Open imlibra opened 3 years ago
It works with nginx, but it seems like there are some problem with ocserv and GnuTLS.
Error log:
ocserv -f -c /etc/ocserv/ocserv.conf -d 9999
note: vhost:default: setting 'certificate' as primary authentication method note: vhost:default: enabling 'plain' as authentication method note: setting 'file' as supplemental config option listening (TCP) on 10.141.0.5:443... listening (UDP) on 10.141.0.5:443... ocserv[22739]: main: Starting 1 instances of ocserv-sm ocserv[22739]: main: created sec-mod socket file (ocserv.sock.c2bceee9.0) ocserv[22739]: main: initializing control unix socket: /var/run/occtl.socket ocserv[22739]: main: initialized ocserv 1.1.3 ocserv[22740]: sec-mod: reading supplemental config from files ocserv[22740]: TLS[<2>]: Initializing all PKCS #11 modules ocserv[22740]: TLS[<2>]: p11: Initializing module: p11-kit-trust ocserv[22740]: TLS[<2>]: p11: Initializing module: opensc ocserv[22740]: TLS[<2>]: p11: Initializing module: tpm2_pkcs11 ocserv[22740]: TLS[<3>]: ASSERT: pkcs11.c[compat_load]:894 ocserv[22740]: TLS[<2>]: p11: Using pin-value to retrieve PIN ocserv[22740]: TLS[<2>]: p11: Login result = ok (0) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001e6) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) ocserv[22740]: sec-mod: loaded 1 keys ocserv[22740]: sec-mod: sec-mod initialized (socket: /var/lib/ocserv/ocserv.sock.c2bceee9.0) ocserv[22739]: main: added 1 points (total 1) for IP '114.254.0.114' to ban list ocserv[22739]: main: queue_length retval:0 rqueue:0 wqueue:0 note: vhost:default: setting 'certificate' as primary authentication method note: vhost:default: enabling 'plain' as authentication method
…
ocserv[22742]: TLS[<4>]: HSK[0x5636ef7910a0]: signing TLS 1.2 handshake data: using RSA-PSS-RSAE-SHA256 ocserv[22740]: sec-mod: received request from pid 22742 and uid 992 ocserv[22740]: sec-mod: cmd [size=38] sm: sign hash ocserv[22740]: TLS[<2>]: p11: The crypto mechanism has an invalid argument ocserv[22740]: TLS[<3>]: ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:377 ocserv[22740]: TLS[<3>]: ASSERT: privkey.c[privkey_sign_prehashed]:1431 ocserv[22740]: sec-mod: error in crypto operation: The request is invalid. ocserv[22740]: sec-mod: error processing 'sm: sign hash' command (-1) ocserv[22742]: error receiving sec-mod reply: Invalid argument ocserv[22742]: TLS[<3>]: ASSERT: privkey.c[privkey_sign_and_hash_data]:1300 ocserv[22742]: TLS[<3>]: ASSERT: tls-sig.c[_gnutls_handshake_sign_data12]:104 ocserv[22742]: TLS[<3>]: ASSERT: cert.c[_gnutls_gen_dhe_signature]:1781 ocserv[22742]: TLS[<3>]: ASSERT: kx.c[_gnutls_send_server_kx_message]:299 ocserv[22742]: TLS[<3>]: ASSERT: handshake.c[handshake_server]:3463 ocserv[22742]: GnuTLS error (at worker-vpn.c:861): GnuTLS internal error. ocserv[22739]: main:114.254.0.114:48988 worker terminated ocserv[22739]: main:114.254.0.114:48988 user disconnected (reason: unspecified, rx: 0, tx: 0)
My ocserv config file
Did PR #558 for issue #553 fix your issue?
It works with nginx, but it seems like there are some problem with ocserv and GnuTLS.
Error log:
ocserv -f -c /etc/ocserv/ocserv.conf -d 9999
note: vhost:default: setting 'certificate' as primary authentication method note: vhost:default: enabling 'plain' as authentication method note: setting 'file' as supplemental config option listening (TCP) on 10.141.0.5:443... listening (UDP) on 10.141.0.5:443... ocserv[22739]: main: Starting 1 instances of ocserv-sm ocserv[22739]: main: created sec-mod socket file (ocserv.sock.c2bceee9.0) ocserv[22739]: main: initializing control unix socket: /var/run/occtl.socket ocserv[22739]: main: initialized ocserv 1.1.3 ocserv[22740]: sec-mod: reading supplemental config from files ocserv[22740]: TLS[<2>]: Initializing all PKCS #11 modules ocserv[22740]: TLS[<2>]: p11: Initializing module: p11-kit-trust ocserv[22740]: TLS[<2>]: p11: Initializing module: opensc ocserv[22740]: TLS[<2>]: p11: Initializing module: tpm2_pkcs11 ocserv[22740]: TLS[<3>]: ASSERT: pkcs11.c[compat_load]:894 ocserv[22740]: TLS[<2>]: p11: Using pin-value to retrieve PIN ocserv[22740]: TLS[<2>]: p11: Login result = ok (0) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001e6) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) WARNING:esys:src/tss2-esys/api/Esys_TestParms.c:269:Esys_TestParms_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_TestParms.c:95:Esys_TestParms() Esys Finish ErrorCode (0x000001c4) ocserv[22740]: sec-mod: loaded 1 keys ocserv[22740]: sec-mod: sec-mod initialized (socket: /var/lib/ocserv/ocserv.sock.c2bceee9.0) ocserv[22739]: main: added 1 points (total 1) for IP '114.254.0.114' to ban list ocserv[22739]: main: queue_length retval:0 rqueue:0 wqueue:0 note: vhost:default: setting 'certificate' as primary authentication method note: vhost:default: enabling 'plain' as authentication method
…
ocserv[22742]: TLS[<4>]: HSK[0x5636ef7910a0]: signing TLS 1.2 handshake data: using RSA-PSS-RSAE-SHA256 ocserv[22740]: sec-mod: received request from pid 22742 and uid 992 ocserv[22740]: sec-mod: cmd [size=38] sm: sign hash ocserv[22740]: TLS[<2>]: p11: The crypto mechanism has an invalid argument ocserv[22740]: TLS[<3>]: ASSERT: pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:377 ocserv[22740]: TLS[<3>]: ASSERT: privkey.c[privkey_sign_prehashed]:1431 ocserv[22740]: sec-mod: error in crypto operation: The request is invalid. ocserv[22740]: sec-mod: error processing 'sm: sign hash' command (-1) ocserv[22742]: error receiving sec-mod reply: Invalid argument ocserv[22742]: TLS[<3>]: ASSERT: privkey.c[privkey_sign_and_hash_data]:1300 ocserv[22742]: TLS[<3>]: ASSERT: tls-sig.c[_gnutls_handshake_sign_data12]:104 ocserv[22742]: TLS[<3>]: ASSERT: cert.c[_gnutls_gen_dhe_signature]:1781 ocserv[22742]: TLS[<3>]: ASSERT: kx.c[_gnutls_send_server_kx_message]:299 ocserv[22742]: TLS[<3>]: ASSERT: handshake.c[handshake_server]:3463 ocserv[22742]: GnuTLS error (at worker-vpn.c:861): GnuTLS internal error. ocserv[22739]: main:114.254.0.114:48988 worker terminated ocserv[22739]: main:114.254.0.114:48988 user disconnected (reason: unspecified, rx: 0, tx: 0)
My ocserv config file