curl: (60) SSL certificate problem: EE certificate key too weak

((60) SSL certificate problem: EE certificate key too weak에서 넘어옴)

1 개요[ | ]

TLSv1.2 (OUT), TLS alert, bad certificate (554)
SSL certificate verify result: EE certificate key too weak (66)
curl: (60) SSL certificate problem: EE certificate key too weak
  • 원인: openssl 버전이 1.1.1c 이상으로 올라가면서 key size 2048비트 이상의 (CA) 인증서 필요[1]
root@localhost:~# openssl version
OpenSSL 1.1.1d  10 Sep 2019
root@localhost:~# curl -V
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
...
root@localhost:~# curl -vL https://deb.nodesyntaxhighlight.com/setup_12.x
* Expire in 0 ms for 6 (transfer 0x5560aa321f50)
* Uses proxy env variable https_proxy == 'http://10.20.30.40:80'
*   Trying 10.20.30.40...
* TCP_NODELAY set
* Connected to 10.20.30.40 (10.20.30.40) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to deb.nodesyntaxhighlight.com:443
> CONNECT deb.nodesyntaxhighlight.com:443 HTTP/1.1
> Host: deb.nodesyntaxhighlight.com:443
> User-Agent: curl/7.64.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: EE certificate key too weak
* Closing connection 0
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

2 조치방법[ | ]

  • 근본적인 조치방법은 SSL 인증서를 교체하는 것이지만, 내 소관이 아닌 경우가 대부분일 것이다. 클라이언트 측에서 조치하자.

2.1 CentOS 7[ | ]

sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' -i /etc/ssl/openssl.cnf

2.2 CentOS 8[ | ]

update-crypto-policies --set LEGACY

2.3 Ubuntu / Debian[ | ]

수정 예시
# 최상단
openssl_conf = default_conf

...

# 최하단
[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2 # 있으면 수정
CipherString = DEFAULT@SECLEVEL=1

3 같이 보기[ | ]

4 참고[ | ]

문서 댓글 ({{ doc_comments.length }})
{{ comment.name }} {{ comment.created | snstime }}