Linux newbie asking for help! I've already obtained a StartSSL key and crt; how do I apply them to ocserv?

2014-10-15 20:48:56 +08:00
 Jays
Please share how to use them
6341 views
Node: Q&A
19 replies
ghy459
2014-10-15 21:04:43 +08:00
yylyyl
2014-10-15 21:09:53 +08:00
http://www.infradead.org/ocserv/manual.html
Here's the ocserv documentation; have a look yourself.
Jays
2014-10-15 21:20:58 +08:00
Damn, my BandwagonHost IP got blocked after just one day~~! What a tragedy.

bwg.ssnpv.tk 23.252.111.188
Jays
2014-10-15 21:23:10 +08:00
PING bwg.ssnpv.tk (23.252.111.188) 56(84) bytes of data.
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=1 ttl=51 time=83.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=2 ttl=51 time=84.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=3 ttl=51 time=82.4 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=4 ttl=51 time=81.6 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=5 ttl=51 time=82.3 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=6 ttl=51 time=84.8 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=7 ttl=51 time=81.6 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=8 ttl=51 time=81.7 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=9 ttl=51 time=81.5 ms
64 bytes from 23.252.111.188.16clouds.com (23.252.111.188): icmp_seq=10 ttl=51 time=80.4 ms
zeng0730
2014-10-15 21:23:26 +08:00
Mine looks like this

server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key

The certificate, config file, and password file are all under /etc/ocserv/
Jays
2014-10-15 21:24:53 +08:00
@zeng0730 Nothing else needs to be set?
0x142857
2014-10-15 21:25:02 +08:00
StartSSL is accepting registrations again?
Jays
2014-10-15 21:25:31 +08:00
@0x142857 Isn't it?
zeng0730
2014-10-15 21:27:42 +08:00
That's just the certificate part
Jays
2014-10-15 21:30:12 +08:00
@zeng0730 Could you explain what else needs to be done?
zeng0730
2014-10-15 21:38:53 +08:00
This is my configuration, modified from the default config.

Comment out the following lines

auth = "plain[./sample.passwd]"
route = 192.168.1.0/255.255.255.0
route = 192.168.5.0/255.255.255.0


Uncomment the following lines

#auth = "plain[/etc/ocserv/ocpasswd]"
#output-buffer = 10

Change the following lines

Original settings
max-clients = 16
max-same-clients = 2
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.2

After modification
max-clients = 1024
max-same-clients = 10
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
ipv4-network = 10.0.0.0
ipv4-netmask = 255.255.0.0
dns = 8.8.8.8
dns = 8.8.4.4

Add the following lines

route = 101.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 109.0.0.0/255.0.0.0
route = 117.0.0.0/255.0.0.0
route = 125.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 168.0.0.0/255.0.0.0
route = 170.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 206.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 220.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 59.0.0.0/255.0.0.0
route = 61.244.0.0/255.255.0.0
route = 63.0.0.0/255.0.0.0
route = 66.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 73.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 78.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 97.0.0.0/255.0.0.0
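The edits above touch four things that are easy to get wrong when hand-editing ocserv.conf: leaving two `auth` lines active, leaving `server-cert`/`server-key` on the `../tests/` samples, and pasting route lists with duplicates or malformed masks. The following script is an added example, not ocserv's own tooling and not code from anyone in this thread: it parses key = value lines the way ocserv.conf is laid out (repeated keys such as `route` and `dns` are allowed), ignores comments, and reports those problems. The two embedded configs are constructed samples that mirror the before/after edits in the post.

```python
"""Audit an ocserv.conf for the settings discussed in the thread.

Added example (not ocserv's own tooling). It parses the active
key = value lines, then flags: more than one active `auth` line,
cert paths still pointing at the ../tests/ samples, and duplicated
or malformed `route` entries.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$')


def parse_config(text):
    """Return {key: [values...]} for active (non-comment) lines.

    ocserv allows repeated keys (route, dns), so every key maps to a list.
    """
    settings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)].append(m.group(2))
    return settings


def audit(settings):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    auth = settings.get('auth', [])
    if len(auth) != 1:
        findings.append(f'expected exactly one active auth line, found {len(auth)}')
    for key in ('server-cert', 'server-key'):
        vals = settings.get(key, [])
        if not vals:
            findings.append(f'{key} is not set')
        elif any(v.startswith('../tests/') for v in vals):
            findings.append(f'{key} still points at the sample ../tests/ file')
    seen = set()
    for r in settings.get('route', []):
        if r in seen:
            findings.append(f'duplicate route: {r}')
        seen.add(r)
        net, _, mask = r.partition('/')
        try:
            # ipaddress accepts the dotted-netmask form ocserv uses
            ipaddress.IPv4Network(f'{net}/{mask}', strict=True)
        except ValueError:
            findings.append(f'malformed route: {r}')
    return findings


# Constructed sample mirroring the edited config in the thread
# (a duplicate route is included on purpose).
EDITED_CONF = """\
auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "certificate"
max-clients = 1024
max-same-clients = 10
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
ipv4-network = 10.0.0.0
ipv4-netmask = 255.255.0.0
dns = 8.8.8.8
dns = 8.8.4.4
route = 8.0.0.0/255.0.0.0
route = 61.244.0.0/255.255.0.0
route = 92.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
"""

# Constructed sample of the unedited defaults with the second auth
# line uncommented but the first one forgotten.
DEFAULT_CONF = """\
auth = "plain[./sample.passwd]"
auth = "plain[/etc/ocserv/ocpasswd]"
server-cert = ../tests/server-cert.pem
server-key = ../tests/server-key.pem
route = 192.168.1.0/255.255.255.0
"""

if __name__ == '__main__':
    for name, conf in (('edited', EDITED_CONF), ('default', DEFAULT_CONF)):
        print(name, audit(parse_config(conf)) or ['clean'])
```

Running it on a real file is `audit(parse_config(open('/etc/ocserv/ocserv.conf').read()))`; the edited sample reports only the duplicate route, while the default sample reports the two active auth lines and both sample cert paths.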
xoxo
2014-10-15 21:39:40 +08:00
Another one joining the HTTPS army~ nice!
Jays
2014-10-15 22:36:15 +08:00
@zeng0730 Thanks, it worked
Jays
2014-10-16 09:01:55 +08:00
@zeng0730 With your settings, is it still impossible to get certificate verification and auto-reconnect? It just no longer shows the untrusted-server warning?
windhunter
2014-10-16 09:50:56 +08:00
About the certificate, I happen to know a few details.
Step 1: download StartSSL's CA files and your own certificate. Two CA files are needed: ca.pem and sub.class1.server.ca.pem.

Step 2: merge the certificate files. You must run these steps in exactly this order, otherwise ocserv won't accept the result.
cat your.domain.crt > /etc/ocserv/your-server-cert.pem; # here your.domain.crt is the certificate file StartSSL issued to you.
cat sub.class1.server.ca.pem >> /etc/ocserv/your-server-cert.pem
cat ca.pem >> /etc/ocserv/your-server-cert.pem

Step 3: edit ocserv.conf
server-cert = /your/path/to/your-server-cert.pem # the certificate file you just merged
server-key = /your/path/to/your-server-key.pem # the key file for your certificate.
ca-cert = /your/path/to/your-ca.pem # CA certificate

Hope this helps.
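The three `cat` commands above build one PEM bundle in the order leaf, intermediate, root. The script below is an added example, not part of the thread and not ocserv's or GnuTLS's code: it does the same concatenation in Python while guaranteeing a newline between the pieces (a `cat` of a file that lacks a trailing newline runs the `-----END CERTIFICATE-----` of one certificate straight into the `-----BEGIN CERTIFICATE-----` of the next; treating that as a likely cause of TLS-library parse errors is an assumption here, not something the thread diagnoses), and then checks that the result is a well-formed sequence of PEM blocks before it is handed to ocserv. The PEM bodies are constructed placeholders, not real certificates, so only the bundle's structure is checked; ordering and signatures still need `openssl verify` against the real files.

```python
"""Build and sanity-check the concatenated server-cert bundle for ocserv.

Added example, not part of the thread or of ocserv. Checks structure only:
balanced markers, no fused END/BEGIN, and valid base64 in every block.
"""
import base64
import binascii
import re

BEGIN = '-----BEGIN CERTIFICATE-----'
END = '-----END CERTIFICATE-----'
BLOCK_RE = re.compile(re.escape(BEGIN) + r'\n(.*?)\n' + re.escape(END), re.S)


def pem_block(der_bytes):
    """Wrap raw bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '\n'.join([BEGIN, *lines, END]) + '\n'


def build_chain(*pem_texts):
    """Concatenate PEM texts in the order given: leaf, intermediate(s), root.

    Unlike `cat a >> out`, every piece is terminated with a newline so the
    markers of adjacent certificates never run together.
    """
    return ''.join(p if p.endswith('\n') else p + '\n' for p in pem_texts)


def check_bundle(text):
    """Return the number of certificates; raise ValueError on a broken bundle."""
    if END + BEGIN in text:  # the classic missing-trailing-newline fusion
        raise ValueError('END/BEGIN markers fused: a file lacked its trailing newline')
    if text.count(BEGIN) != text.count(END):
        raise ValueError('unbalanced BEGIN/END markers')
    blocks = BLOCK_RE.findall(text)
    if not blocks:
        raise ValueError('no certificates found')
    if len(blocks) != text.count(BEGIN):
        raise ValueError('a certificate block could not be delimited')
    for i, body in enumerate(blocks, start=1):
        try:
            base64.b64decode(body.replace('\n', ''), validate=True)
        except binascii.Error as e:
            raise ValueError(f'certificate #{i} is not valid base64') from e
    return len(blocks)


def is_well_formed(text):
    """Boolean wrapper around check_bundle for quick checks."""
    try:
        check_bundle(text)
        return True
    except ValueError:
        return False


# Constructed stand-ins for the three files named in the thread; the bytes
# are placeholders, not DER-encoded certificates.
LEAF = pem_block(b'constructed leaf certificate for your.domain')
INTERMEDIATE = pem_block(b'constructed sub.class1.server.ca.pem')
ROOT = pem_block(b'constructed ca.pem')

if __name__ == '__main__':
    bundle = build_chain(LEAF, INTERMEDIATE, ROOT)
    print('certificates in bundle:', check_bundle(bundle))
    # What `cat` produces when the leaf file has no trailing newline:
    print('fused bundle accepted:', is_well_formed(LEAF.rstrip('\n') + INTERMEDIATE))
```

With real files, replace the three constructed blocks by `open(path).read()` of `your.domain.crt`, `sub.class1.server.ca.pem` and `ca.pem` in that order, write `build_chain(...)` to the `server-cert` path, and run `check_bundle` on what was written before starting ocserv.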
Jays
2014-10-16 21:14:50 +08:00
@windhunter How do I merge the certificate files?
Jays
2014-10-16 21:40:05 +08:00
@windhunter For auth = , which mode did you choose?

#auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "pam"
Jays
2014-10-16 23:33:03 +08:00
After configuring and running in auth = "certificate" mode, I get this:

root@SS-BWG:/# ocserv -c /etc/ocserv/ocserv.conf -f -d 1
listening (TCP) on 0.0.0.0:443...
listening (UDP) on 0.0.0.0:443...
ocserv[2509]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[2509]: main: initialized ocserv 0.8.6
ocserv[2510]: GnuTLS error (at sec-mod.c:554): Error in parsing.
ocserv[2509]: error connecting to sec-mod socket '/var/run/ocserv-socket.2509': Connection refused
ocserv[2509]: main: main.c:492: ocserv-secmod died unexpectedly
ocserv[2509]: main: termination request received; waiting for children to die
windhunter
2014-10-19 08:45:57 +08:00
@jays I'm currently using plain text mode for authentication. I think if you want to use certificate mode to authenticate users, you need to self-sign a root certificate rather than use the StartSSL certificate.

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/139149

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX