On CentOS 8 the default OpenSSL configuration needs adjusting; otherwise some tools that use SSL run into problems when accessing older servers.
The case I ran into was an error when checking out a project from an old server with svn (access to the new server was fine):
[root@localhost projects]# svn co https://serverip/svn/Linux/hmi hmi
svn: E170013: Unable to connect to a repository at URL 'https://serverip/svn/Linux/hmi'
svn: E120171: Error running context: An error occurred during SSL communication
This happens because the protocol versions offered by the newer OpenSSL are not compatible with the SSL stack used on the server.
We can test this with the following command (the svn server uses port 443 by default):
[root@localhost projects]# openssl s_client -connect serverip:443
CONNECTED(00000004)
139911078549312:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 326 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Here we see that the server does not support the TLS version OpenSSL selects by default. We can add a TLS version parameter and test again (the OpenSSL I use supports -tls1_3, -tls1_2, -tls1_1 and -tls1; these are listed by `openssl s_client -help`, and you can try each of them). Below is the test with -tls1_2:
[root@localhost projects]# openssl s_client -connect serverip:443 -tls1_2
CONNECTED(00000004)
140651559294784:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 229 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1571377743
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
The other unsupported versions behave the same as above. Finally, testing with -tls1 shows that it is supported:
[root@localhost projects]# openssl s_client -connect serverip:443 -tls1
CONNECTED(00000004)
depth=0 CN = XL-20130626RGYL
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = XL-20130626RGYL
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = XL-20130626RGYL
i:CN = XL-20130626RGYL
---
Server certificate
subject=CN = XL-20130626RGYL
issuer=CN = XL-20130626RGYL
---
No client certificate CA names sent
---
SSL handshake has read 1208 bytes and written 450 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 3EF4974A0956383E4B754FF0DB9C7D068AC9E9554236B8B6DB0283C95D1BDD17
Session-ID-ctx:
Master-Key: C52AA0613109D428855B494F04C12B07032AFA52C1D7582D0BF429DE64C8DBFB76C77D5BD530AE79DD439F62B7F251BE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
Start Time: 1571378159
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
So we can conclude that the server supports TLS v1.0, and we need to lower the minimum TLS protocol version required by the system's OpenSSL to v1.0. First, search for the OpenSSL configuration files on the system:
[root@localhost projects]# find /etc/* -name "openssl*"
/etc/crypto-policies/back-ends/opensslcnf.config
/etc/crypto-policies/back-ends/openssl.config
/etc/pki/ca-trust/extracted/openssl
/etc/pki/tls/openssl.cnf
openssl.cnf is the OpenSSL configuration file; opening it shows that it also includes other configuration:
Opening the included configuration file opensslcnf.config shows the following:
It is enough to change the minimum protocol requirement to TLSv1 to support the older server.
Alternatively, you can search the /etc directory directly for the keyword MinProtocol (I don't recommend grep -r for the recursion here, because it does not follow symbolic links, which is unhelpful when looking for configuration; I recommend grep -R, which recurses and also follows symlinks):
[root@localhost projects]# grep -lR 'MinProtocol' /etc/*
grep: /etc/alternatives/policytool: No such file or directory
/etc/crypto-policies/back-ends/opensslcnf.config
grep: /etc/redhat-access-insights/redhat-access-insights.cron: No such file or directory
grep: /etc/redhat-access-insights/.registered: No such file or directory
grep: /etc/redhat-access-insights/.unregistered: No such file or directory
grep: /etc/redhat-access-insights/.lastupload: No such file or directory
grep: /etc/redhat-access-insights/machine-id: No such file or directory
Either way, the location of the OpenSSL configuration can be found quickly.
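The version-by-version probing done by hand above, scripted as an added example that is not part of the original post. It assumes the four version flags the author's `openssl s_client -help` lists, uses `serverip` as a placeholder host, and relies on the success/failure lines looking as they do in the captured sessions above (the self-check samples are constructed from them); run without a version flag after the MinProtocol change, it confirms the client side now accepts the server.

```shell
#!/bin/sh
# Added example (not from the original post): script the version-by-version
# probing done by hand above. "serverip" is a placeholder for the real host.

# handshake_ok: read `openssl s_client` output on stdin; succeed only if a
# cipher was negotiated. A refused version prints "New, (NONE), Cipher is (NONE)"
# (the later "Protocol : TLSv1.2" / "Cipher : 0000" lines in that output do not
# indicate a successful negotiation); an accepted one names the cipher,
# e.g. "New, SSLv3, Cipher is AES256-SHA".
handshake_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^New, .*Cipher is ' &&
        ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'
}

# probe_versions HOST [PORT]: try each version flag that the author's
# `openssl s_client -help` lists and report the server's answer.
probe_versions() {
    host=$1
    port=${2:-443}
    for flag in -tls1_3 -tls1_2 -tls1_1 -tls1; do
        # </dev/null closes stdin so s_client exits right after the handshake
        if openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | handshake_ok; then
            echo "$flag: supported"
        else
            echo "$flag: refused"
        fi
    done
}

# probe_default HOST [PORT]: no version flag, so the client's own MinProtocol
# decides; this is the check to repeat after editing opensslcnf.config.
probe_default() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>&1 | handshake_ok
}

if [ $# -gt 0 ]; then
    probe_versions "$@"
fi
```

The files under /etc/crypto-policies/back-ends/ on CentOS 8 are generated by update-crypto-policies, so a hand edit of opensslcnf.config can be overwritten by the next policy update; `update-crypto-policies --set LEGACY` is the supported way to allow TLSv1 system-wide, and probe_default reports whether the change took effect.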