[zorp-hu] 3.9.5 keybridge

Szilárd Pfeiffer pfeiffer.szilard at balabit.hu
Mon, 4 Aug 2014 15:42:36 CEST


On 2014-08-04 14:34, Kosa Attila wrote:
> Hello!
> The environment: zorp 3.9.5-4+mhp3~wheezy, up-to-date Debian Wheezy,
> stock kernel, with tproxy.
>
> # ls -ald /etc/zorp/
> drwxr-x--- 7 root zorp 416 aug    4 14:15 /etc/zorp/
> # ls -ald /etc/zorp/keybridge/
> drwxr-x--- 2 root zorp 424 aug    4 13:47 /etc/zorp/keybridge/
> # ls -Al /etc/zorp/keybridge/
> total 20
> -rw-r----- 1 root zorp  963 aug    4 13:47 key.pem
> -rw-r----- 1 root zorp 3338 aug    4 13:46 ZorpGPL_TrustedCA.cert.pem
> -rw-r----- 1 root zorp  963 aug    4 13:46 ZorpGPL_TrustedCA.key.pem
> -rw-r----- 1 root zorp 3352 aug    4 13:47 ZorpGPL_UnTrustedCA.cert.pem
> -rw-r----- 1 root zorp  963 aug    4 13:47 ZorpGPL_UnTrustedCA.key.pem
> # ls -ald /var/lib/zorp/keybridge-cache/
> drwxrwx--- 2 zorp zorp 104 aug    4 13:15 /var/lib/zorp/keybridge-cache/
>
>
> The config:
>
> from Zorp.Core import *
> from Zorp.Proxy import *
> from Zorp.Http import *
>
> InetZone("intranet", "192.168.0.0/24",
>         inbound_services=[],
>         outbound_services=["intra_https"])
>
> InetZone("internet", "0.0.0.0/0",
>         inbound_services=["intra_https"],
>         outbound_services=[])
>
> class HttpsProxyKeybridge(HttpProxy):
>         key_generator=X509KeyBridge(
>                 key_file="/etc/zorp/keybridge/key.pem",
>                 key_passphrase="passphrase",
>                 cache_directory="/var/lib/zorp/keybridge-cache",
>                 trusted_ca_files=(
>                         "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem",
>                         "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem",
>                         "passphrase"
>                 ),
>                 untrusted_ca_files=(
>                         "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem",
>                         "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem",
>                         "passphrase"
>                 )
>         )
>
>         def config(self):
>                 HttpProxy.config(self)
>                 self.require_host_header=FALSE
>                 self.ssl.handshake_seq=SSL_HSO_SERVER_CLIENT
>                 self.ssl.key_generator = self.key_generator
>                 self.ssl.client_keypair_generate=TRUE
>                 self.ssl.client_connection_security=SSL_FORCE_SSL
>                 self.ssl.client_verify_type=SSL_VERIFY_OPTIONAL_UNTRUSTED
>                 self.ssl.server_connection_security=SSL_FORCE_SSL
>                 self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED
>                 self.ssl.server_ca_directory = '/etc/ssl/certs'
>                 self.ssl.server_trusted_certs_directory="/etc/zorp/ca.crt"
>
> def zorp_https():
>         Service("intra_https", HttpsProxyKeybridge, TransparentRouter())
>         Listener(SockAddrInet("192.168.0.254", 50443), "intra_https", transparent=TRUE)
>
>
> The error message (at debug level 10):
>
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 409, in __post_config__
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event;
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event;
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event;
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event;
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http'
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2'
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD'
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.session(5): (svc/intra_https:0/http): Proxy ending; class='HttpsProxyKeybridge', module='http'
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr):     proxyLog(self, SSL_DEBUG, 6, "Compatibility feature, processing server_ca_directory; value='%s'" % self.ssl.server_ca_directory)
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 135, in proxyLog
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr):     log(self.session.session_id, type, level, msg, args)
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.stderr(3): (stderr): TypeError: not all arguments converted during string formatting
> Aug  4 14:17:21 teszt01 zorp/zorp_https[4765]: core.session(4): (svc/intra_https:0): Ending proxy instance;
>
>
> Line 135 of /usr/share/zorp/pylib/Zorp/Proxy.py is this:
> log(self.session.session_id, type, level, msg, args)
>
> If I change it to the following, it gets further, but still does not work:
> log(self.session.session_id, type, level, msg)
>
> The error message:
>
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Original keybridged certificate not found, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Cached certificate changed, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating;
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): Traceback (most recent call last):
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __pre_shutdown__() event;
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling shutdown() event;
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __post_shutdown__() event;
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(7): (svc/intra_https:0/http): calling __destroy__() event;
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http): Proxy destroy; class='HttpsProxyKeybridge', module='http'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Shutdown channel; fd='15', mode='2'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):     self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob})
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 395, in getKeypair
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamSsl'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):     new_cert = self.genCert(self.key, orig_cert, ca_pair[0], ca_pair[1], serial)
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.debug(6): (svc/intra_https:0/http/client): Closing stream; type='ZStreamFD'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(8): (svc/intra_https:0/http/server): Writing channel; fd='17', count='69'
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0000: 15 03 03 00 40 A3 AE 40 53 8A F6 D6 59 DE B7 1C  .... at ..@S...Y...
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0010: 7E B3 17 F6 DA 7B 20 68 A2 B1 2E EB D5 F5 04 3C  ~....{ h.......<
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0020: 2D 9D A3 28 D8 08 3F D6 F7 5F 69 1F 64 34 FD A5  -..(..?.._i.d4..
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0030: AC 61 BB 30 27 B7 76 35 D9 E6 FB A2 72 F7 BC 15  .a.0'.v5....r...
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.dump(10): (svc/intra_https:0/http/server): data line 0x0040: 88 E2 BE 5C 5D                                   ...\]
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr):     new_cert.del_extension(ext_index)
> Aug  4 14:23:21 teszt01 zorp/zorp_https[4810]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension'
>
> It says it generates the certificate file, yet no such file
> appears in the /var/lib/zorp/keybridge-cache directory.
> The number in serial.txt increases, and the .lock file is there too, but
> there is nothing else.
>
> What is causing the problem?
>
The problem is that using the keybridge requires a patched python-openssl;
for that I would point you to the link below.

https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl

Two more pieces of information for the future.

1. we are working on creating an official Zorp GPL repository
(https://build.opensuse.org/project/show/security:Zorp)
2. we are working on making Zorp GPL need as few patches as possible to
work, which among other things includes working with the stock
python-openssl, iptables, kernel, etc. (regarding the kernel, see the
previous link)

Best regards,
Szilárd
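The failure in the thread is in the certificate re-signing step of the keybridge (`genCert` calling `X509.del_extension`, which stock pyOpenSSL lacks). As an added example that is not Zorp's code, the script below does the same job by hand with only the stock `openssl` CLI: it classifies the origin certificate as trusted or untrusted against a CA bundle, re-issues a certificate carrying the origin's subject and subjectAltName but the proxy's own key, signs it with the matching local CA, and caches the result as `<class>-<hash>.crt` next to a `serial.txt` counter, the same layout the poster expected to see in `/var/lib/zorp/keybridge-cache`. Because the extension set is rebuilt from scratch rather than copied and pruned, no `del_extension` is needed. All file names, CA subjects, the proxy key and the origin certificate are constructed fixtures and assumptions of this demo; the script is a way to understand and sanity-check the CA material and cache directory, not a replacement for `X509KeyBridge` inside Zorp.

```shell
#!/bin/sh
# Added example, not Zorp code: a "keybridge" done by hand with the stock openssl CLI,
# mirroring what X509KeyBridge does for one origin certificate:
#   1. decide trusted/untrusted by validating the origin cert against a CA bundle,
#   2. re-issue a cert with the same subject and subjectAltName but the proxy's
#      OWN key, signed by the matching local CA,
#   3. cache the result per origin cert as <class>-<hash>.crt, bumping serial.txt.
# All paths, names and fixture certificates below are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CACHE="$WORK/keybridge-cache"
mkdir -p "$CACHE"
echo 1 > "$CACHE/serial.txt"

# newcert PREFIX SUBJECT EXTFILE [ISSUER_PREFIX]: constructed fixture certificate,
# self-signed unless an issuer prefix is given.
newcert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key.pem" -out "$WORK/$1.csr" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.cert.pem" -CAkey "$WORK/$4.key.pem" \
            -set_serial 1000 -days 365 -sha256 -extfile "$3" -out "$WORK/$1.cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key.pem" \
            -days 365 -sha256 -extfile "$3" -out "$WORK/$1.cert.pem" 2>/dev/null
    fi
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test,DNS:example.test\n' > "$WORK/leaf.ext"
newcert trusted   "/CN=Bridge Trusted CA"   "$WORK/ca.ext"   # like ZorpGPL_TrustedCA
newcert untrusted "/CN=Bridge Untrusted CA" "$WORK/ca.ext"   # like ZorpGPL_UnTrustedCA
newcert origin-ca "/CN=Some Public CA"      "$WORK/ca.ext"   # the origin's real issuer
newcert origin "/CN=www.example.test/O=Example Origin" "$WORK/leaf.ext" origin-ca
openssl genrsa -out "$WORK/proxy.key.pem" 2048 2>/dev/null   # like keybridge/key.pem

subj_of() {  # subject in openssl's /-separated -subj form (RFC2253 lists it reversed;
             # attribute values containing escaped commas are not handled here)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//' \
        | awk -F, '{ for (i = NF; i > 0; i--) printf "/%s", $i }'
}
san_of() {   # subjectAltName entries, comma-separated without spaces (empty if none)
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' | sed 's/^ *//; s/, */,/g'
}

# keybridge ORIGIN_CERT TRUST_BUNDLE: prints the path of the bridged certificate.
keybridge() {
    local orig="$1" bundle="$2" class fp out serial san
    if openssl verify -CAfile "$bundle" "$orig" >/dev/null 2>&1; then
        class=trusted      # chain validated: clients get a cert from the trusted CA
    else
        class=untrusted    # did not validate: untrusted CA, so the browser still warns
    fi
    fp=$(openssl x509 -in "$orig" -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')
    out="$CACHE/$class-$fp.crt"
    if [ -f "$out" ]; then   # cache hit: same origin cert, same trust class
        echo "$out"; return 0
    fi
    san=$(san_of "$orig")
    {   # extensions rebuilt from scratch, so nothing has to be deleted afterwards
        echo 'basicConstraints=CA:FALSE'
        echo 'keyUsage=digitalSignature,keyEncipherment'
        echo 'extendedKeyUsage=serverAuth'
        echo 'subjectKeyIdentifier=hash'
        echo 'authorityKeyIdentifier=keyid'
        if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
    } > "$WORK/bridge.ext"
    serial=$(cat "$CACHE/serial.txt")
    echo $((serial + 1)) > "$CACHE/serial.txt"
    openssl req -new -key "$WORK/proxy.key.pem" -subj "$(subj_of "$orig")" \
        -out "$WORK/bridge.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/bridge.csr" -CA "$WORK/$class.cert.pem" -CAkey "$WORK/$class.key.pem" \
        -set_serial "$serial" -days 30 -sha256 -extfile "$WORK/bridge.ext" -out "$out" 2>/dev/null
    echo "$out"
}

# bridged_ok ORIGIN BRIDGED CA_CERT: the client must see the origin's identity, the
# proxy's key, and a chain that ends at the chosen local CA.
bridged_ok() {
    [ "$(subj_of "$1")" = "$(subj_of "$2")" ] &&
    [ "$(san_of "$1")" = "$(san_of "$2")" ] &&
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$WORK/proxy.key.pem" -pubout)" ] &&
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1
}

# Demo: with the origin's issuer in the bundle the cert bridges under the trusted
# CA; with an empty bundle it lands under the untrusted CA.
cp "$WORK/origin-ca.cert.pem" "$WORK/trusted-bundle.pem"
: > "$WORK/empty-bundle.pem"
BRIDGED_TRUSTED=$(keybridge "$WORK/origin.cert.pem" "$WORK/trusted-bundle.pem")
BRIDGED_UNTRUSTED=$(keybridge "$WORK/origin.cert.pem" "$WORK/empty-bundle.pem")
ls "$CACHE"
```

Running it lists `trusted-<sha256>.crt`, `untrusted-<sha256>.crt` and `serial.txt` in the cache directory, which is the shape the poster was looking for. A second call for the same origin certificate and trust class is served from the cache without touching the serial counter. One practical caveat this makes visible: the untrusted CA signs anything that fails validation, so a client that has imported the untrusted CA as trusted would lose the warning entirely; only the trusted CA belongs in client trust stores.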



More information about the zorp-hu mailing list