curl: (60) SSL certificate problem: CA certificate key too weak

1 Overview

curl: (60) SSL certificate problem: CA certificate key too weak
  • Cause: from openssl 1.1.1c on, (CA) certificates need a key of at least 2048 bits[1]

2 Problem

root@wsl:~# curl https://google.com
curl: (60) SSL certificate problem: CA certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@wsl:~# curl -k https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
root@wsl:~# curl --ciphers DEFAULT:@SECLEVEL=1 https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
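The shell script below is an added example and is not part of the original page. Rather than lowering SECLEVEL system-wide (which relaxes every TLS connection on the host, not just this curl call), it reports the key algorithm and key size of each certificate in a saved PEM chain and flags the ones that fall below the SECLEVEL=2 minimum (RSA/DSA/DH under 2048 bits, EC under 224 bits), so you can see which CA certificate actually triggers "CA certificate key too weak". It assumes the openssl command-line tool is installed; the three self-signed test certificates it generates are constructed input, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): find which certificate in a chain
# is too weak for OpenSSL security level 2 before deciding to lower SECLEVEL.
# Assumes the openssl CLI is installed. In practice, feed it a PEM bundle saved
# from `openssl s_client -connect host:443 -showcerts`.

# Key algorithm of the first certificate in a PEM file (rsaEncryption, id-ecPublicKey, ...)
cert_key_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public Key Algorithm: *\(.*\)$/\1/p' | head -n 1
}

# Public key size in bits of the first certificate in a PEM file
cert_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Minimum key size accepted at SECLEVEL=2 (112-bit security):
# RSA/DSA/DH keys need >= 2048 bits, EC keys >= 224 bits.
min_bits_level2() {
  case "$1" in
    id-ecPublicKey) echo 224 ;;
    *)              echo 2048 ;;
  esac
}

# Succeeds (exit 0) when the certificate would be rejected at SECLEVEL=2
cert_too_weak() {
  alg=$(cert_key_alg "$1")
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -lt "$(min_bits_level2 "$alg")" ]
}

# Split a PEM bundle into one file per certificate and report each one:
# "<subject> <alg> <bits> OK|TOO_WEAK". Returns 1 if any certificate is weak.
report_bundle() {
  dir=$(mktemp -d)
  weak=0
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$1"
  for f in "$dir"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
    if cert_too_weak "$f"; then status=TOO_WEAK; weak=1; else status=OK; fi
    printf '%s %s %s %s\n' "$subj" "$(cert_key_alg "$f")" "$(cert_key_bits "$f")" "$status"
  done
  rm -rf "$dir"
  return $weak
}

# Constructed test input: self-signed certs with 1024-bit RSA, 2048-bit RSA and P-256 EC keys
TEST_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:1024 -nodes -keyout "$TEST_DIR/weak.key" \
  -out "$TEST_DIR/weak.pem" -days 1 -subj "/CN=weak-rsa-1024" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$TEST_DIR/ok.key" \
  -out "$TEST_DIR/ok.pem" -days 1 -subj "/CN=ok-rsa-2048" >/dev/null 2>&1
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$TEST_DIR/ec.key" -out "$TEST_DIR/ec.pem" -days 1 -subj "/CN=ok-ec-p256" >/dev/null 2>&1
WEAK_CERT="$TEST_DIR/weak.pem"
OK_CERT="$TEST_DIR/ok.pem"
EC_CERT="$TEST_DIR/ec.pem"
CHAIN="$TEST_DIR/chain.pem"
cat "$OK_CERT" "$WEAK_CERT" "$EC_CERT" > "$CHAIN"

# Stand-alone run: one line per certificate; the 1024-bit RSA one is flagged TOO_WEAK
report_bundle "$CHAIN" || echo "at least one certificate is too weak for SECLEVEL=2"
```

Run it against a real chain by saving `openssl s_client -connect host:443 -showcerts </dev/null` output to a file and calling report_bundle on it; a TOO_WEAK line names the certificate that has to be replaced (or the CA bundle entry that has to be updated) for the default security level to accept the connection again.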

3 Fix

3.1 CentOS 7

sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' -i /etc/ssl/openssl.cnf

3.2 CentOS 8

update-crypto-policies --set LEGACY

3.3 Ubuntu 24.04

root@wsl:~# vi /etc/ssl/openssl.cnf
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

3.4 Debian

root@wsl:~# vi /etc/ssl/openssl.cnf
...
HOME                    = .

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
...
root@wsl:~# curl https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
