bash 如何强制 OpenSSL 使用旧密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/37619759/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to force OpenSSL to use old ciphers
提问by miken32
I'm trying to check the "security" certificate on an APC power distribution unit using OpenSSL from this shell script, but kept getting back an empty response.
我正在尝试使用此 shell 脚本中的 OpenSSL 检查 APC 配电单元上的“安全”证书,但一直收到空响应。
#!/bin/bash
host=192.168.242.27
port=443
cert=$(openssl s_client -connect "$host":"$port" 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p')
echo "We got a cert:"
echo $cert
So I did some debugging. I'm on a Mac, and have a MacPorts environment. Using the MacPorts version of OpenSSL to connect to the server, I get nothing:
所以我做了一些调试。我在 Mac 上,有一个 MacPorts 环境。使用 MacPorts 版本的 OpenSSL 连接到服务器,我什么也没得到:
? openssl version
OpenSSL 1.0.2h 3 May 2016
? openssl s_client -connect 192.168.242.27:443
CONNECTED(00000003)
140735258415184:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1464972048
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
But, using the built-in version I get a response:
但是,使用内置版本我得到一个回应:
? /usr/bin/openssl version
OpenSSL 0.9.8zh 14 Jan 2016
? /usr/bin/openssl s_client -connect 192.168.242.27:443
CONNECTED(00000003)
depth=0 /C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
i:/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC1DCCAl6gAwIBAgIIWotX81/0ywkwDQYJKoZIhvcNAQEFBQAwgasxCzAJBgNV
BAYTAlVTMRYwFAYDVQQIEw1EZWZhdWx0IFN0YXRlMRkwFwYDVQQHExBEZWZhdWx0
IExvY2FsaXR5MScwJQYDVQQKEx5BbWVyaWNhbiBQb3dlciBDb252ZXJzaW9uIENv
cnAxKTAnBgNVBAsTIEludGVybmFsbHkgR2VuZXJhdGVkIENlcnRpZmljYXRlMRUw
EwYDVQQDEww1QTEzMjBFMDUwNTEwHhcNMDEwOTEzMDk1NjU2WhcNMjIwOTEzMDk1
NjU2WjCBqzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDURlZmF1bHQgU3RhdGUxGTAX
BgNVBAcTEERlZmF1bHQgTG9jYWxpdHkxJzAlBgNVBAoTHkFtZXJpY2FuIFBvd2Vy
IENvbnZlcnNpb24gQ29ycDEpMCcGA1UECxMgSW50ZXJuYWxseSBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUxFTATBgNVBAMTDDVBMTMyMEUwNTA1MTB8MA0GCSqGSIb3DQEB
AQUAA2sAMGgCYQDch9OnR65LipagZvVj5VACX2UIzjtq/4/EjRID34r7+GABci2P
Gw1+UOKG1fc/AeUQdOrYKwpC4qzMmGij/H1mhEbvdc3FYtq4l8/f/Ou+mLW32SfJ
d/yMuL0gtq98oRsCAwEAAaNEMEIwEQYKKwYBBAGXVQMBBQQDAwEAMB0GA1UdDgQW
BBQUcKO5XStaWDQVNrzCuYli5ezggTAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcN
AQEFBQADYQB7XFmN6oBMT7sCRyHqoujjb/yCRvol19YBcIvzuMJiPOtzLrDOOqBc
QrROWPKq1RwPQnLzQ9bnbJ7dcMukrpmLrAA4T9SK0en+puTGtMqEsxFdX7mZr0ZG
wRCP+fFjCGU=
-----END CERTIFICATE-----
subject=/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
issuer=/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
---
No client certificate CA names sent
---
SSL handshake has read 848 bytes and written 280 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 768 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: E07867E677700F3E7F69FFCC96B4A158
Session-ID-ctx:
Master-Key: 16CB13EF51575C010EB50D37C353A276C108B6673D5FEFEA7B196F84C7ECD858AC00A3137C5AAB9758C50ED35B92BC8B
Key-Arg : None
Start Time: 1464972023
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
(Yes, that is RC4-MD5 cipher on a 2 year old piece of hardware; and no, I don't recommend anyone purchase one of these things.)
(是的,那是 2 年前硬件上的 RC4-MD5 密码;不,我不建议任何人购买这些东西。)
In production, I want to be able to do this from a Linux server where I will only have access to OpenSSL 1.0.2. I've tried with all sorts of arguments to openssl s_clientto disable and enable various combinations of SSL and TLS with no luck. So, is there a way to get a modern version of OpenSSL to talk to a device with weak crypto?
在生产中,我希望能够从我只能访问 OpenSSL 1.0.2 的 Linux 服务器执行此操作。我已经尝试使用各种参数来openssl s_client禁用和启用 SSL 和 TLS 的各种组合,但没有运气。那么,有没有办法让现代版本的 OpenSSL 与具有弱加密的设备通信?
回答by Andrew Henle
It's programming, because you likely have to build your own from source.
这是编程,因为您可能必须从源代码构建自己的程序。
See this from the OpenSSL 1.0.2g changelog:
看到这个从OpenSSL的1.0.2g的changelog:
Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers. [Viktor Dukhovni]
Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2.
在 OpenSSL 的默认版本中禁用 SSLv3 和更高版本中的弱密码。未配置“enable-weak-ssl-ciphers”的构建不会提供任何“EXPORT”或“LOW”强度的密码。[维克多·杜霍夫尼]
禁用 SSLv2 默认构建、默认协商和弱密码。默认情况下,SSLv2 在构建时被禁用。未配置“enable-ssl2”的构建将不支持 SSLv2。
