Hello! A kornyezet: zorp 3.9.5-4+mhp3~wheezy, naprakesz Debian Wheezy, gyari kernellel, tproxy-val. # ls -ald /etc/zorp/ drwxr-x--- 7 root zorp 416 aug 4 14:15 /etc/zorp/ # ls -ald /etc/zorp/keybridge/ drwxr-x--- 2 root zorp 424 aug 4 13:47 /etc/zorp/keybridge/ # ls -Al /etc/zorp/keybridge/ összesen 20 -rw-r----- 1 root zorp 963 aug 4 13:47 key.pem -rw-r----- 1 root zorp 3338 aug 4 13:46 ZorpGPL_TrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:46 ZorpGPL_TrustedCA.key.pem -rw-r----- 1 root zorp 3352 aug 4 13:47 ZorpGPL_UnTrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:47 ZorpGPL_UnTrustedCA.key.pem # ls -ald /var/lib/zorp/keybridge-cache/ drwxrwx--- 2 zorp zorp 104 aug 4 13:15 /var/lib/zorp/keybridge-cache/ A konfig: from Zorp.Core import * from Zorp.Proxy import * from Zorp.Http import * InetZone("intranet", "192.168.0.0/24", inbound_services=[], outbound_services=["intra_https"]) InetZone("internet", "0.0.0.0/0", inbound_services=["intra_https"], outbound_services=[]) class HttpsProxyKeybridge(HttpProxy): key_generator=X509KeyBridge( key_file="/etc/zorp/keybridge/key.pem", key_passphrase="passphrase", cache_directory="/var/lib/zorp/keybridge-cache", trusted_ca_files=( "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem", "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem", "passphrase" ), untrusted_ca_files=( "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem", "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem", "passphrase" ) ) def config(self): HttpProxy.config(self) self.require_host_header=FALSE self.ssl.handshake_seq=SSL_HSO_SERVER_CLIENT self.ssl.key_generator = self.key_generator self.ssl.client_keypair_generate=TRUE self.ssl.client_connection_security=SSL_FORCE_SSL self.ssl.client_verify_type=SSL_VERIFY_OPTIONAL_UNTRUSTED self.ssl.server_connection_security=SSL_FORCE_SSL self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED self.ssl.server_ca_directory = '/etc/ssl/certs' self.ssl.server_trusted_certs_directory="/etc/zorp/ca.crt" def zorp_https(): 
Service("intra_https", HttpsProxyKeybridge, TransparentRouter()) Listener(SockAddrInet("192.168.0.254", 50443), "intra_https", transparent=TRUE) A hibauzenet (10-es debug level-en): Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 409, in __post_config__ Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.session(5): (svc/intra_https:0/http): Proxy ending; class='HttpsProxyKeybridge', module='http' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): proxyLog(self, SSL_DEBUG, 6, "Compatibility feature, processing server_ca_directory; value='%s'" % self.ssl.server_ca_directory) Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 135, in proxyLog Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): log(self.session.session_id, type, level, msg, args) Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): TypeError: not all arguments converted during string formatting Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: 
core.session(4): (svc/intra_https:0): Ending proxy instance; A /usr/share/zorp/pylib/Zorp/Proxy.py 135. sora ez: log(self.session.session_id, type, level, msg, args) Ha erre cserelem, akkor tovabbmegy, de ugyanugy nem mukodik: log(self.session.session_id, type, level, msg) A hibauzenet: Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Original keybridged certificate not found, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Cached certificate changed, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): Traceback (most recent call last): Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): 
(svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob}) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 395, in getKeypair Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamSsl' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): new_cert = self.genCert(self.key, orig_cert, ca_pair[0], ca_pair[1], serial) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(8): (svc/intra_https:0/http/server): Writing channel; fd='17', count='69' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0000: 15 03 03 00 40 A3 AE 40 53 8A F6 D6 59 DE B7 1C ....@..@S...Y... Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0010: 7E B3 17 F6 DA 7B 20 68 A2 B1 2E EB D5 F5 04 3C ~....{ h.......< Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0020: 2D 9D A3 28 D8 08 3F D6 F7 5F 69 1F 64 34 FD A5 -..(..?.._i.d4.. Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0030: AC 61 BB 30 27 B7 76 35 D9 E6 FB A2 72 F7 BC 15 .a.0'.v5....r... 
Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0040: 88 E2 BE 5C 5D ...\] Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): new_cert.del_extension(ext_index) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension' Azt mondja, hogy legeneralja a certificate fajlt, ugyanakkor nem jon letre ilyen fajl a /var/lib/zorp/keybridge-cache konyvtarban. A serial.txt fajlban no a szam, ott van a .lock fajl is, de mas nincs. Mi okozza a problemat? -- Udvozlettel Zsiga
On 2014-08-04 14:34, Kosa Attila wrote:
Hello! A kornyezet: zorp 3.9.5-4+mhp3~wheezy, naprakesz Debian Wheezy, gyari kernellel, tproxy-val.
# ls -ald /etc/zorp/ drwxr-x--- 7 root zorp 416 aug 4 14:15 /etc/zorp/ # ls -ald /etc/zorp/keybridge/ drwxr-x--- 2 root zorp 424 aug 4 13:47 /etc/zorp/keybridge/ # ls -Al /etc/zorp/keybridge/ összesen 20 -rw-r----- 1 root zorp 963 aug 4 13:47 key.pem -rw-r----- 1 root zorp 3338 aug 4 13:46 ZorpGPL_TrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:46 ZorpGPL_TrustedCA.key.pem -rw-r----- 1 root zorp 3352 aug 4 13:47 ZorpGPL_UnTrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:47 ZorpGPL_UnTrustedCA.key.pem # ls -ald /var/lib/zorp/keybridge-cache/ drwxrwx--- 2 zorp zorp 104 aug 4 13:15 /var/lib/zorp/keybridge-cache/
A konfig:
from Zorp.Core import * from Zorp.Proxy import * from Zorp.Http import *
# Address-based zones. Each entry is (name, network, inbound services,
# outbound services); only "intra_https" is ever referenced, so the intranet
# may only originate HTTPS and the internet may only receive it.
for zone_name, zone_net, zone_inbound, zone_outbound in (
    ("intranet", "192.168.0.0/24", [], ["intra_https"]),
    ("internet", "0.0.0.0/0", ["intra_https"], []),
):
    InetZone(zone_name, zone_net,
             inbound_services=zone_inbound,
             outbound_services=zone_outbound)
class HttpsProxyKeybridge(HttpProxy):
    """HttpProxy that terminates TLS on both sides and re-signs the server
    certificate for the client (keybridging).

    The X509KeyBridge is a class attribute, so it is built once when the
    policy is loaded and shared by every proxy instance; the per-connection
    SSL settings are applied in config().
    """

    # Signing material for the bridge. Each CA entry is a
    # (certificate file, private key file, passphrase) triple.
    # NOTE(review): the passphrases are literals in this policy file, so the
    # policy file needs the same protection as /etc/zorp/keybridge itself.
    key_generator = X509KeyBridge(
        key_file="/etc/zorp/keybridge/key.pem",
        key_passphrase="passphrase",
        cache_directory="/var/lib/zorp/keybridge-cache",
        trusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem",
            "passphrase",
        ),
        untrusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem",
            "passphrase",
        ),
    )

    def config(self):
        """Apply the keybridging SSL policy on top of HttpProxy.config()."""
        HttpProxy.config(self)
        self.require_host_header = FALSE

        # Server handshake ahead of the client one (per the constant's name),
        # so the server certificate exists before a client keypair is made.
        self.ssl.handshake_seq = SSL_HSO_SERVER_CLIENT

        # Client side: present a generated keypair signed by the bridge CAs.
        self.ssl.key_generator = self.key_generator
        self.ssl.client_keypair_generate = TRUE
        self.ssl.client_connection_security = SSL_FORCE_SSL
        self.ssl.client_verify_type = SSL_VERIFY_OPTIONAL_UNTRUSTED

        # Server side: always TLS; a certificate that fails verification is
        # still accepted ("Accepting untrusted certificate as directed by the
        # policy" in the thread's log) and ends up re-signed by the UnTrusted CA.
        self.ssl.server_connection_security = SSL_FORCE_SSL
        self.ssl.server_verify_type = SSL_VERIFY_REQUIRED_UNTRUSTED

        # Setting server_ca_directory takes the "Compatibility feature" path in
        # Proxy.__post_config__ (first traceback in the thread).
        self.ssl.server_ca_directory = '/etc/ssl/certs'
        # NOTE(review): the attribute name says directory but the value looks
        # like a single file -- confirm which one the proxy expects here.
        self.ssl.server_trusted_certs_directory = "/etc/zorp/ca.crt"
def zorp_https(): Service("intra_https", HttpsProxyKeybridge, TransparentRouter()) Listener(SockAddrInet("192.168.0.254", 50443), "intra_https", transparent=TRUE)
A hibauzenet (10-es debug level-en):
Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 409, in __post_config__ Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event; Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.session(5): (svc/intra_https:0/http): Proxy ending; class='HttpsProxyKeybridge', module='http' Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): proxyLog(self, SSL_DEBUG, 6, "Compatibility feature, processing server_ca_directory; value='%s'" % self.ssl.server_ca_directory) Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 135, in proxyLog Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): log(self.session.session_id, type, level, msg, args) Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): TypeError: not all arguments converted during string formatting Aug 4 14:17:21 teszt01 zorp/zorp_https[4765]: core.session(4): (svc/intra_https:0): Ending proxy instance;
A /usr/share/zorp/pylib/Zorp/Proxy.py 135. sora ez: log(self.session.session_id, type, level, msg, args)
Ha erre cserelem, akkor tovabbmegy, de ugyanugy nem mukodik: log(self.session.session_id, type, level, msg)
A hibauzenet:
Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Original keybridged certificate not found, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Cached certificate changed, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): Traceback (most recent call last): Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event; Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): 
self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob}) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 395, in getKeypair Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamSsl' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): new_cert = self.genCert(self.key, orig_cert, ca_pair[0], ca_pair[1], serial) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(8): (svc/intra_https:0/http/server): Writing channel; fd='17', count='69' Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0000: 15 03 03 00 40 A3 AE 40 53 8A F6 D6 59 DE B7 1C ....@..@S...Y... Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0010: 7E B3 17 F6 DA 7B 20 68 A2 B1 2E EB D5 F5 04 3C ~....{ h.......< Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0020: 2D 9D A3 28 D8 08 3F D6 F7 5F 69 1F 64 34 FD A5 -..(..?.._i.d4.. Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0030: AC 61 BB 30 27 B7 76 35 D9 E6 FB A2 72 F7 BC 15 .a.0'.v5....r... Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0040: 88 E2 BE 5C 5D ...\] Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): new_cert.del_extension(ext_index) Aug 4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension'
Azt mondja, hogy legeneralja a certificate fajlt, ugyanakkor nem jon letre ilyen fajl a /var/lib/zorp/keybridge-cache konyvtarban. A serial.txt fajlban no a szam, ott van a .lock fajl is, de mas nincs.
Mi okozza a problemat?
A probléma az, hogy a keybridge használatához patch-elt python-openssl szükséges, amihez az alábbi linket ajánlanám figyelmedbe. https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl Még két információ a jövőbeni működéshez. 1. dolgozunk egy hivatalos Zorp GPL repo létrehozásán (https://build.opensuse.org/project/show/security:Zorp) 2. dolgozunk azon, hogy lehetőség szerinti legkevesebb patch kelljen a Zorp GPL működéséhez, aminek egyebek mellett része a stock python-openssl, iptables, kernel, stb. (pl. a kernel kapcsán lásd az előző linket) melletti működés. Üdvözlettel: Szilárd
On Mon, Aug 04, 2014 at 03:42:36PM +0200, Szilárd Pfeiffer wrote:
On 2014-08-04 14:34, Kosa Attila wrote:
A kornyezet: zorp 3.9.5-4+mhp3~wheezy, naprakesz Debian Wheezy, gyari kernellel, tproxy-val.
Azt mondja, hogy legeneralja a certificate fajlt, ugyanakkor nem jon letre ilyen fajl a /var/lib/zorp/keybridge-cache konyvtarban. A serial.txt fajlban no a szam, ott van a .lock fajl is, de mas nincs.
Mi okozza a problemat?
A probléma az, hogy a keybridge használatához patch-elt python-openssl szükséges, amihez az alábbi linket ajánlanám figyelmedbe.
Koszonom, meg fogom nezni.
https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl
Még két információ a jövőbeni működéshez.
1. dolgozunk egy hivatalos Zorp GPL repo létrehozásán (https://build.opensuse.org/project/show/security:Zorp) 2. dolgozunk azon, hogy lehetőség szerinti legkevesebb patch kelljen a Zorp GPL működéséhez, aminek egyebek mellett része a stock python-openssl, iptables, kernel, stb. (pl. a kernel kapcsán lásd az előző linket) melletti működés
2011 aprilisaban Squeeze alatt mukodott a keybridge mindenfele patch nelkul... -- Udvozlettel Zsiga
On 2014-08-04 16:07, Kosa Attila wrote:
On Mon, Aug 04, 2014 at 03:42:36PM +0200, Szilárd Pfeiffer wrote:
On 2014-08-04 14:34, Kosa Attila wrote:
A kornyezet: zorp 3.9.5-4+mhp3~wheezy, naprakesz Debian Wheezy, gyari kernellel, tproxy-val.
Azt mondja, hogy legeneralja a certificate fajlt, ugyanakkor nem jon letre ilyen fajl a /var/lib/zorp/keybridge-cache konyvtarban. A serial.txt fajlban no a szam, ott van a .lock fajl is, de mas nincs.
Mi okozza a problemat?
A probléma az, hogy a keybridge használatához patch-elt python-openssl szükséges, amihez az alábbi linket ajánlanám figyelmedbe. Koszonom, meg fogom nezni.
https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl
Még két információ a jövőbeni működéshez.
1. dolgozunk egy hivatalos Zorp GPL repo létrehozásán (https://build.opensuse.org/project/show/security:Zorp) 2. dolgozunk azon, hogy lehetőség szerinti legkevesebb patch kelljen a Zorp GPL működéséhez, aminek egyebek mellett része a stock python-openssl, iptables, kernel, stb. (pl. a kernel kapcsán lásd az előző linket) melletti működés 2011 aprilisaban Squeeze alatt mukodott a keybridge mindenfele patch nelkul... Ahogy látom 2011. októberében került rá a patch, ami most neked a problémát okozza.
Üdv.: Szilárd
On Mon, Aug 04, 2014 at 03:42:36PM +0200, Szilárd Pfeiffer wrote:
On 2014-08-04 14:34, Kosa Attila wrote:
A kornyezet: zorp 3.9.5-4+mhp3~wheezy, naprakesz Debian Wheezy, gyari kernellel, tproxy-val.
# ls -ald /etc/zorp/ drwxr-x--- 7 root zorp 416 aug 4 14:15 /etc/zorp/ # ls -ald /etc/zorp/keybridge/ drwxr-x--- 2 root zorp 424 aug 4 13:47 /etc/zorp/keybridge/ # ls -Al /etc/zorp/keybridge/ összesen 20 -rw-r----- 1 root zorp 963 aug 4 13:47 key.pem -rw-r----- 1 root zorp 3338 aug 4 13:46 ZorpGPL_TrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:46 ZorpGPL_TrustedCA.key.pem -rw-r----- 1 root zorp 3352 aug 4 13:47 ZorpGPL_UnTrustedCA.cert.pem -rw-r----- 1 root zorp 963 aug 4 13:47 ZorpGPL_UnTrustedCA.key.pem # ls -ald /var/lib/zorp/keybridge-cache/ drwxrwx--- 2 zorp zorp 104 aug 4 13:15 /var/lib/zorp/keybridge-cache/
A konfig:
from Zorp.Core import * from Zorp.Proxy import * from Zorp.Http import *
# Address-based zones. Each entry is (name, network, inbound services,
# outbound services); only "intra_https" is ever referenced, so the intranet
# may only originate HTTPS and the internet may only receive it.
for zone_name, zone_net, zone_inbound, zone_outbound in (
    ("intranet", "192.168.0.0/24", [], ["intra_https"]),
    ("internet", "0.0.0.0/0", ["intra_https"], []),
):
    InetZone(zone_name, zone_net,
             inbound_services=zone_inbound,
             outbound_services=zone_outbound)
class HttpsProxyKeybridge(HttpProxy):
    """HttpProxy that terminates TLS on both sides and re-signs the server
    certificate for the client (keybridging).

    The X509KeyBridge is a class attribute, so it is built once when the
    policy is loaded and shared by every proxy instance; the per-connection
    SSL settings are applied in config().
    """

    # Signing material for the bridge. Each CA entry is a
    # (certificate file, private key file, passphrase) triple.
    # NOTE(review): the passphrases are literals in this policy file, so the
    # policy file needs the same protection as /etc/zorp/keybridge itself.
    key_generator = X509KeyBridge(
        key_file="/etc/zorp/keybridge/key.pem",
        key_passphrase="passphrase",
        cache_directory="/var/lib/zorp/keybridge-cache",
        trusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem",
            "passphrase",
        ),
        untrusted_ca_files=(
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem",
            "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem",
            "passphrase",
        ),
    )

    def config(self):
        """Apply the keybridging SSL policy on top of HttpProxy.config()."""
        HttpProxy.config(self)
        self.require_host_header = FALSE

        # Server handshake ahead of the client one (per the constant's name),
        # so the server certificate exists before a client keypair is made.
        self.ssl.handshake_seq = SSL_HSO_SERVER_CLIENT

        # Client side: present a generated keypair signed by the bridge CAs.
        self.ssl.key_generator = self.key_generator
        self.ssl.client_keypair_generate = TRUE
        self.ssl.client_connection_security = SSL_FORCE_SSL
        self.ssl.client_verify_type = SSL_VERIFY_OPTIONAL_UNTRUSTED

        # Server side: always TLS; a certificate that fails verification is
        # still accepted ("Accepting untrusted certificate as directed by the
        # policy" in the thread's log) and ends up re-signed by the UnTrusted CA.
        self.ssl.server_connection_security = SSL_FORCE_SSL
        self.ssl.server_verify_type = SSL_VERIFY_REQUIRED_UNTRUSTED

        # Setting server_ca_directory takes the "Compatibility feature" path in
        # Proxy.__post_config__ (first traceback in the thread).
        self.ssl.server_ca_directory = '/etc/ssl/certs'
        # NOTE(review): the attribute name says directory but the value looks
        # like a single file -- confirm which one the proxy expects here.
        self.ssl.server_trusted_certs_directory = "/etc/zorp/ca.crt"
def zorp_https(): Service("intra_https", HttpsProxyKeybridge, TransparentRouter()) Listener(SockAddrInet("192.168.0.254", 50443), "intra_https", transparent=TRUE)
Azt mondja, hogy legeneralja a certificate fajlt, ugyanakkor nem jon letre ilyen fajl a /var/lib/zorp/keybridge-cache konyvtarban. A serial.txt fajlban no a szam, ott van a .lock fajl is, de mas nincs.
Mi okozza a problemat?
A probléma az, hogy a keybridge használatához patch-elt python-openssl szükséges, amihez az alábbi linket ajánlanám figyelmedbe.
https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl
Eleg erdekesen vannak itt a fajlok, hogy ugy mondjam... Mindenesetre sikerult elerni, hogy Wheezy alatt csomag legyen belole. Azonban nem oldotta meg a problemat. Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.session(3): (svc/intra_https:0/http): Server connection established; server_fd='17', server_address='AF_INET(195. 228.112.250:443)', server_zone='Zone(internet)', server_local='AF_INET(192.168.1.75:33916)', server_protocol='TCP' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Certificate verification failed; error='unable to get local issuer certifica te' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(3): (svc/intra_https:0/http): Accepting untrusted certificate as directed by the policy; verify_error='unable to get local issuer certificate' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Identified peer; side='server', peer='/1.3.6.1.4.1.311.60.2.1.3=HU/businessCategory=Private Organization/serialNumber=01-10-041585/C=HU/postalCode=1051/ST=Budapest/L=Budapest/street=Nador utca 16./O=OTP Bank Nyrt./OU=ITUIG/CN=www.otpbank.hu', issuer='/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA', serial='5C8F4A4F1F45C1A99BC3ACC018E63E8D', version='2' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Generating key for the client; trusted='%d' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Original keybridged certificate not found, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): 
(svc/intra_https:0/http): Cached certificate changed, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating; Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): Traceback (most recent call last): Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client' Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob}) Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 395, in getKeypair Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): new_cert = self.genCert(self.key, orig_cert, ca_pair[0], ca_pair[1], serial) Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): new_cert.del_extension(ext_index) Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension' Hogyan tovabb? -- Udvozlettel Zsiga