《Share》FreeRADIUS and OpenSSL certificates

shunze (Uncle Janitor)
Registered: 2002-04
From: where the tides end
Posts: 2380

Lately I have been testing the various EAP authentication mechanisms on FreeRADIUS.
FreeRADIUS supports several common EAP authentication protocols: EAP-MD5, LEAP, EAP-TLS, EAP-TTLS and EAP-PEAP.
Apart from the default EAP-MD5, which lacks mutual authentication, the other four all support it.
EAP-TLS, EAP-TTLS and EAP-PEAP additionally need certificates to authenticate and encrypt the data exchange.
So how are these certificates generated on the Ubuntu box where FreeRADIUS is installed?

After installing FreeRADIUS on Ubuntu 14.04, simply running freeradius -X makes the system
create the default "snake oil" test certificates under /etc/freeradius/certs, through the script in the bootstrap file there.

If we want to create our own certificates, the figure below shows how the objects in the certificate world relate to each other; the work is done with the built-in OpenSSL.

↑ Have you noticed that the request flows for the client and the server are exactly the same!?

  • Prepare the OpenSSL working environment
    In FreeRADIUS the certificate directory is defined in /etc/freeradius/eap.conf;
    the default is /etc/freeradius/certs.
    (The snake oil test certificates are also kept there.)

    For convenience, all certificate operations below are run from that directory, so the
    certificates are created right where FreeRADIUS expects them and nothing has to be moved afterwards.

    Before starting, empty this certs directory or move its contents to a backup location elsewhere.

  • Build your own CA
    FreeRADIUS ships three sample configuration files, ca.cnf, server.cnf and client.cnf,
    all kept in /usr/share/doc/freeradius/examples/certs.

    When building our own CA, besides entering the CA details one by one in an interactive Q&A,
    we can also configure them through the ca.cnf configuration file.

    To build the CA from ca.cnf,
    I suggest first copying ca.cnf from /usr/share/doc/freeradius/examples/certs into /etc/freeradius/certs,
    then changing to /etc/freeradius/certs and editing the parameters in ca.cnf,
    adding your own organisation's information as the certificate content.

    ↑ The input_password in it is the CA's pass phrase; it is asked for every time ca.key is read.

    Then generate the CA's private key and the CA certificate ca.pem with:
    openssl req -new -x509 -keyout ca.key -out ca.pem -config ./ca.cnf

    If the command above is run without the -config parameter, the settings in ca.cnf are not read for the certificate content:
    all the information the CA certificate needs, organisation details, pass phrase and so on, must be typed in one item at a time through the interactive Q&A.

    Which is better?
    The result is the same either way; neither is better or worse, it is a matter of personal habit.
    With a ca.cnf configuration file, though, the CA's details are easier to see during later maintenance.

    Also, certificates come in several formats (pem, crt, cer, ...).
    Because FreeRADIUS expects pem by default, all the commands in this post produce pem certificates.
    If you need another format, change the extension of the out file in the certificate-creation command yourself.

  • Create the server certificate
    With the CA built, the next step is to request from it the certificate FreeRADIUS needs.

    Before requesting a certificate from the CA, the server's own private key must be created first:
    openssl genrsa -des3 -out server.key 1024

    ↑ The pass phrase here is the password of the server's private key. It is asked for every time server.key is read.

    Note:
    Although in this example the CA and FreeRADIUS are the same host, they are conceptually different things.
    The CA is the certificate authority, while FreeRADIUS is the requesting party (the server) asking the CA for a certificate.
    The CA has its own private key and the server has its own private key,
    and each key has its own pass phrase; don't mix the two up!

    Once FreeRADIUS's server.key exists, use this private key to create a CSR file to request the certificate from the CA.
    Just like the CA certificate, server.csr can be produced either from the server.cnf configuration file or through the interactive Q&A.

    The configuration-file way is as follows.
    First copy the sample server-side configuration server.cnf into the current working directory, then edit the server.cnf there:
    cp /usr/share/doc/freeradius/examples/certs/server.cnf /etc/freeradius/certs/server.cnf

    ↑ For input_password in this file, enter the pass phrase you gave when creating server.key.

    Then run the following command to create the server-side CSR file, server.csr:
    openssl req -new -key server.key -out server.csr -config ./server.cnf

    Without the -config parameter the command switches to the interactive Q&A, and the CSR details are entered one by one at the prompts:
    openssl req -new -key server.key -out server.csr

    ↑ Creating the server-side CSR starts by asking for the private key's pass phrase, which is the password you entered when creating server.key!

    With the server-side CSR created, it can be submitted to the CA to request a certificate.
    But the CA side still has unfinished work; if you create the certificate right away you will get an error!

    What is left to do on the CA side?
    Looking at the ca.cnf configuration, we find that the crl directory and the index.txt and serial files still have to be created.

    They can be created with:
    mkdir crl
    touch index.txt
    echo 01 > serial

    With the CA-side environment completed, requesting the certificate from the CA with server.csr no longer fails:
    openssl ca -in server.csr -out server.pem -cert ca.pem -keyfile ca.key -config ./ca.cnf

    ↑ This command is run in the CA's role, so when the CA's private key is read to issue the server certificate, the pass phrase asked for is the CA's!

    At this point the server-side certificate request is complete.
    For FreeRADIUS, though, the certificate setup also needs two more files, dh and random.

    They can be created with:
    openssl dhparam -check -text -5 512 -out dh
    dd if=/dev/urandom of=random count=2

    Only once these required files are in place will FreeRADIUS run without errors.

    One more thing: now that we have created our own certificates,
    if server.key was not created with the default password whatever,
    private_key_password in the tls section of eap.conf must also be changed to the pass phrase you set when creating server.key!

    Finally, since our own certificates are in place,
    the setting that generates the default snake oil certificates on FreeRADIUS is no longer needed.
    Check whether the line make_cert_command = "${certdir}/bootstrap" in the tls section of eap.conf is commented out.
    If it is not, remember to comment it out!

  • Create the client certificate
    The request flow for the client-side certificate is in fact exactly the same as for the server side.

    It can likewise be created in two ways: from the client.cnf configuration file or through the interactive Q&A.
    The client side has its own private key and its own pass phrase, used to verify that you are its legitimate holder;
    that key is then used to create client.csr, which is submitted to the CA for a certificate.
    I won't repeat the explanation here.

    When your FreeRADIUS uses TTLS or PEAP, this client certificate is not needed.
    If EAP-TLS is used, however, this certificate must be created and passed on to the users to install,
    otherwise the two-way verification of EAP-TLS will not pass.

    If the end users are on Windows or Android phones, which need the certificate in P12 format, it can be exported with:
    openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12

    ↑ The export first asks for client.key's pass phrase for confirmation, then creates the P12 Export Password, which is used when importing the certificate on XP.
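The whole CA -> key -> CSR -> signed certificate sequence above, written as one script so it can be repeated without typing answers at prompts. This is an added example, not the post's own commands: it assumes openssl 1.1.1 or 3.x on PATH, and the directory, the pass phrases and the /C=TW/ST=Taipei/O=Example Lab subject are constructed sample values. It issues both the server and the client certificate through the same function, which is the point the post makes about the two flows being identical; the dh and random files are left to the post's own commands.

```shell
#!/bin/sh
# Added example (not the post's own commands): the CA -> key -> CSR -> signed
# certificate procedure above run non-interactively, with pass phrases and
# subject fields given as arguments instead of typed at prompts. Assumes
# openssl 1.1.1 or 3.x on PATH; directory names, pass phrases and the
# /C=TW/ST=Taipei/O=Example Lab subject are constructed sample values.

# Minimal ca.cnf: gives `openssl ca` the files the post says must exist before
# signing (index.txt, serial, crl/) and one extension set per certificate role.
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = .
new_certs_dir = $dir
database      = $dir/index.txt
serial        = $dir/serial
crl_dir       = $dir/crl
certificate   = $dir/ca.pem
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_match
# C, ST and O of a request must equal the CA's. Building CA and CSRs from this
# one config (same string_mask) avoids the mismatch error the post describes
# when one side was instead answered at the openssl.cnf prompts.
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
string_mask        = utf8only
prompt             = no
# Default subject only; every command below overrides it with -subj.
[ req_dn ]
CN = unused-default
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid
EOF
}

# CA database files plus a self-signed CA certificate; $2 becomes the ca.key
# pass phrase (what the post's ca.cnf calls input_password).
make_ca() {
    mkdir -p "$1/crl" && : > "$1/index.txt" && echo 01 > "$1/serial" \
      && write_ca_config "$1" \
      && ( cd "$1" && openssl req -new -x509 -days 3650 -newkey rsa:2048 \
             -config ./ca.cnf -extensions v3_ca \
             -subj "/C=TW/ST=Taipei/O=Example Lab/CN=Example Lab Root CA" \
             -keyout ca.key -out ca.pem -passout "pass:$2" 2>/dev/null )
}

# issue_cert DIR CA_PASS KEY_PASS NAME CN EXTENSIONS
# The same three steps serve server and client, as the post points out:
# encrypted key (KEY_PASS), CSR from that key, certificate signed by the CA
# (which is where CA_PASS, not KEY_PASS, is needed).
issue_cert() {
    ( cd "$1" \
      && openssl genrsa -aes256 -passout "pass:$3" -out "$4.key" 2048 2>/dev/null \
      && openssl req -new -key "$4.key" -passin "pass:$3" -config ./ca.cnf \
             -subj "/C=TW/ST=Taipei/O=Example Lab/CN=$5" -out "$4.csr" \
      && openssl ca -batch -notext -config ./ca.cnf -extensions "$6" \
             -passin "pass:$2" -in "$4.csr" -out "$4.pem" 2>/dev/null )
}

# Does NAME.pem chain to ca.pem? The same check the TLS stack makes later.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# build_pki DIR CA_PASS SERVER_PASS CLIENT_PASS: everything the eap.conf tls
# section needs except dh/random; private_key_password must match SERVER_PASS.
build_pki() {
    make_ca "$1" "$2" \
      && issue_cert "$1" "$2" "$3" server radius.example.test server_ext \
      && issue_cert "$1" "$2" "$4" client shunze-phone client_ext \
      && verify_chain "$1" server && verify_chain "$1" client
}

if [ $# -eq 4 ]; then
    build_pki "$@" && echo "CA, server and client certificates in $1 verify against ca.pem"
else
    echo "usage: $0 <outdir> <ca-pass> <server-pass> <client-pass>" >&2
fi
```

Run it as `sh make_pki.sh /etc/freeradius/certs <ca-pass> <server-pass> <client-pass>` on an emptied certs directory; the three pass phrases are deliberately separate arguments so that none of them stays at the bootstrap default, and the CA pass phrase is the one `openssl ca` asks for, exactly as the post's ↑ note says.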


shunze, 2015-06-08, 22:00
《Share》OpenSSL problems and how to handle them

OpenSSL problems and their handling, collected below.

  • commonName must not repeat!
    Certificates are told apart by their commonName.
    So whether it is the CA or a server/client requesting from it, the commonName must not be the same.
    Be sure to keep this in mind when planning the architecture.

  • Requesting a certificate from the CA gives "The stateOrProvinceName field needed to be the same in the…"?
    The stateOrProvinceName was typed as exactly the same Taipei when both the CA and the server were created, so why does the certificate request still fail?

    If the CA's and the server's files were both created through the cnf configuration files,
    or both without configuration files, entirely through the interactive Q&A,
    this error basically does not occur.

    But if one was created from a configuration file and the other through the interactive Q&A,
    the error is quite likely to appear.

    The difference is that when certificate data is entered interactively, the parameter settings in /usr/lib/ssl/openssl.cnf are used,
    and that file's parameters differ somewhat from those in the three configuration files FreeRADIUS provides,
    which causes the error.

    There are two solutions:
    1. In /usr/lib/ssl/openssl.cnf, change the string_mask parameter in the [ req ] section from utf8only to pkix,
       then regenerate the certificates.
    2. In every configuration file, add the string_mask parameter with the value utf8only to the [ req ] section,
       then regenerate the certificates.

    Do only one of the two;
    the idea is simply to make the parameters consistent so that no inconsistency error appears when the certificates are created.

  • Requesting a certificate from the CA gives a TXT_DB error!

    This TXT_DB error appears because OpenSSL can only process one certificate request at a time.
    I don't know whether that counts as a bug.

    The fix is simple:
    delete the index.txt file and create a new, empty index.txt, after which certificates can be created again.

  • Can the private key's pass phrase actually be removed?
    Whether ca.key, server.key or client.key,
    reading any private key requires entering its pass phrase to confirm that you are its legitimate holder.

    To remove this password, use:
    openssl rsa -in XXXXX.key -out XXXXX.key

    The password still has to be entered once during the operation to confirm that you are the legitimate holder.
    After it is confirmed and the operation completes, the private key's password is gone.

  • Can a self-signed certificate be created without a CA?
    If there is no CA and you don't want to build one,
    after creating the csr you can create a self-signed certificate with:
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.pem

  • Viewing certificate contents
    To view a certificate's contents and confirm its issuance details, use:
    openssl x509 -text -in <certificate file to view> -noout

  • How is the certificate validity period set?
    Although the configuration file plainly has two parameters, default_days and default_crl_days, that look like the certificate validity period,
    no matter how I adjusted them it made no difference; they had no effect?
    It is simpler to go back to the command-line parameter for the validity period.

    Just add the days parameter with the number of days of validity you want to the certificate-generating command.
    For example, to generate a CA certificate valid for ten years:
    openssl req -new -x509 -days 3650 -keyout ca.key -out ca.pem -config ./ca.cnf

    Do the same for the server and client certificates.

  • Certificate format conversion
    1. DER file (.crt .cer .der) to PEM
       openssl x509 -inform der -in XXXXX.der -out XXXXX.pem

    2. PEM file to DER
       openssl x509 -outform der -in XXXXX.pem -out XXXXX.der

    3. PEM file to PKCS#12 (.pfx .p12)
       openssl pkcs12 -export -out XXXXX.pfx -inkey XXXXX.key -in XXXXX.pem

    4. PKCS#12 file (.pfx .p12) to PEM
       openssl pkcs12 -in XXXXX.pfx -out XXXXX.pem

       When converting pfx/p12 to PEM the following options are available:
       -nodes writes the PEM unencrypted;
       -nokeys writes only the certificate, without the private key;
       -nocert writes only the private key, without the certificate. Naturally the output extension should then be changed to key.
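Two of the items above, the commonName that must not repeat and the validity period that is easy to get wrong, are things worth checking on the certs directory after the fact rather than only at creation time. The script below is an added example, not from the original post: it walks every .pem file in a directory, reports each certificate's CN and whether it is still valid for a chosen number of days (using the `-checkend` option of `openssl x509`), and lists CNs shared by more than one distinct certificate. It assumes openssl on PATH; file names and the 30-day threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks for two pitfalls in the
# list above, duplicate commonName values across the certs directory and
# certificates that expire sooner than the -days you meant to give them.
# Assumes openssl on PATH; file names and thresholds are constructed.

# commonName of a PEM certificate, read from RFC 2253 subject output so the
# result does not depend on which OpenSSL version printed the subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if FILE is still valid DAYS from now, 1 if it expires before then.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Print each commonName used by more than one distinct certificate in DIR.
# Copies of one certificate (openssl ca writes <serial>.pem next to server.pem
# when new_certs_dir is the certs directory) are collapsed by fingerprint first.
find_duplicate_cns() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null | sed 's/.*=//')
        [ -n "$fp" ] || continue          # not a certificate (e.g. a key in .pem)
        printf '%s %s\n' "$fp" "$(cert_cn "$f")"
    done | sort -u | cut -d' ' -f2- | sort | uniq -d
}

# audit_certs DIR DAYS: list every certificate with its CN and expiry status,
# then the duplicate CNs; returns 1 if anything needs attention.
audit_certs() {
    problems=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -noout -in "$f" 2>/dev/null || continue
        if cert_valid_for_days "$f" "$2"; then status=ok
        else status="EXPIRES within $2 days"; problems=1; fi
        printf '%-12s CN=%s  %s\n' "$(basename "$f")" "$(cert_cn "$f")" "$status"
    done
    dups=$(find_duplicate_cns "$1")
    if [ -n "$dups" ]; then
        echo "$dups" | sed 's/^/DUPLICATE CN: /'
        problems=1
    fi
    return $problems
}

if [ $# -ge 1 ]; then
    audit_certs "$1" "${2:-30}"
else
    echo "usage: $0 <certs-dir> [days]" >&2
fi
```

`sh audit_certs.sh /etc/freeradius/certs 30` exits non-zero when a CN is shared or a certificate is within 30 days of its notAfter, which makes it usable from cron as a plain pass/fail check.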


shunze, 2015-06-09, 21:35
《Share》Configuring and tuning the three certificate modes on FreeRADIUS

FreeRADIUS supports three EAP modes that authenticate via certificates: PEAP, TTLS and TLS.
PEAP and TTLS need only the server-side certificate and do not need a client certificate for two-way authentication, so the client still has to authenticate the user with an account/password;
TLS needs both the server and the client certificates, and because the client has already been authenticated by its certificate, no account/password needs to be entered to authenticate the user.

On FreeRADIUS, the certificate settings are defined in the tls section of /etc/freeradius/eap.conf,
a common setting applied by all three certificate-based EAP mechanisms.

If you created your own certificates in the corresponding directory following my walkthrough, the certificate settings in the tls section basically need no further change,
but if you changed names or paths, adjust them to your actual environment.

Because I could not find the 802.1X TTLS settings on Win7, the client side in the tests below is an Android phone throughout;
on the NAS side an Enterasys Thin AP provides the 802.1X authentication environment.

Next let's look at the individual settings and tests of the three EAP modes on FreeRADIUS.

  • PEAP
    The EAP type on FreeRADIUS is set by the default_eap_type parameter in eap.conf; the default value is md5.
    To use PEAP authentication, the first step is naturally to change this default_eap_type to peap.

    The peap section of eap.conf sets its own default_eap_type parameter to the more secure mschapv2,
    so we also have to go to the /etc/freeradius/modules directory and edit the mschap file,
    uncommenting some lines and changing parameter values so that its content reads:
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    Then reload the library content with:
    ldconfig

    When done, start freeradius -X and we can begin testing.

    Connect the Android phone to this SSID, set the EAP method in the advanced options to PEAP
    and the phase 2 authentication to MSCHAPV2, and start connecting.

    FreeRADIUS shows the following messages: PEAP authentication succeeds, the phone gets a DHCP IP and is online normally.
    rad_recv: Access-Request packet from host 192.168.33.37 port 57067, id=135, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0x0e07734bffc82436bd89f93bcb087c5e
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    TLS Length 198
    [peap] Length Included
    [peap] eaptls_verify returned 11
    [peap] (other): before/accept initialization
    [peap] TLS_accept: before/accept initialization
    [peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello
    [peap] TLS_accept: SSLv3 read client hello A
    [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
    [peap] TLS_accept: SSLv3 write server hello A
    [peap] >>> TLS 1.0 Handshake [length 06fb], Certificate
    [peap] TLS_accept: SSLv3 write certificate A
    [peap] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
    [peap] TLS_accept: SSLv3 write key exchange A
    [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    [peap] TLS_accept: SSLv3 write server done A
    [peap] TLS_accept: SSLv3 flush data
    [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [peap] eaptls_process returned 13
    [peap] EAPTLS_HANDLED
    ++[eap] returns handled

    ...
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv success
    [peap] Received EAP-TLV response.
    [peap] Success
    [eap] Freeing handler
    ++[eap] returns ok


  • TTLS
    To switch to TTLS authentication, again in eap.conf change the default_eap_type parameter to ttls.
    The default_eap_type in the ttls section of eap.conf defaults to the less secure md5; we likewise change it to mschapv2.
    When done, start freeradius -X and we can begin testing.

    Connect the Android phone to this SSID, set the EAP method in the advanced options to TTLS,
    keep the phase 2 authentication at MSCHAPV2 as before, and start the connection test.

    FreeRADIUS shows the following messages: TTLS authentication succeeds, the phone gets a DHCP IP and is online normally.
    rad_recv: Access-Request packet from host 192.168.33.37 port 52171, id=163, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0212000b017368756e7a65
    Message-Authenticator = 0xe9185514f50cfb7ba8eb818a28348c99
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] eaptls_verify returned 7
    [ttls] Done initial handshake
    [ttls] (other): before/accept initialization
    [ttls] TLS_accept: before/accept initialization
    [ttls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
    [ttls] TLS_accept: SSLv3 read client hello A
    [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
    [ttls] TLS_accept: SSLv3 write server hello A
    [ttls] >>> TLS 1.0 Handshake [length 06fb], Certificate
    [ttls] TLS_accept: SSLv3 write certificate A
    [ttls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
    [ttls] TLS_accept: SSLv3 write key exchange A
    [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    [ttls] TLS_accept: SSLv3 write server done A
    [ttls] TLS_accept: SSLv3 flush data
    [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [ttls] eaptls_process returned 13
    ++[eap] returns handled

    ...
    [eap] Request found, released from the list
    [eap] EAP/ttls
    [eap] processing type ttls
    [ttls] Authenticate
    [ttls] processing EAP-TLS
    [ttls] Received TLS ACK
    [ttls] ACK handshake is finished
    [ttls] eaptls_verify returned 3
    [ttls] eaptls_process returned 3
    [ttls] Using saved attributes from the original Access-Accept
    [eap] Freeing handler
    ++[eap] returns ok


  • TLS
    Finally, let's test TLS authentication!
    Again in eap.conf, change the default_eap_type parameter to tls,
    and then we can start testing.

    Connect the Android phone to this SSID and set the EAP method in the advanced options to TLS,
    but leave the CA certificate and user certificate uninstalled for now, to see whether the test passes.



    rad_recv: Access-Request packet from host 192.168.33.37 port 54076, id=30, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0xe78b4aeb0b76411adef3543ecbe073b5
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled

    ...
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> shunze
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated

    Because the client-side certificate is missing, TLS authentication fails...
    After installing the CA and client certificates on the Android phone, we test again to see whether authentication passes.



    rad_recv: Access-Request packet from host 192.168.33.37 port 59770, id=79, length=134
    User-Name = "shunze"
    NAS-IP-Address = 172.18.18.253
    NAS-Port = 106
    Framed-MTU = 1400
    Called-Station-Id = "20:b3:99:6b:4f:f9"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "Radius_Auth"
    EAP-Message = 0x0200000b017368756e7a65
    Message-Authenticator = 0xf21bc7784597c4b5d357ab4438d95238
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    ...
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1

    ...
    [eap] Request found, released from the list
    [eap] EAP/tls
    [eap] processing type tls
    [tls] Authenticate
    [tls] processing EAP-TLS
    [tls] Received TLS ACK
    [tls] ACK handshake is finished
    [tls] eaptls_verify returned 3
    [tls] eaptls_process returned 3
    [tls] Adding user data to cached session
    [eap] Freeing handler
    ++[eap] returns ok

    Test result:
    TLS indeed needs certificates on both the server and client sides, verifying each other, before it will pass!
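The four debug transcripts above all end in one of two lines, `++[eap] returns ok` or `Using Post-Auth-Type Reject`, and the EAP method is named in `[eap] processing type ...`. The following is an added example, not part of the original post: a small awk-based summariser that turns freeradius -X output into one line per Access-Request with the user, the supplicant's MAC (Calling-Station-Id), the EAP type and the outcome, which is what you would want to watch when a phone is rejected for a missing client certificate. It assumes awk on PATH; the sample log is constructed from abbreviated lines of the PEAP and first EAP-TLS transcripts above.

```shell
#!/bin/sh
# Added example, not part of the original post: one-line-per-request summary
# of FreeRADIUS -X debug output like the transcripts above, so a PEAP/TTLS
# success and an EAP-TLS reject can be told apart at a glance.
# Assumes awk on PATH; the sample log is constructed from the posted lines.

# summarise_eap_log [FILE...]: for each Access-Request print
#   <User-Name> <Calling-Station-Id> <eap type> <ok|reject|incomplete>
summarise_eap_log() {
    awk '
        function flush() { if (seen) print user, mac, method, result }
        /^rad_recv: Access-Request/ {
            flush(); seen = 1; user = "-"; mac = "-"; method = "-"; result = "incomplete"
        }
        /User-Name = /              { gsub(/"/, "", $3); user = $3 }
        /Calling-Station-Id = /     { gsub(/"/, "", $3); mac = $3 }
        /\[eap\] processing type/   { method = $NF }
        /[+][+]\[eap\] returns ok/  { result = "ok" }
        /Using Post-Auth-Type Reject/ { result = "reject" }
        END { flush() }
    ' "$@"
}

# Constructed sample: opening lines of the PEAP transcript and of the first
# (no client certificate) EAP-TLS transcript above, abbreviated.
sample_log() {
    cat <<'EOF'
rad_recv: Access-Request packet from host 192.168.33.37 port 57067, id=135, length=134
    User-Name = "shunze"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
    NAS-Port-Type = Wireless-802.11
[eap] processing type peap
[peap] Session established. Decoding tunneled attributes.
++[eap] returns ok
rad_recv: Access-Request packet from host 192.168.33.37 port 54076, id=30, length=134
    User-Name = "shunze"
    Calling-Station-Id = "a8:a6:68:7a:da:43"
[eap] processing type tls
[tls] Requiring client certificate
Failed to authenticate the user.
Using Post-Auth-Type Reject
EOF
}

# count_rejects [FILE...]: number of requests that ended in a reject, the
# figure a monitoring check would alert on.
count_rejects() {
    summarise_eap_log "$@" | awk '$4 == "reject" { n++ } END { print n + 0 }'
}

if [ $# -ge 1 ]; then summarise_eap_log "$@"; else sample_log | summarise_eap_log; fi
```

Run as `freeradius -X 2>&1 | tee radius.log` and then `sh eap_summary.sh radius.log`; with no argument the script summarises its own built-in sample, printing `shunze a8:a6:68:7a:da:43 peap ok` followed by `shunze a8:a6:68:7a:da:43 tls reject`.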


shunze, 2015-06-10, 14:18