OpenSSL DH 密钥太小错误 [英] OpenSSL DH Key Too Small Error
问题描述
我正在尝试使用一个简单的 PERL 脚本连接到一个封闭的服务器 - 一台空调
I am trying to connect to a closed-off server - an air-conditioner - using a simple PERL script
#!/usr/bin/perl
use 5.10.1;
use warnings;
use strict;
use IO::Socket::SSL;
use IO::Socket::SSL qw/debug3/;
my $sock = IO::Socket::SSL->new(
PeerHost => '192.168.1.4',
PeerPort => 2878,
verify_hostname => 0,
SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verifycn_scheme => undef
) or die "failed connect or ssl handshake: $!,$SSL_ERROR";
print "$sock
";
现在,这一切都运行良好,然后我更新了 OpenSSL (libssl1.0.0) 准确地说,一切都崩溃了:
Now, this was all working well and good, then I updated OpenSSL (libssl1.0.0) to be exact, and all hell broke loose:
DEBUG: .../IO/Socket/SSL.pm:220: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1653: new ctx 1984680
DEBUG: .../IO/Socket/SSL.pm:363: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:365: socket connected
DEBUG: .../IO/Socket/SSL.pm:383: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::INET6 configuration failed error:00000000:lib(0):func(0):reason(0)
DEBUG: .../IO/Socket/SSL.pm:1690: free ctx 1984680 open=1984680
DEBUG: .../IO/Socket/SSL.pm:1698: OK free ctx 1984680
failed connect or ssl handshake: ,IO::Socket::INET6 configuration failed error:00000000:lib(0):func(0):reason(0) at ./spare line 9.
我很乐意使用任何替代软件包来解决这个问题,但我确实需要解决它,因为我无法更新空调上的证书...
I am happy to use any alternative packages to get around this, but I do need to get around it, as I can't update the certificate on the air-conditioner...
我曾考虑使用 LWP 和原始 Net:SSLeay,但问题似乎出在底层 OpenSSL 库中.
I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.
推荐答案
... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
我曾考虑使用 LWP 和原始 Net:SSLeay,但问题似乎出在底层 OpenSSL 库中.
I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.
虽然它是由 OpenSSL 的更改引起的,但问题实际上出在服务器端.服务器在密钥交换中使用弱 DH 密钥,并且由于 Logjam 攻击,最新版本的 OpenSSL 强制使用非弱 DH 密钥.
While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.
如果服务器支持不使用 DH 密钥交换的密码,您可以通过限制客户端提供的密码使它们不包含任何 DH 密码来解决该问题.
If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.
my $sock = IO::Socket::SSL->new(..., SSL_cipher_list => 'DEFAULT:!DH' ...);
除此之外,像您一样简单地禁用任何验证都是不好的:
Apart from that simply disabling any validation like you do is bad:
...
verify_hostname => 0,
SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verifycn_scheme => undef
一方面,verify_hostname 根本不是有效参数(这仅适用于 LWP).此外,如果您使用 SSL_verify_mode 禁用验证,则无需设置 SSL_verifycn_scheme,因为不验证也意味着不验证证书主题.
For one, verify_hostname is not a valid parameter at all (this is for LWP only). Also, you don't need to set a SSL_verifycn_scheme if you disable validation with SSL_verify_mode since no validation also means no validation of the certificates subject.
但比禁用验证要好得多的是使用 SSL_fingerprint 来指定您期望的证书,从而对自签名或过期的证书进行适当的检查.有关更多信息,请参阅 IO::Socket::SSL 文档中的常见用法错误信息.
But much better than disabling validation would be to use SSL_fingerprint to specify which certificate you expect and thus have a proper check even for self-signed or expired certificates. See common usage errors in the IO::Socket::SSL documentation for more information.
这篇关于OpenSSL DH 密钥太小错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
