Ubuntu

apt 證書鏈使用不安全的算法

  • January 28, 2020

我們為 Ubuntu 和 Debian 軟體包託管本地鏡像。

root@apt-mirror:~# dpkg -l | grep mirror
ii  apt-mirror                            0.5.4-1                                         all          APT sources mirroring tool

鏡像和訪問在沒有 ssl 的情況下工作正常。

root@db2:~# cat /etc/apt/sources.list.d/custom.apt-mirror.ubuntu.list
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates main universe

但是如果我想通過 https 使用訪問,我會收到以下錯誤消息

OK:1 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security InRelease
Ign:2 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic InRelease
OK:3 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates InRelease
OK:4 http://apt-mirror.custom.de/repos.influxdata.com/ubuntu bionic InRelease
Fehl:5 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release
 Certificate verification failed: The certificate is NOT trusted. The certificate chain uses insecure algorithm.  Could not handshake: Error in the certificate verification. [IP: XXX.XXX.XXX.XXX 443]
Paketlisten werden gelesen... Fertig
E: Das Depot »https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release« enthält keine Release-Datei mehr.
N: Eine Aktualisierung von solch einem Depot kann nicht auf eine sichere Art durchgeführt werden, daher ist es standardmäßig deaktiviert.
N: Weitere Details zur Erzeugung von Paketdepots sowie zu deren Benutzerkonfiguration finden Sie in der Handbuchseite apt-secure(8).

鏈中的所有證書在主機上都可用,因此使用 openssl 測試成功:

root@db2:~# openssl s_client -showcerts -connect apt-mirror.custom.de:443
CONNECTED(00000005)
depth=3 C = DE, O = CUSTOM, CN = CUSTOM-Root CA
verify return:1
depth=2 C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
verify return:1
depth=1 C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
verify return:1
depth=0 C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
verify return:1
---
Certificate chain
0 s:C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
  i:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
-----BEGIN CERTIFICATE-----
MIIGCjCCA/KgAwIBAgITMwAAAX9YNM4nCd6z0QACAAABfzANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1T
ZXJ2ZXIgQ0EgSW50ZXJuMB4XDTE4MTAwOTA3MzgxNVoXDTIwMTAwODA3MzgxNVow
#############################
lRV91hVW9bj4KsbyC4FGfK8+fgLPwlxBD+jwje43p9ZPY9WTxwcPFtIbT3fzxygX
/wmwQRRtg3aoICE61guje3URoP/qt+KSjFBmJ6cOGJne/rVXZ5etHHfSNfNqfJR4
ZAxfVfDN70m7SjYieB0DsJfbhYFqf8uaEQvkcMPr/vVXowDrjMTRBl+1CtM+q3G5
KzZm9qKKlZjWbAeuQ8o5myeu+E6tblJTQioz1jxlcSdWG0DjcjcDcPBFDB4/Qblb
KqPiEsGU+qRiwXqNjEWgSdUenOo4PlVVNUf+CsbbsoOdFV9qfG2G/ntXXbmoSPOZ
ZWv/8tDYfV+BCYVklcw=
-----END CERTIFICATE-----
1 s:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
  i:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgITaQAAABQg6MjMFAQ5mAAAAAAAFDANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1Q
b2xpY3kgQ0EgSW50ZXJuMB4XDTE4MDUyMjEyNDAwOVoXDTIzMDUyMjEyNTAwOVow
PDELMAkGA1UEBhMCREUxDTALBgNVBAoTBEJHSFcxHjAcBgNVBAMTFUJHSFctU2Vy
dmVyIENBIEludGVybjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMtO
#############################
EkbVV9UkXWRosy8ENxfcMwynd7xQoTzTywYUazNaX9NcRPvwZZ4NfmP9Mxqru7Hj
PofizUDnpKyp521brf9b7d7tjM4cYiS1beSiraOuW+9MBsf6pnuYpORfKvCa3wEP
fNpjXPkpCU30xJadqMGR1xT0fehd0vJpXsdixcNJEDBMY+cKeGDpaYcTY1BmtUtZ
2YIXQv8BGZP6YsWJpX9odjW9I7/WS74b
-----END CERTIFICATE-----
2 s:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
  i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIGCTCCA/GgAwIBAgIKYUYc4wAAAAAAAzANBgkqhkiG9w0BAQUFADAzMQswCQYD
VQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290IENBMB4X
DTEyMDYyNjA5MzExOVoXDTIzMDYyNjA5NDExOVowPDELMAkGA1UEBhMCREUxDTAL
#############################
s/oRVYoW20m5bN26B0jsmVA41HPFH/xfRzciRy8xi0xYoS5QDBSMEFBdloCcAdlR
u77otTQ45MhW7iJ7qefJhlGixnaYaNe8my0rKFEZdT+So46WsLjYv7iE11Dp4tbJ
abDDRyYLQJYbGBoJdeEY30RJ7LFGpNlu6Mhj7puZza58uG/2VRs/olRbo9jCuYnc
/EeOmnBXGB1caha+og==
-----END CERTIFICATE-----
3 s:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
  i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIF7jCCA9agAwIBAgIQLjBY331L64pF+SwDb+wecDANBgkqhkiG9w0BAQUFADAz
MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290
IENBMB4XDTEyMDYyNjA4MTE0MFoXDTMwMDYyNjA4MjEzMFowMzELMAkGA1UEBhMC
##############################
DhW0PUKRBt+5qqyaHsCQJXGYqRREy/bznBQF7xV3nlRXqSlx+BoSR0PLjwgChzIj
AQWUjA0N3RYhQmb+jyRm48xJJRBXi4fVFzkh8+qQz9neF91XPqp6pHs57A44gPEj
YmlM58+4n2G90LohJT/aythka9QBjIqyLomMl4CQ5F4H+Q==
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de

issuer=C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6963 bytes and written 413 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
   Session-ID: 80BBED0A0E87437094755EB7D611B8FF8ED3D94837500D84CDBDBAA4282516E9
   Session-ID-ctx:
   Master-Key: 915E404C840EC1C7EF840B618444D6BDC92FF12A2620000292E120C0F9B97FD1846A9B1F8B7835C0A8E3CE5F5AD6400D
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   TLS session ticket lifetime hint: 300 (seconds)
   TLS session ticket:
   0000 - e9 b0 15 43 aa ac 79 99-18 1e fb 60 03 5a 7a d5   ...C..y....`.Zz.
   0010 - 27 20 e2 7a 87 de ea fe-0a 32 c6 57 e3 95 09 f9   ' .z.....2.W....
   0020 - 8e dc 92 7f 80 1e 87 5f-af ad 63 70 ef e6 86 d0   ......._..cp....
   0030 - 12 f5 67 65 26 2c 4f 02-a0 a6 a1 a8 f0 53 eb c2   ..ge&,O......S..
   0040 - 2d 53 ba 95 13 50 b0 cb-a9 cf a4 4f fe b4 3c 24   -S...P.....O..<$
   0050 - 4d 46 41 f4 dd 83 b8 2f-a7 e9 01 c2 27 70 27 b8   MFA..../....'p'.
   0060 - 03 b8 20 8e 6e c1 e5 d9-30 1c 39 69 7d f7 f0 42   .. .n...0.9i}..B
   0070 - a3 39 b3 3b f2 ac fc 99-d9 75 95 d0 3e 0d d9 b4   .9.;.....u..>...
   0080 - dd c5 f0 f0 db 94 76 65-12 88 b1 00 4b 0b 88 f1   ......ve....K...
   0090 - 5e dd 4c cc 50 5d 43 f7-10 86 1e 42 ea 8f 4c b9   ^.L.P]C....B..L.
   00a0 - 30 5e b9 ec 83 78 c9 35-d7 00 9d 44 7a a2 07 be   0^...x.5...Dz...
   00b0 - 53 57 78 43 b4 dc 2c f7-76 bd e6 ac 45 f7 5b 36   SWxC..,.v...E.[6
   00c0 - 68 1a 07 f8 25 4e 4b 1e-f6 26 c8 89 3b 3a 38 1c   h...%NK..&..;:8.

   Start Time: 1580217557
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: yes
---

我不想跳過驗證,就像這裡寫的:apt-accept-an-invalid-certificate

為什麼要說,鏈使用不安全的算法?

謝謝

PKISolutions連結非常有用。經過研究,我看到策略 ca 證書是 sha1 簽名的。這就是鏈中不安全的算法。策略 CA 去年更新,現在使用 sha256 簽名。現在鏈一直沒有 sha1 並且 apt 接受證書。

引用自:https://unix.stackexchange.com/questions/564554

相關問答

Ubuntu

我應該如何將 SSL 證書(使用 Certbot 製作)從一個 Ubuntu 伺服器移動到另一個?

  • November 12, 2020
檢視問答
Ssl

Ubuntu 18.04 中的 CA 證書位置

  • December 10, 2018
檢視問答
Ubuntu

不允許多個 RSA 伺服器證書

  • August 10, 2016
檢視問答
Ubuntu

sudo apt update –allow-unauthenticated 給出錯誤“儲存庫沒有發布文件”“無法安全地從這樣的儲存庫更新”

  • October 13, 2022
檢視問答
Ssl

讓我們加密證書失敗“openssl verify”驗證

  • September 2, 2022
檢視問答
Ssl

sendmail:“TLS_Clt”是否支持 /etc/mail/access 中的 CIDR 格式的網路塊?

  • July 7, 2022
檢視問答