@tukiyo3

How to keep using a key created with OpenSSL 0.9.8 under OpenSSL 1.1.1

  • @SECLEVEL=0 is required.

nginx

/etc/nginx/conf.d/default.conf
  server {
      listen       80;
      listen       443 ssl;
      server_name  localhost;

      #ssl_verify_client      on;
      ssl_certificate        /etc/nginx/certs/server.crt;
      ssl_certificate_key    /etc/nginx/certs/server.key;
      ssl_client_certificate /etc/nginx/certs/ca.crt;
+     ssl_ciphers    'HIGH:!aNULL:!MD5@SECLEVEL=0';
      # With IE11, for some reason the connection fails when TLSv1.2 is enabled.
+     ssl_protocols  TLSv1 TLSv1.1 TLSv1.3;

      location / {
          root   /usr/share/nginx/html;
          index  index.html index.htm;
      }

      error_page   500 502 503 504  /50x.html;
      location = /50x.html {
          root   /usr/share/nginx/html;
      }

  }
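Review bot: the added ssl_protocols line drops TLSv1.2 while re-enabling TLSv1 and TLSv1.1, both deprecated by RFC 8996, so every client without TLSv1.3 support is pushed onto the old versions, not only the IE11 case the comment mentions; keep TLSv1.2 in the list and diagnose the IE11 failure (the $ssl_cipher and $ssl_protocol log fields added later on this page show what IE11 actually negotiates). The @SECLEVEL=0 suffix in ssl_ciphers switches off OpenSSL's key-size and certificate-signature checks for this server block, which is what lets the 0.9.8-era key load; the rest of the string still excludes aNULL and MD5 suites.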

Ubuntu 20.04 (OpenSSL 1.1.1)

  • Add @SECLEVEL=0 to SSLCipherSuite.
/etc/apache2/sites-available/default-ssl.conf
 <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
                 ServerAdmin webmaster@localhost

                 DocumentRoot /var/www/html

                 ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined

                 SSLEngine on

                 SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-                SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+                SSLCipherSuite @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
                 # or alternatively
+                SSLCipherSuite @SECLEVEL=0:HIGH:MEDIUM:!MD5:!RC4:!3DES
                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                 SSLOptions +StdEnvVars
                 </FilesMatch>
                 <Directory /usr/lib/cgi-bin>
                                 SSLOptions +StdEnvVars
                 </Directory>

         </VirtualHost>
 </IfModule>
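Review bot: both added SSLCipherSuite lines are active at the same time; the comment between them presents them as alternatives, but Apache applies the last SSLCipherSuite in the VirtualHost, so only the @SECLEVEL=0:HIGH:MEDIUM:!MD5:!RC4:!3DES variant takes effect and the longer kEECDH:kRSA:... list is dead configuration. Comment one of them out so the file states which list is in use. In either variant only the @SECLEVEL=0 prefix is what accepts the old key; MD5, RC4 and 3DES stay excluded, so the weakening is limited to key-size and certificate-signature checks.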

Ubuntu 16.04 (OpenSSL 1.0.2e)

/etc/apache2/sites-available/default-ssl.conf
 <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
                 ServerAdmin webmaster@localhost

                 DocumentRoot /var/www/html

                 ErrorLog ${APACHE_LOG_DIR}/error.log
                 CustomLog ${APACHE_LOG_DIR}/access.log combined

                 SSLEngine on

                 SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+                SSLCipherSuite kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                 SSLOptions +StdEnvVars
                 </FilesMatch>
                 <Directory /usr/lib/cgi-bin>
                                 SSLOptions +StdEnvVars
                 </Directory>

         </VirtualHost>
 </IfModule>
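Review bot: this SSLCipherSuite carries no @SECLEVEL prefix, and that is correct for the OpenSSL 1.0.2 named in the heading: security levels and the @SECLEVEL syntax only exist from OpenSSL 1.1.0, so 1.0.2 would not understand it. It also means the "key too small" problem this page is about does not arise on 16.04; this hunk only narrows the cipher list.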

CentOS 8

From the OpenSSL manual (SSL_CTX_set_security_level), Level 0:
Everything is permitted. This retains compatibility with previous versions of OpenSSL.

If Apache will not start with https enabled:
check /var/log/httpd/ssl_error_log.

Dealing with "key too small"

SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

If this appears, I think it is a case where SSLCertificateKeyFile and the like were copied from the old server and used as-is.

For reference, the Apache definitions are as follows (/etc/httpd/conf.d/ssl.conf):

/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Checking the error message

# start
/usr/sbin/httpd -D FOREGROUND

# check the log
tail -f /var/log/httpd/ssl_error_log

SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

This error appears on CentOS 8 (7?) and later.

Fix (lower SECLEVEL)

On Debian:

/etc/ssl/openssl.cnf
- CipherString = DEFAULT@SECLEVEL=2
+ CipherString = DEFAULT@SECLEVEL=1
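Review bot: SECLEVEL=1 is OpenSSL's 80-bit level, so it still rejects RSA keys shorter than 1024 bits and MD5-signed certificates; this change only helps when the old key is between 1024 and 2048 bits, and does not cover the "ca md too weak" case handled further down. Check the key size first (openssl rsa -in server.key -noout -text prints it) before deciding how far the level must be lowered, and note that this file sets the default for every OpenSSL-based program on the host, not just the web server.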

On Ubuntu 21.04: Ubuntu 20.04 - how to set lower SSL security level? - Ask Ubuntu

openssl version -a shows the build-time options. md5 is not included in openssl 1.1.1.

/etc/ssl/openssl.cnf
# write at the top of the file
openssl_conf = openssl_init

(omitted)

# write at the end of the file
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0

On CentOS 8:

/etc/crypto-policies/config
- DEFAULT
+ LEGACY
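Review bot: switching the system policy to LEGACY changes the defaults for every consumer of the /etc/crypto-policies back-ends (OpenSSL, GnuTLS, NSS, Java and the others), not only httpd, which is what the bullet below about all *.config files being rewritten at once means in practice. If only the web server has to accept the old key, an explicit per-VirtualHost SSLCipherSuite with @SECLEVEL=0, as in the Ubuntu section above, keeps the change scoped to httpd.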
Apply the settings
update-crypto-policies
  • /etc/crypto-policies/back-ends/*.config are all rewritten at once.

Or: Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms - Red Hat Customer Portal

update-crypto-policies --set LEGACY

Dealing with "ca md too weak"

SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

In this case, lower SECLEVEL even further.

/etc/crypto-policies/back-ends/openssl.config
- @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+ @SECLEVEL=0:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
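Review bot: the bullets after this hunk already record that update-crypto-policies --set LEGACY rewrites this file, so a hand edit to back-ends/openssl.config is lost the next time the policy is set; prefer the documented --set route over editing a generated file. Also, the error names the real problem: the CA certificate is signed with MD5, and level 0 ("everything is permitted") is the only level that accepts it, so re-signing the CA with SHA-256 is the durable fix and SECLEVEL=0 should be treated as a stopgap.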
  • Running update-crypto-policies did not change the contents of /etc/crypto-policies/back-ends/openssl.config.
    • With update-crypto-policies --set LEGACY it is rewritten.

IPA

(screenshot: スクリーンショット_2020-04-20_13-56-55.png)

Adding TLS fields to the nginx log

/etc/nginx/nginx.conf
  http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
+                     '$ssl_client_verify '
+                     '$ssl_cipher '
+                     '$ssl_protocol '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
  }
  • $ssl_client_verify
    • SUCCESS / NONE
  • $ssl_cipher
    • ECDHE-RSA-AES128-GCM-SHA256
  • $ssl_protocol
    • TLSv1.2
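To find out which clients actually depend on the lowered security level, here is an added example (not from the original article) that parses access-log lines written in the modified main format above and flags connections that negotiated a deprecated protocol or an excluded cipher. The sample log lines are constructed, and the protocol and cipher classification is this example's own assumption, not something nginx reports.

```python
import re
from collections import Counter
# The page's customised nginx "main" log_format: $ssl_client_verify, $ssl_cipher and
# $ssl_protocol sit unquoted before "$http_user_agent". nginx logs "-" for an empty
# variable (plain HTTP), and $ssl_client_verify can be "FAILED:<reason with spaces>".
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
    r'(?P<verify>SUCCESS|NONE|-|FAILED:.*?) (?P<cipher>\S+) (?P<protocol>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
# Assumed classification: RFC 8996-deprecated protocols, and cipher-name fragments excluded by the page's cipher strings.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKS = ("MD5", "RC4", "DES", "NULL")

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_legacy(rec):
    """True when a TLS connection used a deprecated protocol or an excluded cipher."""
    if rec["protocol"] == "-":  # plain HTTP: no TLS fields at all
        return False
    return rec["protocol"] in LEGACY_PROTOCOLS or any(
        mark in rec["cipher"] for mark in WEAK_CIPHER_MARKS)

def summarize(lines):
    """Count protocols, ciphers and client-cert results; list clients on legacy settings."""
    report = {"protocols": Counter(), "ciphers": Counter(), "verify": Counter(),
              "legacy_clients": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
        elif rec["protocol"] != "-":
            report["protocols"][rec["protocol"]] += 1
            report["ciphers"][rec["cipher"]] += 1
            report["verify"][rec["verify"].split(":")[0]] += 1  # "FAILED:<reason>" -> "FAILED"
            if is_legacy(rec):
                report["legacy_clients"].append((rec["addr"], rec["protocol"], rec["cipher"], rec["ua"]))
    return report
# Constructed sample lines (not real traffic) in the modified "main" format.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Apr/2020:13:56:55 +0900] "GET / HTTP/1.1" 200 612 "-" SUCCESS ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "Mozilla/5.0" "-"',
    '203.0.113.11 - - [20/Apr/2020:13:57:01 +0900] "GET / HTTP/1.1" 200 612 "-" NONE AES128-SHA TLSv1 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" "-"',
    '203.0.113.12 - - [20/Apr/2020:13:57:09 +0900] "GET / HTTP/1.1" 200 612 "-" FAILED:certificate has expired ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 "curl/7.68.0" "-"',
    '203.0.113.13 - - [20/Apr/2020:13:57:15 +0900] "GET / HTTP/1.1" 200 612 "-" - - - "curl/7.68.0" "-"',
]
```

Run summarize() over a real access.log before and after enabling @SECLEVEL=0 to see whether anything besides the known legacy clients lands in legacy_clients.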