✔️ Tested on Debian 10 (buster) with curl 7.64.0.
1 Overview
- TLSv1.2 (OUT), TLS alert, bad certificate (554)
- SSL certificate verify result: EE certificate key too weak (66)
- curl: (60) SSL certificate problem: EE certificate key too weak
- Cause: once the openssl version is raised to 1.1.1c or later, (CA) certificates need a key size of at least 2048 bits[1]
root@localhost:~# openssl version
OpenSSL 1.1.1d 10 Sep 2019
root@localhost:~# curl -V
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
...
root@localhost:~# curl -vL https://deb.nodesyntaxhighlight.com/setup_12.x
* Expire in 0 ms for 6 (transfer 0x5560aa321f50)
* Uses proxy env variable https_proxy == 'http://10.20.30.40:80'
* Trying 10.20.30.40...
* TCP_NODELAY set
* Connected to 10.20.30.40 (10.20.30.40) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to deb.nodesyntaxhighlight.com:443
> CONNECT deb.nodesyntaxhighlight.com:443 HTTP/1.1
> Host: deb.nodesyntaxhighlight.com:443
> User-Agent: curl/7.64.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: EE certificate key too weak
* Closing connection 0
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2 Remediation
- The fundamental fix is to replace the SSL certificate, but in most cases that will not be under your control. Fix it on the client side instead.
2.1 CentOS 7
sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/' -i /etc/ssl/openssl.cnf
2.2 CentOS 8
update-crypto-policies --set LEGACY
2.3 Ubuntu / Debian
- If /etc/ssl/openssl.cnf already contains the lines below, modify them; if not, add them.
Edit example
# top of file
openssl_conf = default_conf
...
# bottom of file
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=2 # modify if present
CipherString = DEFAULT@SECLEVEL=1
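The Ubuntu/Debian edit above as an added example (not from the original page) written as a shell function that can be run more than once without duplicating lines: it prepends the openssl_conf directive if missing, rewrites an existing SECLEVEL=2 CipherString, or appends the section when absent. It assumes GNU sed and takes the config path as a parameter so the change can be rehearsed on a copy before touching /etc/ssl/openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original page: apply the Ubuntu/Debian change
# idempotently. Requires GNU sed (-i and the one-line 'a' command).
# Note that SECLEVEL=1 lowers the minimum key size for every program that
# reads the system openssl.cnf, not only curl.

set_seclevel1() {
    conf="$1"
    # 1. Top of file: make sure the openssl_conf directive points at default_conf.
    if ! grep -q '^openssl_conf *= *default_conf' "$conf"; then
        tmp=$(mktemp)
        printf 'openssl_conf = default_conf\n' > "$tmp"
        cat "$conf" >> "$tmp"
        cat "$tmp" > "$conf"    # write through, keeping the original owner/mode
        rm -f "$tmp"
    fi
    # 2. An existing CipherString at SECLEVEL=2 is rewritten in place.
    if grep -q '^CipherString *= *DEFAULT@SECLEVEL=2' "$conf"; then
        sed -i 's/^CipherString *= *DEFAULT@SECLEVEL=2.*/CipherString = DEFAULT@SECLEVEL=1/' "$conf"
    # 3. Section missing entirely: append the block from the page.
    elif ! grep -q '^\[ *system_default_sect *\]' "$conf"; then
        cat >> "$conf" <<'EOF'

[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
EOF
    # 4. Section present but no CipherString line: add one under its header.
    elif ! grep -q '^CipherString' "$conf"; then
        sed -i '/^\[ *system_default_sect *\]/a CipherString = DEFAULT@SECLEVEL=1' "$conf"
    fi
}

# Prints the SECLEVEL the file currently requests ("1", "2", or nothing if unset).
current_seclevel() {
    sed -n 's/^CipherString *= *DEFAULT@SECLEVEL=\([0-9]\).*/\1/p' "$1" | tail -n 1
}

# Usage: sh seclevel.sh /etc/ssl/openssl.cnf   (or a copy of it first)
if [ "$#" -gt 0 ]; then
    set_seclevel1 "$1" && echo "now SECLEVEL=$(current_seclevel "$1")"
fi
```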
3 See also
4 References