I compiled OpenSSL 3.1.0 with FIPS using the script given below. The installation succeeded and works fine. But if FIPS is enabled, no outbound connection can be made; I get an "EE certificate too weak" error.
wget https://www.openssl.org/source/openssl-3.1.0.tar.gz \
&& tar zxvf openssl-3.1.0.tar.gz \
&& cd openssl-3.1.0 \
&& CFLAGS=-fPIC ./config enable-fips --prefix=/usr/local/openssl --openssldir=/usr/local/openssl \
&& make \
&& make test \
&& make install \
&& bash -c "echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf" \
&& ldconfig
openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
FIPS is enabled by including the fipsmodule.cnf file in the openssl config and adding the fips provider.
.include /usr/local/openssl/fipsmodule.cnf
..
..
..
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
I verified that FIPS is enabled by generating an MD5 hash of a file, which fails as expected.
openssl md5 <file_path>
Error setting digest
40C7F61E7D7F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (MD5 : 100), Properties ()
40C7F61E7D7F0000:error:03000086:digital envelope routines:(unknown function):initialization error:crypto/evp/digest.c:272:
#
#
openssl sha256 <file_path>
SHA2-256(openssl)= 49c16340d51eba8d2c31dbe569ad1f686fef571a0a7c9a4545a85c22d4650259
[root@centos7 bin]#
But all outbound connections fail:
openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
40D7CF19B37F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:458:
40D7CF19B37F0000:error:0A0000EF:SSL routines:(unknown function):unable to find public key parameters:ssl/statem/statem_clnt.c:1905:
---
Certificate chain
0 s:CN = *.google.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
v:NotBefore: Mar 28 16:47:33 2023 GMT; NotAfter: Jun 20 16:47:32 2023 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6777 bytes and written 311 bytes
Verification error: EE certificate key too weak
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 66 (EE certificate key too weak)
---
Any help resolving this would be appreciated, thanks.
1 Answer
40D7CF19B37F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:458:
I was trying to install openssl-3.1.0 with FIPS hardening and ran into an issue because the FIPS provider does not load encoders/decoders by default.
Sample log showing the failure:
See https://www.openssl.org/docs/man3.0/man7/fips_module.html for details.
What worked for me was enabling the default provider, with "fips=yes" as defined in the example config.
I suggest trying to add "algorithm_sect" to your conf and seeing if it resolves your issue.
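The configuration the answer describes, written out as an added example that is not from the original post or from the OpenSSL project; it assumes the fipsmodule.cnf path from the question and keeps the questioner's section names:

```ini
# openssl.cnf: the FIPS provider supplies the cryptography, and the default
# provider is activated so that X.509/public-key encoders and decoders exist.
# default_properties = fips=yes pins every algorithm fetch to FIPS-validated
# implementations, so MD5 stays unavailable while certificate decoding works.
# Assumptions: fipsmodule.cnf is at the path used in the question, and the
# section names match the questioner's config.
config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/openssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf (fipsmodule.cnf itself sets activate = 1 for it).
fips = fips_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
```

With this in place, `openssl list -providers` should show both providers active; the `openssl md5` check from the question still fails, because only FIPS-validated algorithms match `fips=yes`, while the decoders the default provider exposes with that property let the s_client handshake complete. The base provider can be activated instead of default if you want only encoders, decoders and store loaders without any non-FIPS algorithms present.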