
How to keep using keys created with OpenSSL 0.9.8 under OpenSSL 1.1.1

Ubuntu 20.04 (OpenSSL 1.1.1)

  • Specify SSLCipherSuite.
/etc/apache2/sites-available/default-ssl.conf
 <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
                 ServerAdmin webmaster@localhost

                 DocumentRoot /var/www/html

                 ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined

                 SSLEngine on

                 SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+                SSLCipherSuite @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                 SSLOptions +StdEnvVars
                 </FilesMatch>
                 <Directory /usr/lib/cgi-bin>
                                 SSLOptions +StdEnvVars
                 </Directory>

         </VirtualHost>
 </IfModule>

Ubuntu 16.04 (OpenSSL 1.0.2e)

/etc/apache2/sites-available/default-ssl.conf
 <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
                 ServerAdmin webmaster@localhost

                 DocumentRoot /var/www/html

                 ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined

                 SSLEngine on

                 SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+                SSLCipherSuite kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                 SSLOptions +StdEnvVars
                 </FilesMatch>
                 <Directory /usr/lib/cgi-bin>
                                 SSLOptions +StdEnvVars
                 </Directory>

         </VirtualHost>
 </IfModule>

CentOS 8

Level 0
Everything is permitted. This retains compatibility with previous versions of OpenSSL.

When Apache will not start with HTTPS enabled:
Check /var/log/httpd/ssl_error_log.

Dealing with "key too small"

SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

If this appears, I think it is the case where SSLCertificateKeyFile and related files were copied over from the old server and used as-is.

For reference, the Apache directives are defined as follows in /etc/httpd/conf.d/ssl.conf.

/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Checking the error message

# start httpd in the foreground
/usr/sbin/httpd -D FOREGROUND

# follow the SSL error log
tail -f /var/log/httpd/ssl_error_log

SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

This error appears from CentOS 8 (7?) onward.

Workaround (lower SECLEVEL)

On Debian:

/etc/ssl/openssl.cnf
- CipherString = DEFAULT@SECLEVEL=2
+ CipherString = DEFAULT@SECLEVEL=1

On CentOS 8:

/etc/crypto-policies/config
- DEFAULT
+ LEGACY
Apply the settings
update-crypto-policies
  • All of /etc/crypto-policies/back-ends/*.config are rewritten at once.

Alternatively, as described in "Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms" (Red Hat Customer Portal):

update-crypto-policies --set LEGACY

Dealing with "ca md too weak"

SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

In this case, lower SECLEVEL even further.

/etc/crypto-policies/back-ends/openssl.config
- @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+ @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
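Review bot: Setting @SECLEVEL=0 in /etc/crypto-policies/back-ends/openssl.config relaxes the floor for every OpenSSL-linked program on the host, not just httpd, and the file is regenerated by update-crypto-policies (the bullet below already notes that `--set LEGACY` rewrites it), so the edit is both over-broad and fragile. Suggest scoping the relaxation to the one virtual host that needs it, as the Ubuntu 20.04 section does with `SSLCipherSuite @SECLEVEL=0:...`, and treating it as a stopgap: "ca md too weak" at level 1 means the certificate's signing digest offers under 80 bits of security (MD5 in OpenSSL 1.1.1), so the lasting fix is to reissue the key and certificate chain with a 2048-bit or larger key and a SHA-2 signature.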
  • Running update-crypto-policies did not change the contents of /etc/crypto-policies/back-ends/openssl.config.
    • With update-crypto-policies --set LEGACY it does get rewritten.
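To show why the two errors above appear in the order they do, and what each SECLEVEL actually requires of a key and certificate, here is an added example (not from the article, and not OpenSSL's own code). It models the OpenSSL 1.1.1 certificate checks behind "ee key too small" and "ca md too weak" using the thresholds documented in SSL_CTX_set_security_level(3) and the digest strengths OpenSSL 1.1.1 assigns (OpenSSL 3.0 rates SHA-1 lower), and it parses the cipher-string syntax used in the SSLCipherSuite and CipherString lines in this article. The key size and signature digest are assumed to be read from `openssl x509 -in cert.pem -noout -text`; the sample values in `main` are constructed.

```python
"""Model of OpenSSL 1.1.1 SECLEVEL certificate checks and a cipher-string parser.

Added example, not OpenSSL's code.  Thresholds: SSL_CTX_set_security_level(3).
Digest strengths: OpenSSL 1.1.1 values (digest size in bytes * 4).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum RSA/DSA/DH key size accepted at each security level.
MIN_KEY_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
# Minimum strength (bits) of a certificate's signature digest at each level.
MIN_DIGEST_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
# Strength OpenSSL 1.1.1 assigns to each signature digest.
DIGEST_BITS = {"md5": 64, "sha1": 80, "sha224": 112, "sha256": 128,
               "sha384": 192, "sha512": 256}

# The SSLCipherSuite value used in the article (constructed copy for the demo).
PAGE_CIPHER_STRING = ("@SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:"
                      "!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:"
                      "-CAMELLIA:-ARIA:-AESCCM8")


def check_cert(key_bits: int, sig_digest: str, level: int,
               self_signed: bool = False) -> Optional[str]:
    """Return None if a certificate with this RSA key size and signing digest
    loads at `level`, else the reason mod_ssl logs.  OpenSSL checks the key
    first, then the signature, which is why lowering the level from 2 to 1
    swaps "key too small" for "ca md too weak" on a 1024-bit, MD5-signed cert."""
    if key_bits < MIN_KEY_BITS[level]:
        return "ee key too small"
    # The signature of a self-signed certificate is not checked; for any other
    # certificate the signing digest is reported as the CA's digest.
    if not self_signed and DIGEST_BITS[sig_digest.lower()] < MIN_DIGEST_BITS[level]:
        return "ca md too weak"
    return None


def highest_accepting_level(key_bits: int, sig_digest: str,
                            self_signed: bool = False) -> int:
    """Strictest SECLEVEL at which the certificate still loads (0 always does)."""
    for level in range(5, 0, -1):
        if check_cert(key_bits, sig_digest, level, self_signed) is None:
            return level
    return 0


@dataclass
class CipherString:
    seclevel: Optional[int] = None                        # from @SECLEVEL=n
    directives: List[str] = field(default_factory=list)   # other @WORDs, e.g. @STRENGTH
    added: List[str] = field(default_factory=list)        # bare words: add to the list
    moved_to_end: List[str] = field(default_factory=list) # +WORD: move to end of list
    removed: List[str] = field(default_factory=list)      # -WORD: remove, may be re-added
    killed: List[str] = field(default_factory=list)       # !WORD: permanently removed


def parse_cipher_string(spec: str) -> CipherString:
    """Split an OpenSSL cipher string (ciphers(1) syntax) into its operations."""
    out = CipherString()
    for token in re.split(r"[:, ]", spec):   # ciphers(1) accepts ':' ',' or space
        if not token:
            continue
        m = re.fullmatch(r"@SECLEVEL=([0-5])", token)
        if m:
            out.seclevel = int(m.group(1))
        elif token.startswith("@"):
            out.directives.append(token)
        elif token.startswith("!"):
            out.killed.append(token[1:])
        elif token.startswith("-"):
            out.removed.append(token[1:])
        elif token.startswith("+"):
            out.moved_to_end.append(token[1:])
        else:
            out.added.append(token)
    return out


def effective_seclevel(cipher_string: str, default_level: int) -> int:
    """Level an SSL context ends up with: an @SECLEVEL in the application's own
    cipher string overrides the CipherString=...@SECLEVEL=n default that
    openssl.cnf or crypto-policies installed, which is why a per-vhost
    SSLCipherSuite can relax the level without touching the system files."""
    parsed = parse_cipher_string(cipher_string)
    return default_level if parsed.seclevel is None else parsed.seclevel


if __name__ == "__main__":
    # Constructed samples: a 0.9.8-era 1024-bit cert with an MD5 signature,
    # the same key size with SHA-1, and a current 2048-bit SHA-256 cert.
    for bits, digest in [(1024, "md5"), (1024, "sha1"), (2048, "sha256")]:
        print(f"RSA-{bits}/{digest}: level 2 -> {check_cert(bits, digest, 2)}, "
              f"level 1 -> {check_cert(bits, digest, 1)}, "
              f"highest accepting level {highest_accepting_level(bits, digest)}")
    print(parse_cipher_string(PAGE_CIPHER_STRING))
    print("effective level with system default 2:",
          effective_seclevel(PAGE_CIPHER_STRING, 2))
```

Run it as a script to see the three sample certificates evaluated; `highest_accepting_level` answers the practical question of how far the level has to drop for a given certificate (0 for a 1024-bit MD5-signed one, 1 if it was SHA-1-signed), and `parse_cipher_string` makes visible that the article's string never re-enables anything it kills with `!`, while the `-` entries could be re-added by a later token.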

IPA

(screenshot: スクリーンショット_2020-04-20_13-56-55.png)

tukiyo3
Infrastructure / web development
http://tukiyo.github.io/