Commit 39926c6c authored by Guillaume Bury's avatar Guillaume Bury

Fixed certificates CN

parent 8e0a7ede
...@@ -28,7 +28,6 @@ def server(ip, pipe_fd, *args, **kw): ...@@ -28,7 +28,6 @@ def server(ip, pipe_fd, *args, **kw):
return openvpn( return openvpn(
'--tls-server', '--tls-server',
'--mode', 'server', '--mode', 'server',
'--duplicate-cn', # XXX : to be removed
'--up', 'up-server %s/%u' % (ip, len(config.vifibnet)), '--up', 'up-server %s/%u' % (ip, len(config.vifibnet)),
'--client-connect', 'client-connect ' + str(pipe_fd), '--client-connect', 'client-connect ' + str(pipe_fd),
'--client-disconnect', 'client-connect ' + str(pipe_fd), '--client-disconnect', 'client-connect ' + str(pipe_fd),
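Review bot: The `--client-disconnect` hook on the last context line still launches the `client-connect` script (`'client-connect ' + str(pipe_fd)`), so whatever that script writes to the pipe on connect is also written on disconnect; unless the script tells the two events apart itself, this should read `'--client-disconnect', 'client-disconnect ' + str(pipe_fd),`. Dropping `--duplicate-cn` is the right call once every client receives a unique CN, but it also means a second session presenting the same certificate is now refused by OpenVPN, which is worth a one-line comment where the option used to be. The `server()` function begins before this hunk and the `openvpn(` argument list continues past it.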
......
...@@ -6,6 +6,9 @@ from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler ...@@ -6,6 +6,9 @@ from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
from OpenSSL import crypto from OpenSSL import crypto
import traceback import traceback
# To generate server ca and key with correct serial
# openssl req -nodes -new -x509 -key ca.key -set_serial 0x120010db80042 -days 365 -out ca.crt
IPV6_V6ONLY = 26 IPV6_V6ONLY = 26
SOL_IPV6 = 41 SOL_IPV6 = 41
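Review bot: The new comment gives the openssl command but not why the serial has to look like `0x120010db80042`: the consumer (`bin(ca.get_serial_number())[3:]` in the client's getConfig) drops `0b` plus one leading `1` bit, so the serial must be a `1` marker bit followed by the network prefix bits, otherwise leading zeros of the prefix would be lost. For `0x120010db80042` that yields the 48 bits `2001:0db8:0042`, i.e. the prefix `2001:db8:42::/48`. I would extend the comment with `# serial = 1 marker bit + network prefix bits (here 2001:db8:42::/48); the marker keeps leading zeros and is stripped by bin(serial)[3:]`. Also `-key ca.key` presumes the key already exists; a `openssl genrsa -out ca.key 2048` line before it would make the recipe complete.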
...@@ -148,7 +151,7 @@ class main(object): ...@@ -148,7 +151,7 @@ class main(object):
cert.gmtime_adj_notAfter(self.cert_duration) cert.gmtime_adj_notAfter(self.cert_duration)
cert.set_issuer(self.ca.get_subject()) cert.set_issuer(self.ca.get_subject())
subject = req.get_subject() subject = req.get_subject()
subject.serialNumber = "%u/%u" % (int(prefix, 2), prefix_len) subject.CN = "%u/%u" % (int(prefix, 2), prefix_len)
cert.set_subject(subject) cert.set_subject(subject)
cert.set_pubkey(req.get_pubkey()) cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1') cert.sign(self.key, 'sha1')
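Review bot: Only the CN is overwritten here; `subject = req.get_subject()` still copies every other attribute from the client's CSR into the issued certificate, so `serialNumber` (the field this commit stops using), `O`, `OU` or `emailAddress` remain client-chosen, and any remaining consumer of `subject.serialNumber` would be trusting attacker-supplied data. Safer to start from the new certificate's empty name rather than the request's: `subject = cert.get_subject()` then `subject.CN = "%u/%u" % (int(prefix, 2), prefix_len)` and drop the `set_subject` call (pyOpenSSL's `get_subject()` returns a live reference, worth confirming). Separately, `cert.sign(self.key, 'sha1')` on the last line issues SHA-1 signed certificates; `'sha256'` is the minimum I would accept for a CA that also encodes identity in the CN. The enclosing method starts and ends outside this hunk.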
...@@ -181,7 +184,7 @@ class main(object): ...@@ -181,7 +184,7 @@ class main(object):
if client_ip.startswith(self.network): if client_ip.startswith(self.network):
prefix = client_ip[len(self.network):] prefix = client_ip[len(self.network):]
prefix, = self.db.execute("SELECT prefix FROM vifib WHERE prefix <= ? ORDER BY prefix DESC LIMIT 1", (prefix,)).next() prefix, = self.db.execute("SELECT prefix FROM vifib WHERE prefix <= ? ORDER BY prefix DESC LIMIT 1", (prefix,)).next()
self.db.execute("INSERT OR REPLACE INTO peers VALUES (?,?,?,?)", (prefix, ip, port, proto)) self.db.execute("INSERT OR REPLACE INTO peers (prefix, ip, port, proto) VALUES (?,?,?,?)", (prefix, ip, port, proto))
return True return True
else: else:
# TODO: use log + DO NOT PRINT BINARY IP # TODO: use log + DO NOT PRINT BINARY IP
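Review bot: The new `INSERT OR REPLACE` binds the declared `(ip, port, proto)` to whatever row the preceding SELECT returned, but that query only picks the greatest stored prefix lexicographically `<=` the client's host bits; nothing confirms that row actually covers `client_ip`, so an address that falls under no allocated prefix (a spoofed or mistyped one, if `client_ip` is caller-supplied as the surrounding code suggests) gets registered under the nearest other peer's prefix, and `.next()` raises a bare `StopIteration` when no row qualifies. I would add `if not prefix.startswith(db_prefix): return False` between the SELECT (renaming its result to `db_prefix`) and the INSERT, and turn the `.next()` into a guarded lookup. The enclosing method begins before this hunk.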
......
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBejBkAgcBIAENuABCMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIwNzEyMTE1OTQz MIIDDTCCAfWgAwIBAgIHASABDbgAQjANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQG
WhcNMTMwNzA0MjEyOTQ4WjAeMQswCQYDVQQGEwJGUjEPMA0GA1UEChMGVlBOIEFD EwJGUjEPMA0GA1UEAwwGVlBOIENBMB4XDTEyMDcxNjExNTMwNVoXDTEzMDcxNjEx
MAgwAwYBAAMBADANBgkqhkiG9w0BAQUFAAOCAQEAFYuU4QGUcs60LlThDqQhhyN8 NTMwNVowHjELMAkGA1UEBhMCRlIxDzANBgNVBAMMBlZQTiBDQTCCASIwDQYJKoZI
ZFAaHcPROkUkHE5HNqQ1kOjApzneA7lcEV2gO6vO0qmHW5aBfUYQKGxosqiiCtaT hvcNAQEBBQADggEPADCCAQoCggEBALMp1ojWB123yI3kxM0x75sq5W3QJ+rfg5SH
SD6IltD7qMxx0dtXH0W/SSo7d0JifnZh15isjHi0jEv5Cq3NOKlX0115+HrS/uS2 TLvc1CbUeNQwMeJT/l2OQG7D5jyrw4wjAK43w+DKnoJ8WK8sfdrjZ5uDEmfaR9Tv
scI1ujV9PHUUJiwigb2AZ7gHZP/Ug54yYY+w6Ail85CmZ6txmZvC16obqeRmRZyv TvyCJsIS4g9YP0ZdCNKA/7swlW/erbiDhhlOxrqUonxjU58/aLa41He/v/cEEiyh
g7fvNEg9dmuG8Lj/eXZZTZlrRA5jv2NdWjFl09469t3rGFDFFLop+76H10qR3U/F vymJqXaRsuDP3ov5zMOM85WxX5Uf3UySrqQ7uN82k2gEdVJfORClW6nGLzrAQUiu
Fn8h12o4qLJhIaDV0vRZh9/tg18N0BrBTkX4BET5AD3mqZ6w8xkrs4pVqHM9/A== TOUBhlGZjR9FymuGi8jWIMul2wmxj/LI+B9c0mT3GFOU9Sg3HIfQQ+Ea/QoCslmT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-----END CERTIFICATE----- -----END CERTIFICATE-----
...@@ -10,6 +10,8 @@ def main(): ...@@ -10,6 +10,8 @@ def main():
help='To only get CA form server') help='To only get CA form server')
_('--db-only', action='store_true', _('--db-only', action='store_true',
help='To only get CA and setup peer db with bootstrap peer') help='To only get CA and setup peer db with bootstrap peer')
_('--no-boot', action='store_true',
help='Enable to skip getting bootstrap peer')
_('--server', required=True, _('--server', required=True,
help='Address of the server delivering certifiactes') help='Address of the server delivering certifiactes')
_('--port', required=True, type=int, _('--port', required=True, type=int,
...@@ -36,7 +38,6 @@ def main(): ...@@ -36,7 +38,6 @@ def main():
sys.exit(0) sys.exit(0)
# Create and initialize peers DB # Create and initialize peers DB
boot_ip, boot_port, boot_proto = s.getBootstrapPeer()
db = sqlite3.connect(os.path.join(config.dir, 'peers.db'), isolation_level=None) db = sqlite3.connect(os.path.join(config.dir, 'peers.db'), isolation_level=None)
try: try:
db.execute("""CREATE TABLE peers ( db.execute("""CREATE TABLE peers (
...@@ -48,6 +49,8 @@ def main(): ...@@ -48,6 +49,8 @@ def main():
date INTEGER DEFAULT (strftime('%s', 'now')))""") date INTEGER DEFAULT (strftime('%s', 'now')))""")
db.execute("CREATE INDEX _peers_used ON peers(used)") db.execute("CREATE INDEX _peers_used ON peers(used)")
db.execute("CREATE UNIQUE INDEX _peers_address ON peers(ip, port, proto)") db.execute("CREATE UNIQUE INDEX _peers_address ON peers(ip, port, proto)")
if not config.no_boot:
boot_ip, boot_port, boot_proto = s.getBootstrapPeer()
db.execute("INSERT INTO peers (ip, port, proto) VALUES (?,?,?)", (boot_ip, boot_port, boot_proto)) db.execute("INSERT INTO peers (ip, port, proto) VALUES (?,?,?)", (boot_ip, boot_port, boot_proto))
except sqlite3.OperationalError, e: except sqlite3.OperationalError, e:
if e.args[0] == 'table peers already exists': if e.args[0] == 'table peers already exists':
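Review bot: Moving `s.getBootstrapPeer()` after the `CREATE TABLE`/`CREATE INDEX` statements inside the `try` changes failure behaviour: the connection uses `isolation_level=None` (autocommit), so if the RPC to the server fails or returns a malformed tuple, the table and indexes are already committed, the exception is not an `OperationalError` and propagates, and on the next run `'table peers already exists'` is caught and the bootstrap peer is never fetched again, leaving an empty `peers.db` with no bootstrap entry. Fetch the peer first, as the old code did, but guarded: `if not config.no_boot: boot_ip, boot_port, boot_proto = s.getBootstrapPeer()` before the `try`, keeping only the `INSERT` inside it, or wrap the creation in an explicit transaction that is rolled back on RPC failure. The `--no-boot` help text would read better as `help='Skip fetching the bootstrap peer from the server'`.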
......
...@@ -124,17 +124,20 @@ def getConfig(): ...@@ -124,17 +124,20 @@ def getConfig():
help="Common OpenVPN options (e.g. certificates)") help="Common OpenVPN options (e.g. certificates)")
openvpn.config = config = parser.parse_args() openvpn.config = config = parser.parse_args()
log.verbose = config.verbose log.verbose = config.verbose
# Get network prefix from ca.crt # Get network prefix from ca.crt
with open(config.ca, 'r') as f: with open(config.ca, 'r') as f:
ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
config.vifibnet = bin(ca.get_serial_number())[3:] config.vifibnet = bin(ca.get_serial_number())[3:]
# Get ip from cert.crt # Get ip from cert.crt
with open(config.cert, 'r') as f: with open(config.cert, 'r') as f:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
subject = cert.get_subject() subject = cert.get_subject()
prefix, prefix_len = subject.serialNumber.split('/') prefix, prefix_len = subject.CN.split('/')
config.internal_ip = ipFromPrefix(prefix, int(prefix_len)) config.internal_ip = ipFromPrefix(prefix, int(prefix_len))
log.log('Intranet ip : %s' % (config.internal_ip,), 3) log.log('Intranet ip : %s' % (config.internal_ip,), 3)
# Treat openvpn arguments # Treat openvpn arguments
if config.openvpn_args[0] == "--": if config.openvpn_args[0] == "--":
del config.openvpn_args[0] del config.openvpn_args[0]
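Review bot: `prefix, prefix_len = subject.CN.split('/')` raises an unhelpful `ValueError: need more than 1 value to unpack` for any certificate whose CN is not `<prefix>/<len>`, which includes every certificate issued before this commit (the value used to live in `serialNumber`), so existing nodes will fail at startup with no hint that they must re-enroll. I would check explicitly: `if '/' not in subject.CN: raise ValueError("cert CN must be <prefix>/<len>, got %r (re-enroll with the new server)" % subject.CN)` before the split. getConfig() continues past this hunk.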
...@@ -234,8 +237,6 @@ def main(): ...@@ -234,8 +237,6 @@ def main():
stdout=os.open(os.path.join(config.log, 'vifibnet.server.log'), os.O_WRONLY | os.O_CREAT | os.O_TRUNC)) stdout=os.open(os.path.join(config.log, 'vifibnet.server.log'), os.O_WRONLY | os.O_CREAT | os.O_TRUNC))
startNewConnection(config.client_count, write_pipe) startNewConnection(config.client_count, write_pipe)
peers_db.populate(10)
# Timed refresh initializing # Timed refresh initializing
next_refresh = time.time() + config.refresh_time next_refresh = time.time() + config.refresh_time
...@@ -248,6 +249,7 @@ def main(): ...@@ -248,6 +249,7 @@ def main():
if ready: if ready:
handle_message(read_pipe.readline()) handle_message(read_pipe.readline())
if time.time() >= next_refresh: if time.time() >= next_refresh:
peers_db.populate(10)
refreshConnections(write_pipe) refreshConnections(write_pipe)
next_refresh = time.time() + config.refresh_time next_refresh = time.time() + config.refresh_time
except KeyboardInterrupt: except KeyboardInterrupt:
......