narutaro opened this issue 1 year ago
Creating the key, CSR and certificate

```shell
openssl genrsa 2048 > s.key
openssl req -new -key s.key > s.csr
openssl x509 -req -signkey s.key < s.csr > s.crt
```
If the key length is too short, creating the CSR fails with an error:

```
140704419046208:error:0DFFF07A:asn1 encoding routines:CRYPTO_internal:first num too large
```
Inspecting the results: use the pkey, req, or x509 subcommand respectively.

```shell
openssl pkey -text -noout < s.key
openssl req -text -noout < s.csr
openssl x509 -text -noout < s.crt
```
Stand up an HTTPS server with WEBrick and test against it. Put an index.html in the document root.

```ruby
require 'webrick'
require 'webrick/https'

# Serve the current directory over HTTPS on 127.0.0.1:8080 using the
# key and self-signed certificate generated above (placed under cert3/).
srv = WEBrick::HTTPServer.new(
  DocumentRoot: './',
  BindAddress: '127.0.0.1',
  Port: 8080,
  SSLEnable: true,
  SSLPrivateKey: OpenSSL::PKey::RSA.new(File.read('cert3/s.key')),
  SSLCertificate: OpenSSL::X509::Certificate.new(File.read('cert3/s.crt')),
  # Only consulted when WEBrick has to generate its own certificate;
  # harmless here because SSLCertificate is supplied explicitly.
  SSLCertName: [['CN', WEBrick::Utils.getservername]]
)

# Shut the server down cleanly on Ctrl-C.
trap('INT') { srv.shutdown }
srv.start
```
When connecting with openssl, the certificate details are printed first; sending `GET / HTTP/1.1` after that returns the HTML (sending just a newline returns `HTTP/1.1 400 Bad Request`).
```
❱❱❱ openssl s_client -connect localhost:8080
CONNECTED(00000005)
depth=0 C = JP, ST = Tokyo, L = Meguro, O = XYZ, OU = IoT, CN = iot.xyz.com, emailAddress = me@xyz.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Meguro, O = XYZ, OU = IoT, CN = iot.xyz.com, emailAddress = me@xyz.com
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Meguro/O=XYZ/OU=IoT/CN=iot.xyz.com/emailAddress=me@xyz.com
   i:/C=JP/ST=Tokyo/L=Meguro/O=XYZ/OU=IoT/CN=iot.xyz.com/emailAddress=me@xyz.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Meguro/O=XYZ/OU=IoT/CN=iot.xyz.com/emailAddress=me@xyz.com
issuer=/C=JP/ST=Tokyo/L=Meguro/O=XYZ/OU=IoT/CN=iot.xyz.com/emailAddress=me@xyz.com
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 1436 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1685252733
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
read R BLOCK
read R BLOCK
GET / HTTP/1.1
HTTP/1.1 200 OK
Etag: 3f1a6-252-647c671f
Content-Type: text/html
Content-Length: 594
Last-Modified: Sun, 04 Jun 2023 10:27:43 GMT
Server: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07) OpenSSL/3.0.2
Date: Sun, 04 Jun 2023 13:26:14 GMT
Connection: Keep-Alive

<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="HandheldFriendly" content="True" />
<title>サイトタイトル</title>
<link rel="icon" href="favicon.ico" type="image/png">
<!--
<link rel="canonical" href="サイトURL">
<link rel="stylesheet" href="CSSのURL">
-->
</head>
<body>
<header>
<h1>サイトタイトル</h1>
<nav>ヘッダーナビゲーション</nav>
</header>
<article>本文</article>
<footer>
<p>© サイトタイトル</p>
</footer>
</body>
</html>
```
Accessing it from a browser produces errors and warnings.

Server-side error:

```
[2023-06-04 10:27:50] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 peeraddr=<ip-address>:22473 state=error: sslv3 alert certificate unknown
```

Browser warning (clicking Advanced still lets you through):

```
Your connection is not private
Attackers might be trying to steal your information from <EC2 domain name> (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
```
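As an added example (not part of the original issue), the same kind of self-signed certificate built in Ruby with the openssl library WEBrick relies on, followed by a chain check that reproduces the `Verify return code: 18 (self signed certificate)` seen in s_client and behind the browser warning: validation fails against an empty trust store and only succeeds once the certificate itself is trusted (the equivalent of `openssl s_client -CAfile s.crt`). The subject fields, 30-day validity and random serial are assumptions.

```ruby
require 'openssl'

# Build a self-signed certificate the way the genrsa -> req -> x509 -req
# chain above does, but in Ruby. Subject/validity values are assumptions.
def make_self_signed(bits: 2048, cn: 'iot.xyz.com', days: 30)
  key  = OpenSSL::PKey::RSA.new(bits)
  name = OpenSSL::X509::Name.new([['C', 'JP'], ['O', 'XYZ'], ['CN', cn]])
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                    # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64) # random serial (assumed choice)
  cert.subject    = name
  cert.issuer     = name                 # issuer == subject: self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Mirror what s_client and the browser do: validate the chain against a
# trust store. Returns [ok, error_code]; 18 is
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the code shown by s_client.
def verify_against(cert, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, cert)
  ok  = ctx.verify
  [ok, ctx.error]
end

if $PROGRAM_NAME == __FILE__
  key, cert = make_self_signed
  puts "signature valid:  #{cert.verify(key.public_key)}"
  puts "untrusted store:  #{verify_against(cert).inspect}"            # [false, 18]
  puts "cert trusted:     #{verify_against(cert, trusted: [cert]).inspect}" # [true, 0]
end
```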
Trying with a proper certificate

With that, it ran with neither the server-side error nor the browser warning.

On a Mac it looks like this

On the relationship between OpenSSL and LibreSSL