PHPをダウンロードしようとしたらエラーとなった
PHP(https://www.php.net/downloads.php)で最新のPHPをwgetダウンロードしようとしたら下記エラーが発生した。
wget https://www.php.net/distributions/php-7.4.25.tar.gz
--2021-11-04 00:49:35-- https://www.php.net/distributions/php-7.4.25.tar.gz
www.php.net (www.php.net) をDNSに問いあわせています... 2a02:cb40:200::1ad, 185.85.0.29
www.php.net (www.php.net)|2a02:cb40:200::1ad|:443 に接続しています... 接続しました。
エラー: `www.php.net' の証明書は信用されません。
エラー: `www.php.net' の証明書の署名に使われているアルゴリズムが安全ではありません。
どうやらphp.netで使われているサーバ証明書の署名アルゴリズムが古いようです。
Windows(Chrome)上では特に問題なかったのですが、どうやらwgetでの判定処理で安全ではないと判断された模様。
「--no-check-certificate」を付けたらダウンロードが可能
結論から言うとwgetでダウンロードする際に「 --no-check-certificate 」をつければダウンロードは可能になる。
ただし、証明書確認などを行わなくなるので、本当に信頼しているサイトなのかどうか確認したほうがよい。
PHPのソースコードはSHA256のハッシュ値も記載されているので、一致するかどうか確認したほうがよい。
wget https://www.php.net/distributions/php-7.4.25.tar.gz --no-check-certificate
--2021-11-04 00:51:43-- https://www.php.net/distributions/php-7.4.25.tar.gz
www.php.net (www.php.net) をDNSに問いあわせています... 2a02:cb40:200::1ad, 185.85.0.29
www.php.net (www.php.net)|2a02:cb40:200::1ad|:443 に接続しています... 接続しました。
警告: `www.php.net' の証明書は信用されません。
警告: `www.php.net' の証明書の署名に使われているアルゴリズムが安全ではありません。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 16645538 (16M) [application/octet-stream]
`php-7.4.25.tar.gz.2' に保存中
php-7.4.25.tar.gz.2 100%[========================================>] 15.87M 4.16MB/s 時間 3.8s
2021-11-04 00:51:48 (4.16 MB/s) - `php-7.4.25.tar.gz.2' へ保存完了 [16645538/16645538]
原因調査(解決せず)
「警告: `www.php.net' の証明書の署名に使われているアルゴリズムが安全ではありません。」といわれているので、どんなアルゴリズムになっているのか気になったので調査してみた。
あれこれ見てみたが結局わからないままなので備忘録程度で記載しています。
wgetのバージョン
CentOS8のwgetは「GNU Wget 1.19.5」を使われている模様。
githubのNEWSを見てもそれらしきものはなかった。
wget --version
GNU Wget 1.19.5 built on linux-gnu.
-cares +digest +gpgme +https +ipv6 +iri +large-file +metalink +nls
+ntlm +opie +psl +ssl/gnutls
Wgetrc:
/etc/wgetrc (system)
ロケール:
/usr/share/locale
コンパイル:
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib
-I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS -DNDEBUG -O2 -g -pipe
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection
リンク:
gcc -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS -DNDEBUG -O2 -g -pipe
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection -Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -luuid -lidn2
-L/usr/lib64 -lgpgme -lmetalink -lnettle -lgnutls -lz -lpsl
ftp-opie.o gnutls.o http-ntlm.o ../lib/libgnu.a
Copyright (C) 2015 Free Software Foundation, Inc.
ライセンス GPLv3+: GNU GPL バージョン 3 あるいはそれ以降のバージョン
<http://www.gnu.org/licenses/gpl.html>.
このソフトウェアはフリーソフトウェアです。自由に変更、再配布ができます。
法律が許すかぎり、全くの無保証です。
Hrvoje Niksic <hniksic@xemacs.org> によって書かれました。
バグ報告や質問は<bug-wget@gnu.org>へ
デバッグモードで確認
wgetは「-b」をつけることでデバックモードで確認することができるが、特に得られるものはなかった。
wget -d https://www.php.net/distributions/php-7.4.25.tar.gz
DEBUG output created by Wget 1.19.5 on linux-gnu.
Reading HSTS entries from /root/.wget-hsts
URI encoding = `UTF-8'
Converted file name 'php-7.4.25.tar.gz' (UTF-8) -> 'php-7.4.25.tar.gz' (UTF-8)
--2021-11-04 01:11:20-- https://www.php.net/distributions/php-7.4.25.tar.gz
Certificates loaded: 143
www.php.net (www.php.net) をDNSに問いあわせています... 2a02:cb40:200::1ad, 185.85.0.29
Caching www.php.net => 2a02:cb40:200::1ad 185.85.0.29
www.php.net (www.php.net)|2a02:cb40:200::1ad|:443 に接続しています... 接続しました。
Created socket 3.
Releasing 0x000055a897dded10 (new refcount 1).
エラー: `www.php.net' の証明書は信用されません。
エラー: `www.php.net' の証明書の署名に使われているアルゴリズムが安全ではありません。
opensslで証明書取得
opensslコマンドでSSL証明書の取得
Peer signing digest: SHA256なので、SHA256で署名されているのでアルゴリズムが安全ではない・・・ということはなさそう。
中間証明書もSHA2で署名されているので、これも問題はなさそう。
ちなみにルート証明書はちゃんと「/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt」にあった。
openssl s_client -showcerts -connect www.php.net:443
CONNECTED(00000003)
depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
verify return:1
depth=1 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
verify return:1
depth=0 CN = *.php.net
verify return:1
---
Certificate chain
0 s:CN = *.php.net
i:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
-----BEGIN CERTIFICATE-----
MIIHXDCCBkSgAwIBAgIQaerq5PNnE+ZKOcD27AXKMTANBgkqhkiG9w0BAQsFADCB
hTELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMu
QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEpMCcG
A1UEAxMgQ2VydHVtIERvbWFpbiBWYWxpZGF0aW9uIENBIFNIQTIwHhcNMjEwNTE4
MTAwNDM4WhcNMjIwNTE4MTAwNDM4WjAUMRIwEAYDVQQDDAkqLnBocC5uZXQwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC5lXX+v2xkKl1mDGzEKDdcHIxs
lNVWhPcmZw3iB9ItRLceH333xrCJlTY2dqUt16uMbWiIzIcYszO7bxtwDx7O3mwC
7LxKBz41Gx/nLr4k97SOZPuzxkRaJLqIu9EPz3q8jChoytgR7oZW6PkTvDGZByKr
+7spMjEMckOO4jo7Q7GoCiR5ukRMljgURBDIZDP4ZcOrPmvWibT5adbQLJ6qrDxl
xUSi1FarFjr2vxWmZV4vY/vldKNss2rOt2U/O1RC1GfojBIn2A+9NTtm/QtJNWa2
+VNc0San1e3SDzQNkQKeFFRkHsjFTNtRNsbxwbqacT2boP1l32sb1s31s4m6LB5x
TTyVuznsv3+cj3qBSXtH64NU7u4wt//JOjsjMJNYESIXiFTWiBvXHv9pXrrbWUrJ
XOwicvzoP0NhZNkQQDX29aAXZxPrkGLIIqTobwhJXx2wR/IcgIcp+0M7+friHlFr
OgnEzAtWluVRR/eG2tvBaAt17O2Ta6LdZShZvYs6sEm6d/tIejbTcqhVFPIaUWHH
YyMkc8tQG+9QegZo8MEYV84nI0IDBHz/QBAJpiTfGCEKi5ZwTLMTJsszko+wjqGU
tFxdMSi2NUYFnBRupAuQCTA3xA9lUWfxylQbHfA1e28oR6cK6bjrOrPgSD1PVgR3
OTrs/Kgr6jDW2gkimQIDAQABo4IDNjCCAzIwDAYDVR0TAQH/BAIwADAyBgNVHR8E
KzApMCegJaAjhiFodHRwOi8vY3JsLmNlcnR1bS5wbC9kdmNhc2hhMi5jcmwwcQYI
KwYBBQUHAQEEZTBjMCsGCCsGAQUFBzABhh9odHRwOi8vZHZjYXNoYTIub2NzcC1j
ZXJ0dW0uY29tMDQGCCsGAQUFBzAChihodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0u
cGwvZHZjYXNoYTIuY2VyMB8GA1UdIwQYMBaAFOUxrb86EZb0g7xQPNS3kJuQ7t4l
MB0GA1UdDgQWBBQaDqs81BhuQFJUeVUGG/FAE6o1XDAdBgNVHRIEFjAUgRJkdmNh
c2hhMkBjZXJ0dW0ucGwwSwYDVR0gBEQwQjAIBgZngQwBAgEwNgYLKoRoAYb2dwIF
AQMwJzAlBggrBgEFBQcCARYZaHR0cHM6Ly93d3cuY2VydHVtLnBsL0NQUzAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
EQQWMBSCCSoucGhwLm5ldIIHcGhwLm5ldDCCAX8GCisGAQQB1nkCBAIEggFvBIIB
awFpAHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF5fu8/yAAA
BAMARzBFAiBZQARMnLmqT9DtGsvRv+e4Hjo3sH9YhQSwP9UC5zaN1wIhAL/xoymC
BdeUAkD1RuCwiQw4CIu3y16zyR5w9avTo3srAHYARqVV63X6kSAwtaKJafTzfREs
QXS+/Um4havy/HD+bUcAAAF5fu8/IAAABAMARzBFAiEA4sc8QJzffYi6CPsf8RjJ
8CAurgi8QrLkgTdgyo6l15kCIAHDeogJRWOBg/XGevMtARucDL0aP3v+y3nP53Fu
5pC5AHcAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAF5fu9AWgAA
BAMASDBGAiEA5tlu0swGAM13PSuc2NGAwDQkZOtMpcA0ZNm59ZvK+ooCIQDUbLJm
s1rL024AS6wh7xuVcmTrHriSr/JLxQWptPlsbzANBgkqhkiG9w0BAQsFAAOCAQEA
AJD2OyUoYPvoMxpTUeb2bAHufs8LEyX+nnlUWYhk90VhViWkCmAHPoKKxEo3gcSc
ELWONeT5bl+wscb6QgJrDSJihyFbq7Yza8Nnti4POyxZDSVS7mPfwz03ncIPZqeG
LGenC/kwr/WMoGZWedoLhyXjZkckDT8iPtegnB5NdJ3zWWianblxINH6JC6m+/Iu
qHd++L02GTKSaPRVw1jd0zEWyI7D66VnZdV7N3wSGQMi+uzM/VFyyhBXqWIKBTYA
zoLGG76Cf4YIzO3uFTXvRORab7bZrMrDXO2R+Ag2b9Ybuhd9UO2ApF7aShX1tCyl
Vs42flxpr809Mlu7YShrSw==
-----END CERTIFICATE-----
1 s:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
i:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
-----BEGIN CERTIFICATE-----
MIIEzjCCA7agAwIBAgIQJt3SK0bJxE1aaU05gH5yrTANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5B
LjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIwIAYD
VQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMB4XDTE0MDkxMTEyMDAwMFoX
DTI3MDYwOTEwNDYzOVowgYUxCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRv
IFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkxKTAnBgNVBAMTIENlcnR1bSBEb21haW4gVmFsaWRhdGlvbiBD
QSBTSEEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoSVj343kIAfZ
VNHRBPYX4j5H+8N0JbjEvxISvOBw0TkFwhez94JwoE4H/hAq/9sNRl4klKOLRZ8Y
m85CxK7bgzO8wru0MLanN4d4e0jLJSyCuwpIEmB2ieyOzI8eUkjphgJawrCKfIU9
2f9gTzNspqGgheHXU/LqJz1lqXLBCIPMsCWcEUYk4D70p+/tUbFlk0K09uaGChB5
MjZYsmuo3NV6Hp0U7kDnskZMvZopwuz4MMFiAiriHINi0IU2GoPeEoQpZe/SMr4x
YEKoz/jd6tBWRx29dpYkE+e+2Zkr+jBk8Yo4eqbhKpYCsJ262I9tTnqUaX2wk6p0
5ZOQE/qimQIDAQABo4IBPjCCATowDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
5TGtvzoRlvSDvFA81LeQm5Du3iUwHwYDVR0jBBgwFoAUCHbNywf/JPbFze27kLzi
hDdGdfcwDgYDVR0PAQH/BAQDAgEGMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9j
cmwuY2VydHVtLnBsL2N0bmNhLmNybDBrBggrBgEFBQcBAQRfMF0wKAYIKwYBBQUH
MAGGHGh0dHA6Ly9zdWJjYS5vY3NwLWNlcnR1bS5jb20wMQYIKwYBBQUHMAKGJWh0
dHA6Ly9yZXBvc2l0b3J5LmNlcnR1bS5wbC9jdG5jYS5jZXIwOQYDVR0gBDIwMDAu
BgRVHSAAMCYwJAYIKwYBBQUHAgEWGGh0dHA6Ly93d3cuY2VydHVtLnBsL0NQUzAN
BgkqhkiG9w0BAQsFAAOCAQEAur/w4d1NK0JDZFjfZPP/gBpfVr47qbJ291R6TDDB
mSRLctLK1PoIxpDeiBLt+JD5/KmE/ZLyeOXbySJXq0EwQmsLn9dzM/sBZxxCXI8n
Z8duBwONDpbLCgPMPviHPDUwzRiM1XHdzd1hsBOjZEZO/nFOa2XpFATyP6i9DDY9
Kl2eB/LCT5DFXk0YN9EnKICkNuXKk2plDviTua9SWEt6cdi68+/S8/ail+RdFAKa
y+WutpPhI5+bP0b37o6hAFtmwx5oI4YPXXe6U635UvtwFcV16895rUl88nZirkQv
xV9RNCVBahIKX46uEMRDiTX97P8x5uweh+k6fClQRUGjFA==
-----END CERTIFICATE-----
2 s:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
i:C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
-----BEGIN CERTIFICATE-----
MIIEtDCCA5ygAwIBAgIRAJOShUABZXFflH8oj+/JmygwDQYJKoZIhvcNAQELBQAw
PjELMAkGA1UEBhMCUEwxGzAZBgNVBAoTElVuaXpldG8gU3AuIHogby5vLjESMBAG
A1UEAxMJQ2VydHVtIENBMB4XDTA4MTAyMjEyMDczN1oXDTI3MDYxMDEwNDYzOVow
fjELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMu
QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEiMCAG
A1UEAxMZQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAOP7faNyusLwyRSH9WsBTuFuQAe6bSddf/dbLbNax1Ff
q6QypmGHtm4PhtIwApf412lXoRg5XWpkecYBWaw8MUo4fNIE0kso6CBfOweizE1z
2/OuT8dW1Vqnlon686to1COGWSfPCSe8rG5ygxwwct/gounS4XR1Gb0qnnsVVAQb
10M5rVUoxeIau/TA5K44STPMdoWfOUXSpJ7yEoxR+HzkLX/1rF/rFp+xLdG6zJFC
d0wlyZA4b9vwzPuOHpdZPtVgTuYFKO1JeRNLukjbL/ly0znK/h/YNHL1tEDPMQHD
7N4RLRddH7hQ0V4Zp2neBzMoylCV+adUy1SGUEWp+UkCAwEAAaOCAWswggFnMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAh2zcsH/yT2xc3tu5C84oQ3RnX3MFIG
A1UdIwRLMEmhQqRAMD4xCzAJBgNVBAYTAlBMMRswGQYDVQQKExJVbml6ZXRvIFNw
LiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBDQYIDAQAgMA4GA1UdDwEB/wQEAwIB
BjAsBgNVHR8EJTAjMCGgH6AdhhtodHRwOi8vY3JsLmNlcnR1bS5wbC9jYS5jcmww
aAYIKwYBBQUHAQEEXDBaMCgGCCsGAQUFBzABhhxodHRwOi8vc3ViY2Eub2NzcC1j
ZXJ0dW0uY29tMC4GCCsGAQUFBzAChiJodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0u
cGwvY2EuY2VyMDkGA1UdIAQyMDAwLgYEVR0gADAmMCQGCCsGAQUFBwIBFhhodHRw
Oi8vd3d3LmNlcnR1bS5wbC9DUFMwDQYJKoZIhvcNAQELBQADggEBAI3m/UBmo0yc
p6uh2oTdHDAH5tvHLeyDoVbkHTwmoaUJK+h9Yr6ydZTdCPJ/KEHkgGcCToqPwzXQ
1aknKOrS9KsGhkOujOP5iH3g271CgYACEnWy6BdxqyGVMUZCDYgQOdNv7C9C6kBT
Yr/rynieq6LVLgXqM6vp1peUQl4E7Sztapx6lX0FKgV/CF1mrWHUdqx1lpdzY70a
QVkppV4ig8OLWfqaova9ML9yHRyZhpzyhTwd9yaWLy75ArG1qVDoOPqbCl60BMDO
TjksygtbYvBNWFA0meaaLNKQ1wmB1sCqXs7+0vehukvZ1oaOGR+mBkdCcuBWCgAc
eLmNzJkEN0k=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.php.net
issuer=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5253 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D4B24CB917C6130B677BE33CFB62D305A0C8E59B6E78EF7B93D449EEE3E0F7EE
Session-ID-ctx:
Master-Key: A119C3AFDE3981F16CD43E60D47F4C680049F77527B0A8ED9D5A18104F8B5189406E3F3570E57AA1AB4148D30F08042A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 900 (seconds)
TLS session ticket:
0000 - 27 fd b4 49 1a b7 81 d3-61 45 70 05 46 08 d8 fc '..I....aEp.F...
0010 - 32 2e ef bf 3e d4 9d ba-98 fc 07 59 65 bd 16 0c 2...>......Ye...
0020 - e0 41 1d 4a 11 91 05 a0-9a 4e f3 c0 bc 7a 72 bc .A.J.....N...zr.
0030 - 54 8d 17 27 40 e5 af ff-27 fb 1f ff fa 33 25 05 T..'@...'....3%.
0040 - e0 98 f5 be d3 97 2f cd-4e 45 6a 33 f9 58 8e f9 ....../.NEj3.X..
0050 - 76 8b 5d 2e 4d 64 8c 96-15 32 cd 21 58 10 58 5d v.].Md...2.!X.X]
0060 - 95 98 d1 c0 fb 6a 4e a0-1b bc 91 16 5c 12 74 76 .....jN.....\.tv
0070 - 5f e2 3f 5e 60 17 96 db-ad 53 c4 31 a3 4a 60 e1 _.?^`....S.1.J`.
0080 - 89 2c 63 49 43 a6 5a b3-1c ef cf ed 61 13 8c 20 .,cIC.Z.....a..
0090 - d7 23 1c ed ae f0 d3 bb-2c f6 9a 4c e8 a2 58 2d .#......,..L..X-
00a0 - 71 3b ba f2 7a 0d 88 4f-67 89 f4 b1 42 31 65 ad q;..z..Og...B1e.
00b0 - 27 08 84 cf 02 1d 1f 3e-71 74 d6 73 fd 6d 0a 45 '......>qt.s.m.E
Start Time: 1635955347
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
パケットキャプチャから
tcpdumpでパケットキャプチャを取得し、wiresharkでTLSのCertificate部分を確認してみた。
TLSでみるとNew Session Ticket(サーバ⇒クライアント)後でエラーになっているっぽい。
ServerHelloの暗号スイートを見ると「Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)」になっているので暗号アルゴリズムが弱いことはなさそう。
Certificate部分を確認したが、署名アルゴリズムはopensslと同じく、sha256だったのであまり変わらない。
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4346
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4342
Certificates Length: 4339
Certificates (4339 bytes)
Certificate Length: 1888
Certificate: 3082075c30820644a003020102021069eaeae4f36713e64a39c0f6ec05ca31300d06092a… (id-at-commonName=*.php.net)
signedCertificate
version: v3 (2)
serialNumber: 0x69eaeae4f36713e64a39c0f6ec05ca31
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=Certum Domain Validation CA SHA2,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technologies S.A.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Technologies S.A.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Technologies S.A.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Technologies S.A.
RDNSequence item: 1 item (id-at-organizationalUnitName=Certum Certification Authority)
RelativeDistinguishedName item (id-at-organizationalUnitName=Certum Certification Authority)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Certum Certification Authority
RDNSequence item: 1 item (id-at-commonName=Certum Domain Validation CA SHA2)
RelativeDistinguishedName item (id-at-commonName=Certum Domain Validation CA SHA2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum Domain Validation CA SHA2
validity
notBefore: utcTime (0)
utcTime: 2021-05-18 10:04:38 (UTC)
notAfter: utcTime (0)
utcTime: 2022-05-18 10:04:38 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=*.php.net)
RDNSequence item: 1 item (id-at-commonName=*.php.net)
RelativeDistinguishedName item (id-at-commonName=*.php.net)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: *.php.net
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082020a0282020100b99575febf6c642a5d660c6cc428375c1c8c6c94d55684f726670d…
modulus: 0x00b99575febf6c642a5d660c6cc428375c1c8c6c94d55684f726670de207d22d44b71e1f…
publicExponent: 65537
extensions: 11 items
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax [0 length]
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl.certum.pl/dvcasha2.crl
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://dvcasha2.ocsp-certum.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://repository.certum.pl/dvcasha2.cer
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: e531adbf3a1196f483bc503cd4b7909b90eede25
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: 1a0eab3cd4186e4052547955061bf14013aa355c
Extension (id-ce-issuerAltName)
Extension Id: 2.5.29.18 (id-ce-issuerAltName)
GeneralNames: 1 item
GeneralName: rfc822Name (1)
rfc822Name: dvcasha2@certum.pl
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 2 items
PolicyInformation
policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
PolicyInformation
policyIdentifier: 1.2.616.1.113527.2.5.1.3 (iso.2.616.1.113527.2.5.1.3)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: https://www.certum.pl/CPS
Extension (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 5
KeyUsage: a0
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..1. .... = keyEncipherment: True
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .0.. = keyCertSign: False
.... ..0. = cRLSign: False
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-ce-subjectAltName)
Extension Id: 2.5.29.17 (id-ce-subjectAltName)
GeneralNames: 2 items
GeneralName: dNSName (2)
dNSName: *.php.net
GeneralName: dNSName (2)
dNSName: php.net
Extension (SignedCertificateTimestampList)
Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
Serialized SCT List Length: 361
Signed Certificate Timestamp (Sectigo 'Mammoth' CT log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: 6f5376ac31f03119d89900a45115ff77151c11d902c10029068db2089a37d913
Timestamp: May 18, 2021 10:04:39.240000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 304502205940044c9cb9aa4fd0ed1acbd1bfe7b81e3a37b07f588504b03fd502e7368dd7…
Signed Certificate Timestamp (Google 'Xenon2022' log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: 46a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d47
Timestamp: May 18, 2021 10:04:39.072000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 3045022100e2c73c409cdf7d88ba08fb1ff118c9f0202eae08bc42b2e4813760ca8ea5d7…
Signed Certificate Timestamp (Sectigo 'Sabre' CT log)
Serialized SCT Length: 119
SCT Version: 0
Log ID: 5581d4c2169036014aea0b9b573c53f0c0e43878702508172fa3aa1d0713d30c
Timestamp: May 18, 2021 10:04:39.386000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 72
Signature: 3046022100e6d96ed2cc0600cd773d2b9cd8d180c0342464eb4ca5c03464d9b9f59bcafa…
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 0090f63b252860fbe8331a5351e6f66c01ee7ecf0b1325fe9e7954598864f745615625a4…
Certificate Length: 1234
Certificate: 308204ce308203b6a003020102021026ddd22b46c9c44d5a694d39807e72ad300d06092a… (id-at-commonName=Certum Domain Validation CA SHA2,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technolo
signedCertificate
version: v3 (2)
serialNumber: 0x26ddd22b46c9c44d5a694d39807e72ad
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=Certum Trusted Network CA,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technologies S.A.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Technologies S.A.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Technologies S.A.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Technologies S.A.
RDNSequence item: 1 item (id-at-organizationalUnitName=Certum Certification Authority)
RelativeDistinguishedName item (id-at-organizationalUnitName=Certum Certification Authority)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Certum Certification Authority
RDNSequence item: 1 item (id-at-commonName=Certum Trusted Network CA)
RelativeDistinguishedName item (id-at-commonName=Certum Trusted Network CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum Trusted Network CA
validity
notBefore: utcTime (0)
utcTime: 2014-09-11 12:00:00 (UTC)
notAfter: utcTime (0)
utcTime: 2027-06-09 10:46:39 (UTC)
subject: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=Certum Domain Validation CA SHA2,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technologies S.A.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Technologies S.A.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Technologies S.A.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Technologies S.A.
RDNSequence item: 1 item (id-at-organizationalUnitName=Certum Certification Authority)
RelativeDistinguishedName item (id-at-organizationalUnitName=Certum Certification Authority)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Certum Certification Authority
RDNSequence item: 1 item (id-at-commonName=Certum Domain Validation CA SHA2)
RelativeDistinguishedName item (id-at-commonName=Certum Domain Validation CA SHA2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum Domain Validation CA SHA2
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082010a0282010100a12563df8de42007d954d1d104f617e23e47fbc37425b8c4bf1212…
modulus: 0x00a12563df8de42007d954d1d104f617e23e47fbc37425b8c4bf1212bce070d13905c217…
publicExponent: 65537
extensions: 7 items
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: e531adbf3a1196f483bc503cd4b7909b90eede25
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: 0876cdcb07ff24f6c5cdedbb90bce284374675f7
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 06
0... .... = digitalSignature: False
.0.. .... = contentCommitment: False
..0. .... = keyEncipherment: False
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .1.. = keyCertSign: True
.... ..1. = cRLSign: True
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl.certum.pl/ctnca.crl
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://subca.ocsp-certum.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://repository.certum.pl/ctnca.cer
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 1 item
PolicyInformation
policyIdentifier: 2.5.29.32.0 (anyPolicy)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: http://www.certum.pl/CPS
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: babff0e1dd4d2b42436458df64f3ff801a5f56be3ba9b276f7547a4c30c199244b72d2ca…
Certificate Length: 1208
Certificate: 308204b43082039ca003020102021100939285400165715f947f288fefc99b28300d0609… (id-at-commonName=Certum Trusted Network CA,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technologies S.
signedCertificate
version: v3 (2)
serialNumber: 0x00939285400165715f947f288fefc99b28
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=Certum CA,id-at-organizationName=Unizeto Sp. z o.o.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Sp. z o.o.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Sp. z o.o.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Sp. z o.o.
RDNSequence item: 1 item (id-at-commonName=Certum CA)
RelativeDistinguishedName item (id-at-commonName=Certum CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum CA
validity
notBefore: utcTime (0)
utcTime: 2008-10-22 12:07:37 (UTC)
notAfter: utcTime (0)
utcTime: 2027-06-10 10:46:39 (UTC)
subject: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=Certum Trusted Network CA,id-at-organizationalUnitName=Certum Certification Authority,id-at-organizationName=Unizeto Technologies S.A.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Technologies S.A.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Technologies S.A.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Technologies S.A.
RDNSequence item: 1 item (id-at-organizationalUnitName=Certum Certification Authority)
RelativeDistinguishedName item (id-at-organizationalUnitName=Certum Certification Authority)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: Certum Certification Authority
RDNSequence item: 1 item (id-at-commonName=Certum Trusted Network CA)
RelativeDistinguishedName item (id-at-commonName=Certum Trusted Network CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum Trusted Network CA
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2d…
modulus: 0x00e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432…
publicExponent: 65537
extensions: 7 items
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: 0876cdcb07ff24f6c5cdedbb90bce284374675f7
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
authorityCertIssuer: 1 item
GeneralName: directoryName (4)
directoryName: rdnSequence (0)
rdnSequence: 3 items (id-at-commonName=Certum CA,id-at-organizationName=Unizeto Sp. z o.o.,id-at-countryName=PL)
RDNSequence item: 1 item (id-at-countryName=PL)
RelativeDistinguishedName item (id-at-countryName=PL)
Id: 2.5.4.6 (id-at-countryName)
CountryName: PL
RDNSequence item: 1 item (id-at-organizationName=Unizeto Sp. z o.o.)
RelativeDistinguishedName item (id-at-organizationName=Unizeto Sp. z o.o.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Unizeto Sp. z o.o.
RDNSequence item: 1 item (id-at-commonName=Certum CA)
RelativeDistinguishedName item (id-at-commonName=Certum CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Certum CA
authorityCertSerialNumber: 0x010020
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 06
0... .... = digitalSignature: False
.0.. .... = contentCommitment: False
..0. .... = keyEncipherment: False
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .1.. = keyCertSign: True
.... ..1. = cRLSign: True
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl.certum.pl/ca.crl
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://subca.ocsp-certum.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://repository.certum.pl/ca.cer
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 1 item
PolicyInformation
policyIdentifier: 2.5.29.32.0 (anyPolicy)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: http://www.certum.pl/CPS
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 8de6fd4066a34c9ca7aba1da84dd1c3007e6dbc72dec83a156e41d3c26a1a5092be87d62…
結果としてよくわからない
安全ではないアルゴリズムとはどこで判定しているのか、よくわからなかった。
YahooとかGoogleでwgetしても特に問題はなかったので証明書情報で何かの起因でエラーになっているのかな。