Linux: OpenSSL 3.1.0 gives "EE certificate key too weak" error when FIPS is enabled

k4ymrczo posted on 2023-04-20 in Linux

I compiled OpenSSL 3.1.0 with FIPS using the script given below. The install succeeded and it works fine. But if FIPS is enabled, no outbound connection can be made; I get an "EE certificate key too weak" error.

wget https://www.openssl.org/source/openssl-3.1.0.tar.gz \
    && tar zxvf openssl-3.1.0.tar.gz \
    && cd openssl-3.1.0 \
    && CFLAGS=-fPIC ./config enable-fips --prefix=/usr/local/openssl --openssldir=/usr/local/openssl \
    && make \
    && make test \
    && make install \
    && bash -c "echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf" \
    && ldconfig
openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)

FIPS is enabled by including the fipsmodule.cnf file in the openssl config and adding the fips provider.

.include /usr/local/openssl/fipsmodule.cnf

..
..
..

# List of providers to load
[provider_sect]
default = default_sect

# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect

I verified that FIPS is enabled by generating an MD5 hash of a file, which fails with an error as expected.

openssl md5 <file_path>
Error setting digest
40C7F61E7D7F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (MD5 : 100), Properties ()
40C7F61E7D7F0000:error:03000086:digital envelope routines:(unknown function):initialization error:crypto/evp/digest.c:272:
# 
# 
openssl sha256 <file_path>
SHA2-256(openssl)= 49c16340d51eba8d2c31dbe569ad1f686fef571a0a7c9a4545a85c22d4650259
[root@centos7 bin]#

But all outbound connections fail:

openssl s_client -connect google.com:443

CONNECTED(00000003)
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
40D7CF19B37F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:458:
40D7CF19B37F0000:error:0A0000EF:SSL routines:(unknown function):unable to find public key parameters:ssl/statem/statem_clnt.c:1905:
---
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   v:NotBefore: Mar 28 16:47:33 2023 GMT; NotAfter: Jun 20 16:47:32 2023 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6777 bytes and written 311 bytes
Verification error: EE certificate key too weak
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 66 (EE certificate key too weak)
---

Any help resolving this would be appreciated, thanks.

hgc7kmma1#

40D7CF19B37F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:458:
I was trying to install openssl-3.1.0 with FIPS hardening and ran into a problem because the FIPS provider does not load encoders/decoders by default.
Sample log showing the failure:

# openssl genrsa 2048
00446BBEC97F0000:error:1D800065:ENCODER routines:OSSL_ENCODER_to_bio:reason(101):crypto/encode_decode/encoder_lib.c:55:No encoders were found. For standard encoders you need at least one of the default or base providers available. Did you forget to load them?
00446BBEC97F0000:error:04800073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:133:

For details see https://www.openssl.org/docs/man3.0/man7/fips_module.html
What worked for me was enabling the default provider with "fips=yes" as defined in the example configuration.

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes

I suggest trying to add the "algorithm_sect" to your conf and see whether it resolves your problem.

# openssl3 md5 data/hsm_config
Error setting digest
0054D1E67E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (MD5 : 100), Properties ()
0054D1E67E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:272:

# openssl genrsa 2048
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
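The two configurations in this thread differ in exactly the way the answer describes: the question's setup ends up with only the FIPS provider loaded (SHA-256 works, MD5 is refused, but peer certificates cannot be decoded because the FIPS provider ships no encoders or decoders), while the answer's setup also activates the default provider and pins default_properties = fips=yes so that non-approved algorithms such as MD5 stay unavailable. The following added example (not code from the question, the answer, or the OpenSSL project) is a small static checker for that part of an openssl.cnf: it parses sections, key = value pairs and .include directives, lists the providers OpenSSL would activate, and reports the two misconfigurations above. The config text and the abbreviated fipsmodule.cnf stand-in are constructed; the question's fragment is modelled with a default_sect that is named but never activated, which is an assumption made to reproduce its symptoms, and the checker only recognises the documented `activate = 1` form.

```python
"""Static check of an OpenSSL 3.x provider config (added example for this
thread, not the question's or answer's own code). Lesson encoded: the FIPS
provider has no encoders/decoders, so activating it alone hashes fine but
cannot decode peer certificates; the answer's fix activates the default
provider too and pins default_properties = fips=yes so MD5 stays blocked.
All config text below is constructed; .include files come from a dict."""
import re
from typing import Dict, List, Optional

Config = Dict[str, Dict[str, str]]  # section name -> {key: value}
TOP = ""                            # OpenSSL's unnamed top-level section

def parse_openssl_cnf(text: str, includes: Optional[Dict[str, str]] = None) -> Config:
    """Parse [section] headers, key = value pairs, # comments and .include <path>."""
    includes = includes or {}
    cfg: Config = {TOP: {}}
    section = TOP
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(".include"):
            path = line[len(".include"):].lstrip(" =").strip()
            if path in includes:  # merge the included file's sections; unknown paths add nothing
                for name, kv in parse_openssl_cnf(includes[path], includes).items():
                    cfg.setdefault(name, {}).update(kv)
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            section = header.group(1)
            cfg.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        cfg[section][key.strip()] = value.strip()
    return cfg

def _section(cfg: Config, name: Optional[str]) -> Dict[str, str]:
    return cfg.get(name, {}) if name else {}

def _init_section(cfg: Config) -> Dict[str, str]:
    # openssl_conf names the init section; OpenSSL falls back to openssl_init.
    return cfg.get(cfg[TOP].get("openssl_conf", "openssl_init"), {})

def activated_providers(cfg: Config) -> List[str]:
    """Providers OpenSSL would load: listed under `providers` and carrying `activate = 1`."""
    return [name for name, sect in _section(cfg, _init_section(cfg).get("providers")).items()
            if cfg.get(sect, {}).get("activate") == "1"]

def check_fips_config(cfg: Config) -> List[str]:
    """Findings against the answer's working setup; an empty list means it matches."""
    findings: List[str] = []
    active = set(activated_providers(cfg))
    if "fips" not in active:
        findings.append("fips provider is not activated")
    if not active & {"default", "base"}:
        findings.append("no default/base provider active: no encoders or decoders, "
                        "so keys and X.509 certificates cannot be decoded")
    if "default" in active:  # only meaningful once non-FIPS algorithms are loadable
        props = _section(cfg, _init_section(cfg).get("alg_section")).get("default_properties", "")
        if "fips=yes" not in props.replace(" ", "").split(","):
            findings.append("default_properties does not pin fips=yes: non-approved "
                            "algorithms from the default provider stay fetchable")
    return findings

# Constructed, abbreviated stand-in for the file `openssl fipsinstall` writes.
FIPSMODULE_CNF = "[fips_sect]\nactivate = 1\nconditional-errors = 1\nsecurity-checks = 1\n"
INCLUDES = {"/usr/local/openssl/fipsmodule.cnf": FIPSMODULE_CNF,
            "/usr/local/ssl/fipsmodule.cnf": FIPSMODULE_CNF}

# Constructed to reproduce the question's symptom: default_sect is named but never activated.
FIPS_ONLY = """.include /usr/local/openssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
"""

# The answer's configuration: both providers active, fetches pinned to fips=yes.
FIPS_AND_DEFAULT = """.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
"""

if __name__ == "__main__":
    for label, text in (("question", FIPS_ONLY), ("answer", FIPS_AND_DEFAULT)):
        findings = check_fips_config(parse_openssl_cnf(text, INCLUDES))
        print(f"{label}: {' | '.join(findings) or 'OK'}")
```

To run it against a real installation, read the file named by `openssl version -d` (plus its OPENSSLDIR/fipsmodule.cnf) into `parse_openssl_cnf` and `INCLUDES`; a finding about missing encoders or decoders is the static counterpart of the `x_pubkey.c` decode error and the `unable to find public key parameters` failure in the question's s_client output, and `openssl list -providers` is the runtime check that confirms which providers actually loaded.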
