SSLVerifyClient 不適用於新的 openssl 和\或新的 apache (debian 10)

tag-icon tag-icon apache-2.4 openssl
SSLVerifyClient 不適用於新的 openssl 和\或新的 apache (debian 10)

SSLVerifyClient 選項的工作方式是請求使用者提供證書,但瀏覽器會顯示錯誤,且伺服器不會將請求傳遞給 ProxyPass .. 伺服器。

以下設定程式碼(SSLVerifyClient 選項)在 debian 8 - apache 2.4.10+openssl 1.0.1t(2016 年 5 月)上運作正常

以下設定程式碼(SSLVerifyClient 選項)在 debian 9 - apache 2.4.25+openssl 1.1.0l 上運作正常(2019 年 9 月 10 日)

以下設定程式碼(SSLVerifyClient 選項)不適用於 debian 10 - apache 2.4.38+openssl 1.1.1d(2019 年 9 月 10 日)

  SSLCertificateFile ....crt
  SSLCertificateKeyFile ...key
  SSLCACertificateFile ../root_...crt
  SSLCARevocationFile ..crl.pem

  ProxyPass / balancer://...
  ProxyPassReverse / balancer://...
..
  <Location /test>
    SSLVerifyClient optional
    SSLOptions +StdEnvVars +ExportCertData
    ..
    RequestHeader set X-SSL-CLIENT-S-DN-O "%{SSL_CLIENT_S_DN_O}s"

在 apache 2.4.38+openssl 1.1.1d 和 apache 2.4.25+openssl 1.1.0l 中間的某個地方出現問題,為什麼會發生這種情況?

阿帕契日誌:

firefox 43.0.2
An error occurred during a connection to test.mytesthost. SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert) 
apache log level set to debug 

==> /var/log/apache2/test.mytesthost.error.log <==
[Mon Dec 28 05:05:22.392282 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH01964: Connection to child 16 established (server test.mytesthost:443)
[Mon Dec 28 05:05:22.392535 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:22.392567 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:22.392572 2020] [core:debug] [pid 2001:tid 140129775593216] protocol.c(2314): [client 127.0.0.1:57716] AH03155: select protocol from , choices=h2,spdy/3.1,http/1.1 for server test.mytesthost
[Mon Dec 28 05:05:22.443004 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2235): [client 127.0.0.1:57716] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Mon Dec 28 05:05:22.533306 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(383): [client 127.0.0.1:57716] AH02034: Initial (No.1) HTTPS request received for child 16 (server test.mytesthost:443)
[Mon Dec 28 05:05:22.533374 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(746): [client 127.0.0.1:57716] AH02255: Changed client verification type will force renegotiation
[Mon Dec 28 05:05:22.533379 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02221: Requesting connection re-negotiation
[Mon Dec 28 05:05:22.533404 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(975): [client 127.0.0.1:57716] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Mon Dec 28 05:05:22.533461 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2235): [client 127.0.0.1:57716] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Mon Dec 28 05:05:22.533476 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02226: Awaiting re-negotiation handshake
[Mon Dec 28 05:05:22.533604 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(2319): [client 127.0.0.1:57716] AH02043: SSL virtual host for servername test.mytesthost found
[Mon Dec 28 05:05:24.962762 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_kernel.c(1740): [client 127.0.0.1:57716] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: [email protected],CN=Pers id: 433837686,OU=Company Certification Center,O=Company Transfer / issuer: CN=Company Transfer Root CA,O=WM Transfer Ltd,OU=WM Transfer Certification Services / serial: 1A209C2E0000000B042A / notbefore: Jan 16 13:36:07 2020 GMT / notafter: Jan 16 13:46:07 2022 GMT]
[Mon Dec 28 05:05:24.964246 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02276: Certificate Verification: Error (68): CA signature digest algorithm too weak [subject: [email protected],CN=Pers id: 433837686,OU=Company Certification Center,O=Company Transfer / issuer: CN=Company Transfer Root CA,O=WM Transfer Ltd,OU=WM Transfer Certification Services / serial: 1A209C2E0000000B042A / notbefore: Jan 16 13:36:07 2020 GMT / notafter: Jan 16 13:46:07 2022 GMT]
[Mon Dec 28 05:05:24.964287 2020] [socache_shmcb:debug] [pid 2001:tid 140129775593216] mod_socache_shmcb.c(557): AH00837: socache_shmcb_remove (0x60 -> subcache 0)
[Mon Dec 28 05:05:24.964299 2020] [socache_shmcb:debug] [pid 2001:tid 140129775593216] mod_socache_shmcb.c(571): AH00839: leaving socache_shmcb_remove successfully
[Mon Dec 28 05:05:24.964344 2020] [ssl:error] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH02261: Re-negotiation handshake failed
[Mon Dec 28 05:05:24.964363 2020] [ssl:error] [pid 2001:tid 140129775593216] SSL Library Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
[Mon Dec 28 05:05:24.964402 2020] [ssl:debug] [pid 2001:tid 140129775593216] ssl_engine_io.c(1372): [client 127.0.0.1:57716] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Dec 28 05:05:24.964407 2020] [ssl:info] [pid 2001:tid 140129775593216] [client 127.0.0.1:57716] AH01998: Connection closed to child 16 with abortive shutdown (server test.mytesthost:443)

使用 firefox 78.6.0esr 輸出:Forbidden You don't 無權存取此資源。

==> /var/log/apache2/test.mytesthost.error.log <==
[Tue Dec 29 03:11:47.553633 2020] [ssl:info] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH01964: Connection to child 65 established (server test.mytesthost:443)
[Tue Dec 29 03:11:47.554092 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2319): [client 127.0.0.1:58060] AH02043: SSL virtual host for servername test.mytesthost found
[Tue Dec 29 03:11:47.554113 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2319): [client 127.0.0.1:58060] AH02043: SSL virtual host for servername test.mytesthost found
[Tue Dec 29 03:11:47.554118 2020] [core:debug] [pid 8218:tid 140339011598080] protocol.c(2314): [client 127.0.0.1:58060] AH03155: select protocol from , choices=h2,http/1.1 for server test.mytesthost
[Tue Dec 29 03:11:47.638499 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(2235): [client 127.0.0.1:58060] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Tue Dec 29 03:11:47.638596 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x92 -> subcache 18)
[Tue Dec 29 03:11:47.638617 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 29 03:11:47.638621 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/204
[Tue Dec 29 03:11:47.638623 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 29 03:11:47.638699 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x2f -> subcache 15)
[Tue Dec 29 03:11:47.638721 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 29 03:11:47.638724 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/203
[Tue Dec 29 03:11:47.638726 2020] [socache_shmcb:debug] [pid 8218:tid 140339011598080] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 29 03:11:47.638824 2020] [ssl:debug] [pid 8218:tid 140339011598080] ssl_engine_kernel.c(383): [client 127.0.0.1:58060] AH02034: Initial (No.1) HTTPS request received for child 65 (server test.mytesthost:443)
[Tue Dec 29 03:11:47.638862 2020] [ssl:error] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH10129: verify client post handshake
[Tue Dec 29 03:11:47.638866 2020] [ssl:error] [pid 8218:tid 140339011598080] [client 127.0.0.1:58060] AH10158: cannot perform post-handshake authentication
[Tue Dec 29 03:11:47.638885 2020] [ssl:error] [pid 8218:tid 140339011598080] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Tue Dec 29 03:11:52.640565 2020] [ssl:debug] [pid 8218:tid 140338928809728] ssl_engine_io.c(1106): [client 127.0.0.1:58060] AH02001: Connection closed to child 66 with standard shutdown (server test.mytesthost:443)

答案1

正如 Gerald Schneider 所指出的,FF43 的問題是「CA 簽章摘要演算法太弱」。但這不是瀏覽器的問題,這是客戶端憑證的信任鏈的問題,它在較舊且較寬鬆的 Debian 和 OpenSSL 版本中被接受,但不再被接受;看https://wiki.debian.org/ContinouslyIntegration/TriagingTips/openssl-1.1.1。比較https://github.com/symless/synergy-core/issues/6561https://stackoverflow.com/questions/52218876/how-to-fix-ssl-issue-ssl-ctx-use-certificate-ca-md-too-weak-on-python-zeep(儘管這是伺服器自己的憑證而不是客戶端憑證)。具體來說,如果我正確地閱讀了程式碼,則鏈中的CA 憑證之一(根憑證除外,未檢查)的簽章使用弱於SHA256(又稱SHA-2)的雜湊值,該雜湊值已自2015 年以來大多數瀏覽器和CA/Brower 論壇所要求的最低要求。以擁有更強的憑證鏈。根據證書和獲得證書的 CA,這可能還需要新的 EE(最終實體=客戶端)證書,或者同一 EE 證書可能有更好的鏈。

FF78.6 的問題有所不同:「SSL_verify_client_post_handshake:未收到擴充功能」。 OpenSSL 1.1.1 支援 TLS 1.3,這改變了客戶端身份驗證的方式;具體來說,它現在是“握手後”操作,而不是“重新協商”(請參閱您的第一個日誌)。我的 FF78.6 副本確實支援此功能,因此出現此錯誤應該表示您的瀏覽器實例未正確安裝客戶端憑證或使用者未選擇/批准它。

相關內容