[zorp-hu] 3.9.5 keybridge

Kosa Attila zsiga at kosaek.hu
Fri, 12 Sep 2014, 11:07:44 CEST


On Mon, Aug 04, 2014 at 03:42:36PM +0200, Szilárd Pfeiffer wrote:
> On 2014-08-04 14:34, Kosa Attila wrote:
> > The environment: zorp 3.9.5-4+mhp3~wheezy, up-to-date Debian Wheezy,
> > stock kernel, with tproxy.
> >
> > # ls -ald /etc/zorp/
> > drwxr-x--- 7 root zorp 416 aug    4 14:15 /etc/zorp/
> > # ls -ald /etc/zorp/keybridge/
> > drwxr-x--- 2 root zorp 424 aug    4 13:47 /etc/zorp/keybridge/
> > # ls -Al /etc/zorp/keybridge/
> > összesen 20
> > -rw-r----- 1 root zorp  963 aug    4 13:47 key.pem
> > -rw-r----- 1 root zorp 3338 aug    4 13:46 ZorpGPL_TrustedCA.cert.pem
> > -rw-r----- 1 root zorp  963 aug    4 13:46 ZorpGPL_TrustedCA.key.pem
> > -rw-r----- 1 root zorp 3352 aug    4 13:47 ZorpGPL_UnTrustedCA.cert.pem
> > -rw-r----- 1 root zorp  963 aug    4 13:47 ZorpGPL_UnTrustedCA.key.pem
> > # ls -ald /var/lib/zorp/keybridge-cache/
> > drwxrwx--- 2 zorp zorp 104 aug    4 13:15 /var/lib/zorp/keybridge-cache/
> >
> >
> > The config:
> >
> > from Zorp.Core import *
> > from Zorp.Proxy import *
> > from Zorp.Http import *
> >
> > InetZone("intranet", "192.168.0.0/24",
> >         inbound_services=[],
> >         outbound_services=["intra_https"])
> >
> > InetZone("internet", "0.0.0.0/0",
> >         inbound_services=["intra_https"],
> >         outbound_services=[])
> >
> > class HttpsProxyKeybridge(HttpProxy):
> >         key_generator=X509KeyBridge(
> >                 key_file="/etc/zorp/keybridge/key.pem",
> >                 key_passphrase="passphrase",
> >                 cache_directory="/var/lib/zorp/keybridge-cache",
> >                 trusted_ca_files=(
> >                         "/etc/zorp/keybridge/ZorpGPL_TrustedCA.cert.pem",
> >                         "/etc/zorp/keybridge/ZorpGPL_TrustedCA.key.pem",
> >                         "passphrase"
> >                 ),
> >                 untrusted_ca_files=(
> >                         "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.cert.pem",
> >                         "/etc/zorp/keybridge/ZorpGPL_UnTrustedCA.key.pem",
> >                         "passphrase"
> >                 )
> >         )
> >
> >         def config(self):
> >                 HttpProxy.config(self)
> >                 self.require_host_header=FALSE
> >                 self.ssl.handshake_seq=SSL_HSO_SERVER_CLIENT
> >                 self.ssl.key_generator = self.key_generator
> >                 self.ssl.client_keypair_generate=TRUE
> >                 self.ssl.client_connection_security=SSL_FORCE_SSL
> >                 self.ssl.client_verify_type=SSL_VERIFY_OPTIONAL_UNTRUSTED
> >                 self.ssl.server_connection_security=SSL_FORCE_SSL
> >                 self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED
> >                 self.ssl.server_ca_directory = '/etc/ssl/certs'
> >                 self.ssl.server_trusted_certs_directory="/etc/zorp/ca.crt"
> >
> > def zorp_https():
> >         Service("intra_https", HttpsProxyKeybridge, TransparentRouter())
> >         Listener(SockAddrInet("192.168.0.254", 50443), "intra_https", transparent=TRUE)
> >
> > It says it is generating the certificate file, yet no such file is
> > created in the /var/lib/zorp/keybridge-cache directory.
> > The number in serial.txt keeps increasing, the .lock file is there too,
> > but there is nothing else.
> >
> > What is causing the problem?
> >
> The problem is that using the keybridge requires a patched python-openssl,
> for which I would recommend the link below.
> 
> https://build.opensuse.org/package/show/home:VPetya:zorp/pyopenssl

The files there are arranged rather interestingly, so to speak...
In any case, I managed to get it built into a package under Wheezy.
However, it did not solve the problem.

Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.session(3): (svc/intra_https:0/http): Server connection established; server_fd='17', server_address='AF_INET(195.228.112.250:443)', server_zone='Zone(internet)', server_local='AF_INET(192.168.1.75:33916)', server_protocol='TCP'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Certificate verification failed; error='unable to get local issuer certificate'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(3): (svc/intra_https:0/http): Accepting untrusted certificate as directed by the policy; verify_error='unable to get local issuer certificate'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Identified peer; side='server', peer='/1.3.6.1.4.1.311.60.2.1.3=HU/businessCategory=Private Organization/serialNumber=01-10-041585/C=HU/postalCode=1051/ST=Budapest/L=Budapest/street=Nador utca 16./O=OTP Bank Nyrt./OU=ITUIG/CN=www.otpbank.hu', issuer='/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA', serial='5C8F4A4F1F45C1A99BC3ACC018E63E8D', version='2'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Generating key for the client; trusted='%d'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Original keybridged certificate not found, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Cached certificate changed, regenerating; file='/var/lib/zorp/keybridge-cache/untrusted-55628789eb3493c9db441ca88959d90f.crt'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating;
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): Traceback (most recent call last):
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):     self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob})
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 395, in getKeypair
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):     new_cert = self.genCert(self.key, orig_cert, ca_pair[0], ca_pair[1], serial)
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):     new_cert.del_extension(ext_index)
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension'

How do I proceed from here?

-- 
		Regards
				    Zsiga
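As an added example (not part of this thread or of the Zorp project), the Python script below triages log lines like the ones quoted above: it parses the zorp log line shape (facility, level, session, free text, then key='value' fields after the semicolon), reassembles the Python traceback that zorp relays line by line over core.stderr while other messages interleave with it, and turns the evidence into findings. The sample log is a constructed excerpt of the log in this mail with the wrapped lines joined and the two long DNs abridged; the function names and the field layout of the summary are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the zorp log quoted in the mail above, with the
# wrapped lines joined and the two long DNs abridged.
SAMPLE_LOG = """\
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Certificate verification failed; error='unable to get local issuer certificate'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(3): (svc/intra_https:0/http): Accepting untrusted certificate as directed by the policy; verify_error='unable to get local issuer certificate'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Identified peer; side='server', peer='/C=HU/L=Budapest/O=OTP Bank Nyrt./CN=www.otpbank.hu', issuer='/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Extended Validation SSL SGC CA', serial='5C8F4A4F1F45C1A99BC3ACC018E63E8D', version='2'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(4): (svc/intra_https:0/http): Generating key for the client; trusted='%d'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.debug(5): (svc/intra_https:0/http): Certificate not found in the cache, regenerating;
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): Traceback (most recent call last):
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 891, in generateKeyClient
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.policy(1): (svc/intra_https:0/http): Error fetching local key/certificate pair; side='client'
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):     self.ssl.key_generator.getKeypair({'bridge-untrusted-key': self.ssl.server_peer_certificate.blob})
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):   File "/usr/share/zorp/pylib/Zorp/Keybridge.py", line 335, in genCert
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr):     new_cert.del_extension(ext_index)
Sep 12 10:59:42 teszt01 zorp/zorp_https[24782]: core.stderr(3): (stderr): AttributeError: 'X509' object has no attribute 'del_extension'
"""

# One zorp log line as seen above:
#   <syslog prefix> zorp/<instance>[<pid>]: <facility>(<level>): (<session>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) zorp/(?P<instance>[^\[]+)\[(?P<pid>\d+)\]: "
    r"(?P<facility>[\w.]+)\((?P<level>\d)\): \((?P<session>[^)]*)\): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)='([^']*)'")  # key='value' pairs after the first ';'
FRAME_RE = re.compile(r'^File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)$')
EXC_RE = re.compile(r"^(?P<type>\w+): (?P<message>.*)$")  # final "ExcType: message" line


def parse_line(line):
    """Split one log line into its envelope, free-text message and key='value' fields."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    text, _, tail = rec["msg"].partition(";")
    rec["text"] = text.strip()
    rec["fields"] = dict(KV_RE.findall(tail))
    return rec


def cn_of(dn):
    """Return the CN component of an OpenSSL-style '/C=../O=../CN=..' DN, if present."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None


def parse_traceback(lines):
    """Extract the frames and the final exception from the relayed traceback, or None."""
    if "Traceback (most recent call last):" not in lines:
        return None
    frames = [{"file": m["file"], "line": int(m["line"]), "func": m["func"]}
              for m in map(FRAME_RE.match, lines) if m]
    exc = None
    for m in map(EXC_RE.match, lines):
        if m:
            exc = {"type": m["type"], "message": m["message"]}
    return {"frames": frames, "exception": exc}


def summarize(log_text):
    """Group per-session evidence; stderr lines are collected separately because
    other messages (e.g. the core.policy error) interleave with the traceback."""
    sessions = defaultdict(lambda: {"peer_cn": None, "issuer_cn": None, "verify_error": None,
                                    "accepted_untrusted": False, "keybridge_failed_side": None})
    stderr = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["facility"] == "core.stderr":
            stderr.append(rec["msg"].strip())
            continue
        s, f, text = sessions[rec["session"]], rec["fields"], rec["text"]
        if text == "Certificate verification failed":
            s["verify_error"] = f.get("error")
        elif text.startswith("Accepting untrusted certificate"):
            s["accepted_untrusted"] = True
        elif text == "Identified peer" and f.get("side") == "server":
            s["peer_cn"], s["issuer_cn"] = cn_of(f.get("peer", "")), cn_of(f.get("issuer", ""))
        elif text == "Error fetching local key/certificate pair":
            s["keybridge_failed_side"] = f.get("side")
    return dict(sessions), parse_traceback(stderr)


def diagnose(log_text):
    """Turn the parsed evidence into findings a defender can act on."""
    sessions, tb = summarize(log_text)
    findings = []
    for name, s in sessions.items():
        if s["accepted_untrusted"]:
            findings.append(f"{name}: server certificate of {s['peer_cn']} (issuer {s['issuer_cn']}) "
                            f"failed verification ({s['verify_error']}) but policy accepted it")
        if s["keybridge_failed_side"]:
            findings.append(f"{name}: keybridge generated no {s['keybridge_failed_side']}-side certificate")
    if tb and tb["exception"]:
        e = tb["exception"]
        where = tb["frames"][-1] if tb["frames"] else None
        loc = f" in {where['func']} ({where['file']}:{where['line']})" if where else ""
        findings.append(f"{e['type']}{loc}: {e['message']}")
        if e["type"] == "AttributeError" and "del_extension" in e["message"]:
            findings.append("X509.del_extension is missing: the installed pyOpenSSL is not the "
                            "patched python-openssl the keybridge needs (see the link in the thread)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```

Run it against a real log with `diagnose(open("/var/log/syslog").read())`; the per-session grouping matters because every line in the excerpt carries the same timestamp, so only the session id and the stderr channel tell the policy decision apart from the keybridge failure that followed it.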


More information about the zorp-hu mailing list