Shunze ¾Ç¶é >¹q¸£¸ê°T¾Ç¨t >¦Y³n¤£¦Yµw > ¡m¤À¨É¡nFreeradius»POpenSSL¾ÌÃÒ «¢Åo¡AÁÙ¨S¦³µù¥U©ÎªÌµn¤J¡C½Ð§A[µù¥U|µn¤J]
« ¤W¤@½g¥DÃD ¤U¤@½g¥DÃD » Åã¥Ü¦¨¦C¦L¼Ò¦¡ | ¼W¥[¨ì§Úªº³Ì·R
µoªí·s¥DÃD µoªí¦^ÂÐ
§@ªÌ
¥DÃD
shunze
¤u¤Í§B§B


µù¥U¤é´Á: 2002 04
¨Ó¦Û: ¼é¦Á²×¤î¤§¦a
¤å³¹: 2370

shunze Â÷½u
¡m¤À¨É¡nFreeradius»POpenSSL¾ÌÃҤޥΦ^ÂÐ ½s¿è/§R°£¤å³¹ ·j´M¥Ñ  µoªíªº¨ä¥L¤å³¹ ¦^³øµ¹ª©¥D IP ¦ì¸m ¦^¦¹­¶³Ì¤W¤è

³Ìªñ¦b´ú¸ÕFreeradius¤Wªº¦UºØEAP»{ÃÒ¾÷¨î¡C
Freeradius¤W¤ä´©¤FEAP-MD5¡BLEAP¡BEAP-TLS¡BEAP-TTLS¤ÎEAP-PEAPµ¥¦hºØEAP±`¨£»{ÃÒ¨ó©w¡A
°£¤F¹w³]ªºEAP-MD5¤Ö¤F¬Û¤¬»{ÃÒ¨î(Mutual Authentication)¡A¨ä¥¦4ºØ¾÷¨î³£¤ä´©¬Û¤¬»{ÃÒ¡C
¦ÓEAP-TLS¡BEAP-TTLS¤ÎEAP-PEAP³o¤TºØ¾÷¨î¡A§ó»Ý­n¾ÌÃÒ¨Ó¶i¦æ¸ê®Æ¥[±K¶Ç¿éÅçÃÒ¡C
¨º»ò¦b¦w¸ËFreeRadiusªºUbuntu¤W¡A¬O¦p¦ó²£¥Í³o¨Ç¾ÌÃÒ©O¡H


¨ä¹ê¦bUbuntu 14.04¤W¦w¸Ë¦nFreeradius«á¡A¥u­n¤U¹F freeradius -X «ü¥O¡A
¨t²Î´N·|©ó /etc/freeradius/certs ¥Ø¿ý¤U¡A³z¹LbootstrapÀɮפ¤ªºscript¨Ó«Ø¥ß¹w³]ªºsnake oil¾ÌÃҨѨϥΪ̶i¦æ´ú¸Õ¡C

­Y§Ú­Ì·Q­n«Ø¥ß¦Û¤vªº¾ÌÃÒ¡A¥i°Ñ¦Ò¤U¹Ï¤F¸Ñ¾ÌÃÒ¥@¬É¤¤ªºª«¥óÃöÁp¡A³z¹L¤º«ØªºOpenSSL¨Ó¶i¦æ¡C


¡ô¦³¨S¦³µo垷client©Mserverªº¥Ó½Ð¬yµ{¬O§¹¥þ¬Û¦Pªº¡I¡H

  • ·Ç³Æ¦nOpenSSLªº¤u§@Àô¹Ò
    ¦bFreeradius¤¤¡A¨ä¾ÌÃҥؿý¬O©w¸q¦b /etc/freeradius/eap.conf Àɮפ¤¡A
    ¹w³]¬° /etc/freeradius/certs ¸ô®|¤U¡C
    (´ú¸Õªºsnake oil¾ÌÃÒ¤]¬O©ñ¸m©ó¦¹¡C)



    ¬°¤F¤u§@¤è«K¡A¥H¤Uªº¾ÌÃÒ¬ÛÃö¾Þ§@Àô¹Ò±N¤Á´«¨ì¦¹¸ô®|¤U¡F
    «Ø¥ß¾ÌÃҮɡAª½±µ²£¥Í¾ÌÃҩ󦹥ؿý¤¤¡A¹ïÀ³¨ìFreeradiusªº»Ý¨D¡A¬Ù¥h·h²¾ªº³Â·Ð¡C

    ¦b¶i¦æ¥H¤U¾Þ§@«e¡A½Ð¥ý±N¦¹certs¥Ø¿ý²MªÅ¡A©Î·h²¾³Æ¥÷¨ì§O³B¡C

  • «Ø¸m¦Û¤vCA
    Freeradius¤¤¤º«Ø¤F¤T­Ó¹w³]²ÕºA½d¨ÒÀÉca.cnf¡Bserver.cnf¡Bclient.cnf¡A
    ³o¨Ç²ÕºAÀɲΤ@©ñ¦b /usr/share/doc/freeradius/examples/certs ¥Ø¿ý¤¤¡C

    ¦b«Ø¸m¦Û¤vªºCA¤W¡A§Ú­Ì°£¤F¥i³z¹L¤¬°Ê¦¡°Ýµª¡A³v¤@¿é¤JCA¤º®e¥~¡F
    ¤]¥i¥H³z¹L²ÕºAÀÉca.cnf¨Ó¶i¦æ³]©w¡C

    ³z¹Lca.cnf²ÕºAÀɨӫظmCA®É¡A
    «Øij¥ý§â /usr/share/doc/freeradius/examples/certs ¥Ø¿ý¤¤ªºca.cnf¡A½Æ»s¤@¥÷¨ì /etc/freeradius/certs ¥Ø¿ý¤¤¡A
    µM«á¤Á´«¤u§@¥Ø¿ý¨ì /etc/freeradius/certs ¤U¡A¦A¹ïca.cnf¶i¦æ°Ñ¼Æ½s¿è¡A
    ¥[¤J¦Û¤v²Õ´³æ¦ìªº¸ê°T¡A°µ¬°¾ÌÃÒªº¤º®e¡C


    ¡ô¨ä¤¤ªºinput_password´N¬OCAªºpass phrase¡A³o­Ó±K½X¦b¨C¦¸Åª¨úca.key®É¡A³£·|­n¨D¿é¤J¡C

    ±µµÛ³z¹L¥H¤U«ü¥O¨Ó²£¥ÍCAªºprivate key»Pca¾ÌÃÒca.pem¡C
    openssl req -new -x509 -keyout ca.key -out ca.pem -config ./ca.cnf



    ­Y¤W­z«ü¥O¤£±a¤J°Ñ¼Æ -config¡A«h¤£·|¥hŪ¨ú²ÕºAÀÉca.cnfªº¤º®e³]©w¨Ó°µ¬°¾ÌÃÒ¤º®e¡C
    ©Ò¦³«Ø¥ßCA¾ÌÃҩһݭnªº²Õ´³æ¦ì»Ppass phraseµ¥¸ê°T¡A³£­n³z¹L¤¬°Ê¦¡°Ýµª¡A¤@­Ó¤@­Ó¿é¤J¡ã


    ­þ¤@­Ó¤ñ¸û¦n¡H
    ¨ä¹ê®ÄªG³£¤@¼Ë¡AµL©Ò¿×¦nÃa¡A¬Ý­Ó¤H²ßºD¡C
    ¦ý­Y¦³ca.cnf³]©wÀÉ¡A¦b¤é«áºûÅ@¤W·|¤ñ¸û²M·¡CAªº¬ÛÃö¤º®e¡C

    ¥t¥~¡A¾ÌÃÒ¦³¦hºØ®æ¦¡pem¡Acrt¡Acer...µ¥¡A
    ¦]¬°Freeradius¹w³]¬O¦Ypem®æ¦¡¾ÌÃÒ¡A©Ò¥H¦b¥»¤åªº«ü¥O¤¤¡A¤@«ß²£¥Ípem®æ¦¡¾ÌÃÒ¡C
    ­Y»Ý­n¨ä¥¦®æ¦¡¾ÌÃÒ¡A½Ð¦Û¤v­×§ï«Ø¥ß¾ÌÃÒ«ü¥Oªº out ªþÀɦW®æ¦¡¡C

  • «Ø¥ßserverªº¾ÌÃÒ
    CA«Ø¥ß«á¡A±µ¤U¨Ó´N­n¦VCA¥Ó½ÐFreeradius©Ò»Ý­nªº¾ÌÃÒ¤F¡C

    ­n¥ýCA¥Ó½Ð¾ÌÃÒ¡A­º¥ý­n«Ø¥ßserver¦Û¤vªºprivate key¡A¥i³z¹L¥H¤U«ü¥O¨Ó¶i¦æ¡C
    openssl genrsa -des3 -out server.key 1024


    ¡ô³oùتºpass phrase±K½X´N¬Oserverªºprivate keyªº±K½X¡C³o­Ó±K½X¦b¨C¦¸Åª¨úserver.key®É¡A³£·|­n¨D¿é¤J¡C

    ½Ðª`·N¡G
    ÁöµM¦b¥»¨Ò¤¤¡ACA¸òFreeradius¬O¦P¤@¥x¥D¾÷¡A¦ý¨âªÌ¦b·N¸q¤W¬O¤£¦Pªº¡C
    CA¬O°µ¬°¾ÌÃÒ¤¤¤ß¡A¦ÓFreeradius«h¬O°µ¬°«eºÝ»Ý¨DªÌ(Server)¡A¦VCA¥Ó½Ð¾ÌÃÒ¡A
    CA¦³CA¦Û¤vªºprivate key¡AServer¦³Server¦Û¤vªºprivate.key¡A
    ¦Ó¨C¤@¤äkey³£·|¦³¦Û¤vªºpass phrase±K½X¡A¨âªÌ¤£­n·d²V³á¡I


    Freeradiusªºserver.key«Ø¥ß«á¡A±µµÛ³z¹L¦¹private key«Ø¥ßcsrÀÉ¡A·Ç³Æ¦VCA¥Ó½Ð¾ÌÃÒ¡C
    ²£¥Íserver.csrÀÉ´N¸òca¾ÌÃÒ¤@¼Ë¡A¥i³z¹L²ÕºA³]©wÀÉserver.cnf¨Ó²£¥Í¡A¤]¥i³z¹L¤¬°Ê°Ýµª¨Ó«Ø¥ß¡C

    ³z¹L²ÕºA³]©wÀɪº¤è¦¡¦p¤U¡C
    ¥ý½Æ»s¤@¥÷serverºÝªº²ÕºA³]©w½d¨Òserver.cnf¨ì²{¦bªº¤u§@¥Ø¿ý¡AµM«á¦A½s¿è¤u§@¥Ø¿ý¤Uªºserver.cnf³]©wÀÉ¡C
    cp /usr/share/doc/freeradius/examples/certs/server.cnf /etc/freeradius/certs/server.cnf


    ¡ô³]©wÀɤºªºinput_password¡A­n¿é¤J­è¤~«Ø¥ßserver.key®É©Ò¿é¤Jªºpass phrase±K½X³á¡C

    µM«á¤U¹F¥H¤U«ü¥O¡A«Ø¥ßserverºÝªºcsrÀÉ¡Aserver.csr¡C
    openssl req -new -key server.key -out server.csr -config ./server.cnf



    ­Y¤W­z«ü¥O¤£±a¤J°Ñ¼Æ -config¡A«hÅܦ¨³z¹L¤¬°Ê¦¡°Ýµª¡A¨Ì´£¥Ü¨Ó³v¤@¿é¤Jcsr¬ÛÃö¸ê°T¡C
    openssl req -new -key server.key -out server.csr


    ¡ô«Ø¥ßserverºÝcsr¤@¶}©l´N·|¸ò§A­nprivate keyªºpass phrase±K½X¡A³o±K½X´N¬O«Ø¥ßserver.key®É©Ò¿é¤Jªº±K½X³á¡I

    ServerºÝªºcsrÀɫإ߫á¡A´N¥i¥H¥H¦¹ÀɮצVCA¥Ó½Ð¾ÌÃÒ¡C
    ¤£¹LCAºÝÁÙ¦³¤u§@¥¼§¹¦¨¡Aª½±µ«Ø¥ß¾ÌÃÒªº¸Ü¡A¥i¬O·|³ø¿ùªº¡I

    CAºÝÁÙ¦³­þ¨Ç¤u§@­n°µ©O¡H
    À˵ø³]©wÀÉca.cnf¡A§Ú­Ìµo²{ÁÙ¦³crl¥Ø¿ý»Pindex.txt¡BserialÀÉ®×­n«Ø¥ß¡C



    §Ú­Ì¥i³z¹L¥H¤U«ü¥O¨Ó«Ø¥ß¥Ø¿ý¤ÎÀɮסC
    mkdir crl
    touch index.txt
    echo 01 > serial


    CAºÝªºÀô¹Ò»Ý¨D¸É¨¬«á¡A¦A³z¹L¥H¤U«ü¥O¥Hserver.csr¦VCA¥Ó½Ð¾ÌÃÒ´N¤£·|³ø¿ù¤F¡C
    openssl ca -in server.csr -out server.pem -cert ca.pem -keyfile ca.key -config ./ca.cnf


    ¡ô³o¬O¥H¬OCAªº¨¤¦â¨Ó¤U«ü¥O¡A©Ò¥HŪ¨úCAªºprivate key¨Ó®Öµoserverªº¾ÌÃҮɡA­n¿é¤Jªºpass phrase±K½X¬OCAªº±K½X¡I

    ¨ì³oÃä¡AserverºÝªº¾ÌÃҥӽдN¤j¥\§i¦¨Åo¡ã
    ¤£¹L¥HFreeradius¨Ó»¡¡A¥¦ªº¾ÌÃÒ¾÷¨îùØÁٻݭndh»Prandom³o¨â­ÓÀɮסC



    ³o³¡¤À¥i³z¹L¥H¤U«ü¥O¨Ó«Ø¥ß³o¨â­ÓÀɮסC
    openssl dhparam -check -text -5 512 -out dh
    dd if=/dev/urandom of=random count=2

    ¸É¨¬¥²­nÀɮ׫á¡AFreeradius¦b¹B§@¤W¤~¤£·|³ø¿ù¡C

    ÁÙ¦³´N¬O§Ú­Ì¤w¸g«Ø¥ß¦Û¤vªº¾ÌÃÒ¤F¡A
    ­Y«Ø¥ßserver.key®É¡A¤£¬O±Ä¥Î¹w³]ªº±K½X whatever ªº¸Ü¡A
    ¦beap.confùØ tls °Ï¬q¤ºªº private_key_password ¤]­n­×§ï¬°§A«Ø¥ßserver.key®É©Ò³]©wªºpass phrase±K½X¤~¦æ³á¡I

    ³Ì«á¡A§Ú­Ì¤w¸g«Ø¥ß¦n¦Û¤v¾ÌÃÒ¤F¡A
    Freeradius¤W²£¥Í¹w³]snake oil¾ÌÃÒªº³]©w´N¤£»Ý­n¤F¡C
    ¬d¬Ý¤@¤Ueap.confùØ¡Atls °Ï¬q¤ºªº make_cert_command = "${certdir}/bootstrap" ³o¤@¦æ¬O§_¤wµù¸Ñ±¼¡C
    ­Y¥¼µù¸Ñ±¼¡A½Ð°O±o§â¥¦µù¸Ñ±¼³á¡I

  • «Ø¥ßclientªº¾ÌÃÒ
    ClientºÝ¾ÌÃÒªº¥Ó½Ð¬yµ{¡A¨ä¹ê©MServerºÝªº¬O§¹¥þ¬Û¦Pªº¡C


    ¦P¼Ë¥i³z¹L²ÕºA³]©wÀÉclient.cnf©Î¤¬°Ê¦¡°Ýµª¨âºØ¤è¦¡¨Ó«Ø¥ß¡C
    ClientºÝ¤@¼Ë¦³¨äprivate key¤Î¨äpass phrase±K½X¡A¥Î¨ÓÅçÃÒ§A¬O§_¬°¦Xªk«ù¦³¡F
    µM«á³z¹L¦¹key«Ø¥ßclient.csr¡A¦A¦VCA´£¥X¾ÌÃҥӽСC
    ³o³¡¤À´N¤£­«Âл¡©ú¤F¡C

    ·í§AªºFreeradius¬O±Ä¥ÎTTLS¤ÎPEAPªº¸Ü¡A¬O¤£»Ý­n¦¹clientºÝ¾ÌÃÒ¡C
    ¦ý­Y±Ä¥Îªº¬OTLSªºEAPªº¸Ü¡A´N­n«Ø¥ß¦¹¾ÌÃÒ¡AµM«áÂàµoµ¹¨Ï¥ÎªÌ¦w¸Ë¡A
    ³o¼ËEAP-TLSªºÂù¦VÅçÃÒ¤~·|³q¹L¡C

    ­Y«eºÝ¨Ï¥ÎªÌ¬OWindows©ÎAndroid¤â¾÷¡A»Ý­nP12®æ¦¡ªº¾ÌÃÒ¡A¥i¥H³z¹L¥H¤U«ü¥OÂà¥X¡C
    openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12


    ¡ôÂà¥X®É·|¥ý­nclient.keyªºpass phrase±K½X¶i¦æ½T»{¡A¦A«Ø¥ßP12ªºExport Password¡A°µ¬°XP¶×¤J¾ÌÃÒ®ÉÅçÃҨϥΡC


°Ñ¦Ò¸ê®Æ
SSL·§©ÀÉOopensslªº¦w装
Production Certificates
OpenSSL - ª÷Æ_»P¾ÌÃÒªººÞ²z
¨Ï¥Î freeRadius ³]¸m 802.1X »{ÃÒÀô¹Ò(¤T)EAP-TLS½g



♥¶¶¤l¦Ñ±Cªººô©ç¡A½Ð¦hÃö·Ó¡ã

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2015-06-08, 22:00 shunze ªº­Ó¤H¸ê®Æ §â shunze ¥[¤J¦n¤Í¦Cªí µo°eEmailµ¹ shunze ÂsÄý shunze ªººô¯¸ MSN : shunze@gmail.com
shunze
¤u¤Í§B§B


µù¥U¤é´Á: 2002 04
¨Ó¦Û: ¼é¦Á²×¤î¤§¦a
¤å³¹: 2370

shunze Â÷½u
¡m¤À¨É¡nOpenSSL°ÝÃD»P³B²z¤Þ¥Î¦^ÂÐ ½s¿è/§R°£¤å³¹ ·j´M¥Ñ  µoªíªº¨ä¥L¤å³¹ ¦^³øµ¹ª©¥D IP ¦ì¸m ¦^¦¹­¶³Ì¤W¤è

OpenSSL°ÝÃD»P³B²z¤è¦¡¾ã²z¦p¤U

  • commonName¤£¥i­«ÂСI
    ¾ÌÃÒ¶¡ªºÃѧO¬O¥HcommonName¨Ó°Ï¤À¡C
    ©Ò¥H¤£½×¬OCA©Î¬O«eºÝ¥Ó½Ðªºserver/client¡A¨äcommonName¬O¤£¥i¥H¬Û¦Pªº¡C
    ¦b³W¹º¬[ºc®É¡A½Ð°È¥²ª`·N¦¹ÂI¡C

  • ¦VCA¥Ó½Ð¾ÌÃҮɡA¥X²{¡§The stateOrProvinceName field needed to be the same in the¡K¡¨¿ù»~¡H
    ©ú©úCA»PServer¦b«Ø¥ß®É¡AstateOrProvinceName ³£¬O¥´¤@¼Ë¤@¼ËªºTaipei¡A¬°¤°»ò¥Ó½Ð¾ÌÃÒÁÙ·|³ø¿ù¡H



    ­YCA»PServerªº¬ÛÃöÀɮצb«Ø¥ß®É¡A³£¬O³z¹L²ÕºA³]©wÀÉcnf¨Ó¶i¦æ¡F
    ©Î¬O³£¤£³z¹L²ÕºA³]©wÀÉ¡A¥þ³¡³£¬O¥Ñ¤@°Ý¤@µªªº³z¹L¤¬°Ê°Ýµª¨Ó«Ø¥ß¾ÌÃÒ¡A
    °ò¥»¤W¬O¤£·|¥X²{¦¹¿ù»~ªº¡C

    ¦ý­Y¨ä¤¤¤@­Ó¬O³z¹L²ÕºAÀɨӫإߡA¦Ó¥t¤@­Ó¬O³z¹L¤¬°Ê°Ýµª¨Ó«Ø¥ß¡A
    ¨º»ò´N¦³¬Û·í°ªªº¾÷²v·|¥X²{¦¹¿ù»~¡C

    ®t§O¦b©ó³z¹L¤¬°Ê¦¡°ÝÃD¨Ó«Ø¥ß¾ÌÃÒ¸ê®Æ®É¡A°Ñ¦Òªº¬O /usr/lib/ssl/openssl.cnf ÀÉ®×ùتº°Ñ¼Æ³]©w¡A
    ¦Ó¦¹³]©wÀɤº®e»PFreeradius´£¨Ñªº¨º¤T­Ó³]©wÀɤº®e¦b°Ñ¼Æ¤W¦³¨Ç®t²§¡A
    ©Ò¥H¾É­P¿ù»~µo¥Í¡C

    ¸Ñ¨M¤è¦¡¦³¤G¡A
    1. ¦b /usr/lib/ssl/openssl.cnf ùØ¡A±N [ req ] °Ï¬qùØ°Ñ¼Æ string_mask ªº¤º®e¥Ñ utf8only §ï¬° pkix¡A
      µM«á­«·s²£¥Í¾ÌÃÒ¡C
    2. ¦b©Ò¦³ªº²ÕºA³]©wÀɤ¤¡A©ó [ req ] °Ï¬qùØ¡A§¡¥[¤W°Ñ¼Æ string_mask¡A­È¬° utf8only ªº¤º®e¡A
      µM«á­«·s²£¥Í¾ÌÃÒ¡C

    ¨âªÌ¥u­n¾Ü¤@¨Ó°µ§Y¥i¡A
    °ò¥»¤W´N¬OÅý°Ñ¼Æ¤º®e¤@­P¤Æ¡A¦b«Ø¥ß¾ÌÃҮɡA´N¤£·|¥X²{¤£¤@­Pªº¿ù»~¤F¡C

  • ¦VCA¥Ó½Ð¾ÌÃҮɡA¥X²{TXT_DBªº¿ù»~¡I


    ·|¥X²{³o­ÓTXT_DBªº¿ù»~¬O¦]¬°OpenSSL¤@¦¸¥u¯à³B²z¤@­Ó¾ÌÃÒªº¥Ó½Ð¡C
    §Ú¤£ª¾¹D³oºâ¤£ºâ¬Obug¡H

    ³B²z¤èªk«Ü²³æ¡A
    ¥u­n§R±¼index.txtÀÉ¡AµM«á¦A²£¥Í¤@­Ó·sªº¡AµL¥ô¦ó¸ê®Æªºindex.txt´N¥i¥H¦A«Ø¥ß¾ÌÃÒ¡C

  • Private keyªºÅçÃÒ±K½X¨ä¹ê¬O¥i¥H¥h°£ªº¡H
    ¤£½×ca.key©Î¬Oserver.key¡Bclient.key¡A
    ¥ô¦ó¤@ºØ¨p¦³ª÷Æ_¥hŪ¨ú®É³£»Ý­n¿é¤Jpass phrase±K½X¨Ó½T»{§A¬O§_¦Xªk«ù¦³¦¹¨p¦³ª÷Æ_¡C

    ­Y­n¥h°£¦¹±K½X¡A¥i¥H³z¹L¥H¤U«ü¥O¨Ó¶i¦æ¡C
    openssl rsa -in XXXXX.key -out XXXXX.key

    ¾Þ§@®É¡AÁÙ¬O­n¥ý¿é¤J¤@¦¸±K½X¡A½T»{§A¬O¦Xªk«ù¦³¡C
    ±K½X½T»{¹L¡A§¹¦¨¾Þ§@«á¡A¨p¦³ª÷Æ_ªº±K½X®ø°£¤F¡C

  • ­Y¨S¦³CA¡A¥i§_«Ø¥ß¦Û§Úñ¸p¾ÌÃÒ¡H
    ­Y¨S¦³CA¡A¤]¤£·Q¦Û«ØCA¡A
    ¦b«Ø¥ßcsr«á¡A¨ä¹ê¥i¥H³z¹L¥H¤U«ü¥O¨Ó«Ø¥ß¦Û§Úñ¸p¾ÌÃÒ¡C
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.pem


  • À˵ø¾ÌÃÒ¤º®e
    ­Y­nÀ˵ø¾ÌÃÒªº¤º®e¡A½TÃÒµo©ñ¸ê°T¡A¥i³z¹L¥H¤U«ü¥O¨Ó¶i¦æ¡C
    openssl x509 -text -in ­nÀ˵øªº¾ÌÃÒÀɦW -noout


  • ¦p¦ó¾ÌÃÒ¦³®Ä¤é´Áªº³]©w¡H
    ÁöµM¦b²ÕºAÀɤ¤¡A©ú©ú¦³¨â­Ó°Ñ¼Æ default_days ¤Î default_crl_days ¬Ý¦ü¬O¹ïÀ³¾ÌÃÒªº¦³®Ä¤é´Á¡A
    ¦ý¶¶¤l¤£ºÞ«ç»ò½Õ¾ã³]©w³£¨S¥Î¡AµLªkµo¥Í®ÄªG¡H
    ¾ÌÃÒªº¦³®Ä¤é´ÁÁÙ¬O¦^Âk©R¥Oªº°Ñ¼Æ³]©w¤ñ¸û²³æ¡C

    ©ó²£¥Í¾ÌÃÒªº«ü¥O¤¤¡A¥[¤W°Ñ¼Æ days¡A¦A±a¤W·Q­nªº¦³®Ä´Á¤é¼Æ§Y¥i¡C
    ¨Ò¦p²£¥Í¤@­Ó¦³®Ä¤é´Á¤Q¦~ªºCA¾ÌÃÒ¡A«ü¥O¦p¤U¡C
    openssl req -new -x509 -days 3650 -keyout ca.key -out ca.pem -config ./ca.cnf

    ¨ä¥¦server¡Aclientªº¾ÌÃÒ¤ñ·Ó¿ì²z¡C

  • ¾ÌÃÒÃþ«¬Âà´«
    1. DER file (.crt .cer .der) to PEM
      openssl x509 -inform der -in XXXXX.der -out XXXXX.pem

    2. PEM file to DER
      openssl x509 -outform der -in XXXXX.pem -out XXXXX.der

    3. PEM file to PKCS#12 (.pfx .p12)
      openssl pkcs12 -export -out XXXXX.pfx -inkey XXXXX.key -in XXXXX.pem

    4. PKCS#12 file (.pfx .p12) to PEM
      openssl pkcs12 -in XXXXX.pfx -out XXXXX.pem

      pfx/p12ÂàPEM®É¡A¦³¦p¤U°Ñ¼Æ¥i¥Î¡C
      ¥[ -nodes Âà¥XPEM¡A¤£¥[±K¡F
      ¥[ -nokeys ¶ÈÂà¥XPEM¡A¤£±aprivate key¡F
      ¥[ -nocert ¶ÈÂà¥Xprivate key¡A¤£±a¾ÌÃÒ¡C·íµMÂà¥Xªº°ÆÀɦW­n§ï¬°key¡C


°Ñ¦Ò¸ê®Æ
The Most Common OpenSSL Commands



♥¶¶¤l¦Ñ±Cªººô©ç¡A½Ð¦hÃö·Ó¡ã

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2015-06-09, 21:35 shunze ªº­Ó¤H¸ê®Æ §â shunze ¥[¤J¦n¤Í¦Cªí µo°eEmailµ¹ shunze ÂsÄý shunze ªººô¯¸ MSN : shunze@gmail.com
shunze
¤u¤Í§B§B


µù¥U¤é´Á: 2002 04
¨Ó¦Û: ¼é¦Á²×¤î¤§¦a
¤å³¹: 2370

shunze Â÷½u
¡m¤À¨É¡nFreeradius¤W¤TºØ¾ÌÃÒ¼Ò¦¡³]©w»P½Õ¾ã¤Þ¥Î¦^ÂÐ ½s¿è/§R°£¤å³¹ ·j´M¥Ñ  µoªíªº¨ä¥L¤å³¹ ¦^³øµ¹ª©¥D IP ¦ì¸m ¦^¦¹­¶³Ì¤W¤è

¦bFreeradius¤W¤ä´©¤FPEAP/TTLS/TLS¤TºØ¸g¥Ñ¾ÌÃÒ¨ÓÅçÃÒªºEAP¼Ò¦¡¡A
¨ä¤¤PEAP¤ÎTTLS¥u»Ý­nserverºÝªº¾ÌÃÒ¡A¤£»Ý­nclientªº¾ÌÃÒ°µÂù¦V»{ÃÒ¡A¦]¦¹clientºÝÁÙ¬O»Ý­n³z¹L±b¸¹/±K½X¨ÓÅçÃҨϥΪ̡F
¦ÓTLS«h¦P®É»Ý­nserver»PclientºÝªº¾ÌÃÒ¡A¤]¦]¬°clientºÝ¤w³z¹L¾ÌÃÒÅçÃÒ¡A©Ò¥H¤£»Ý­n¦A¿é¤J±b¸¹/±K½X¨ÓÅçÃҨϥΪ̡C

¦bFreeradius¤W¡A¾ÌÃÒªº¬ÛÃö³]©w¬O©w¸q¦b /etc/freeradius/eap.conf Àɮתº tls °Ï¬q¤¤¡A
³o¬O¤TºØ¾ÌÃÒEAP¾÷¨î³£·|®M¥Î¨ìªº¦@³q³]©w¡C



¦pªG±z¦³¨Ì¶¶¤lªº¥Ü½d¦Û«Ø¾ÌÃÒ©ó¹ïÀ³¥Ø¿ý¤U¡A°ò¥»¤W tls °Ï¬q¤¤ªº¾ÌÃÒ³]©w¤£¥Î¦A­×§ï¡A
¦ý¦pªG¦³­×§ï¦WºÙ©Î¸ô®|¡A½Ð¨Ì¹ê»ÚÀô¹Ò¶i¦æ½Õ¾ã¡C


¥Ñ©óWin7¤W¶¶¤l§ä¤£¨ì802.1XªºTTLS¬ÛÃö³]©w¡A©Ò¥H¥H¤U´ú¸Õªº«eºÝÀô¹Ò¡A²Î¤@±Ä¥ÎAndorid¤â¾÷¨Ó¶i¦æ¡F
¦ÓNASºÝ«h¨Ï¥ÎEnterasys Thin AP¨Ó¬[³]802.1XªºÅçÃÒÀô¹Ò¡C






±µ¤U§Ú­Ì¨Ó¬Ý¬ÝFreeradius¤W¡A¤TºØEAP¼Ò¦¡ªº­Ó§O³]©w»P´ú¸Õ¡C

  • PEAP
    Freeradius¤WEAPªºÃþ«¬¬O¦beap.conf¤¤ªº°Ñ¼Æ default_eap_type ¨Ó³]©w¡A¹w³]­È¬O md5¡F
    ­n±Ä¥ÎPEAPÅçÃÒ¡A²Ä¤@¨B¦ÛµM¬O§â¦¹ default_eap_type ªº­È­×§ï¬° peap¡C

    ¦Óeap.conf¤¤ªº peap °Ï¬q¡A³]©w¤F°Ñ¼Æ default_eap_type ªº­È¬O¸û¦w¥þªº mschapv2¡A
    ©Ò¥H§Ú­Ì¤]­n¥h /etc/freeradius/module ¥Ø¿ý¤U¡A­×§ïÀÉ®× mschap ªº¤º®e¡A
    ¨ú®ø¤F³¡¥÷µù¸Ñ»P­×§ï°Ñ¼Æ­È¡A±N¤º®e­×§ï¦p¤U¡C
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    µM«á³z¹L¥H¤U«ü¥O¡A­«·s¸ü¤Jlibray¤º®e¡C
    ldconfig

    §¹¦¨«á¡A±Ò°ÊFreeradius -X¡A§Ú­Ì¥i¥H¶}©l´ú¸Õ¤F¡C

    Android¤â¾÷³sµ²¦¹SSID¡A³]©w¶i¶¥¿ï¶µªºEAP¤èªk¬° PEAP¡A
    ¶¥¬q2ÅçÃÒ¬° MSCHAPV2 ¶}©l³s½u¤F¡C



    Freeradius¥X²{¥H¤U°T®§¡APEAPÅçÃÒ¦¨¥\¡A¤â¾÷¦¨¥\®³¨ìDHCP IP¡A¥¿±`¤Wºô¡ã
    rad_recv: Access-Request packet from host 192.168.33.37 port 57067, id=135, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0x0e07734bffc82436bd89f93bcb087c5e
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    TLS Length 198
    [peap] Length Included
    [peap] eaptls_verify returned 11
    [peap] (other): before/accept initialization
    [peap] TLS_accept: before/accept initialization
    [peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello
    [peap] TLS_accept: SSLv3 read client hello A
    [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
    [peap] TLS_accept: SSLv3 write server hello A
    [peap] >>> TLS 1.0 Handshake [length 06fb], Certificate
    [peap] TLS_accept: SSLv3 write certificate A
    [peap] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
    [peap] TLS_accept: SSLv3 write key exchange A
    [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    [peap] TLS_accept: SSLv3 write server done A
    [peap] TLS_accept: SSLv3 flush data
    [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] returns handled

    ...
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv success
    [peap] Received EAP-TLV response.
    [peap] Success
    [eap] Freeing handler
    ++[eap] returns ok


  • TTLS
    ­n§ï¥ÎTTLS¨ÓÅçÃÒ¡A¦P¼Ë¦beap.conf¤¤¡A±N°Ñ¼Æ default_eap_type ªº­È§ï¬° ttls¡C
    ¦Óeap.conf¤¤ªº ttls °Ï¬qªº°Ñ¼Æ default_eap_type ­È¹w³]¬O¸û¤£¦w¥þªº md5¡A§Ú­Ì¤@¼Ë½Õ¾ã¬°mschapv2¡C
    §¹¦¨«á¡A±Ò°ÊFreeradius -X¡A§Ú­Ì¥i¥H¶}©l´ú¸Õ¤F¡C

    Android¤â¾÷³sµ²¦¹SSID¡A³]©w¶i¶¥¿ï¶µªºEAP¤èªk¬° TTLS¡A
    ¶¥¬q2ÅçÃÒºû«ù­è¤~ªº MSCHAPV2 §Y¥i¡A¶}©l³s½u´ú¸Õ¤F¡C



    Freeradius¥X²{¥H¤U°T®§¡ATTLSÅçÃÒ¦¨¥\¡A¤â¾÷¦¨¥\®³¨ìDHCP IP¡A¥¿±`¤Wºô¡ã
    rad_recv: Access-Request packet from host 192.168.33.37 port 52171, id=163, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0212000b017368756e7a65
    Message-Authenticator = 0xe9185514f50cfb7ba8eb818a28348c99
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] eaptls_verify returned 7
    [ttls] Done initial handshake
    [ttls] (other): before/accept initialization
    [ttls] TLS_accept: before/accept initialization
    [ttls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
    [ttls] TLS_accept: SSLv3 read client hello A
    [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
    [ttls] TLS_accept: SSLv3 write server hello A
    [ttls] >>> TLS 1.0 Handshake [length 06fb], Certificate
    [ttls] TLS_accept: SSLv3 write certificate A
    [ttls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
    [ttls] TLS_accept: SSLv3 write key exchange A
    [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    [ttls] TLS_accept: SSLv3 write server done A
    [ttls] TLS_accept: SSLv3 flush data
    [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [ttls] eaptls_process returned 13
    ++[eap] returns handled

    ...
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake is finished
    [ttls] eaptls_verify returned 3
    [ttls] eaptls_process returned 3
    [ttls] Using saved attributes from the original Access-Accept
    [eap] Freeing handler
    ++[eap] returns ok


  • TLS
    ³Ì«á¨Ó´ú¸ÕTTLSÅçÃÒ§a¡I
    ¦P¼Ë¦beap.conf¤¤¡A±N°Ñ¼Æ default_eap_type ªº­È§ï¬° tls¡A
    µM«á§Ú­Ì¥i¥H¶}©l´ú¸Õ¤F¡C

    Android¤â¾÷³sµ²¦¹SSID¡A³]©w¶i¶¥¿ï¶µªºEAP¤èªk¬° TLS¡A
    ¦ýCA¾ÌÃÒ»P¨Ï¥ÎªÌ¾ÌÃÒ§Ú­Ì¥ý¤£¸Ë¡A¬Ý¬Ý¯à§_´ú¸Õ³q¹L¡C



    rad_recv: Access-Request packet from host 192.168.33.37 port 54076, id=30, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0xe78b4aeb0b76411adef3543ecbe073b5
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled

    ...
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> shunze
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated

    ¥Ñ©ó¯Ê¤ÖclientºÝ¾ÌÃÒ¡A©Ò¥HTLSÅçÃÒ¥¢±Ñ¤F...
    §Ú­Ì¦bAndroid¤â¾÷¤W¦w¸Ë¦nCA»PclientºÝ¾ÌÃÒ«á¡A¦A¦¸´ú¸Õ¯à§_¶¶§QÅçÃÒ³q¹L¡C



    rad_recv: Access-Request packet from host 192.168.33.37 port 59770, id=79, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0xf21bc7784597c4b5d357ab4438d95238
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1

    ...
    [eap] Request found, released from the list
    [eap] EAP/tls
    [eap] processing type tls
    [tls] Authenticate
    [tls] processing EAP-TLS
    [tls] Received TLS ACK
    [tls] ACK handshake is finished
    [tls] eaptls_verify returned 3
    [tls] eaptls_process returned 3
    [tls] Adding user data to cached session
    [eap] Freeing handler
    ++[eap] returns ok

    ´ú¸Õµ²ªG¡A
    ªGµMTLS½T¹ê¬O»Ý­nserver»PclientºÝ¡AÂù¦V¾ÌÃÒ¶i¦æ¤¬¬ÛÅçÃÒ¤~·|³q¹L¡I


°Ñ¦Ò¸ê®Æ
Wire-less PEAP
Configuring PEAP authentication with FreeRADIUS
802.1X»{ÃÒ+µL½uAP(Access Point)+FreeRadius Server
¨Ï¥Î freeRadius ³]¸m 802.1X »{ÃÒÀô¹Ò(¤T)EAP-TLS½g
FreeRADIUS Installation on Ubuntu
»´ÃP¬[¦nRADIUS¦øªA¾¹~
USING A RADIUS SERVER ON UBUNTU 14.04 FO... AUTHENTICATION



♥¶¶¤l¦Ñ±Cªººô©ç¡A½Ð¦hÃö·Ó¡ã

If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!




2015-06-10, 14:18 shunze ªº­Ó¤H¸ê®Æ §â shunze ¥[¤J¦n¤Í¦Cªí µo°eEmailµ¹ shunze ÂsÄý shunze ªººô¯¸ MSN : shunze@gmail.com
  « ¤W¤@½g¥DÃD ¤U¤@½g¥DÃD »
µoªí·s¥DÃD µoªí¦^ÂÐ
¸õ¨ì:

Powered by: Burning Board 1.1.1 2001 WoltLab GbR