我们为 Ubuntu 和 Debian 软件包托管一个本地镜像。
root@apt-mirror:~# dpkg -l | grep mirror
ii apt-mirror 0.5.4-1 all APT sources mirroring tool
镜像和访问无需 ssl 即可正常工作。
root@db2:~# cat /etc/apt/sources.list.d/custom.apt-mirror.ubuntu.list
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security main universe
deb http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates main universe
但如果我想通过 https 使用访问,我会收到以下错误消息
OK:1 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-security InRelease
Ign:2 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic InRelease
OK:3 http://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic-updates InRelease
OK:4 http://apt-mirror.custom.de/repos.influxdata.com/ubuntu bionic InRelease
Fehl:5 https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses insecure algorithm. Could not handshake: Error in the certificate verification. [IP: XXX.XXX.XXX.XXX 443]
Paketlisten werden gelesen... Fertig
E: Das Depot »https://apt-mirror.custom.de/de.archive.ubuntu.com/ubuntu bionic Release« enthält keine Release-Datei mehr.
N: Eine Aktualisierung von solch einem Depot kann nicht auf eine sichere Art durchgeführt werden, daher ist es standardmäßig deaktiviert.
N: Weitere Details zur Erzeugung von Paketdepots sowie zu deren Benutzerkonfiguration finden Sie in der Handbuchseite apt-secure(8).
链中的所有证书在主机上都可用,因此使用 openssl 的测试成功:
root@db2:~# openssl s_client -showcerts -connect apt-mirror.custom.de:443
CONNECTED(00000005)
depth=3 C = DE, O = CUSTOM, CN = CUSTOM-Root CA
verify return:1
depth=2 C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
verify return:1
depth=1 C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
verify return:1
depth=0 C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
verify return:1
---
Certificate chain
0 s:C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
i:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
-----BEGIN CERTIFICATE-----
MIIGCjCCA/KgAwIBAgITMwAAAX9YNM4nCd6z0QACAAABfzANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1T
ZXJ2ZXIgQ0EgSW50ZXJuMB4XDTE4MTAwOTA3MzgxNVoXDTIwMTAwODA3MzgxNVow
#############################
lRV91hVW9bj4KsbyC4FGfK8+fgLPwlxBD+jwje43p9ZPY9WTxwcPFtIbT3fzxygX
/wmwQRRtg3aoICE61guje3URoP/qt+KSjFBmJ6cOGJne/rVXZ5etHHfSNfNqfJR4
ZAxfVfDN70m7SjYieB0DsJfbhYFqf8uaEQvkcMPr/vVXowDrjMTRBl+1CtM+q3G5
KzZm9qKKlZjWbAeuQ8o5myeu+E6tblJTQioz1jxlcSdWG0DjcjcDcPBFDB4/Qblb
KqPiEsGU+qRiwXqNjEWgSdUenOo4PlVVNUf+CsbbsoOdFV9qfG2G/ntXXbmoSPOZ
ZWv/8tDYfV+BCYVklcw=
-----END CERTIFICATE-----
1 s:C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
i:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgITaQAAABQg6MjMFAQ5mAAAAAAAFDANBgkqhkiG9w0BAQsF
ADA8MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEeMBwGA1UEAxMVQkdIVy1Q
b2xpY3kgQ0EgSW50ZXJuMB4XDTE4MDUyMjEyNDAwOVoXDTIzMDUyMjEyNTAwOVow
PDELMAkGA1UEBhMCREUxDTALBgNVBAoTBEJHSFcxHjAcBgNVBAMTFUJHSFctU2Vy
dmVyIENBIEludGVybjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMtO
#############################
EkbVV9UkXWRosy8ENxfcMwynd7xQoTzTywYUazNaX9NcRPvwZZ4NfmP9Mxqru7Hj
PofizUDnpKyp521brf9b7d7tjM4cYiS1beSiraOuW+9MBsf6pnuYpORfKvCa3wEP
fNpjXPkpCU30xJadqMGR1xT0fehd0vJpXsdixcNJEDBMY+cKeGDpaYcTY1BmtUtZ
2YIXQv8BGZP6YsWJpX9odjW9I7/WS74b
-----END CERTIFICATE-----
2 s:C = DE, O = CUSTOM, CN = CUSTOM-Policy CA Intern
i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIGCTCCA/GgAwIBAgIKYUYc4wAAAAAAAzANBgkqhkiG9w0BAQUFADAzMQswCQYD
VQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290IENBMB4X
DTEyMDYyNjA5MzExOVoXDTIzMDYyNjA5NDExOVowPDELMAkGA1UEBhMCREUxDTAL
#############################
s/oRVYoW20m5bN26B0jsmVA41HPFH/xfRzciRy8xi0xYoS5QDBSMEFBdloCcAdlR
u77otTQ45MhW7iJ7qefJhlGixnaYaNe8my0rKFEZdT+So46WsLjYv7iE11Dp4tbJ
abDDRyYLQJYbGBoJdeEY30RJ7LFGpNlu6Mhj7puZza58uG/2VRs/olRbo9jCuYnc
/EeOmnBXGB1caha+og==
-----END CERTIFICATE-----
3 s:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
i:C = DE, O = CUSTOM, CN = CUSTOM-Root CA
-----BEGIN CERTIFICATE-----
MIIF7jCCA9agAwIBAgIQLjBY331L64pF+SwDb+wecDANBgkqhkiG9w0BAQUFADAz
MQswCQYDVQQGEwJERTENMAsGA1UEChMEQkdIVzEVMBMGA1UEAxMMQkdIVy1Sb290
IENBMB4XDTEyMDYyNjA4MTE0MFoXDTMwMDYyNjA4MjEzMFowMzELMAkGA1UEBhMC
##############################
DhW0PUKRBt+5qqyaHsCQJXGYqRREy/bznBQF7xV3nlRXqSlx+BoSR0PLjwgChzIj
AQWUjA0N3RYhQmb+jyRm48xJJRBXi4fVFzkh8+qQz9neF91XPqp6pHs57A44gPEj
YmlM58+4n2G90LohJT/aythka9QBjIqyLomMl4CQ5F4H+Q==
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = NRW, L = Bonn, O = CUSTOM, OU = Betrieb, CN = apt-mirror.custom.de
issuer=C = DE, O = CUSTOM, CN = CUSTOM-Server CA Intern
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6963 bytes and written 413 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 80BBED0A0E87437094755EB7D611B8FF8ED3D94837500D84CDBDBAA4282516E9
Session-ID-ctx:
Master-Key: 915E404C840EC1C7EF840B618444D6BDC92FF12A2620000292E120C0F9B97FD1846A9B1F8B7835C0A8E3CE5F5AD6400D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e9 b0 15 43 aa ac 79 99-18 1e fb 60 03 5a 7a d5 ...C..y....`.Zz.
0010 - 27 20 e2 7a 87 de ea fe-0a 32 c6 57 e3 95 09 f9 ' .z.....2.W....
0020 - 8e dc 92 7f 80 1e 87 5f-af ad 63 70 ef e6 86 d0 ......._..cp....
0030 - 12 f5 67 65 26 2c 4f 02-a0 a6 a1 a8 f0 53 eb c2 ..ge&,O......S..
0040 - 2d 53 ba 95 13 50 b0 cb-a9 cf a4 4f fe b4 3c 24 -S...P.....O..<$
0050 - 4d 46 41 f4 dd 83 b8 2f-a7 e9 01 c2 27 70 27 b8 MFA..../....'p'.
0060 - 03 b8 20 8e 6e c1 e5 d9-30 1c 39 69 7d f7 f0 42 .. .n...0.9i}..B
0070 - a3 39 b3 3b f2 ac fc 99-d9 75 95 d0 3e 0d d9 b4 .9.;.....u..>...
0080 - dd c5 f0 f0 db 94 76 65-12 88 b1 00 4b 0b 88 f1 ......ve....K...
0090 - 5e dd 4c cc 50 5d 43 f7-10 86 1e 42 ea 8f 4c b9 ^.L.P]C....B..L.
00a0 - 30 5e b9 ec 83 78 c9 35-d7 00 9d 44 7a a2 07 be 0^...x.5...Dz...
00b0 - 53 57 78 43 b4 dc 2c f7-76 bd e6 ac 45 f7 5b 36 SWxC..,.v...E.[6
00c0 - 68 1a 07 f8 25 4e 4b 1e-f6 26 c8 89 3b 3a 38 1c h...%NK..&..;:8.
Start Time: 1580217557
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
我不想跳过验证,就像这里写的那样:易于接受无效证书
为什么会说该链使用了不安全的算法?
谢谢
答案1
链接PKI解决方案非常有用。经过研究,我发现策略 ca 证书是 sha1 签名的。这就是链中不安全的算法。策略CA去年更新过,现在是用sha256签名的。现在链连续没有 sha1 并且 apt 接受证书。
答案2
这听起来有些偏执。哪个所谓的“证书”在民主上是合法的,那么信任的愿望又是什么呢?
为什么不停用所有证书并(最终)实现民主?