SSL_CTX_use_certificate:ca md too weak错误解决方案
使用mqtts的时候,连接提示错误:
mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1
Unable to connect (A TLS error occurred.).
加上调试信息打印
mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1 -d
Error: Unable to load client certificate "cert.pem".
OpenSSL Error[0]: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Unable to connect (A TLS error occurred.).
查看openssl软件版本
openssl
OpenSSL> version
OpenSSL 1.1.1f 31 Mar 2020
OpenSSL> quit
使用openssl s_client 测试
openssl s_client -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts
error setting certificate
140341384697152:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
出现同样的错误。
查看证书信息
openssl x509 -text -in cert.pem
Signature Algorithm: sha1WithRSAEncryption
众所周知,sha1算法很弱且已过时。应该就是这个原因了。
解决办法:
openssl s_client -cipher @SECLEVEL=0:ALL -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts
要确认就是sha1的问题,只需要这样就可以
openssl s_client -cipher @SECLEVEL=0:SHA1 -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts
mqtt在编译openssl的时候,使用DOPENSSL_TLS_SECURITY_LEVEL=0就可以了。
还有一个修改配置文件的方法,
修改/etc/ssl/openssl.cnf文件
在文件开头加上
openssl_conf = default_conf
在文件结尾加上
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0
验证测试:
openssl s_client -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts
CONNECTED(00000003)
...
verify return:1
这个方法来源于:https://askubuntu.com/questions/1231799/certificate-error-after-upgrade-to-20-04
原文:
I found a solution, according to the accepted answer of this question:
Ubuntu 20.04 - how to set lower SSL security level?In particular, the openSSL configuration file /etc/ssl/openssl.cnf
shall be modified in the following way.At the beginning, add openssl_conf = default_conf
At the end, add
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect] MinProtocol = TLSv1.2 CipherString =
DEFAULT:@SECLEVEL=0 After this modification, the certificate is
recognized without security errors.
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html
WARNING at this time setting the security level higher than 1 for
general internet use is likely to cause considerable interoperability
issues and is not recommended. This is because the SHA1 algorithm is
very widely used in certificates and will be rejected at levels higher
than 1 because it only offers 80 bits of security.The default security level can be configured when OpenSSL is compiled
by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. If not set then 1 is
used.
https://github.com/drwetter/testssl.sh/issues/1433
OpenSSL 1.1.0 introduced the ability to specify a security level:
https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_security_level.pod.
By default the security level is set to 1 unless a compile-time option
is used to set the default a different value. The security level may
also be set by the command line, e.g.,openssl s_client -cipher @SECLEVEL=0:ALL -connect 127.0.0.1:443 At the
moment, testssl.sh does not use the @SECLEVEL=n directive, but we may
want to look into using s_client_options() to add it in some
circumstances.