Help us understand the problem. What is going on with this article?

curl-7.51.0 & openssl-1.0.2j / CentOS5でのインストール

More than 3 years have passed since last update.

動機

暗号化方式:ECDHE-RSA-AES256-SHA384 などに対応したHTTPSサーバに対してcipherを指定してcurlを叩いたらOSが古かった(CentOS release 5.11 (Final))ので動きませんでした。

$ curl -V
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Protocols: tftp ftp telnet dict ldap http file https ftps 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 
$ curl -v -L --ciphers ECDHE-RSA-AES256-SHA384 <URL>
* About to connect() to <domain>(<ipaddr>) port 443
*   Trying <ipaddr>... connected
* Connected to <domain> port 443
* failed setting cipher list
* Closing connection #0
curl: (59) failed setting cipher list

というかOpenSSLの利用可能なciphersにそもそもECDHE系がありません…

$ /usr/bin/openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ /usr/bin/openssl  ciphers -v | grep ECDHE | wc -l
0

諸般の事情によりOSのバージョンアップのための再インストールは不可。このためtarballからコンパイルしてやることにしました。

コンパイル手順

OpenSSLをmakeしてinstall ⇒ curlをmakeしてinstallします。

注意する点として最近のOpenSSLではデフォルトでセキュリティの観点からSSL2に対応していない一方、これを有効化してやらないとcurlがコンパイルできません。
参照:https://www.openssl.org/news/openssl-1.0.2-notes.html

Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

Disable SSLv2 default build, default negotiation and weak ciphers (CVE-2016-0800)

何もオプションを指定しないでコンパイル、インストールしたOpenSSLを利用するとcurlのmake時に以下のようなエラーを吐きます。

../lib/.libs/libcurl.so: undefined reference to `SSLv2_client_method’ 

OpenSSL-1.0.2jのインストール

ということでOpenSSLをtarballからインストールします。

$ tar xzvf openssl-1.0.2j.tar.gz 
$ cd openssl-1.0.2j/
$ ./config shared enable-ssl2 enable-ssl3 --prefix=<prefixdir> --openssldir=<prefixdir>
$ make depend
$ make
$ make install

curl-7.51.0のインストール

つづいてcurlをインストールします。--with-sslで先にインストールしたopensslのlibを指定します。

$ tar xzvf curl-7.51.0.tar.bz2 
$ cd curl-7.51.0/
$ ./configure  --enable-libcurl-option --with-ssl=<opensslのdir> --prefix=<curlのprefixdir>
$ make
$ make install

できました

無事OpenSSLが1.0.2jとなりました。

$ LD_LIBRARY_PATH=<openssl_libdir> <compiled_curl_dir>/curl -V
curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.51.0 OpenSSL/1.0.2j zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 

OpenSSL自体もECDHE系が利用可能になりました。

# <compiled_openssl_dir>/bin/openssl  ciphers -v | grep ECDHE
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1

そして無事接続できました。

$ LD_LIBRARY_PATH=<openssl_libdir> <compiled_curl_dir>/curl -v -L --ciphers ECDHE-RSA-AES256-SHA384 https://<domain>/
*   Trying <ipaddr>...
* TCP_NODELAY set
* Connected to <domain> (<ipaddr>) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
...
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: <domain>
> User-Agent: curl/7.51.0
> Accept: */*
> 
< HTTP/1.1 200 OK
...

以上

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Comments
Sign up for free and join this conversation.
If you already have a Qiita account
Why do not you register as a user and use Qiita more conveniently?
You need to log in to use this function. Qiita can be used more conveniently after logging in.
You seem to be reading articles frequently this month. Qiita can be used more conveniently after logging in.
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away