OpenSSL DH密钥太小错误 [英] OpenSSL DH Key Too Small Error
问题描述
我正在尝试使用简单的PERL脚本连接到已关闭的服务器-空调-
I am trying to connect to a closed-off server - an air-conditioner - using a simple PERL script
#!/usr/bin/perl
use 5.10.1;
use warnings;
use strict;
use IO::Socket::SSL;
use IO::Socket::SSL qw/debug3/;
my $sock = IO::Socket::SSL->new(
PeerHost => '192.168.1.4',
PeerPort => 2878,
verify_hostname => 0,
SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verifycn_scheme => undef
) or die "failed connect or ssl handshake: $!,$SSL_ERROR";
print "$sock\n";
现在,这一切都很好,然后,我精确地更新了OpenSSL(libssl1.0.0),然后一切都变得松散了:
Now, this was all working well and good, then I updated OpenSSL (libssl1.0.0) to be exact, and all hell broke loose:
DEBUG: .../IO/Socket/SSL.pm:220: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1653: new ctx 1984680
DEBUG: .../IO/Socket/SSL.pm:363: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:365: socket connected
DEBUG: .../IO/Socket/SSL.pm:383: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::INET6 configuration failed error:00000000:lib(0):func(0):reason(0)
DEBUG: .../IO/Socket/SSL.pm:1690: free ctx 1984680 open=1984680
DEBUG: .../IO/Socket/SSL.pm:1698: OK free ctx 1984680
failed connect or ssl handshake: ,IO::Socket::INET6 configuration failed error:00000000:lib(0):func(0):reason(0) at ./spare line 9.
我很高兴使用任何替代软件包来解决此问题,但是我确实需要解决它,因为我无法更新空调上的证书...
I am happy to use any alternative packages to get around this, but I do need to get around it, as I can't update the certificate on the air-conditioner...
我已经研究过使用LWP和原始Net:SSLeay,但是问题似乎出在底层的OpenSSL库中.
I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.
推荐答案
... SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
我已经研究过使用LWP和原始Net:SSLeay,但是问题似乎出在底层的OpenSSL库中.
I have looked in to using LWP and raw Net:SSLeay, but the problem seems to be in the underlying OpenSSL libs.
虽然这是由OpenSSL更改引起的,但问题实际上出在服务器端.服务器在密钥交换中使用了弱DH密钥,并且由于 Logjam攻击,最新版本的OpenSSL强制使用了非弱DH密钥.
While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.
如果服务器支持不使用DH密钥交换的密码,则可以通过限制客户端提供的密码以使它们不包含任何DH密码来解决此问题.
If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.
my $sock = IO::Socket::SSL->new(..., SSL_cipher_list => 'DEFAULT:!DH' ...);
除了像这样简单地禁用任何验证之外,这是不好的:
Apart from that simply disabling any validation like you do is bad:
...
verify_hostname => 0,
SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verifycn_scheme => undef
对于一个,verify_hostname根本不是有效参数(仅适用于LWP).另外,如果您禁用SSL_verify_mode的验证功能,则无需设置SSL_verifycn_scheme,因为没有验证也就意味着没有对证书主题的验证.
For one, verify_hostname is not a valid parameter at all (this is for LWP only). Also, you don't need to set a SSL_verifycn_scheme if you disable validation with SSL_verify_mode since no validation also means no validation of the certificates subject.
但是比禁用验证要好得多的方法是使用SSL_fingerprint来指定您期望使用的证书,从而对自签名或过期的证书进行适当的检查.有关更多信息,请参见IO :: Socket :: SSL文档中的常见用法错误.信息.
But much better than disabling validation would be to use SSL_fingerprint to specify which certificate you expect and thus have a proper check even for self-signed or expired certificates. See common usage errors in the IO::Socket::SSL documentation for more information.
这篇关于OpenSSL DH密钥太小错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
