLO (1) was received.
Length 75[75], frag offset 0, frag length: 75, sequence: 0
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Client's version: 3.1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_db.c:278
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_extensions.c:165
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_extensions.c:165
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_extensions.c:165
ocserv[7282]: TLS[<2>]: ASSERT: server_name.c:300
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Requested PK algorithm: RSA (1)
-- ctype: X.509 (1)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: certificate[0] PK algorithm:
RSA (1) - ctype: X.509 (1)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_ECDSA_AES_128_CBC_SHA256
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_ECDSA_AES_256_CBC_SHA384
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_ECDSA_3DES_EDE_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_RSA_AES_128_CBC_SHA256
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_RSA_AES_256_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
ECDHE_RSA_3DES_EDE_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_AES_128_CBC_SHA1 (00.2F)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_AES_128_CBC_SHA256 (00.3C)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_AES_256_CBC_SHA1 (00.35)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_AES_256_CBC_SHA256 (00.3D)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_CAMELLIA_128_CBC_SHA1 (00.41)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_CAMELLIA_256_CBC_SHA1 (00.84)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_3DES_EDE_CBC_SHA1 (00.0A)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_ARCFOUR_128_SHA1 (00.05)
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Keeping ciphersuite:
RSA_ARCFOUR_128_MD5 (00.04)
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_AES_128_CBC_SHA256
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_AES_256_CBC_SHA1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_AES_256_CBC_SHA256
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_CAMELLIA_128_CBC_SHA1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_CAMELLIA_256_CBC_SHA1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_handshake.c:3295
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_RSA_3DES_EDE_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_AES_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_AES_128_CBC_SHA256
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_AES_256_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_AES_256_CBC_SHA256
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_CAMELLIA_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_CAMELLIA_256_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_3DES_EDE_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Removing ciphersuite:
DHE_DSS_ARCFOUR_128_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Requested cipher suites[size: 36]:
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Selected cipher suite:
RSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Selected Compression Method: NULL
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Allowing unsafe initial negotiation
ocserv[7282]: TLS[<2>]: ASSERT: status_request.c:197
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: SessionID:
55abc4bd0d7b7a49c07c7b29f91e3937ec50bf9bcde994af25be0c9ec1788a6f
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: SERVER HELLO was queued [74 bytes]
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: CERTIFICATE was queued [961 bytes]
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: SERVER HELLO DONE was queued [4 bytes]
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Handshake(22)
with length: 74 and target length: 74
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[1] Handshake(22) in
epoch 0 and length: 79
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Handshake(22)
with length: 961 and target length: 961
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[2] Handshake(22) in
epoch 0 and length: 966
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Handshake(22)
with length: 4 and target length: 4
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[3] Handshake(22) in
epoch 0 and length: 9
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_buffers.c:1018
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Handshake packet
received. Epoch 0, length: 310
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Handshake(22)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Handshake(22)
with length: 310
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[1]
Handshake(22) with length: 310
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: CLIENT KEY EXCHANGE (16) was
received. Length 306[306], frag offset 0, frag length: 306, sequence:
0
ocserv[7273]: sec-mod: received request from pid 7282 and uid 0
ocserv[7273]: sec-mod: cmd [size=309] sm: decrypt
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 ChangeCipherSpec packet
received. Epoch 0, length: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet ChangeCipherSpec(20)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet
ChangeCipherSpec(20) with length: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[2]
ChangeCipherSpec(20) with length: 1
ocserv[7282]: TLS[<9>]: INT: PREMASTER SECRET[48]:
03015e8a542c54957f9d7c06939cc89b0dff3ba924c1390fa1c236b57275bfe5e98f8b3467cca6c9d011b7f4c06d1f7c
ocserv[7282]: TLS[<9>]: INT: CLIENT RANDOM[32]:
5445f65c77c6c6d5d2f17d470e6af71e5e88957bd50a451db3931c55e217d10d
ocserv[7282]: TLS[<9>]: INT: SERVER RANDOM[32]:
5445f65c4e0430b5cfa75001249048be41fbc0cc84e9723fce69d39e3369f5c7
ocserv[7282]: TLS[<9>]: INT: MASTER SECRET:
a7cf4c8302376725c39b537b884a22a4a6e64117bf0d3755521a0ca0e84af706bc7a7fd1475b8ce2786439cf872dc847
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Initializing epoch #1
ocserv[7282]: TLS[<9>]: INT: KEY BLOCK[104]:
e0f3c7c24df3016385924f9b517ba62562f09a6218a8956560c1808d5aa8caab
ocserv[7282]: TLS[<9>]: INT: CLIENT WRITE KEY [16]:
23918cc2c3ba4b84253470c6cb3867dc
ocserv[7282]: TLS[<9>]: INT: SERVER WRITE KEY [16]:
aa44c78433bbec9c9312869c43106dd3
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Epoch #1 ready
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Cipher Suite: RSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_buffers.c:1018
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Handshake packet
received. Epoch 0, length: 48
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Handshake(22)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Handshake(22)
with length: 48
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[0]
Handshake(22) with length: 16
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: FINISHED (20) was received.
Length 12[12], frag offset 0, frag length: 12, sequence: 0
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: recording tls-unique CB (recv)
ocserv[7282]: TLS[<3>]: REC[0x875b28]: Sent ChangeCipherSpec
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Cipher Suite: RSA_AES_128_CBC_SHA1
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: Initializing internal [write]
cipher sessions
ocserv[7282]: TLS[<3>]: HSK[0x875b28]: FINISHED was queued [16 bytes]
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet
ChangeCipherSpec(20) with length: 1 and target length: 1
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[4]
ChangeCipherSpec(20) in epoch 0 and length: 6
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Handshake(22)
with length: 16 and target length: 16
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[1] Handshake(22) in
epoch 1 and length: 53
ocserv[7282]: worker: 10.24.1.25:56022 sending message 'resume data
store request' to main
ocserv[7272]: main: 10.24.1.25:56022 main received message 'resume
data store request' of 258 bytes
ocserv[7272]: main: 10.24.1.25:56022 TLS session DB storing
55abc4bd0d7b7a49c07c7b29f91e3937ec50bf9bcde994af25be0c9ec1788a6f
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Start of epoch cleanup
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Epoch #0 freed
ocserv[7282]: TLS[<4>]: REC[0x875b28]: End of epoch cleanup
ocserv[7282]: worker: 10.24.1.25:56022 TLS handshake completed
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Application Data packet
received. Epoch 0, length: 512
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Application Data(23)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Application
Data(23) with length: 512
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[1] Application
Data(23) with length: 485
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Host: 10.24.1.1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: User-Agent: OpenConnect
VPN Agent (NetworkManager) v5.02
ocserv[7282]: worker: 10.24.1.25:56022 User-agent: 'OpenConnect VPN
Agent (NetworkManager) v5.02'
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept: */*
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept-Encoding: identity
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Transcend-Version: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Aggregate-Auth: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-AnyConnect-Platform: linux-64
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Type:
application/x-www-form-urlencoded
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Length: 203
ocserv[7282]: worker: 10.24.1.25:56022 HTTP POST /
ocserv[7282]: worker: 10.24.1.25:56022 POST body: '<?xml version="1.0"
encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version
who="vpn">v5.02</version><device-id>linux-64</device-id><group-access>https://10.24.1.1</group-access></config-auth>
'
ocserv[7282]: worker: 10.24.1.25:56022 cannot find 'group-select' in
client XML message
ocserv[7282]: worker: 10.24.1.25:56022 cannot find 'group-select' in
client XML message
ocserv[7282]: worker: 10.24.1.25:56022 failed reading groupname
ocserv[7282]: worker: 10.24.1.25:56022 cannot find 'username' in
client XML message
ocserv[7282]: worker: 10.24.1.25:56022 failed reading username
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Application
Data(23) with length: 417 and target length: 417
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[2] Application
Data(23) in epoch 1 and length: 453
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Application Data packet
received. Epoch 0, length: 512
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Application Data(23)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Application
Data(23) with length: 512
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[2] Application
Data(23) with length: 487
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Host: 10.24.1.1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: User-Agent: OpenConnect
VPN Agent (NetworkManager) v5.02
ocserv[7282]: worker: 10.24.1.25:56022 User-agent: 'OpenConnect VPN
Agent (NetworkManager) v5.02'
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept: */*
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept-Encoding: identity
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Transcend-Version: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Aggregate-Auth: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-AnyConnect-Platform: linux-64
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Type:
application/x-www-form-urlencoded
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Length: 201
ocserv[7282]: worker: 10.24.1.25:56022 HTTP POST /auth
ocserv[7282]: worker: 10.24.1.25:56022 POST body: '<?xml version="1.0"
encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply"><version
who="vpn">v5.02</version><device-id>linux-64</device-id><auth><username>user</username></auth></config-auth>
'
ocserv[7282]: worker: 10.24.1.25:56022 cannot find 'group-select' in
client XML message
ocserv[7282]: worker: 10.24.1.25:56022 cannot find 'group-select' in
client XML message
ocserv[7282]: worker: 10.24.1.25:56022 failed reading groupname
ocserv[7273]: sec-mod: received request from pid 7282 and uid 0
ocserv[7282]: worker: 10.24.1.25:56022 sending message 'sm: auth init' to secmod
ocserv[7273]: sec-mod: cmd [size=22] sm: auth init
ocserv[7273]: sec-mod: auth init for user 'user' (group: '') from '10.24.1.25'
ocserv[7282]: worker: 10.24.1.25:56022 received auth reply message (value: 2)
ocserv[7282]: worker: 10.24.1.25:56022 continuing authentication for 'user'
ocserv[7282]: worker: 10.24.1.25:56022 sent sid: +iORu/slIF2OFe8g
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Application
Data(23) with length: 486 and target length: 486
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[3] Application
Data(23) in epoch 1 and length: 517
ocserv[7282]: TLS[<4>]: REC[0x875b28]: SSL 3.1 Application Data packet
received. Epoch 0, length: 560
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Expected Packet Application Data(23)
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Received Packet Application
Data(23) with length: 560
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Decrypted Packet[3] Application
Data(23) with length: 527
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Host: 10.24.1.1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: User-Agent: OpenConnect
VPN Agent (NetworkManager) v5.02
ocserv[7282]: worker: 10.24.1.25:56022 User-agent: 'OpenConnect VPN
Agent (NetworkManager) v5.02'
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept: */*
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Accept-Encoding: identity
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Cookie:
webvpncontext=+iORu/slIF2OFe8g
ocserv[7282]: worker: 10.24.1.25:56022 received sid: +iORu/slIF2OFe8g
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Transcend-Version: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-Aggregate-Auth: 1
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: X-AnyConnect-Platform: linux-64
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Type:
application/x-www-form-urlencoded
ocserv[7282]: worker: 10.24.1.25:56022 HTTP: Content-Length: 201
ocserv[7282]: worker: 10.24.1.25:56022 HTTP POST /auth
ocserv[7282]: worker: 10.24.1.25:56022 POST body: '<?xml version="1.0"
encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply"><version
who="vpn">v5.02</version><device-id>linux-64</device-id><auth><password>user</password></auth></config-auth>
'
ocserv[7273]: sec-mod: received request from pid 7282 and uid 0
ocserv[7282]: worker: 10.24.1.25:56022 sending message 'sm: auth cont' to secmod
ocserv[7273]: sec-mod: cmd [size=22] sm: auth cont
ocserv[7273]: sec-mod: auth cont for user 'user'
ocserv[7273]: sec-mod: error in password given in auth cont for user 'user'
ocserv[7282]: worker: 10.24.1.25:56022 received auth reply message (value: 2)
ocserv[7282]: worker: 10.24.1.25:56022 continuing authentication for 'user'
ocserv[7282]: worker: 10.24.1.25:56022 sent sid: +iORu/slIF2OFe8g
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Preparing Packet Application
Data(23) with length: 500 and target length: 500
ocserv[7282]: TLS[<9>]: ENC[0x875b28]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
ocserv[7282]: TLS[<4>]: REC[0x875b28]: Sent Packet[4] Application
Data(23) in epoch 1 and length: 533
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_buffers.c:515
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_record.c:1001
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_record.c:1113
ocserv[7282]: TLS[<2>]: ASSERT: gnutls_record.c:1348
ocserv[7272]: main: 10.24.1.25:56022 main-misc.c:423: command socket closed
ocserv[7272]: main: 10.24.1.25:56022 removing client '' with id '7282'

root at ubnt:/config/ocserv# cat ocserv.cfg
max-clients = 16
max-same-clients = 16
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 1900
mobile-dpd = 1800
try-mtu-discovery = false
auth = "plain[/config/ocserv/ocpasswd]"

server-cert = /config/ocserv/server-cert.pem
server-key = /config/ocserv/server-key.pem

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"

auth-timeout = 4000
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl

use-utmp = true
use-occtl = true

pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket

run-as-user = root
run-as-group = root
cgroup = "cpuset,cpu:test"
device = vpns
cisco-client-compat = true
predictable-ips = true

default-domain = mynet.tld

# The pool of addresses that leases will be given from.
ipv4-network = 192.168.150.0
ipv4-netmask = 255.255.255.0

dns = 8.8.8.8
route = 10.24.1.0/255.255.255.0

ping-leases = false



root at ubnt:/config/ocserv# cat instserv.sh
#!/bin/bash

certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ >ca.tmpl
cn = "204-ubiquity.mynet.tld"
organization = "REU"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem --template
ca.tmpl --outfile ca-cert.pem

certtool --generate-privkey --outfile server-key.pem
cat << _EOF_ >server.tmpl
cn = "204-ubiquity.mynet.tld"
organization = "REU"
serial = 2
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

certtool --generate-certificate --load-privkey server-key.pem
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
--template server.tmpl --outfile server-cert.pem

mv ./server-cert.pem /config/ocserv
mv ./server-key.pem /config/ocserv
ocpasswd root -c /config/ocserv/ocpasswd

root at ubnt:/config/ocserv# cat clientcert.sh
#!/bin/bash

certtool --generate-privkey --outfile user-key.pem
cat << _EOF_ >user.tmpl
cn = "user"
unit = "user"
expiration_days = 9999
signing_key
tls_www_client
_EOF_


certtool --generate-certificate --load-privkey user-key.pem
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
--template user.tmpl --outfile user-cert.pem

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher arcfour
--load-certificate user-cert.pem --outfile user.p12



More information about the openconnect-devel mailing list