VNX:如何将 SHA1 哈希算法更改为更强的证书身份验证,用于 CVE-2004-2761 的控制台上的 SHA256 哈希算法

Summary: 如何将 SHA1 哈希算法更改为更强的证书身份验证,用于 CVE-2004-2761 的控制台上的 SHA256 哈希算法

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

需要将证书更改为更强的哈希算法进行身份验证,SHA256 哈希算法


Nessus 扫描程序检测到 CVE-2004-2761
NessusOutput:Port: 5989/TCP
以下证书是远程主机发送的证书链的一部分;但包含被视为较弱的哈希。

|-主题:O=VNX Control Station Administrator/CN=10.20.30.40/CN=VNX5300/CN=VNX5300.mydomain.net
|-Signature Algorithm:采用 RSA 加密
的 SHA-1|-有效期为:Jul 28 17:52:32 2014 GMT
|-Valid To :Aug 03 17:52:33 2019 GMT

需要将证书更改为更强的哈希算法进行身份验证,SHA256哈希算法 

Cause

不适用

Resolution

To see the current settings:
[root@ CA]# openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature
        Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

To view the options:
[root@CA]# openssl dgst -?
unknown option '-?'
options are
-c              to output the digest with separating colons
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-signature file signature to verify
-binary         output in binary form
-engine e       use engine e, possibly a hardware device.
-md5            to use the md5 message digest algorithm (default)
-md4            to use the md4 message digest algorithm
-md2            to use the md2 message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha            to use the sha message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
[root@CA]#

To change the setting, vi /nas/site/CA/ca.cnf  and change defaulf_md = sha1 to sha256.
>>>>>>As a precaution, you can save a copy first to /home/nasadmin:<<<<<<<<

[root@CA]#  cp -p /nas/site/CA/ca.cnf  /home/nasadmin/
[root@CA]#  vi /nas/site/CA/ca.cnf

Example before the change:
[ CA_default ]
dir = /nas/site/CA
database = $dir/index.txt
new_certs_dir = /tmp
certificate = $dir/ca_certificate.pem
serial = $dir/serial
private_key = $dir/key.pem
default_days = 1825
default_md = sha1 <<<<<<<<<<<<<< This is the parameter to change to sha256

Example with the change:
[ CA_default ]
dir = /nas/site/CA
database = $dir/index.txt
new_certs_dir = /tmp
certificate = $dir/ca_certificate.pem
serial = $dir/serial
private_key = $dir/key.pem
default_days = 1825
default_md = sha256  <<<<<<<<<<<<< After the change - the parameter should be this

After that, as root, please run the following command to generate new key/cert and restart the Apache/CIM all at once to apply the change:
[root@CA]#  /nas/http/nas_ezadm/bin/gen_ssl_cert.pl 


To verify the signature on the certificate, re-run the openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature command:
[root@ CA]#  openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Additional Information

SHA(代表安全哈希算法)是证书颁发机构用来签署证书和 CRL(证书吊销列表)的哈希算法。
SHA256 哈希算法不干预加密/身份验证过程,但工具(浏览器、电子邮件客户端、服务器等)必须能够在连接/身份验证过程中读取/破译此类哈希。

Affected Products

VNX1 Series
Article Properties
Article Number: 000102888
Article Type: Solution
Last Modified: 30 Jul 2021
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.