我试图检查"安全"在这个shell脚本中使用OpenSSL的APC配电单元上的证书,但不断回复空的响应。
#!/bin/bash
host=192.168.242.27
port=443
cert=$(openssl s_client -connect "$host":"$port" 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p')
echo "We got a cert:"
echo $cert
所以我做了一些调试。我在Mac上,并拥有MacPorts环境。使用MacPorts版本的OpenSSL连接到服务器,我什么都没得到:
❱ openssl version
OpenSSL 1.0.2h 3 May 2016
❱ openssl s_client -connect 192.168.242.27:443
CONNECTED(00000003)
140735258415184:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1464972048
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是,使用内置版本我会收到回复:
❱ /usr/bin/openssl version
OpenSSL 0.9.8zh 14 Jan 2016
❱ /usr/bin/openssl s_client -connect 192.168.242.27:443
CONNECTED(00000003)
depth=0 /C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
i:/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC1DCCAl6gAwIBAgIIWotX81/0ywkwDQYJKoZIhvcNAQEFBQAwgasxCzAJBgNV
BAYTAlVTMRYwFAYDVQQIEw1EZWZhdWx0IFN0YXRlMRkwFwYDVQQHExBEZWZhdWx0
IExvY2FsaXR5MScwJQYDVQQKEx5BbWVyaWNhbiBQb3dlciBDb252ZXJzaW9uIENv
cnAxKTAnBgNVBAsTIEludGVybmFsbHkgR2VuZXJhdGVkIENlcnRpZmljYXRlMRUw
EwYDVQQDEww1QTEzMjBFMDUwNTEwHhcNMDEwOTEzMDk1NjU2WhcNMjIwOTEzMDk1
NjU2WjCBqzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDURlZmF1bHQgU3RhdGUxGTAX
BgNVBAcTEERlZmF1bHQgTG9jYWxpdHkxJzAlBgNVBAoTHkFtZXJpY2FuIFBvd2Vy
IENvbnZlcnNpb24gQ29ycDEpMCcGA1UECxMgSW50ZXJuYWxseSBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUxFTATBgNVBAMTDDVBMTMyMEUwNTA1MTB8MA0GCSqGSIb3DQEB
AQUAA2sAMGgCYQDch9OnR65LipagZvVj5VACX2UIzjtq/4/EjRID34r7+GABci2P
Gw1+UOKG1fc/AeUQdOrYKwpC4qzMmGij/H1mhEbvdc3FYtq4l8/f/Ou+mLW32SfJ
d/yMuL0gtq98oRsCAwEAAaNEMEIwEQYKKwYBBAGXVQMBBQQDAwEAMB0GA1UdDgQW
BBQUcKO5XStaWDQVNrzCuYli5ezggTAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcN
AQEFBQADYQB7XFmN6oBMT7sCRyHqoujjb/yCRvol19YBcIvzuMJiPOtzLrDOOqBc
QrROWPKq1RwPQnLzQ9bnbJ7dcMukrpmLrAA4T9SK0en+puTGtMqEsxFdX7mZr0ZG
wRCP+fFjCGU=
-----END CERTIFICATE-----
subject=/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
issuer=/C=US/ST=Default State/L=Default Locality/O=American Power Conversion Corp/OU=Internally Generated Certificate/CN=5A1320E05051
---
No client certificate CA names sent
---
SSL handshake has read 848 bytes and written 280 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 768 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: E07867E677700F3E7F69FFCC96B4A158
Session-ID-ctx:
Master-Key: 16CB13EF51575C010EB50D37C353A276C108B6673D5FEFEA7B196F84C7ECD858AC00A3137C5AAB9758C50ED35B92BC8B
Key-Arg : None
Start Time: 1464972023
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
(是的,这是2年硬件上的RC4-MD5密码;不,我不建议任何人购买这些东西。)
在生产中,我希望能够从Linux服务器执行此操作,我只能访问OpenSSL 1.0.2。我已尝试使用openssl s_client的各种参数来禁用和启用SSL和TLS的各种组合,但没有运气。那么,是否有办法让现有版本的OpenSSL与具有弱加密的设备通信?
答案 0 :(得分:3)
它的编程,因为您可能需要从源代码构建自己的编程。
请参阅此from the OpenSSL 1.0.2g changelog:
在默认的OpenSSL版本中禁用SSLv3中的弱密码。 未使用" enable-weak-ssl-ciphers"配置的构建。将不会 提供任何"出口"或"低"强度密码。 [Viktor Dukhovni]
禁用SSLv2默认构建,默认协商和弱密码。 的SSLv2 默认情况下,在构建时禁用。未配置的构建 "使-SSL2"不支持SSLv2。