IBM HttpServer сконфигурированная цепочка сертификатов содержит подпись, которая не совместима с требованиями однорангового алгоритма подписи TLS
У меня есть служба входа kubernetes, перенаправляющая трафик на порт SSL на IBM HTTP Server, но соединение не устанавливается с
SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.
Если я обхожу вход, через прокси-переадресацию порта HTTP-сервера, все работает, так что я предполагаю, что это связано с конфигурацией входа.
Но из сообщения об ошибке не понимаю, в чем может быть проблема.
Полный журнал рукопожатия
[ibm_ssl:debug] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL handshake initiated [10.0.77.139:44716 -> 10.0.34.215:8000] fd 17 userdata 7f2007ffed00
[ibm_ssl:debug] [pid 202:tid 139775549896448] mod_ibm_ssl.c(1184): About to handshake: SSLV2 not enabled, SSLV3 not enabled, TLSv10 not enabled, TLSv11 not enabled, TLSv12 ciphers='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA', FIPS is disabled
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [5] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [5] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [183] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [183] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write begin bytes [7] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write end bytes [7] err [0] to [0]
[ibm_ssl:error] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.[10.0.77.139:44716 -> 10.0.34.215:8000] [0 ms]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] Handshake transcript:
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] <client_hello>
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] client_version
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] TLSV12
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] random
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_32Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 69aaf182
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_Opaque
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 28
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 01 C4 38 FA 9D 07 48 B8 78 7F 5E 99 4F D3 F9 22 ..8...H.x.^.O.."
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] D1 FA F7 8F 0A 44 4D 05 AF 68 07 67 .....DM..h.g
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_id
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 00
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] cipher_suites
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 56
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 2C C0 30 00 9F CC A9 CC A8 CC AA C0 2B C0 2F .,.0.........+./
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 9E C0 24 C0 28 00 6B C0 23 C0 27 00 67 C0 0A ...$.(.k.#.'.g..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 14 00 39 C0 09 C0 13 00 33 00 9D 00 9C 00 3D ...9.....3.....=
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 3C 00 35 00 2F 00 FF .<.5./..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_dhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_chacha20_poly1305_sha256,tls_ecdhe_rsa_with_chacha20_poly1305_sha256,tls_dhe_rsa_with_chacha20_poly1305_sha256,tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_dhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_256_cbc_sha384,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_dhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,unknown,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_ri_scsv
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] compression_methods
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 01
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 .
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extensions
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 82
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 0B 00 04 03 00 01 02 00 0A 00 0C 00 0A 00 1D ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 1E 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 00 00 0D 00 2A 00 28 04 03 05 03 06 03 .......*.(......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 08 07 08 08 08 09 08 0A 08 0B 08 04 08 05 08 06 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 06 02 ..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extension Count: 6
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ec_point_formats
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] uncompressed,ansiX962_compressed_prime,ansiX962_compressed_char2
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] elliptic_curves
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] unknown,secp256r1,unknown,secp521r1,secp384r1
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_ticket
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] encrypt_then_mac
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] extended_master_secret
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] signature_algorithms
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ecdsa:sha256,ecdsa:sha384,ecdsa:sha512,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,rsa:sha256,rsa:sha384,rsa:sha512,ecdsa:sha224,rsa:sha224,dsa:sha224,dsa:sha256,dsa:sha384,dsa:sha512
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] end handshake transcript
Вход использует правильный подписанный сертификат, подстановочный сертификат с несколькими альтернативными именами субъектов и был добавлен в хранилище доверия IBM HTTP Server.
HTTP-сервер использует самозаверяющий сертификат с полным доменным именем службы kubernetes в качестве альтернативного имени субъекта.
Является ли проблема а) с сертификатом, используемым непосредственно входным контроллером? б) С каким-либо промежуточным сертификатом, используемым входным контроллером? в) проблема с протоколами обмена ключами? г) Проблема с http-сервером собственного самозаверяющего сертификата?
заранее спасибо
1 ответ
Оказывается, проблема была в том, что я сам подписал сертификат, который использовал алгоритм подписи sha1. После правильного изменения алгоритма подписи sha256 проблема исчезла.
т.е.
openssl req -new -key mykey.pem -out /tmp/mycsr.csr -config myconfig.properties -sha256
openssl x509 -req -days 3650 -sha256 -in /tmp/mycsr.csr -signkey mykey.pem -out /tmp/mycert.cert -extensions req_ext -extfile myconfig.properties
с myconfig.properties
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=Country
ST=State
L=City
O=O
OU=OU
emailAddress=myemail@domain
CN = default.svc.cluster.local
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = *.default.svc.cluster.local