VNX: How to change the SHA1 hash algorithm used for certificate authentication on the Control Station to the stronger SHA256 hash algorithm, applicable to CVE-2004-2761
Summary: How to change the SHA1 hash algorithm used for certificate authentication on the Control Station to the stronger SHA256 hash algorithm, applicable to CVE-2004-2761
Symptoms
The Nessus scanner detects CVE-2004-2761.
Nessus output: Port: 5989/tcp
The following certificate is part of the certificate chain sent by the remote host, but it contains a hash that is considered weak.
|-Subject: O=VNX Control Station Administrator/CN=10.20.30.40/CN=VNX5300/CN=VNX5300.mydomain.net
|-Signature Algorithm: SHA-1 With RSA Encryption
|-Valid From: Jul 28 17:52:32 2014 GMT
|-Valid To: Aug 03 17:52:33 2019 GMT
The certificate needs to be changed to a stronger hash algorithm for authentication: the SHA256 hash algorithm.
Cause
Resolution
To see the current settings:
[root@ CA]# openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
To view the options:
[root@CA]# openssl dgst -?
unknown option '-?'
options are
-c to output the digest with separating colons
-d to output debug info
-hex output as hex dump
-binary output in binary form
-sign file sign digest using private key in file
-verify file verify a signature using public key in file
-prverify file verify a signature using private key in file
-keyform arg key file format (PEM or ENGINE)
-signature file signature to verify
-binary output in binary form
-engine e use engine e, possibly a hardware device.
-md5 to use the md5 message digest algorithm (default)
-md4 to use the md4 message digest algorithm
-md2 to use the md2 message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha to use the sha message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm
[root@CA]#
To change the setting, edit /nas/site/CA/ca.cnf with vi and change default_md = sha1 to default_md = sha256.
As a precaution, you can save a copy first to /home/nasadmin:
[root@CA]# cp -p /nas/site/CA/ca.cnf /home/nasadmin/
[root@CA]# vi /nas/site/CA/ca.cnf
Example before the change:
[ CA_default ]
dir = /nas/site/CA
database = $dir/index.txt
new_certs_dir = /tmp
certificate = $dir/ca_certificate.pem
serial = $dir/serial
private_key = $dir/key.pem
default_days = 1825
default_md = sha1 <<<<<<<<<<<<<< This is the parameter to change to sha256
Example with the change:
[ CA_default ]
dir = /nas/site/CA
database = $dir/index.txt
new_certs_dir = /tmp
certificate = $dir/ca_certificate.pem
serial = $dir/serial
private_key = $dir/key.pem
default_days = 1825
default_md = sha256 <<<<<<<<<<<<< After the change - the parameter should be this
After that, as root, run the following command; it generates a new key and certificate and restarts Apache/CIM in one step so the change takes effect:
[root@CA]# /nas/http/nas_ezadm/bin/gen_ssl_cert.pl
To verify the signature on the certificate, re-run the openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature command:
[root@ CA]# openssl x509 -in /nas/http/conf/current.crt -text | grep -i signature
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
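As an added example (not part of the original KB or Dell EMC's own tooling), the POSIX shell script below turns the two checks in this procedure, the certificate's Signature Algorithm and the default_md parameter in ca.cnf, into functions you can run before and after the change. It uses constructed sample data; the only paths it assumes are the ones the article itself names.

```shell
#!/bin/sh
# Added example, not from the original KB: audit a VNX Control Station
# certificate and its CA config the way this article does, but scriptably.
# Assumes the cert text is `openssl x509 -text` output and the CA config is
# an OpenSSL-style ca.cnf with a default_md key, as shown in the article.

# Print "weak" (md2/md4/md5/sha1-based) or "ok" (anything else, e.g. sha256)
# for the Signature Algorithm lines of `openssl x509 -text` output in $1.
classify_sig_alg() {
    algs=$(printf '%s\n' "$1" | grep -i 'Signature Algorithm' \
           | awk '{print tolower($NF)}' | sort -u)
    [ -n "$algs" ] || { echo "unknown"; return 2; }
    for a in $algs; do
        case "$a" in
            md2*|md4*|md5*|sha1*|shawith*) echo "weak"; return 1 ;;
        esac
    done
    echo "ok"
}

# Print the effective default_md from the ca.cnf at $1 ("missing" if unset);
# exit status 0 only when it is sha256 or stronger.
check_default_md() {
    md=$(sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    echo "${md:-missing}"
    case "$md" in sha256|sha384|sha512) return 0 ;; *) return 1 ;; esac
}

# Constructed samples mirroring the article's before/after output.
CERT_BEFORE='Certificate:
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption'
CERT_AFTER='Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption'
CNF_BEFORE=$(mktemp) && CNF_AFTER=$(mktemp)
trap 'rm -f "$CNF_BEFORE" "$CNF_AFTER"' EXIT
printf '[ CA_default ]\ndir = /nas/site/CA\ndefault_md = sha1\n' > "$CNF_BEFORE"
printf '[ CA_default ]\ndir = /nas/site/CA\ndefault_md = sha256\n' > "$CNF_AFTER"

echo "cert before:   $(classify_sig_alg "$CERT_BEFORE")"   # weak
echo "cert after:    $(classify_sig_alg "$CERT_AFTER")"    # ok
echo "ca.cnf before: $(check_default_md "$CNF_BEFORE")"    # sha1
echo "ca.cnf after:  $(check_default_md "$CNF_AFTER")"     # sha256

# On a real Control Station the same checks run against the live files:
#   classify_sig_alg "$(openssl x509 -in /nas/http/conf/current.crt -text)"
#   check_default_md /nas/site/CA/ca.cnf
```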
More information
The SHA256 hash algorithm does not interfere with the encryption/authentication process, but the tools involved (browsers, e-mail clients, servers, and so on) must be able to read and interpret this type of hash during the connection/authentication process.