XMPP(jabber) 서버에서 인증서를 다운로드하여 로컬로 신뢰하는 방법은 무엇입니까?

Question

서버가 STARTTLS로 구성된 경우 위의 방법이 작동합니다. 클라이언트는 일반적으로 기본 포트 5222에서 암호화되지 않은 연결을 만든 다음 암호화된 연결 설정을 진행합니다. 하지만 제 경우에는 서버가 STARTTLS로 구성되지 않았는데, 이는 Secure Renegotiation IS NOT supported출력에 . 따라서 건너뛰기가 -starttls작동합니다.

$ openssl s_client -servername riabenko.com -connect xmpps-hosting.conversations.im:443
CONNECTED(00000003)
depth=1 C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
verify return:1
depth=0 CN = riabenko.com
verify return:1
---
Certificate chain
 0 s:CN = riabenko.com
   i:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 15 00:00:00 2021 GMT; NotAfter: Aug 15 00:00:00 2023 GMT
 1 s:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   i:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 11:54:28 2016 GMT; NotAfter: Dec 13 11:54:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFwzCCA6ugAwIBAgICAowwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCREUx
DzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRYwFAYDVQQKDA1Db252
ZXJzYXRpb25zMRAwDgYDVQQLDAdIb3N0aW5nMRkwFwYDVQQDDBBDb252ZXJzYXRp
b25zIENBMB4XDTIxMDgxNTAwMDAwMFoXDTIzMDgxNTAwMDAwMFowFzEVMBMGA1UE
AwwMcmlhYmVua28uY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
5Zn0YXgZOVxsHDDCNSrQlkM7llK2E1BiUKQ8JBPEeBjIP0WcfsrhXxVsiVg95TJK
H7sEFf9qPL1MSlT+4yM8luOOfb20XiFUsaZ4H4PUzi7w2xe11tQ5WZkZ3/eurY20
WeHjtkF6Tk50cHsRhrfR7LQVfAQjmozscw2QdfiEcAWV875wJn1TzdYOlD5ajsLU
h8zj/673mBrbz/e2NyUiQl9gbOvFn3vHOsU4Jbloq0frkwtdpjGSi4MkliWfrnb5
a5YBcVop8tigZIFH0DessnmUHLc4romH3dAg1PRS71tZLA/YC1zzw/7D+8jSXF7a
kVDcZcqqz2sjYnFPlwfc+O8rlUa0fdjpLpKlxs/YWgIlMdJibNVuonb3Q3CM/ZZp
hCMTYpObogOiYNZoq6EXaIBdskVSoXapLUOl+he4kNgWHZ/tNWQrEvnmwsBph6CZ
+yksHS6PZDFMrUMFzaeOnKFlvMJTVnElb8tvF6HUHNZVOQcqNIR4k+OjCWp824a8
o+UsYCM7BIqifEGsJRd6EI1nKtu5RUA2b2UTQVySfjcpVe0NSCsEoNXg4SONt2EU
40ieY31t/SDPEWMpORLseKBnnM4OVYgw3ui1j7PxYCrb/BRgADebUhsRv1Bjmp7o
u+RYbH5lRGST8duWDs2Tsk/3tIS++J8TpD3qt5817ZcCAwEAAaOBuzCBuDAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwHwYDVR0jBBgwFoAUMmRtKstGotqp53IyjFxGWuSeOY4wWAYDVR0R
BFEwT4IMcmlhYmVua28uY29tghdjb25mZXJlbmNlLnJpYWJlbmtvLmNvbYIScHJv
eHkucmlhYmVua28uY29tghJzaGFyZS5yaWFiZW5rby5jb20wDQYJKoZIhvcNAQEL
BQADggIBAJDwyHwJ2ddHGsRqQmBaRvKTzBt7nqIGevzIr6ezSMfXoutjzrQ0W4GV
e2hzaE4cjXYMvf/sDGZ89g0bSMKPUZzZVCiLTDDbdOAey+ECrrYI62CcPC8zJDIZ
Vy0oUfEzb9aeEIVmVYFqqfIp4Ecqs/WbzbK+DSV1Yrh/JA8NNG5Y3esh3LXfUaJP
lQyyedGjVC4TvDWiQocH6EbSEGLAIcjBX2XcXKHjn0/EjMxjsVMlxgUz01A3gn/2
8Tv8EypHl56inIuiu738G6gHaTQEDYVWakoNN/bJSCYlMp+KrBhi3FF3SsQllxoy
II/4WhPNngQxVgg54SBElGyXt6gyQ1VqJvHSiESr3XmU7riUofC3drmrX7PSzIX3
rLlQA+uT4AHg3DXQrwcXg001vI84QxWnkwnKbgE+9MgLy2CAKsE9/DwJoMakYNn9
LOumoOZOPguXppKboojRNHVRaac8X4/7SR6J0CFNGdcsb4bOtAioVqURSRE+PTQq
mlPWMi/PHqDrpQMvinBJZEjdMOGEweaesbcYMwpQtbGg4r1BA8gEEuiRVOeW1ykC
FxFxSrnDlvfhR08RywfPOhwf+rOs8G8QCiCZAaLKoNUPexigWUo20TsbigHwg69U
RralB5FBzrM01+4y0UV+umNRlEK8IhQDDl5Ap8LZGV/g8QMTk5+0
-----END CERTIFICATE-----
subject=CN = riabenko.com
issuer=C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3703 bytes and written 421 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: CAA294AB238F342CAB537680C748895158A7D0ECC9292A467A816857F33FD454C35A4A2E374E3D0BDF29BACA0FE5DFCC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1657319079
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: yes
---

^C

Ctrl+ 로 연결을 종료하고 C인증서(시작 -----BEGIN CERTIFICATE-----및 종료 -----END CERTIFICATE-----)를 파일에 저장한 다음 배포 지침에 따라 이를 신뢰 저장소에 추가했습니다. Fedora의 경우 다음과 같습니다.

$ cat /etc/pki/ca-trust/source/README
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information.

Answer 1

서버가 STARTTLS로 구성된 경우 위의 방법이 작동합니다. 클라이언트는 일반적으로 기본 포트 5222에서 암호화되지 않은 연결을 만든 다음 암호화된 연결 설정을 진행합니다. 하지만 제 경우에는 서버가 STARTTLS로 구성되지 않았는데, 이는 Secure Renegotiation IS NOT supported출력에 . 따라서 건너뛰기가 -starttls작동합니다.

$ openssl s_client -servername riabenko.com -connect xmpps-hosting.conversations.im:443
CONNECTED(00000003)
depth=1 C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
verify return:1
depth=0 CN = riabenko.com
verify return:1
---
Certificate chain
 0 s:CN = riabenko.com
   i:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 15 00:00:00 2021 GMT; NotAfter: Aug 15 00:00:00 2023 GMT
 1 s:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   i:C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 11:54:28 2016 GMT; NotAfter: Dec 13 11:54:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFwzCCA6ugAwIBAgICAowwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCREUx
DzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRYwFAYDVQQKDA1Db252
ZXJzYXRpb25zMRAwDgYDVQQLDAdIb3N0aW5nMRkwFwYDVQQDDBBDb252ZXJzYXRp
b25zIENBMB4XDTIxMDgxNTAwMDAwMFoXDTIzMDgxNTAwMDAwMFowFzEVMBMGA1UE
AwwMcmlhYmVua28uY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
5Zn0YXgZOVxsHDDCNSrQlkM7llK2E1BiUKQ8JBPEeBjIP0WcfsrhXxVsiVg95TJK
H7sEFf9qPL1MSlT+4yM8luOOfb20XiFUsaZ4H4PUzi7w2xe11tQ5WZkZ3/eurY20
WeHjtkF6Tk50cHsRhrfR7LQVfAQjmozscw2QdfiEcAWV875wJn1TzdYOlD5ajsLU
h8zj/673mBrbz/e2NyUiQl9gbOvFn3vHOsU4Jbloq0frkwtdpjGSi4MkliWfrnb5
a5YBcVop8tigZIFH0DessnmUHLc4romH3dAg1PRS71tZLA/YC1zzw/7D+8jSXF7a
kVDcZcqqz2sjYnFPlwfc+O8rlUa0fdjpLpKlxs/YWgIlMdJibNVuonb3Q3CM/ZZp
hCMTYpObogOiYNZoq6EXaIBdskVSoXapLUOl+he4kNgWHZ/tNWQrEvnmwsBph6CZ
+yksHS6PZDFMrUMFzaeOnKFlvMJTVnElb8tvF6HUHNZVOQcqNIR4k+OjCWp824a8
o+UsYCM7BIqifEGsJRd6EI1nKtu5RUA2b2UTQVySfjcpVe0NSCsEoNXg4SONt2EU
40ieY31t/SDPEWMpORLseKBnnM4OVYgw3ui1j7PxYCrb/BRgADebUhsRv1Bjmp7o
u+RYbH5lRGST8duWDs2Tsk/3tIS++J8TpD3qt5817ZcCAwEAAaOBuzCBuDAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwHwYDVR0jBBgwFoAUMmRtKstGotqp53IyjFxGWuSeOY4wWAYDVR0R
BFEwT4IMcmlhYmVua28uY29tghdjb25mZXJlbmNlLnJpYWJlbmtvLmNvbYIScHJv
eHkucmlhYmVua28uY29tghJzaGFyZS5yaWFiZW5rby5jb20wDQYJKoZIhvcNAQEL
BQADggIBAJDwyHwJ2ddHGsRqQmBaRvKTzBt7nqIGevzIr6ezSMfXoutjzrQ0W4GV
e2hzaE4cjXYMvf/sDGZ89g0bSMKPUZzZVCiLTDDbdOAey+ECrrYI62CcPC8zJDIZ
Vy0oUfEzb9aeEIVmVYFqqfIp4Ecqs/WbzbK+DSV1Yrh/JA8NNG5Y3esh3LXfUaJP
lQyyedGjVC4TvDWiQocH6EbSEGLAIcjBX2XcXKHjn0/EjMxjsVMlxgUz01A3gn/2
8Tv8EypHl56inIuiu738G6gHaTQEDYVWakoNN/bJSCYlMp+KrBhi3FF3SsQllxoy
II/4WhPNngQxVgg54SBElGyXt6gyQ1VqJvHSiESr3XmU7riUofC3drmrX7PSzIX3
rLlQA+uT4AHg3DXQrwcXg001vI84QxWnkwnKbgE+9MgLy2CAKsE9/DwJoMakYNn9
LOumoOZOPguXppKboojRNHVRaac8X4/7SR6J0CFNGdcsb4bOtAioVqURSRE+PTQq
mlPWMi/PHqDrpQMvinBJZEjdMOGEweaesbcYMwpQtbGg4r1BA8gEEuiRVOeW1ykC
FxFxSrnDlvfhR08RywfPOhwf+rOs8G8QCiCZAaLKoNUPexigWUo20TsbigHwg69U
RralB5FBzrM01+4y0UV+umNRlEK8IhQDDl5Ap8LZGV/g8QMTk5+0
-----END CERTIFICATE-----
subject=CN = riabenko.com
issuer=C = DE, ST = Berlin, L = Berlin, O = Conversations, OU = Hosting, CN = Conversations CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3703 bytes and written 421 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: CAA294AB238F342CAB537680C748895158A7D0ECC9292A467A816857F33FD454C35A4A2E374E3D0BDF29BACA0FE5DFCC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1657319079
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: yes
---

^C

Ctrl+ 로 연결을 종료하고 C인증서(시작 -----BEGIN CERTIFICATE-----및 종료 -----END CERTIFICATE-----)를 파일에 저장한 다음 배포 지침에 따라 이를 신뢰 저장소에 추가했습니다. Fedora의 경우 다음과 같습니다.

$ cat /etc/pki/ca-trust/source/README
This directory /etc/pki/ca-trust/source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information.

XMPP(jabber) 서버에서 인증서를 다운로드하여 로컬로 신뢰하는 방법은 무엇입니까?

답변1

관련 정보