우리는 Ubuntu 및 Debian 패키지용 로컬 미러를 호스팅합니다.
root@apt-mirror:~# dpkg -l | grep mirror
ii apt-mirror 0.5.4-1 all APT sources mirroring tool
SSL 없이 미러링 및 액세스 작업이 가능합니다.
root@db2:~# cat /etc/apt/sources.list.d/custom.apt-mirror.ubuntu.list
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates main universe
하지만 https를 통해 액세스를 사용하려면 다음과 같은 오류 메시지가 나타납니다.
OK:1 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security InRelease
Ign:2 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic InRelease
OK:3 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates InRelease
OK:4 http://apt-mirror.custom.de/repos.influxdata.com/ubuntu bionic InRelease
Fehl:5 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses insecure algorithm. Could not handshake: Error in the certificate verification. [IP: XXX.XXX.XXX.XXX 443]
Paketlisten werden gelesen... Fertig
E: Das Depot »https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release« enthält keine Release-Datei mehr.
N: Eine Aktualisierung von solch einem Depot kann nicht auf eine sichere Art durchgeführt werden, daher ist es standardmäßig deaktiviert.
N: Weitere Details zur Erzeugung von Paketdepots sowie zu deren Benutzerkonfiguration finden Sie in der Handbuchseite apt-secure(8).
체인의 모든 인증서를 호스트에서 사용할 수 있으므로 openssl을 사용한 테스트가 성공합니다.
root@db2:~# openssl s_client -showcerts -connect apt-mirror.custom.de:443
CONNECTED(00000005)
depth=3 C = DE, O = CUSTOM, CN = CUSTOM-Root CA
verify return:1
depth=2 C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
verify return:1
depth=1 C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
verify return:1
depth=0 C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
verify return:1
---
Certificate chain
0 s:C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
i:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
-----BEGIN CERTIFICATE-----
MIIGCjCCA/KgAwIBAgITMwAAAX9YNM4nCd6z0QACAAABfzANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1T
ZXJ2ZXIgQ0EgSW50ZXJuMB4XDTE4MTAwOTA3MzgxNVoXDTIwMTAwODA3MzgxNVow
#############################
lRV91hVW9bj4KsbyC4FGfK8+fgLPwlxBD+jwje43p9ZPY9WTxwcPFtIbT3fzxygX
/wmwQRRtg3aoICE61guje3URoP/qt+KSjFBmJ6cOGJne/rVXZ5etHHfSNfNqfJR4
ZAxfVfDN70m7SjYieB0DsJfbhYFqf8uaEQvkcMPr/vVXowDrjMTRBl+1CtM+q3G5
KzZm9qKKlZjWbAeuQ8o5myeu+E6tblJTQioz1jxlcSdWG0DjcjcDcPBFDB4/Qblb
KqPiEsGU+qRiwXqNjEWgSdUenOo4PlVVNUf+CsbbsoOdFV9qfG2G/ntXXbmoSPOZ
ZWv/8tDYfV+BCYVklcw=
-----END CERTIFICATE-----
1 s:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
i:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgITaQAAABQg6MjMFAQ5mAAAAAAAFDANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1Q
b2xpY3kgQ0EgSW50ZXJuMB4XDTE4MDUyMjEyNDAwOVoXDTIzMDUyMjEyNTAwOVow
PDELMAkGA1UEBhMCREUxDTALBgNVBAoTBEJHSFcxHjAcBgNVBAMTFUJHSFctU2Vy
dmVyIENBIEludGVybjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMtO
#############################
EkbVV9UkXWRosy8ENxfcMwynd7xQoTzTywYUazNaX9NcRPvwZZ4NfmP9Mxqru7Hj
PofizUDnpKyp521brf9b7d7tjM4cYiS1beSiraOuW+9MBsf6pnuYpORfKvCa3wEP
fNpjXPkpCU30xJadqMGR1xT0fehd0vJpXsdixcNJEDBMY+cKeGDpaYcTY1BmtUtZ
2YIXQv8BGZP6YsWJpX9odjW9I7/WS74b
-----END CERTIFICATE-----
2 s:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIGCTCCA/GgAwIBAgIKYUYc4wAAAAAAAzANBgkqhkiG9w0BAQUFADAzMQswCQYD
VQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290IENBMB4X
DTEyMDYyNjA5MzExOVoXDTIzMDYyNjA5NDExOVowPDELMAkGA1UEBhMCREUxDTAL
#############################
s/oRVYoW20m5bN26B0jsmVA41HPFH/xfRzciRy8xi0xYoS5QDBSMEFBdloCcAdlR
u77otTQ45MhW7iJ7qefJhlGixnaYaNe8my0rKFEZdT+So46WsLjYv7iE11Dp4tbJ
abDDRyYLQJYbGBoJdeEY30RJ7LFGpNlu6Mhj7puZza58uG/2VRs/olRbo9jCuYnc
/EeOmnBXGB1caha+og==
-----END CERTIFICATE-----
3 s:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIF7jCCA9agAwIBAgIQLjBY331L64pF+SwDb+wecDANBgkqhkiG9w0BAQUFADAz
MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290
IENBMB4XDTEyMDYyNjA4MTE0MFoXDTMwMDYyNjA4MjEzMFowMzELMAkGA1UEBhMC
##############################
DhW0PUKRBt+5qqyaHsCQJXGYqRREy/bznBQF7xV3nlRXqSlx+BoSR0PLjwgChzIj
AQWUjA0N3RYhQmb+jyRm48xJJRBXi4fVFzkh8+qQz9neF91XPqp6pHs57A44gPEj
YmlM58+4n2G90LohJT/aythka9QBjIqyLomMl4CQ5F4H+Q==
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
issuer=C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6963 bytes and written 413 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 80BBED0A0E87437094755EB7D611B8FF8ED3D94837500D84CDBDBAA4282516E9
Session-ID-ctx:
Master-Key: 915E404C840EC1C7EF840B618444D6BDC92FF12A2620000292E120C0F9B97FD1846A9B1F8B7835C0A8E3CE5F5AD6400D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e9 b0 15 43 aa ac 79 99-18 1e fb 60 03 5a 7a d5 ...C..y....`.Zz.
0010 - 27 20 e2 7a 87 de ea fe-0a 32 c6 57 e3 95 09 f9 ' .z.....2.W....
0020 - 8e dc 92 7f 80 1e 87 5f-af ad 63 70 ef e6 86 d0 ......._..cp....
0030 - 12 f5 67 65 26 2c 4f 02-a0 a6 a1 a8 f0 53 eb c2 ..ge&,O......S..
0040 - 2d 53 ba 95 13 50 b0 cb-a9 cf a4 4f fe b4 3c 24 -S...P.....O..<$
0050 - 4d 46 41 f4 dd 83 b8 2f-a7 e9 01 c2 27 70 27 b8 MFA..../....'p'.
0060 - 03 b8 20 8e 6e c1 e5 d9-30 1c 39 69 7d f7 f0 42 .. .n...0.9i}..B
0070 - a3 39 b3 3b f2 ac fc 99-d9 75 95 d0 3e 0d d9 b4 .9.;.....u..>...
0080 - dd c5 f0 f0 db 94 76 65-12 88 b1 00 4b 0b 88 f1 ......ve....K...
0090 - 5e dd 4c cc 50 5d 43 f7-10 86 1e 42 ea 8f 4c b9 ^.L.P]C....B..L.
00a0 - 30 5e b9 ec 83 78 c9 35-d7 00 9d 44 7a a2 07 be 0^...x.5...Dz...
00b0 - 53 57 78 43 b4 dc 2c f7-76 bd e6 ac 45 f7 5b 36 SWxC..,.v...E.[6
00c0 - 68 1a 07 f8 25 4e 4b 1e-f6 26 c8 89 3b 3a 38 1c h...%NK..&..;:8.
Start Time: 1580217557
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
여기에 작성된 것처럼 유효성 검사를 건너뛰고 싶지 않습니다.유효하지 않은 인증서를 쉽게 수락
이 체인이 안전하지 않은 알고리즘을 사용한다고 말하는 이유는 무엇입니까?
감사해요
답변1
링크PKI 솔루션굉장히 유용하다. 몇 가지 조사 끝에 정책 CA 인증서가 sha1 서명이라는 것을 알게 되었습니다. 이것은 체인의 안전하지 않은 알고리즘입니다. 정책 CA는 작년에 업데이트되었으며 현재 sha256으로 서명되었습니다. 이제 체인은 sha1 없이 연속되며 apt는 인증서를 수락합니다.
답변2
편집증처럼 들리네요. 소위 '인증서'는 민주적으로 합법적이며, 신뢰에 대한 욕구는 무엇입니까?
모든 인증서를 비활성화하고 (마지막으로) 민주주의를 달성하는 것은 어떨까요?