sskaje's blog, study & research on technology
In iOS IPSec VPN Server on Ubuntu, I create a local CA with openssl. I’m setting up an OpenConnect VPN, which uses GnuTLS’s certtool generating ca and sign certificates. I want to use share the same Root CA for both OpenSSL and GnuTLS, so I’m generating request from GnuTLS and signing with OpenSSL. Apple has … Continue reading “Generate Certificate with GnuTLS and Sign with OpenSSL”
Apple has its own certtool, GnuTLS’ certtool is renamed as gnutls-certtool in MacPorts. Create Private Key GnuTLS
|
1 |
gnutls-certtool --generate-privkey --bits 2048 --outfile text.key |
OpenSSL
|
1 |
openssl genrsa -out test.key 2048 |
Create Certificate Request GnuTLS You can also create your own template file rather than filling interactively.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
gnutls-certtool --generate-request --load-privkey test.key --outfile test.csr Generating a PKCS #10 certificate request... Common name: Organizational unit name: Organization name: Locality name: State or province name: Country name (2 chars): Enter the subject's domain component (DC): UID: Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: Enter the e-mail of the subject of the certificate: Enter a challenge password: Does the certificate belong to an authority? (y/N): Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): Is this a TLS web client certificate? (y/N): Is this a TLS web server certificate? (y/N): Self signature: verified |
OpenSSL
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
openssl req -new -key test.key -out test.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: |
Sign request GnuTLS
|
1 |
gnutls-certtool --generate-certificate --load-request sskaje.csr --load-ca-certificate ~/Documents/CA/USER\ CA/user_ca.pem --load-ca-privkey ~/Documents/CA/USER\ CA/user_ca.key --template sskaje.tmpl --outfile tmp.pem |
OpenSSL I don’t like openssl.cnf! Show certificate information GnuTLS
|
1 |
gnutls-certtool --certificate-info --infile sskaje-cert.pem |
OpenSSL
|
1 |
openssl x509 -in sskaje-cert.pem -text |
Working for iOS only, but for OSX, (Cisco AnyConnect Client for OS X 3.1.05160), captive portal is detected. ‘Web Authentication Required’ and error log like
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: compareEKUs File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2 Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: Verify File: ../../vpn/CommonCrypt/Certificates/VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1163 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: VerifyExtKeyUsage File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertificate.cpp Line: 2164 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 324 Number of certificates found: 3 Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1871 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.41665a636f64723171575536774a574464536a697a513d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type information sent to the user: Contacting vpn.sskaje.me:443. Apr 17 14:49:31 sskajetekiMacBook-Pro.local acvpnui[29001]: Initiating VPN connection to the secure gateway https://vpn.sskaje.me:443 Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11572 Received connect notification (host vpn.sskaje.me:443, profile N/A) Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4813 The requested VPN connection to vpn.sskaje.me:443 is not possible at this time (Captive Portal needs to be remediated). Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type warning sent to the user: Connection attempt has failed. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2641 Content type (unknown) received. Response type (Captive Portal detected) from openconnect.sskaje.me: Captive Portal detected Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5511 Attempt to connect failed when Agent detected a network issue. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2053 ConnectMgr::processIfcData failed Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1181 Connection failed. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: VPN state: Disconnected Network state: Web Authentication Required Network control state: Network Access: Available Network type: Undefined Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: OnIpcMessageReceivedAtDepot File: ../../vpn/Agent/MainThread.cpp Line: 4234 Received connect failure notification (host vpn.sskaje.me:443, profile N/A) Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnui[29001]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration. Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED Apr 17 14:49:32 sskajetekiMacBook-Pro.local acvpnagent[89]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED |
OpenConnect on Ubuntu Generate Certificate with GnuTLS and Sign with OpenSSL Incoming search terms:ROUTETABLE_ERROR_GETBESTROUTE_FAILEDNo valid certificates available for authentication192 168 1 99;29001no valid certificates available for authentication 設定ANyConnect No … Continue reading “Open Connect Server Configuration (Working for iOS)”