openvpn
Added support for TPM 1.2 OpenSSL crypto engine (based on patch https://github.com/ThomasHabets/openvpn, but updated for newer OpenVPN 2.4.4 and OpenSSL 1.0.2g)
In order to use TPM 1.2, please follow these steps:
- Install OpenSSL TPM engine (tested with v0.4.2), https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/0.4.2/
- Create an OpenSSL configuration file, as an example:
/etc/ssl/openssl.cnf
#
# OpenSSL example configuration file. This file will load the TPM engine
# for all operations that the TPM engine implements for all apps that
# have OpenSSL config support compiled into them.
#
# Adding OpenSSL config support is as simple as adding the following line to
# the app:
#
# #define OPENSSL_LOAD_CONF 1
#
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
foo = tpm_section
[tpm_section]
dynamic_path = /usr/local/lib/engines/libtpm.so
engine_id = tpm
default_algorithms = ALL
#default_algorithms = RAND,RSA
init = 1
...
<rest of the config file>
- Create a TPM key
$ create_tpm_key client.key.pem
- Create a certificate request with the TPM key (and obtain client certificate and CA certificate)
openssl req -keyform engine -engine tpm <...other params...>
- Specify the TPM key/certificate in the OpenVPN configuration file:
client.conf
...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.cert.pem
cert client.cert.pem
key client.key.pem
key-engine tpm
engine tpm
...
<rest of the config file>
- Start OpenVPN client to connect
$ openvpn client.conf
Signed-off-by: Yuri Poeluev [email protected]
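The procedure above, driven end to end by a shell script, as an added example that is not part of the PR or of OpenVPN itself. It writes the two config files from the description, then checks the artifacts before OpenVPN is started: that the engine library loads, and that the `key` file handed to `key-engine tpm` really is a TPM-wrapped key blob rather than a plaintext RSA key that happens to share the file name. The engine library path, the file names `client.key.pem` / `client.cert.pem` / `ca.cert.pem`, the CN in the CSR and the script name `tpm-client.sh` are assumptions; the "TSS KEY BLOB" PEM header is what `create_tpm_key` from openssl_tpm_engine writes.

```shell
#!/bin/sh
# Added example, not code from the PR or from OpenVPN: drives the steps in the
# description and checks the resulting files before OpenVPN is started.
# Assumptions: the engine library path below, the file names client.key.pem /
# client.cert.pem / ca.cert.pem, and that create_tpm_key writes a PEM with a
# "TSS KEY BLOB" header (what the openssl_tpm_engine tool produces).

ENGINE_SO="${ENGINE_SO:-/usr/local/lib/engines/libtpm.so}"

# Write an openssl.cnf that loads the TPM engine for every OpenSSL-linked app
# that honours OPENSSL_CONF, mirroring the sample in the description.
write_openssl_cnf() {
  cat > "$1" <<EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
tpm = tpm_section
[tpm_section]
dynamic_path = $ENGINE_SO
engine_id = tpm
default_algorithms = ALL
init = 1
EOF
}

# Write the TLS part of client.conf: ca, cert, key, plus the two engine lines.
write_client_conf() {
  conf="$1"; ca="$2"; cert="$3"; key="$4"
  cat > "$conf" <<EOF
ca $ca
cert $cert
key $key
key-engine tpm
engine tpm
EOF
}

# A key made by create_tpm_key is a TSS key blob wrapped by the TPM's storage
# root key; the RSA private exponent never appears in the file. Succeed only
# for such a blob, so a plaintext PEM key is never silently fed to the engine.
is_tpm_key_blob() {
  grep -q '^-----BEGIN TSS KEY BLOB-----' "$1" 2>/dev/null &&
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# Confirm the OpenVPN config names the tpm key engine and that its key file
# really is a TPM blob. Relative key paths are resolved against the config dir.
check_client_conf() {
  conf="$1"
  keyfile=$(awk '$1 == "key" { print $2 }' "$conf")
  engine=$(awk '$1 == "key-engine" { print $2 }' "$conf")
  [ "$engine" = "tpm" ] || { echo "$conf: no 'key-engine tpm' line" >&2; return 1; }
  case "$keyfile" in
    /*) ;;
    *)  keyfile="$(dirname "$conf")/$keyfile" ;;
  esac
  is_tpm_key_blob "$keyfile" || { echo "$keyfile: not a TSS key blob" >&2; return 1; }
}

# The steps that need a TPM, tcsd and the engine installed. Run with
# RUN_TPM_STEPS=1 ./tpm-client.sh /path/to/workdir; the CSR it leaves behind
# still has to be signed by your CA to obtain client.cert.pem.
run_tpm_steps() {
  wd="$1"
  write_openssl_cnf "$wd/openssl.cnf"
  export OPENSSL_CONF="$wd/openssl.cnf"
  openssl engine -t tpm                      # fails if libtpm.so does not load
  create_tpm_key "$wd/client.key.pem"
  is_tpm_key_blob "$wd/client.key.pem"
  openssl req -new -keyform engine -engine tpm -key "$wd/client.key.pem" \
    -subj "/CN=openvpn-client" -out "$wd/client.csr.pem"
  write_client_conf "$wd/client.conf" ca.cert.pem client.cert.pem client.key.pem
  check_client_conf "$wd/client.conf"
}

if [ "${RUN_TPM_STEPS:-0}" = 1 ]; then
  run_tpm_steps "${1:-.}"
fi
```

The TPM-touching steps only run when `RUN_TPM_STEPS=1` is set, so the file-generation and checking functions can be exercised on a machine without a TPM. `check_client_conf` is the part worth keeping in a deployment script: with `key-engine tpm` in place, OpenVPN hands whatever `key` points at to the engine, and a plaintext key in that slot defeats the reason for using the TPM in the first place.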
Thank you for your contribution
You are welcome to open PRs, but they are used for discussion only. All patches must eventually go to the openvpn-devel mailing list for review:
- https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Please send your patch using git-send-email. For example to send your latest commit to the list:
$ git send-email [email protected] HEAD~1
For details, see these Wiki articles:
- https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation
- https://community.openvpn.net/openvpn/wiki/Contributing