designetwork

IT technical notes centered on networking

Overview of the "wrong signature type" error caused by OpenSSL SECLEVEL

Depending on the OpenSSL SECLEVEL setting, errors like the following can occur. This note collects packet captures and the points to check.

curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
  • Nginx R-Proxy
2020/09/29 22:25:40 [crit] 3796#3796: *1 SSL_do_handshake() failed (SSL: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "localhost:8080"

Nginx lets you configure cipher suites individually, but when none are specified it inherits OpenSSL's SECLEVEL.

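Note: because this topic concerns security, please check industry trends and the latest information carefully. This article is written only from the standpoint of how things behave and is not intended to recommend any particular settings. Please point out any misreadings of the specifications.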

Environment

Behavior was verified on the latest Ubuntu Docker image as of 2020/10/03. Note that CentOS behaves differently.

ubuntu:latest 9140108b62dc

# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
...
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

# uname -a
Linux e3cce02e4351 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/debian_version
bullseye/sid
apt-get update; apt-get install -y openssl nginx curl;
---
# openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

# curl -V
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08

# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

Cause of the error (one example)

On the Ubuntu version above, OpenSSL is configured with SECLEVEL=2, so the error occurs when the server returns SHA-1 as the signature_algorithm.

The default security level can be configured when OpenSSL is compiled by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. If not set then 1 is used.

Cipher Suites (28 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
...
Extension: signature_algorithms (len=42)
    Type: signature_algorithms (13)
    Length: 42
    Signature Hash Algorithms Length: 40
    Signature Hash Algorithms (20 algorithms)
        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
        Signature Algorithm: ed25519 (0x0807)
        Signature Algorithm: ed448 (0x0808)
        Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
        Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
        Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
        Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
        Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
        Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
        Signature Algorithm: SHA224 ECDSA (0x0303)
        Signature Algorithm: SHA224 RSA (0x0301)
        Signature Algorithm: SHA224 DSA (0x0302)
        Signature Algorithm: SHA256 DSA (0x0402)
        Signature Algorithm: SHA384 DSA (0x0502)
        Signature Algorithm: SHA512 DSA (0x0602)
  • Server Key Exchange
Handshake Protocol: Server Key Exchange
    Handshake Type: Server Key Exchange (12)
    Length: 329
    EC Diffie-Hellman Server Params
        Curve Type: named_curve (0x03)
        Named Curve: secp256r1 (0x0017)
        Pubkey Length: 65
        Pubkey: 040930ae0b4eb296de996c53ee48b4a6b6424af195997dc6…
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: RSA (1)
        Signature Length: 256
        Signature: 5fa39be43165be6b6e14773ee2f2943a12019a929042445f…

signature_algorithms

The specification for signature_algorithms is here (TLSv1.2 RFC, IPA Japanese translation): https://www.ipa.go.jp/security/rfc/RFC5246-07JA.html#074141

7.4.1.4.1. Signature Algorithms

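In addition to the list of candidate ciphers, the client adds the requirements it wants. The server must take this extension into account and respond with an appropriate cipher suite.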

Example workaround on the client side

Note: this lowers the security level, so take care.

# apt-get install -y vim
# vi /etc/ssl/openssl.cnf

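Add the following settings before [ new_oids ]. Note that if they are placed in the wrong location, the section hierarchy breaks and the settings do not take effect.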

openssl_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

Changing SECLEVEL from the default of 2 to 1 relaxes the Cipher Suites and signature_algorithms in the ClientHello so that SHA-1 is accepted.

Cipher Suites (31 suites)
    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
---
Extension: signature_algorithms (len=48)
    Type: signature_algorithms (13)
    Length: 48
    Signature Hash Algorithms Length: 46
    Signature Hash Algorithms (23 algorithms)
        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
        Signature Algorithm: ed25519 (0x0807)
        Signature Algorithm: ed448 (0x0808)
        Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
        Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
        Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
        Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
        Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
        Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
        Signature Algorithm: SHA224 ECDSA (0x0303)
        Signature Algorithm: ecdsa_sha1 (0x0203)
        Signature Algorithm: SHA224 RSA (0x0301)
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Algorithm: SHA224 DSA (0x0302)
        Signature Algorithm: SHA1 DSA (0x0202)
        Signature Algorithm: SHA256 DSA (0x0402)
        Signature Algorithm: SHA384 DSA (0x0502)
        Signature Algorithm: SHA512 DSA (0x0602)

The following are additionally permitted:

    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
---
        Signature Algorithm: ecdsa_sha1 (0x0203)
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Algorithm: SHA1 DSA (0x0202)
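
The mismatch shown in the captures above, as an added example (not code from this article or from OpenSSL): it encodes the two ClientHello signature_algorithms lists in wire format, parses them back, and applies a simplified model of the client-side check against the rsa_pkcs1_sha1 (0x0201) value from the Server Key Exchange. The function names are hypothetical, and the real tls12_check_peer_sigalg performs further checks beyond list membership.

```python
import struct

# SHA-1 based SignatureScheme code points, named as in the captures above.
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "SHA1 DSA", 0x0203: "ecdsa_sha1"}

# signature_algorithms lists copied from the two ClientHello captures.
SECLEVEL2_OFFER = [0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0809, 0x080a,
                   0x080b, 0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601,
                   0x0303, 0x0301, 0x0302, 0x0402, 0x0502, 0x0602]
SECLEVEL1_OFFER = [0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0809, 0x080a,
                   0x080b, 0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601,
                   0x0303, 0x0203, 0x0301, 0x0201, 0x0302, 0x0202, 0x0402,
                   0x0502, 0x0602]

def build_extension(schemes):
    """Encode a signature_algorithms extension (type 13) in wire format."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", 13, len(data)) + data

def parse_extension(raw):
    """Return the offered code points; reject inconsistent length fields."""
    if len(raw) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", raw[:6])
    if ext_type != 13:
        raise ValueError("not a signature_algorithms extension")
    if ext_len != len(raw) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent length fields")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(6, len(raw), 2)]

def sha1_offered(raw):
    """Names of SHA-1 schemes the client is willing to accept, in offer order."""
    return [SHA1_SCHEMES[s] for s in parse_extension(raw) if s in SHA1_SCHEMES]

def check_peer_sigalg(client_ext, server_scheme):
    """Simplified client check: the server's scheme must be one the client offered."""
    if server_scheme not in parse_extension(client_ext):
        return "wrong signature type"
    return "ok"

if __name__ == "__main__":
    server_scheme = 0x0201  # rsa_pkcs1_sha1, from the Server Key Exchange capture
    for name, offer in (("SECLEVEL=2", SECLEVEL2_OFFER), ("SECLEVEL=1", SECLEVEL1_OFFER)):
        ext = build_extension(offer)
        print(name, sha1_offered(ext), check_peer_sigalg(ext, server_scheme))
```

The same parser can be pointed at the extension bytes exported from a real capture to confirm whether a client still advertises SHA-1 schemes after a configuration change.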

References