碰到很奇怪的事情,在某一个linux上openssl s_client connect 127.0.0.1 居然会报错。
-
openssl s_client -connect 127.0.0.1:80 -ssl3
-
unknown option -ssl3
从来没见过这个错,后来发现这个openssl 居然是 fips的
-
openssl version -a
-
OpenSSL 1.0.1e-fips 11 Feb 2013
这个openssl 很诡异,我实在是没辙,使用strace 也没有看出点啥,想想也是,ssl的库调用不属于系统调用。
我后来仔细的看了ciphers,从这里我猜测到了一些,这个FIPS的openssl 编译的时候应该就去掉了sslv3的支持。
(no-ssl3)
-
openssl ciphers -v
-
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
-
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
-
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
-
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
-
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
-
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
注意没有一个是sslv3的。来看我另外一个rhel 7 上的openssl ciphers -v 的输出。
对比一下就很清楚了,FIPS的openssl 只有6个ciphers suites. 而我的rhel 7上的openssl ciphers suites 则有70多。
-
penssl version -a
-
OpenSSL 1.0.1e-fips 11 Feb 2013
-
openssl ciphers -v
-
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
-
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
-
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
-
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
-
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
-
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
-
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
-
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
-
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
-
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
-
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
-
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
-
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
-
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
-
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
-
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
-
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
-
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
-
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
-
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
-
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
-
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
-
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
-
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
-
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
-
.......省略50行的输出.......................................
-
根据stackoverflow上的信息:FIPS是需要enabled的。
在shared object 里面能看到symbol.
-
~ #nm /usr/lib64/libssl.so.1.0.0 |grep -i fips
-
U FIPS_mode
-
000000000002f860 T tls_fips_digest_extra
-
-
~ #nm /usr/lib64/libcrypto.so |grep -i fips_*
-
0000000000080cd0 T ERR_load_FIPS_strings
-
00000000001bc970 T FIPS_add_error_data
-
00000000001bdda0 T FIPS_add_lock
-
0000000000179fa0 T FIPS_bn_bin2bn
-
0000000000179680 T FIPS_bn_bn2bin
-
...........省略n行输出.............
-
~ # nm /usr/lib64/libcrypto.so | grep -i fips_text_*
-
00000000001beb00 T FIPS_text_end
-
0000000000170a80 T FIPS_text_start
-
~ # nm /usr/lib64/libcrypto.so | grep -i fips_rodata*
-
00000000001efbe0 R FIPS_rodata_end
-
00000000001e48e0 R FIPS_rodata_start
-
~ # nm /usr/lib64/libcrypto.so | grep -i fips_signature*
-
000000000044d6e0 B FIPS_signature
-
~ # nm /usr/lib64/libcrypto.so | grep -i fips_incore*
-
0000000000170c60 T FIPS_incore_fingerprint
-
但是到最后我还是留下了2个疑问:
1. 我可以md5命令而不报错,不知道为啥
-
env OPENSSL_FIPS=1 openssl md5 <some file>
2.另外一个就是我在rhel 上用nm 来查看查看符号,一个都看不到。
-
ldd /usr/bin/openssl
-
linux-vdso.so.1 => (0x00007ffc4f9f7000)
-
libssl.so.10 => /lib64/libssl.so.10 (0x00007feccddcb000)
-
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007feccdb7f000)
-
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007feccd899000)
-
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007feccd695000)
-
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007feccd463000)
-
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007feccd07a000)
-
libdl.so.2 => /lib64/libdl.so.2 (0x00007feccce76000)
-
libz.so.1 => /lib64/libz.so.1 (0x00007fecccc60000)
-
libc.so.6 => /lib64/libc.so.6 (0x00007feccc89e000)
-
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007feccc68f000)
-
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007feccc48b000)
-
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007feccc270000)
-
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007feccc054000)
-
/lib64/ld-linux-x86-64.so.2 (0x00007fecce061000)
-
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007feccbe2e000)
-
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007feccbbcd000)
-
liblzma.so.5 => /lib64/liblzma.so.5 (0x00007feccb9a8000)
-
-
nm /lib64/libssl.so.10
-
nm: /lib64/libssl.so.10: no symbols
-
-
strings /lib64/libssl.so.10 |grep ssl
-
ssl2_new
-
ssl2_clear
-
ssl2_free
-
ssl2_accept
-
ssl2_connect
-
ssl2_read
-
ssl2_peek
-
ssl2_write
-
ssl2_shutdown
-
ssl_ok
-
ssl2_ctrl
-
ssl2_ctx_ctrl
-
ssl2_get_cipher_by_char
-
ssl2_put_cipher_by_char
-
ssl2_pending
-
ssl2_num_ciphers
-
ssl2_get_cipher
-
ssl2_default_timeout
-
ssl3_undef_enc_method
后记:
到底什么是 FIPS的openssl 呢?
官方的说法在这里:
阅读(3890) | 评论(0) | 转发(0) |