%EC%97%90%EC%84%9C%20%EC%9E%91%EB%8F%99%ED%95%98%EC%A7%80%20%EC%95%8A%EC%8A%B5%EB%8B%88%EB%8B%A4..png)
SSLVerifyClient 옵션은 사용자에게 인증서를 요청한다는 점에서 작동하지만 브라우저에 오류가 표시되고 서버가 ProxyPass .. 서버에 요청을 전달하지 않습니다.
다음 구성 코드(SSLVerifyClient 옵션)는 debian 8 - apache 2.4.10+openssl 1.0.1t(2016년 5월)에서 제대로 작동합니다.
다음 구성 코드(SSLVerifyClient 옵션)는 debian 9에서 제대로 작동합니다 - apache 2.4.25+openssl 1.1.0l(2019년 9월 10일)
다음 구성 코드(SSLVerifyClient 옵션)는 debian 10 - apache 2.4.38+openssl 1.1.1d(2019년 9월 10일)에서 작동하지 않습니다.
SSLCertificateFile ....crt
SSLCertificateKeyFile ...key
SSLCACertificateFile ../root_...crt
SSLCARevocationFile ..crl.pem
ProxyPass / balancer://...
ProxyPassReverse / balancer://...
..
<Location /test>
SSLVerifyClient optional
SSLOptions +StdEnvVars +ExportCertData
..
RequestHeader set X-SSL-CLIENT-S-DN-O "%{SSL_CLIENT_S_DN_O}s"
Apache 2.4.38+openssl 1.1.1d 및 Apache 2.4.25+openssl 1.1.0l 중간 어딘가에서 문제가 발생합니다. 왜 이런 일이 발생합니까?
아파치 로그:
firefox 43.0.2
An error occurred during a connection to test.mytesthost. SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)
apache log level set to debug
==> /var/log/apache2/test.mytesthost.error.log <==
[Mon Dec 28 05:05:22.392282 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH01964: Connection to child 16 established (server test.mytesthost:443)
[Mon Dec 28 05:05:22.392535 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:22.392567 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:22.392572 2020] [core:debug] [pid 2001:tid 140129775593216] protocol.c(2314): [client 127.0.0.1:57716] AH03155: select protocol from , choices=h2,spdy/3.1,http/1.1 for server test.mytesthost
[Mon Dec 28 05:05:22.443004 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2235): [client 127.0.0.1:57716] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Mon Dec 28 05:05:22.533306 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(383): [client 127.0.0.1:57716] AH02034: Initial (No.1) HTTPS request received for child 16 (server test.mytesthost:443)
[Mon Dec 28 05:05:22.533374 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(746): [client 127.0.0.1:57716] AH02255: Changed client verification type will force renegotiation
[Mon Dec 28 05:05:22.533379 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02221: Requesting connection re-negotiation
[Mon Dec 28 05:05:22.533404 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(975): [client 127.0.0.1:57716] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Mon Dec 28 05:05:22.533461 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2235): [client 127.0.0.1:57716] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Mon Dec 28 05:05:22.533476 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02226: Awaiting re-negotiation handshake
[Mon Dec 28 05:05:22.533604 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:24.962762 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(1740): [client 127.0.0.1:57716] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: [email protected],CN=Pers id: 433837686,OU=Company Certification Center,O=Company Transfer / issuer: CN=Company Transfer Root CA,O=WM Transfer Ltd,OU=WM Transfer Certification Services / serial: 1A209C2E0000000B042A / notbefore: Jan 16 13:36:07 2020 GMT / notafter: Jan 16 13:46:07 2022 GMT]
[Mon Dec 28 05:05:24.964246 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02276: Certificate Verification: Error (68): CA signature digest algorithm too weak [subject: [email protected],CN=Pers id: 433837686,OU=Company Certification Center,O=Company Transfer / issuer: CN=Company Transfer Root CA,O=WM Transfer Ltd,OU=WM Transfer Certification Services / serial: 1A209C2E0000000B042A / notbefore: Jan 16 13:36:07 2020 GMT / notafter: Jan 16 13:46:07 2022 GMT]
[Mon Dec 28 05:05:24.964287 2020] [socache_shmcb:debug] [pid 2001:tid 140129775593216] mod_socache_shmcb.c(557): AH00837: socache_shmcb_remove (0x60 -> subcache 0)
[Mon Dec 28 05:05:24.964299 2020] [socache_shmcb:debug] [pid 2001:tid 140129775593216] mod_socache_shmcb.c(571): AH00839: leaving socache_shmcb_remove successfully
[Mon Dec 28 05:05:24.964344 2020] [ssl:error] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02261: Re-negotiation handshake failed
[Mon Dec 28 05:05:24.964363 2020] [ssl:error] [pid 2001:tid 140129775593216] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Mon Dec 28 05:05:24.964402 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_io.c(1372): [client 127.0.0.1:57716] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Dec 28 05:05:24.964407 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH01998: Connection closed to child 16 with abortive shutdown (server test.mytesthost:443)
firefox 78.6.0esr 출력: 금지됨 이 리소스에 액세스할 수 있는 권한이 없습니다. 이유: 핸드셰이크 후 인증을 수행할 수 없습니다.
==> /var/log/apache2/test.mytesthost.error.log <==
[Tue Dec 29 03:11:47.553633 2020] [ssl:info] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH01964: Connection to child 65 established (server test.mytesthost:443)
[Tue Dec 29 03:11:47.554092 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2319): [client 127.0.0.1:58060] AH02043: SSL virtual host for servername test.mytesthost found
[Tue Dec 29 03:11:47.554113 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2319): [client 127.0.0.1:58060] AH02043: SSL virtual host for servername test.mytesthost found
[Tue Dec 29 03:11:47.554118 2020] [core:debug] [pid 8218:tid 140339011598080] protocol.c(2314): [client 127.0.0.1:58060] AH03155: select protocol from , choices=h2,http/1.1 for server test.mytesthost
[Tue Dec 29 03:11:47.638499 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2235): [client 127.0.0.1:58060] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Tue Dec 29 03:11:47.638596 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x92 -> subcache 18)
[Tue Dec 29 03:11:47.638617 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 29 03:11:47.638621 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/204
[Tue Dec 29 03:11:47.638623 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 29 03:11:47.638699 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x2f -> subcache 15)
[Tue Dec 29 03:11:47.638721 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 29 03:11:47.638724 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/203
[Tue Dec 29 03:11:47.638726 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 29 03:11:47.638824 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(383): [client 127.0.0.1:58060] AH02034: Initial (No.1) HTTPS request received for child 65 (server test.mytesthost:443)
[Tue Dec 29 03:11:47.638862 2020] [ssl:error] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH10129: verify client post handshake
[Tue Dec 29 03:11:47.638866 2020] [ssl:error] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH10158: cannot perform post-handshake authentication
[Tue Dec 29 03:11:47.638885 2020] [ssl:error] [pid 8218:tid 140339011598080] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Tue Dec 29 03:11:52.640565 2020] [ssl:debug] [pid 8218:tid 140338928809728] ssl_engine_io.c(1106): [client 127.0.0.1:58060] AH02001: Connection closed to child 66 with standard shutdown (server test.mytesthost:443)
답변1
FF43의 문제는 Gerald Schneider가 발견한 것처럼 "CA 서명 다이제스트 알고리즘이 너무 약함"입니다. 하지만 이는 브라우저의 문제가 아니며,클라이언트 인증서의 신뢰 체인에 문제가 있습니다., 이는 Debian 및 OpenSSL의 이전 및 느슨한 버전에서는 허용되었지만 더 이상 허용되지 않습니다. 보다https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1. 비교하다https://github.com/symless/synergy-core/issues/6561그리고https://stackoverflow.com/questions/52218876/how-to-fix-ssl-issue-ssl-ctx-use-certificate-ca-md-too-weak-on-python-zeep(클라이언트 인증서가 아닌 서버 자체 인증서에 대한 것이지만) 특히 코드를 올바르게 읽었다면 체인의 CA 인증서 중 하나(확인되지 않은 루트 제외)에 SHA256(일명 SHA-2)보다 약한 해시를 사용하는 서명이 있습니다. 2015년 이후 대부분의 브라우저와 CA/Brower 포럼에서 요구하는 최소값입니다. 더 낮은 @SECLEVEL(모든 연결에 대한 보안이 저하될 수 있음)을 허용하도록 서버를 구성하거나 클라이언트가 더 강력한 인증서 체인을 갖도록 변경해야 합니다. 인증서와 인증서를 받은 CA에 따라 새 EE(end-entity=client) 인증서가 필요할 수도 있고, 동일한 EE 인증서에 대해 더 나은 체인이 있을 수도 있습니다.
FF78.6의 문제는 "SSL_verify_client_post_handshake:확장을 받지 못했습니다"라는 것과 다릅니다. OpenSSL 1.1.1은 클라이언트 인증이 수행되는 방식을 변경하는 TLS 1.3을 지원합니다. 특히 이는 이제 '재협상'이 아닌 '포스트 핸드셰이크' 작업입니다(첫 번째 로그 참조). 내 FF78.6 사본은 이 기능을 지원하므로 이 오류가 발생합니다.~해야 한다브라우저 인스턴스에 클라이언트 인증서가 올바르게 설치되지 않았거나 사용자가 이를 선택/승인하지 않았음을 나타냅니다.