por que o teste de fixação do certificado de curvatura não funciona com o resumo do sha1?

0

Eu tenho um problema usando o resumo sha1 no teste de fixação de certificado. Usando sha256 funciona bem, mas se eu usar sha1 não funciona. Por quê?

version of curl:
 
➜  src ./curl -V
curl 7.55.1 (x86_64-apple-darwin16.0.0) libcurl/7.55.1 SecureTransport zlib/1.2.8
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

TEST 1 using sha256   ➜ src openssl s_client -connect uol.com.br:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst sha256 -binary | openssl enc -base64 depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA verify error:num=19:self signed certificate in certificate chain verify return:0 writing RSA key d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=

➜ src ./curl --head --verbose --pinnedpubkey "sha256//d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM=" https://uol.com.br * Trying 200.147.67.142... * TCP_NODELAY set * Connected to uol.com.br (200.147.67.142) port 443 (#0) * public key hash: sha256//d9W9zyq64Gw8JEA/siAixfvoRRwZVpSgbYJV//0CeKM= * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: www.uol.com.br * Server certificate: RapidSSL SHA256 CA * Server certificate: GeoTrust Global CA > HEAD / HTTP/1.1 > Host: uol.com.br > User-Agent: curl/7.55.1 > Accept: / > < HTTP/1.1 302 Found HTTP/1.1 302 Found < Date: Fri, 29 Sep 2017 19:32:18 GMT Date: Fri, 29 Sep 2017 19:32:18 GMT < Server: Apache Server: Apache < Connection: close Connection: close < Content-Type: text/html; charset=iso-8859-1 Content-Type: text/html; charset=iso-8859-1   < * Closing connection 0

TEST 2 using sha1   ➜ src openssl s_client -connect uol.com.br:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha1 -binary | openssl enc -base64 depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA verify error:num=19:self signed certificate in certificate chain verify return:0 writing RSA key BQr5oEtKUmTzlcelRcWvGvMnQzk=

➜ src ./curl --head --verbose --pinnedpubkey "sha1//BQr5oEtKUmTzlcelRcWvGvMnQzk=" https://uol.com.br * Trying 200.221.2.45... * TCP_NODELAY set * Connected to uol.com.br (200.221.2.45) port 443 (#0) * SSL: public key does not match pinned public key! * Closing connection 0 curl: (90) SSL: public key does not match pinned public key!

    
por Rafael F. 29.09.2017 / 21:50

1 resposta

0

Porque curl apenas verifica os hashes SHA256; não hashes SHA1.

Da página do manual:

--pinnedpubkey <pinned public key (hashes)>

          (SSL) Tells curl to  use  the  specified  public  key  file  (or
          hashes)  to  verify the peer. This can be a path to a file which
          contains a single public key in PEM or DER format, or any number
          of base64 encoded sha256 hashes preceded by ´sha256//´ and sepa‐
          rated by ´;´
    
por 30.09.2017 / 12:42

Tags