1
ghy459 2014-10-15 21:04:43 +08:00
2
yylyyl 2014-10-15 21:09:53 +08:00
http://www.infradead.org/ocserv/manual.html
Here is the ocserv documentation, have a look yourself.
3
Jays OP
4
Jays OP
PING bwg.ssnpv.tk (23.252.111.188) 56(84) bytes of data.
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=1 ttl=51 time=83.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=2 ttl=51 time=84.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=3 ttl=51 time=82.4 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=4 ttl=51 time=81.6 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=5 ttl=51 time=82.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=6 ttl=51 time=84.8 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=7 ttl=51 time=81.6 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=8 ttl=51 time=81.7 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=9 ttl=51 time=81.5 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=10 ttl=51 time=80.4 ms
5
zeng0730 2014-10-15 21:23:26 +08:00
Mine looks like this:
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
The certificate, the configuration file and the password file are all under /etc/ocserv/.
7
0x142857 2014-10-15 21:25:02 +08:00 via Android
Is startssl open for registration again?
9
zeng0730 2014-10-15 21:27:42 +08:00
That is just the certificate part.
11
zeng0730 2014-10-15 21:38:53 +08:00
This is my configuration, modified from the default configuration.
Comment out the following lines:
auth = "plain[./sample.passwd]"
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0
Uncomment the following lines:
#auth = "plain[/etc/ocserv/ocpasswd]"
#output-buffer = 10
Modify the following lines.
Original settings:
max-clients = 16
max-same-clients = 2
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.2
After modification:
max-clients = 1024
max-same-clients = 10
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
ipv4-network = 10.0.0.0
ipv4-netmask = 255.255.0.0
dns = 8.8.8.8
dns = 8.8.4.4
Add the following lines:
route = 101.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 109.0.0.0/255.0.0.0
route = 117.0.0.0/255.0.0.0
route = 125.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 168.0.0.0/255.0.0.0
route = 170.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 206.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 220.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 59.0.0.0/255.0.0.0
route = 61.244.0.0/255.255.0.0
route = 63.0.0.0/255.0.0.0
route = 66.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 73.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 78.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 97.0.0.0/255.0.0.0
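A small checker for the key = value format of the configuration posted above, added here as an example and not code from the thread or from the ocserv project. It uses Python's ipaddress module to normalise ocserv's addr/dotted-mask route form and flags what a reviewer would catch before deploying: relative certificate paths (the default ../tests/server-cert.pem), malformed routes, routes listed twice (the post repeats 92.0.0.0 and 93.0.0.0), and routes that overlap the client address pool. The sample config is a constructed abbreviation of the posted one.

```python
import ipaddress
from collections import Counter
# Constructed sample, abbreviated from the configuration posted above.
SAMPLE_CONF = """\
#auth = "plain[./sample.passwd]"
auth = "plain[/etc/ocserv/ocpasswd]"
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
ipv4-network = 10.0.0.0
ipv4-netmask = 255.255.0.0
route = 61.244.0.0/255.255.0.0
route = 92.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
"""

def parse_conf(text):
    """Map key -> list of values for active lines; repeatable keys (route, dns) accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; commented-out keys are ignored
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def route_to_network(route):
    """Convert ocserv's 'addr/dotted-mask' route form to an ip_network (ValueError if invalid)."""
    addr, _, mask = route.partition("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def check_conf(conf):
    """Return reviewer findings: relative cert paths, bad or duplicate routes, pool overlap."""
    findings = []
    for key in ("server-cert", "server-key"):
        path = conf.get(key, [""])[0]
        if not path.startswith("/"):
            findings.append(f"{key} should be an absolute path, got {path!r}")
    networks = []
    for route in conf.get("route", []):
        try:
            networks.append(route_to_network(route))
        except ValueError as exc:
            findings.append(f"bad route {route}: {exc}")
    for net, count in Counter(networks).items():
        if count > 1:
            findings.append(f"duplicate route {net} listed {count} times")
    if "ipv4-network" in conf and "ipv4-netmask" in conf:
        pool = ipaddress.ip_network(f"{conf['ipv4-network'][0]}/{conf['ipv4-netmask'][0]}", strict=False)
        findings += [f"route {n} overlaps client pool {pool}" for n in networks if n.overlaps(pool)]
    return findings
```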
12
xoxo 2014-10-15 21:39:40 +08:00
Another one joining the HTTPS ranks, nice!
15
windhunter 2014-10-16 09:50:56 +08:00
On the certificates, I happen to know a few details.
Step 1: download their CA files and your own certificate from startssl. Two CA files are needed: ca.pem and sub.class1.server.ca.pem.
Step 2: merge the certificate files. This must be done in exactly the following order, otherwise ocserv will not accept it.
cat your.domain.crt > /etc/ocserv/your-server-cert.pem; # here your.domain.crt is the certificate file startssl issued to you
cat sub.class1.server.ca.pem >> /etc/ocserv/your-server-cert.pem
cat ca.pem >> /etc/ocserv/your-server-cert.pem
Step 3: edit ocserv.conf
server-cert = /your/path/to/your-server-cert.pem # the certificate file just merged
server-key = /your/path/to/your-server-key.pem # the key file of your certificate
ca-cert=/your/path/to/your-ca.pem # the CA certificate
Hope this helps.
16
Jays OP @windhunter How do I merge the certificate files?
17
Jays OP @windhunter Which mode did you choose for auth =?
#auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "pam"
18
Jays OP After configuring it and running in auth = "certificate" mode, I get this:
root@SS-BWG:/# ocserv -c /etc/ocserv/ocserv.conf -f -d 1
listening (TCP) on 0.0.0.0:443...
listening (UDP) on 0.0.0.0:443...
ocserv[2509]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[2509]: main: initialized ocserv 0.8.6
ocserv[2510]: GnuTLS error (at sec-mod.c:554): Error in parsing.
ocserv[2509]: error connecting to sec-mod socket '/var/run/ocserv-socket.2509': Connection refused
ocserv[2509]: main: main.c:492: ocserv-secmod died unexpectedly
ocserv[2509]: main: termination request received; waiting for children to die
19
windhunter 2014-10-19 08:45:57 +08:00
@jays I currently use plain-text mode for authentication. I think that if you want to authenticate users with certificate mode, you need to self-sign a root certificate rather than use the startssl certificate.