点击(此处)折叠或打开
- openssl s_client -connect 127.0.0.1:80 -ssl3
- unknown option -ssl3
点击(此处)折叠或打开
- openssl version -a
- OpenSSL 1.0.1e-fips 11 Feb 2013
我后来仔细的看了ciphers,从这里我猜测到了一些,这个FIPS的openssl 编译的时候应该就去掉了sslv3的支持。(no-ssl3)
点击(此处)折叠或打开
- openssl ciphers -v
- DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
- RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
- RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
- DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
- EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
- EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
对比一下就很清楚了,FIPS的openssl 只有6个ciphers suites. 而我的rhel 7上的openssl ciphers suites 则有70多。
点击(此处)折叠或打开
- penssl version -a
- OpenSSL 1.0.1e-fips 11 Feb 2013
- openssl ciphers -v
- ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
- ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
- ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
- ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
- ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
- ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
- DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
- DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
- DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
- DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
- DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
- DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
- DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
- DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
- ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
- ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
- ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
- ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
- ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
- ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
- AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
- AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
- AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
- CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
- PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
- .......省略50行的输出.......................................
FIPS是需要enabled的。
在shared object 里面能看到symbol.
点击(此处)折叠或打开
- ~ #nm /usr/lib64/libssl.so.1.0.0 |grep -i fips
- U FIPS_mode
- 000000000002f860 T tls_fips_digest_extra
- ~ #nm /usr/lib64/libcrypto.so |grep -i fips_*
- 0000000000080cd0 T ERR_load_FIPS_strings
- 00000000001bc970 T FIPS_add_error_data
- 00000000001bdda0 T FIPS_add_lock
- 0000000000179fa0 T FIPS_bn_bin2bn
- 0000000000179680 T FIPS_bn_bn2bin
- ...........省略n行输出.............
- ~ # nm /usr/lib64/libcrypto.so | grep -i fips_text_*
- 00000000001beb00 T FIPS_text_end
- 0000000000170a80 T FIPS_text_start
- ~ # nm /usr/lib64/libcrypto.so | grep -i fips_rodata*
- 00000000001efbe0 R FIPS_rodata_end
- 00000000001e48e0 R FIPS_rodata_start
- ~ # nm /usr/lib64/libcrypto.so | grep -i fips_signature*
- 000000000044d6e0 B FIPS_signature
- ~ # nm /usr/lib64/libcrypto.so | grep -i fips_incore*
- 0000000000170c60 T FIPS_incore_fingerprint
1. 我可以md5命令而不报错,不知道为啥
点击(此处)折叠或打开
- env OPENSSL_FIPS=1 openssl md5 <some file>
2.另外一个就是我在rhel 上用nm 来查看查看符号,一个都看不到。
点击(此处)折叠或打开
- ldd /usr/bin/openssl
- linux-vdso.so.1 => (0x00007ffc4f9f7000)
- libssl.so.10 => /lib64/libssl.so.10 (0x00007feccddcb000)
- libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007feccdb7f000)
- libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007feccd899000)
- libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007feccd695000)
- libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007feccd463000)
- libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007feccd07a000)
- libdl.so.2 => /lib64/libdl.so.2 (0x00007feccce76000)
- libz.so.1 => /lib64/libz.so.1 (0x00007fecccc60000)
- libc.so.6 => /lib64/libc.so.6 (0x00007feccc89e000)
- libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007feccc68f000)
- libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007feccc48b000)
- libresolv.so.2 => /lib64/libresolv.so.2 (0x00007feccc270000)
- libpthread.so.0 => /lib64/libpthread.so.0 (0x00007feccc054000)
- /lib64/ld-linux-x86-64.so.2 (0x00007fecce061000)
- libselinux.so.1 => /lib64/libselinux.so.1 (0x00007feccbe2e000)
- libpcre.so.1 => /lib64/libpcre.so.1 (0x00007feccbbcd000)
- liblzma.so.5 => /lib64/liblzma.so.5 (0x00007feccb9a8000)
- nm /lib64/libssl.so.10
- nm: /lib64/libssl.so.10: no symbols
- strings /lib64/libssl.so.10 |grep ssl
- ssl2_new
- ssl2_clear
- ssl2_free
- ssl2_accept
- ssl2_connect
- ssl2_read
- ssl2_peek
- ssl2_write
- ssl2_shutdown
- ssl_ok
- ssl2_ctrl
- ssl2_ctx_ctrl
- ssl2_get_cipher_by_char
- ssl2_put_cipher_by_char
- ssl2_pending
- ssl2_num_ciphers
- ssl2_get_cipher
- ssl2_default_timeout
- ssl3_undef_enc_method
后记:
到底什么是 FIPS的openssl 呢?
官方的说法在这里:
https://www-origin.openssl.org/docs/fipsnotes.html