$ curl "https://iss.ndl.go.jp/"
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
This looks like a problem on the openssl side rather than in curl itself:
$ openssl s_client -connect iss.ndl.go.jp:443 2>&1 | grep error
140124047922496:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2149:
From /usr/share/doc/openssl/changelog.gz, "Changes between 1.1.1b and 1.1.1c [28 May 2019]":
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation apps to use 2048 bits by default. [Kurt Roeckx]
Ideally the server would be fixed, but for now work around it on the client side in the OpenSSL configuration. Changing the global configuration is undesirable, so keep the relaxed settings in a separate file:
$ sudo cp -p /etc/ssl/openssl.cnf /etc/ssl/openssl-SECLEVEL1.cnf $ sudo vi /etc/ssl/openssl-SECLEVEL1.cnf $ diff -u /etc/ssl/openssl.cnf /etc/ssl/openssl-SECLEVEL1.cnf --- /etc/ssl/openssl.cnf 2019-05-31 00:27:48.000000000 +0900 +++ /etc/ssl/openssl-SECLEVEL1.cnf 2020-10-15 20:29:40.636627353 +0900 @@ -359,4 +359,4 @@ [system_default_sect] MinProtocol = TLSv1.2 -CipherString = DEFAULT@SECLEVEL=2 +CipherString = DEFAULT@SECLEVEL=1
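Review bot: the hunk in [system_default_sect] relaxes more than the DH check that produced the error: at SECLEVEL=1 OpenSSL also accepts RSA, DSA and DH keys down to 1024 bits and ECC keys down to 160 bits, whereas SECLEVEL=2 is the level that rejects the server's DH parameters as too small. Leaving the MinProtocol = TLSv1.2 context line untouched is right, and keeping the relaxed level in a separate file selected per invocation via OPENSSL_CONF is what limits its reach; consider adding a comment above CipherString in openssl-SECLEVEL1.cnf noting that the file is for opt-in use against specific hosts, so it is not mistaken for the system default.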
Pointing the environment variable OPENSSL_CONF at the newly created file makes OpenSSL use that configuration instead:
$ OPENSSL_CONF=/etc/ssl/openssl-SECLEVEL1.cnf curl "https://iss.ndl.go.jp/" | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja" lang="ja">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="content-style-type" content="text/css" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content="wkc7aO6RSeD+b266iXdfabL6uIDTN9BaWAMk9JW84EE="/>
<link rel="search" type="application/opensearchdescription+xml" title="NDL Search" href="https://iss.ndl.go.jp/api/opensearch_description" />
<link href="/stylesheets/ndl/styles.css?1585140340" media="" rel="stylesheet" type="text/css" />
 43 38314   43 16760    0     0  46426      0 --:--:-- --:--:-- --:--:-- 46426
curl: (23) Failure writing output to destination
$ OPENSSL_CONF=/etc/ssl/openssl-SECLEVEL1.cnf openssl s_client -connect iss.ndl.go.jp:443
So the sensible approach is to try with the default settings first and use this configuration only if that fails.
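The try-the-default-first policy as a small shell wrapper (an added example, not part of the original post): curl runs with the system configuration, and only an exit status of 35 triggers one retry with OPENSSL_CONF pointing at the relaxed file, with the downgrade reported on stderr. A second function uses openssl s_client to show the ephemeral key size the server actually sent, which is what the level check rejects. The CURL override variable and the show_server_temp_key helper are assumptions introduced here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: run curl with the system OpenSSL
# configuration first and fall back to the relaxed SECLEVEL=1 file only when
# curl exits with 35 (SSL connect error, the status the post shows for
# "dh key too small"). Assumes /etc/ssl/openssl-SECLEVEL1.cnf as created above;
# CURL is an assumed override so the wrapper can be exercised without a network.

SECLEVEL1_CNF="${SECLEVEL1_CNF:-/etc/ssl/openssl-SECLEVEL1.cnf}"
CURL="${CURL:-curl}"

# curl_with_seclevel_fallback URL [curl options...]
# Exit status is curl's. Every downgrade is reported on stderr so that a
# weakened handshake stays visible instead of silently becoming the default.
curl_with_seclevel_fallback() {
    url=$1
    shift
    # First attempt with the default configuration (SECLEVEL=2 on this Debian).
    "$CURL" -sS "$@" "$url" && return 0
    rc=$?
    if [ "$rc" -ne 35 ]; then
        # Not an SSL connect error, so the relaxed config would not help.
        return "$rc"
    fi
    if [ ! -r "$SECLEVEL1_CNF" ]; then
        echo "curl: exit 35 for $url and $SECLEVEL1_CNF is unreadable; not retrying" >&2
        return "$rc"
    fi
    echo "curl: exit 35 for $url; retrying once with OPENSSL_CONF=$SECLEVEL1_CNF" >&2
    OPENSSL_CONF="$SECLEVEL1_CNF" "$CURL" -sS "$@" "$url"
}

# show_server_temp_key HOST[:PORT]
# Prints the ephemeral key line from openssl s_client (for example
# "Server Temp Key: DH, 1024 bits"), i.e. the parameter size SECLEVEL=2
# rejected. The relaxed config is used so the handshake completes far
# enough for s_client to report it.
show_server_temp_key() {
    host=${1%%:*}
    port=${1#*:}
    if [ "$port" = "$1" ]; then
        port=443
    fi
    OPENSSL_CONF="$SECLEVEL1_CNF" openssl s_client -connect "$host:$port" \
        </dev/null 2>/dev/null | grep 'Server Temp Key'
}
```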
Environment
$ dpkg-query -W curl openssl
curl	7.72.0-1
openssl	1.1.1h-1
$ lsb_release -dr
Description:	Debian GNU/Linux bullseye/sid
Release:	unstable
$ uname -m
x86_64