我使用下面给出的脚本编译了带有 fips 的 Openssl 3.1.0。安装成功并且工作正常。但是,如果启用了 FIPS,则无法建立任何出站连接,从而获得
EE certificate too week errorwget https://www.openssl.org/source/openssl-3.1.0.tar.gz \
&& tar zxvf openssl-3.1.0.tar.gz \
&& cd openssl-3.1.0 \
&& CFLAGS=-fPIC ./config enable-fips --prefix=/usr/local/openssl --openssldir=/usr/local/openssl \
&& make \
&& make test \
&& make install \
&& bash -c "echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf" \
&& ldconfig
openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
通过在 openssl 配置中包含
fipsmodule.cnf.include /usr/local/openssl/fipsmodule.cnf
..
..
..
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
通过为文件生成 MD5 哈希来验证启用的 FIPS,如预期的那样出错。
openssl md5 <file_path>
Error setting digest
40C7F61E7D7F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (MD5 : 100), Properties ()
40C7F61E7D7F0000:error:03000086:digital envelope routines:(unknown function):initialization error:crypto/evp/digest.c:272:
#
#
openssl sha256 <file_path>
SHA2-256(openssl)= 49c16340d51eba8d2c31dbe569ad1f686fef571a0a7c9a4545a85c22d4650259
[root@centos7 bin]#
但是所有出站连接都失败了,
openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 CN = *.google.com
verify error:num=66:EE certificate key too weak
verify return:1
40D7CF19B37F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:458:
40D7CF19B37F0000:error:0A0000EF:SSL routines:(unknown function):unable to find public key parameters:ssl/statem/statem_clnt.c:1905:
---
Certificate chain
0 s:CN = *.google.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
v:NotBefore: Mar 28 16:47:33 2023 GMT; NotAfter: Jun 20 16:47:32 2023 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6777 bytes and written 311 bytes
Verification error: EE certificate key too weak
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 66 (EE certificate key too weak)
---
解决此问题的任何帮助,谢谢。