
IBM HTTP Server: настроенная цепочка сертификатов содержит подпись, несовместимую с требованиями узла к алгоритмам подписи TLS

У меня есть Ingress в Kubernetes, который перенаправляет трафик на SSL-порт IBM HTTP Server, но соединение завершается ошибкой SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.

Если обойти Ingress, пробросив порт HTTP-сервера через прокси, всё работает, поэтому я предполагаю, что проблема связана с конфигурацией Ingress.

Но из сообщения об ошибке я не понимаю, в чем может быть проблема.

Полный журнал рукопожатия

 [ibm_ssl:debug] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL handshake initiated [10.0.77.139:44716 -> 10.0.34.215:8000] fd 17 userdata 7f2007ffed00 
 [ibm_ssl:debug] [pid 202:tid 139775549896448] mod_ibm_ssl.c(1184): About to handshake: SSLV2 not enabled, SSLV3 not enabled, TLSv10 not enabled, TLSv11 not enabled, TLSv12 ciphers='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA', FIPS is disabled
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [5] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [5] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [183] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [183] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write begin bytes [7] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write end bytes [7] err [0] to [0]
[ibm_ssl:error] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.[10.0.77.139:44716 -> 10.0.34.215:8000] [0 ms]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] Handshake transcript:
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  <client_hello>
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  client_version 
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  TLSV12
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  random 
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    gsksslDissector_32Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    69aaf182
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    gsksslDissector_Opaque
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    Length: 28
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    01 C4 38 FA 9D 07 48 B8 78 7F 5E 99 4F D3 F9 22     ..8...H.x.^.O.."
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    D1 FA F7 8F 0A 44 4D 05 AF 68 07 67                 .....DM..h.g
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  session_id 
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  Length: 00
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  cipher_suites 
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  Length: 56
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  C0 2C C0 30 00 9F CC A9 CC A8 CC AA C0 2B C0 2F     .,.0.........+./
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00 9E C0 24 C0 28 00 6B C0 23 C0 27 00 67 C0 0A     ...$.(.k.#.'.g..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  C0 14 00 39 C0 09 C0 13 00 33 00 9D 00 9C 00 3D     ...9.....3.....=
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00 3C 00 35 00 2F 00 FF                             .<.5./..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_dhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_chacha20_poly1305_sha256,tls_ecdhe_rsa_with_chacha20_poly1305_sha256,tls_dhe_rsa_with_chacha20_poly1305_sha256,tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_dhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_256_cbc_sha384,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_dhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,unknown,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_ri_scsv
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  compression_methods 
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  Length: 01
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00                                                  .
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  Extensions
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  Length: 82
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00 0B 00 04 03 00 01 02 00 0A 00 0C 00 0A 00 1D     ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00 17 00 1E 00 19 00 18 00 23 00 00 00 16 00 00     .........#......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  00 17 00 00 00 0D 00 2A 00 28 04 03 05 03 06 03     .......*.(......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  08 07 08 08 08 09 08 0A 08 0B 08 04 08 05 08 06     ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02     ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]  06 02                                               ..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   Extension Count: 6
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   ec_point_formats
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    uncompressed,ansiX962_compressed_prime,ansiX962_compressed_char2
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   elliptic_curves
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    unknown,secp256r1,unknown,secp521r1,secp384r1
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   session_ticket
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   encrypt_then_mac
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   extended_master_secret
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]   signature_algorithms
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]    ecdsa:sha256,ecdsa:sha384,ecdsa:sha512,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,rsa:sha256,rsa:sha384,rsa:sha512,ecdsa:sha224,rsa:sha224,dsa:sha224,dsa:sha256,dsa:sha384,dsa:sha512
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] end handshake transcript

Ingress использует должным образом подписанный сертификат (wildcard-сертификат с несколькими альтернативными именами субъекта), и он был добавлен в хранилище доверенных сертификатов IBM HTTP Server.

HTTP-сервер использует самозаверяющий сертификат с полным доменным именем службы kubernetes в качестве альтернативного имени субъекта.

В чём проблема: а) в сертификате, который использует непосредственно Ingress-контроллер? б) в каком-либо промежуточном сертификате, используемом Ingress-контроллером? в) в протоколах обмена ключами? г) в собственном самозаверяющем сертификате HTTP-сервера?

заранее спасибо

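Оказалось, что проблема была в моём самозаверяющем сертификате: он был подписан с алгоритмом sha1. Это согласуется с журналом рукопожатия: в расширении signature_algorithms из client_hello среди распознанных пар есть только варианты с sha224, sha256, sha384 и sha512, а sha1 клиент не предлагает. После перевыпуска сертификата с алгоритмом подписи sha256 проблема исчезла.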

т.е.

# Create the CSR from the existing key mykey.pem; -sha256 sets the digest used to sign the request.
openssl req -new -key mykey.pem -out /tmp/mycsr.csr -config myconfig.properties -sha256 
# Self-sign the certificate with the same key (-signkey). -sha256 is repeated here because this
# command is given the config only as an extensions file (-extfile/-extensions), so the
# default_md value in [req] is not what selects its digest.
# NOTE(review): without -sha256, older OpenSSL builds may default to SHA-1 here - confirm on your version.
# -days 3650 gives the certificate a validity of roughly ten years.
# To confirm the result, check the "Signature Algorithm" field of the issued certificate, e.g.:
#   openssl x509 -in /tmp/mycert.cert -noout -text
openssl x509 -req -days 3650 -sha256 -in /tmp/mycsr.csr -signkey mykey.pem -out /tmp/mycert.cert -extensions req_ext -extfile myconfig.properties   

где myconfig.properties имеет следующее содержимое:

# OpenSSL configuration shared by both commands: `openssl req` reads it via -config,
# `openssl x509` reads only the [ req_ext ] section via -extfile/-extensions.
[req]
# Key size for a key generated by `openssl req`; not used when an existing key is passed with -key.
default_bits = 2048
# Take the subject fields from the [ dn ] section instead of prompting interactively.
prompt = no
# Digest used by `openssl req` to sign the CSR.
default_md = sha256
# Section holding the extensions to put into the CSR.
req_extensions = req_ext
# Section holding the subject distinguished name.
distinguished_name = dn

# Subject of the certificate; the values below are placeholders.
[ dn ]
C=Country
ST=State
L=City
O=O
OU=OU
emailAddress=myemail@domain
CN = default.svc.cluster.local

# X.509 extensions written into the CSR and, through -extfile, into the certificate.
[ req_ext ]
# Mark the certificate as an end-entity certificate, not a CA.
basicConstraints = CA:FALSE
# NOTE(review): nonRepudiation is normally not needed for a TLS server certificate - consider dropping it.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# Wildcard SAN: matches any single-label name under default.svc.cluster.local, so whoever holds
# the private key can present this certificate for every such name, not just one service.
# The bare CN value default.svc.cluster.local is not listed as a SAN.
# NOTE(review): if the certificate is meant for a single service, list that service's FQDN instead.
DNS.0 = *.default.svc.cluster.local