The ssl.conf of OHS (Oracle HTTP Server) contains an entry that controls the TLS version.
Below: how to check which TLS versions a listener actually accepts, and how to change which versions are allowed.
## OpenSSL
To check the TLS version, OpenSSL must be installed.
1. Go to https://www.openssl.org/source/
2. Download the desired OpenSSL release (tar.gz file) and extract it
3. In ./openssl1-1.ld, run ./config shared
4. Run make
5. Run make install
6. Confirm the installation works by running the openssl command
## Checking whether a TLS version is in use
- openssl s_client -connect {ip}:{port} -tls1_2 (checks whether the given ip and port accept TLS 1.2)
=> The -tls1 / -tls1_1 / -tls1_2 / -tls1_3 options check each version respectively
=> When the version is not in use:
```
[weblogic@localhost openssl-1.1.1p]$ openssl s_client -connect 192.168.56.242:4443 -tls1_1
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1656996932
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
```
=> When the version is in use:
```
[weblogic@localhost openssl-1.1.1p]$ openssl s_client -connect 192.168.56.242:4443 -tls1_2
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
verify error:num=18:self signed certificate
verify return:1
depth=0 C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
verify return:1
---
Certificate chain
 0 s:C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
   i:C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICZjCCAc8CECCHKybA1CBaIvHDJz+CVlMwDQYJKoZIhvcNAQELBQAwczELMAkG
A1UEBhMCS1IxDjAMBgNVBAgTBVNlb3VsMRQwEgYDVQQHEwtEb25nRGFlTW9vbjEQ
MA4GA1UEChMHVEVTVElORzESMBAGA1UECwwJVEVTVF9DT01QMRgwFgYDVQQDEw93
d3cuSkhIQU4uY28ua3IwIBcNMjIwNTMxMDgwNzU1WhgPMjEyMjA1MDcwODA3NTVa
MHMxCzAJBgNVBAYTAktSMQ4wDAYDVQQIEwVTZW91bDEUMBIGA1UEBxMLRG9uZ0Rh
ZU1vb24xEDAOBgNVBAoTB1RFU1RJTkcxEjAQBgNVBAsMCVRFU1RfQ09NUDEYMBYG
A1UEAxMPd3d3LkpISEFOLmNvLmtyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCJM2H8o2OHUeUIAWRRikGm0BqrzDZmH9PMHr/4E7sOmGpWQNOKRidjWrrTiq8W
SaSWxvIQgE6crPy6jWwQQM0NBGEJLRN5bpbiPVoHN+X6ypzJmffEiPaVJH5HhtZj
pnu3IqE3wEo6oSl9m/vwrv6aopuktFI7BQ6fBMf12nBgEQIDAQABMA0GCSqGSIb3
DQEBCwUAA4GBAEpGHoZnWgfqzBaYpIFHIwewoxoWW72YVpKTeUiE0enmMm/SGfTO
sMWVb7UEpjHA1ViT27eXDmBSWNnh5hfjpvhlu1CmzHub/qq7pw3RMTj44CHmMdh+
RSEhFE+IgpCJZc3NL07U7KYEzv85rYx64D5058sDPA7s6fqwC7TeurSR
-----END CERTIFICATE-----
subject=C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
issuer=C = KR, ST = Seoul, L = DongDaeMoon, O = TESTING, OU = TEST_COMP, CN = www.JHHAN.co.kr
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 989 bytes and written 318 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7008E433B7C1B67F959039EECDE9B6D8334AA964AC682A5592BB532C4BD1CDD7
    Session-ID-ctx:
    Master-Key: D4CC38811C2C1A5C9B28B1AF31CB4A72B6B2EDD3A1F95F58ED0382D98690508D36176EB6B204F35B210F86466635B047
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1656996980
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
closed
```
## How to change the TLS version restriction
By default only TLS 1.2 is enabled; setting SSLProtocol ALL allows several versions to be used at once. Because ALL also re-enables the older TLS 1.0 and 1.1, re-run the s_client checks above after any change so that only the intended versions are reported as in use.
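The per-version s_client check above is easy to script so it can be re-run after every ssl.conf change. The script below is an added example and not part of the original post; the helper names are hypothetical, and the two embedded sample outputs are constructed excerpts modelled on the refused (TLS 1.1) and accepted (TLS 1.2) sessions shown above.

```shell
#!/bin/sh
# Added example, not from the original post: script the per-version
# openssl s_client checks described above. Helper names are hypothetical.

# Did the handshake succeed? The refused TLS 1.1 attempt on the page prints
# "Cipher is (NONE)"; the accepted TLS 1.2 attempt prints a real suite.
tls_handshake_ok() {
  case "$1" in
    *"Cipher is (NONE)"*) return 1 ;;
    *"New, TLSv"*", Cipher is "*) return 0 ;;
    *) return 1 ;;
  esac
}

# "Protocol :" field. The refused attempt still reports TLSv1.1 (the version
# requested), so this field alone cannot tell whether a version is enabled.
negotiated_protocol() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Probe each version flag the page lists against one listener.
probe_tls_versions() {
  host="$1"; port="$2"
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "-$v" 2>&1)
    if tls_handshake_ok "$out"; then
      printf '%-7s enabled  (%s)\n' "$v" "$(negotiated_protocol "$out")"
    else
      printf '%-7s disabled\n' "$v"
    fi
  done
}

# Constructed excerpts modelled on the two outputs shown above (offline test data).
SAMPLE_REFUSED='CONNECTED(00000003)
write:errno=0
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Usage: sh tlsprobe.sh <host> <port>
if [ $# -ge 2 ]; then probe_tls_versions "$1" "$2"; fi
```

Run it against the OHS listener before and after editing SSLProtocol; a version that ssl.conf is supposed to block must show as disabled.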