叫啥好呢呜呜呜
2021-09-18 16:04

关于#bash#的知识点:关于openvpn问题

我需要在openwrt下使用openvpn,但在连接过程中发现如下错误

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

网上查询得知是我当前的openssl版本(版本如下图)已经不支持md5

library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10

于是我想对openssl进行降级,并顺利在openwrt中安装好了低版本的openssl(版本如下图)

Croot@router:/tmp# openssl version
OpenSSL 1.0.2k  26 Jan 2017

但现在问题来了,当我进行连接时,日志显示依旧是1.1.1版本,并且依旧出现 “ OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak ”问题,如下(先忽略其他错误)

Sat Sep 18 15:44:08 2021 daemon.notice openvpn(sample_client)[18286]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Sep 18 15:44:08 2021 daemon.notice openvpn(sample_client)[18286]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Sep 18 15:44:08 2021 daemon.warn openvpn(sample_client)[18286]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Sep 18 15:44:08 2021 daemon.err openvpn(sample_client)[18286]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Sat Sep 18 15:44:08 2021 daemon.err openvpn(sample_client)[18286]: Cannot load certificate file /etc/openvpn/client.crt
Sat Sep 18 15:44:08 2021 daemon.notice openvpn(sample_client)[18286]: Exiting due to fatal error

我猜测应该是需要同时对openvpn进行更新,大致猜测需要修改openvpn的Makefile,但是我不知道怎么修改,希望可以得到指点,感谢,下面附上Makefile的部分内容。

# Declare the three build variants of the openvpn package by instantiating the
# Package/openvpn/Default template (not shown here); the arguments appear to be
# variant id, display name and extra dependencies.
#
# openssl variant: in OpenWrt dependency syntax, "+PACKAGE_openvpn-openssl:libopenssl"
# pulls in libopenssl when this variant is selected, and "+@OPENSSL_WITH_DEPRECATED"
# selects that OpenSSL config symbol.
# NOTE(review): the OpenSSL version OpenVPN uses at run time is presumably that of
# the libopenssl it is built and linked against, not that of a separately
# installed `openssl` command-line binary - confirm on the device.
# NOTE(review): linking against an older OpenSSL only to accept a certificate
# with a weak signature digest keeps that weak signature in the trust chain;
# reissuing the CA and client certificates with a SHA-2 digest removes the
# cause of "ca md too weak" instead.
#
# nossl variant: titled "plaintext (no SSL)" and given no crypto library dependency.
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))

# Config template shared by all variants: expands to a Kconfig "source" line
# that includes Config-<variant>.in from $(SOURCE), where <variant> is the
# first argument passed via $(call ...).
define Package/openvpn/config/Default
        source "$(SOURCE)/Config-$(1).in"
endef

# Give each variant its own config section by instantiating the shared
# template with the variant id (openssl, mbedtls, nossl).
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)

# Translate the active BUILD_VARIANT into exactly one CONFIG_OPENVPN_* flag.
# Build/Configure reads these flags to choose between --disable-crypto and
# --enable-crypto and to pick the value of --with-crypto-library.
ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y
endif
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
ifeq ($(BUILD_VARIANT),nossl)
# Security note: this variant is built with --disable-crypto (see Build/Configure).
CONFIG_OPENVPN_NOSSL:=y
endif

# Append fixed target-side paths for the network tools to CONFIGURE_VARS
# (presumably handed to OpenVPN's configure script so it does not probe the
# build host for them - confirm against the OpenWrt build macros).
CONFIGURE_VARS += \
        IFCONFIG=/sbin/ifconfig \
        ROUTE=/sbin/route \
        IPROUTE=/sbin/ip \
        NETSTAT=/sbin/netstat

# Place every function and data object in its own section, then let the
# linker discard unreferenced sections (--gc-sections) to shrink the binary.
TARGET_CFLAGS += -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections

# Configure step for the openvpn package: calls Build/Configure/Default with
# the flag list below.
#
# - selinux, systemd, plugins, debug and pkcs11 support are always disabled.
# - Each "$(if <symbol>,--enable,--disable)-<feature>" expands to
#   --enable-<feature> when the per-variant symbol
#   CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_<FEATURE> is set, else to
#   --disable-<feature>.
# - Crypto: --disable-crypto is passed when CONFIG_OPENVPN_NOSSL is set,
#   otherwise --enable-crypto; the library is chosen with
#   --with-crypto-library=openssl or =mbedtls.
#
# Security note: the nossl variant is configured with --disable-crypto and is
# labelled "plaintext (no SSL)" in its package title, so its tunnel traffic
# is presumably neither encrypted nor authenticated - confirm before deploying.
# NOTE(review): none of the flags here pins an OpenSSL version; which OpenSSL
# release gets linked is presumably decided by the libopenssl package in the
# build tree, so editing this block alone would not change it - confirm.
define Build/Configure
        $(call Build/Configure/Default, \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SMALL),--enable-small) \
                --disable-selinux \
                --disable-systemd \
                --disable-plugins \
                --disable-debug \
                --disable-pkcs11 \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
                $(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
                $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
                $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
        )
endef

