How to use a weak client certificate with curl/openssl


I am trying to use a PKCS12 client certificate with curl 7.58.0 and OpenSSL 1.1.1 on an Ubuntu 18.04 server. My certificate info is:

~# openssl pkcs12 -info -in cert.p12 -noout -nomacver
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

When I try to use it with curl like this:

curl --cert-type P12 --cert cert.p12:******* https://server.com

I get

curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

How can I make curl/openssl accept this certificate?
I tried --insecure and --tlsv1.0, but neither worked.


Edit
The output of openssl pkcs12 -in cert.p12 -nokeys | openssl x509 -text -noout is:

Enter Import Password:
MAC verified OK
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1558524593 (0x5ce532b1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IR, ST=Tehran, O=IPM, OU=IRNIC dotIR ccTLD, CN=IRNIC department/[email protected]
        Validity
            Not Before: May 22 11:29:53 2019 GMT
            Not After : Nov 22 11:29:53 2019 GMT
        Subject: C=IR, ST=Tehran, L=Tehran, O=Hamid Reza Naeini, OU=Hamid Reza Naeini, CN=da74-irnic,T234/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:de:57:fa:8c:7f:44:18:87:58:04:73:91:be:1a:
                    f4:5d:63:22:7c:79:a8:b8:7c:af:13:91:39:6e:11:
                    5d:f6:e7:70:13:d0:0f:9c:38:90:f5:13:da:c1:d1:
                    5d:73:8b:85:d0:00:bf:0f:ad:c3:e4:a3:91:87:51:
                    10:e2:b8:3b:03:fe:44:82:7b:4f:e4:b2:29:43:9c:
                    bb:33:7d:1d:2b:81:76:55:1d:69:57:fe:ac:ec:0f:
                    a6:4c:ec:4b:a1:0c:10:63:f5:ec:c7:1f:8a:68:e9:
                    95:7a:4c:22:21:47:5f:50:22:e8:c9:60:b2:c2:89:
                    5c:da:73:df:b1:e3:bf:66:71
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                40:F0:CE:06:33:DD:40:3B:69:F2:97:89:43:EF:8D:12:BB:88:E7:2A
            X509v3 Authority Key Identifier: 
                keyid:FC:D4:95:B1:9E:AD:B8:1B:94:09:3B:77:A1:CF:09:D7:F5:D6:BE:BE
                DirName:/C=IR/ST=Tehran/O=IPM/OU=IRNIC dotIR ccTLD/CN=IRNIC department/[email protected]
                serial:AF:4A:3A:99:D9:CE:99:C1

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
         88:a7:d8:8e:63:6f:15:69:cd:45:31:8b:2e:14:f1:48:bf:66:
         24:33:b5:ef:6d:5f:75:8b:31:f2:94:09:b6:c2:72:87:09:b8:
         31:4c:8b:c5:8d:b0:03:f3:70:91:63:fc:ed:52:19:62:31:98:
         82:e4:e9:e8:14:2a:c9:6c:ca:fc:3f:d6:e0:fc:d2:94:82:88:
         4e:0b:5a:77:74:19:de:99:17:e8:ba:c9:58:b9:6f:d9:e6:c9:
         f6:de:26:e7:6e:2e:02:4d:f9:2c:6b:e2:1f:9f:0a:7a:35:d0:
         5e:9c:cd:09:74:fa:df:a4:c8:5a:42:82:91:8c:6f:68:a9:06:
         14:51:1f:22:46:8f:0b:db:13:1d:17:bc:b2:c1:fd:41:5b:5b:
         2b:57:9c:cf:a8:7f:64:2a:4b:6e:a6:e6:37:c4:b0:3b:ef:11:
         df:90:d3:b7:65:aa:40:40:f4:cd:d1:87:4d:22:20:4b:4b:13:
         bc:e8:14:79:c5:a9:14:6d:6e:6b:22:8e:21:27:44:26:23:8d:
         a0:2f:38:21:03:7f:cd:e1:cb:dc:51:d7:a5:a5:87:af:a3:65:
         d1:a3:7c:84:78:43:c6:74:40:fe:fd:97:5c:23:ad:ec:5f:a1:
         ef:05:89:ac:5c:85:20:74:17:f9:95:cf:66:30:73:ec:04:0f:
         41:67:8c:3a

Answer 1

Surprisingly, you can downgrade your OS to use an older version of curl, and it works fine! We used Ubuntu 16.04 instead of 19.10, and we could connect to the nic server.
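
As an added illustration (not part of the original question or answer), the sketch below rates the certificate from the question against OpenSSL's security levels, to show which property triggers "ca md too weak". The tables are a simplified model based on the SSL_CTX_set_security_level documentation, the function names are hypothetical, and an RSA-signed, non-self-signed certificate is assumed.

```python
import re

# Minimum security bits required by OpenSSL security levels 0-5
# (per the SSL_CTX_set_security_level documentation).
LEVEL_MIN_BITS = [0, 80, 112, 128, 192, 256]

# Signature digest strength, estimated as half the digest length in bits.
# SHA-1 is left out because its rating differs between OpenSSL releases.
DIGEST_BITS = {"md5": 64, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}

# (minimum RSA modulus size, security bits), strongest first.
RSA_BITS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

# Trimmed from the `openssl x509 -text` output shown in the question.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

def max_level(bits):
    """Highest security level whose minimum is met by `bits`."""
    return max(lvl for lvl, need in enumerate(LEVEL_MIN_BITS) if bits >= need)

def assess(x509_text):
    """Return {'digest': (name, level), 'key': (bits, level), 'level': overall}."""
    sig = re.search(r"Signature Algorithm:\s*(\w+?)With", x509_text, re.I)
    key = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    if not sig or not key:
        raise ValueError("not recognisable `openssl x509 -text` output")
    digest, key_size = sig.group(1).lower(), int(key.group(1))
    if digest not in DIGEST_BITS:
        raise ValueError(f"digest {digest!r} not in table")
    key_bits = next((b for size, b in RSA_BITS if key_size >= size), 0)
    d_lvl, k_lvl = max_level(DIGEST_BITS[digest]), max_level(key_bits)
    return {"digest": (digest, d_lvl), "key": (key_size, k_lvl), "level": min(d_lvl, k_lvl)}

if __name__ == "__main__":
    r = assess(SAMPLE)
    print(f"digest {r['digest'][0]}: passes up to level {r['digest'][1]}")
    print(f"RSA {r['key'][0]} bit: passes up to level {r['key'][1]}")
    print(f"certificate loads only at security level <= {r['level']}")
```

For the certificate in the question, the MD5 signature is the limiting factor: the 1024-bit key alone would pass level 1, but the digest does not, so a certificate reissued with SHA-256 and a 2048-bit or larger key is what clears the check.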
