
æåã®æ¥ä»ãå®å šã«å°ç¡ãã«ãããå Žåã¯ã埩å·åã«ã€ããŠå¥³ã®åã«çžè«ããŠãã ããã ã¯ãããããŠãã®åŸã®å Žå-ããã䟡å€ããããŸããã
ããªããšã®åºäŒãã¯åããŠã§ã¯ãªãã®ã§ããã®ããã¹ãã§ã¯åã³åŸ©å·åã«ã€ããŠèª¬æããŸãã
ã¯ããSSLã«ã€ããŠå床説æããŸãã ããããã®ãããã¯ã®2çªç®ã§æåŸã®è³æã§ãããšããäºå®ããç§èªèº«ãšããªãã«åã°ããããšãã§ããŸãã ããããã
ååãé·ãéèŠåŽããŠããSSLã解èªããå¿ èŠãããçç±ãèŠã€ããŸããã
ãã®èšäºã§ã¯ã蚌ææžã®çœ®æã§åŸ©å·åãã©ã®ããã«æ©èœããããåæããŸãã
ããã«ã¯äœãå¿ èŠã§ããïŒ
ãŸããSSLã®ä»çµã¿ãèŠããŠãããŠãã ããã èŠç¹ãç°¡åã«èª¬æããŸãã
TCPã»ãã·ã§ã³ã確ç«ããåŸãã¯ã©ã€ã¢ã³ããšãµãŒããŒã®éã§SSLãã³ãã·ã§ã€ã¯ãçºçããŸãã ãã®äžã§ãäž¡åœäºè ã¯Client Helloã¡ãã»ãŒãžãšServer Helloã¡ãã»ãŒãžã亀æããŸãã

vk.comãšã®SSLæ¥ç¶ã確ç«ãããã³ã
ã¯ã©ã€ã¢ã³ãHelloã¯ãµããŒããããŠããæå·åãã©ã¡ãŒã¿ãŒãèšè¿°ãããµãŒããŒHelloã¯ææ¡ãããã¯ã©ã€ã¢ã³ãããéžæããããã©ã¡ãŒã¿ãŒãå«ã¿ãŸãã ã¯ã©ã€ã¢ã³ãHelloãšãµãŒããŒHelloã®äº€æã¯ãSSLã»ãã·ã§ã³ã確ç«ããã€ã³ãžã±ãŒã¿ãŒãšããŠäœ¿çšã§ããŸãã ãããã®ã¡ãã»ãŒãžã衚瀺ããããšãããã€ã¹ïŒãã®äŸã§ã¯vFTDïŒã¯æ§ææžã¿ã®åŸ©å·åããªã·ãŒãã¹ãã£ã³ããŠãå°æ¥ã»ãã·ã§ã³ã埩å·åãããã©ããã決å®ããŸãã
èšå®ãããããªã·ãŒããã©ãã£ãã¯ã埩å·åããããã«æ瀺ããŠããå Žåãããã€ã¹ã¯äžéè ïŒMITMïŒã«ãªããéä¿¡ãããããŒã¿ã埩å·åããŸãã MITMãæ£åžžã«èµ·åãããšã2ã€ã®SSLã»ãã·ã§ã³ã確ç«ãããŸãã
1ã€ç®ã¯ãã¯ã©ã€ã¢ã³ããšåŸ©å·åããã€ã¹ïŒvFTDïŒã®éã§ãã 2ã€ç®ã¯ã埩å·åããã€ã¹ãšãµãŒããŒã®éã§ãã æå·åãããããŒã¿ã¯ãã¯ã©ã€ã¢ã³ãããvFTDã«éä¿¡ãããŸãã
解èªãããŸããã ãããã¯ãããŸããŸãªããªã·ãŒïŒã¢ã¯ã»ã¹ãIPSããã¡ã€ã«ãAMPãªã©ïŒã«ãã£ãŠã¹ãã£ã³ãããŸãã ã¯ã©ã€ã¢ã³ãããã®åŸ©å·åãããããŒã¿ãæ€èšŒããããšãå床æå·åãããŠãµãŒããŒã«éä¿¡ãããŸãã æ€èšŒã«åæ Œããªãã£ãå ŽåãããŒã¿ã¯åã«ãããã¯ãããïŒãµãŒããŒåŽã«éä¿¡ãããªãïŒããã»ãã·ã§ã³ããªã»ãããããŸãã ãµãŒããŒããã®å¿çãåæ§ã«åŠçãããŸãã
ããã€ã¹ãSSLã»ãã·ã§ã³ã§MITMã«ãªãã«ã¯ãã»ãšãã©å¿ èŠãããŸããã SSLãã³ãã·ã§ã€ã¯ã®æ®µéã§ã¯ãèªèšŒããã³ãã®ä»ã®ã¢ã¯ã·ã§ã³ã«å ããŠãå ±éã®ã»ãã·ã§ã³ããŒãçæãããŸãã éä¿¡ããŒã¿ãæå·åãããã®ã¯ããã®å©ããåããŠã§ãã ããã«ã¯å¯Ÿç§°ã¢ã«ãŽãªãºã ã䜿çšãããŸãã
ã€ã³ã¿ãŒãããã§ã¯ããªãŒãã³ãªéä¿¡ãã£ãã«ãä»ããŠå ±éã®ã»ãã·ã§ã³ããŒãçæããããã®2ã€ã®æãäžè¬çãªæ¹æ³ããããŸãïŒRSAãšECDHïŒDiffie-HellmanïŒã ã»ãã·ã§ã³ããŒãçæããããã»ã¹ãäžã®å³ã«ç€ºããŸãïŒè³æã Wiresharkã§ã®SSL / TLSãã©ãã£ãã¯åæ ãããåŒçš ïŒïŒ

RSAã䜿çšããã»ãã·ã§ã³ããŒã®çæ
RSAã®å Žåãã¯ã©ã€ã¢ã³ãã¯ããªãã¹ã¿ãŒã·ãŒã¯ã¬ãããçæããŸãã ãµãŒããŒèšŒææžã®å ¬ééµã§æå·åããŠéä¿¡ããŸãã äºåã®ç§å¯ã¯ããµãŒããŒã«ã®ã¿ç¥ãããŠããç§å¯éµã®å©ããåããŠã®ã¿è§£èªã§ããŸãã
çŸåšãåæ¹ã«ã¯äºåçãªç§å¯ããããŸãã ãããã¯ã¡ã€ã³ã·ãŒã¯ã¬ããã圢æãã次ã«å ±æã»ãã·ã§ã³ããŒã圢æããŸãã

ECDHã䜿çšããã»ãã·ã§ã³ããŒã®çæ
ECDHã®å ŽåãSSL蚌ææžã®ããŒãã¢ã¯æå·åã«ãŸã£ãã䜿çšãããŸããã ã¯ã©ã€ã¢ã³ããšãµãŒããŒã¯ããããªãã¯ããŒãšãã©ã€ããŒãããŒã®ã©ã³ãã ããŒã®ãã¢Diffie-Hellmanã圢æããŸãã ååŽã¯ãå ¬ééµãæå·åãããŠããªã圢åŒã§çžæåŽã«è»¢éããŸãã
ããã«ãDiffie-Hellmanã¢ã«ãŽãªãºã ã䜿çšããŠãã¯ã©ã€ã¢ã³ããšãµãŒããŒã¯èªåã®ç§å¯éµãšä»ã®äººã®å ¬éããå ±éã®äºåç§å¯ãèšç®ããŸãã ãã®åŸãåãµã€ãã¯å ±éã®ãã¹ã¿ãŒã·ãŒã¯ã¬ãããšã»ãã·ã§ã³ããŒã圢æããŸãã
ECDHã䜿çšããå Žåãéä¿¡ãããDiffie-Hellmanå ¬éããŒã®æŽåæ§ãç¶æããå¿ èŠããããŸãã ãµãŒããŒã¯ãç§å¯èšŒææžããŒã䜿çšããŠãèªèº«ã®Diffie-Hellmanå ¬éããŒã«çœ²åããŸãã ã¯ã©ã€ã¢ã³ãã¯ããµãŒããŒèšŒææžã®å ¬éããŒã䜿çšããŠãåä¿¡ããDiffie-Hellmanå ¬éããŒã®ä¿¡é Œæ§ãæ€èšŒã§ããŸãã
ãããã£ãŠãSSLã»ãã·ã§ã³çšã«MITMãç·šæããã«ã¯ ãã»ãšãã©ã®å ŽåããµãŒããŒèšŒææžãç¬èªã®ãã®ã«çœ®ãæããã ãã§ååã§ãã 眮æãæåãããšãã¯ã©ã€ã¢ã³ããšå ±æãããŠããã»ãã·ã§ã³ããŒãååŸããããŒã¿ã埩å·åã§ããããã«ãªããŸãã
RSAã®å ŽåãMITMããã€ã¹ã¯ãç¬èªã®ç§å¯èšŒææžããŒã䜿çšããŠäºåã·ãŒã¯ã¬ããã解èªã§ããŸãã ECDHã䜿çšããå Žåãããã€ã¹ã¯Diffie-Hellmanå ¬éããŒã«çœ²åã§ãããããã¯ã©ã€ã¢ã³ãåŽã§çœ²åãæå¹ãšèŠãªãããŸãã
ãµãŒããŒèšŒææžãç¬èªã®èšŒææžïŒç§å¯éµãããããã®ïŒã«çœ®ãæããã«ã¯ãã¯ã©ã€ã¢ã³ãåŽã§æ£ãããµãŒããŒèªèšŒãæäŸããç¬èªã®èšŒææžãå¿ èŠã§ãã ç°¡åã«èšãã°ã蚌ææžã眮ãæãããšãã«ãã¯ã©ã€ã¢ã³ãã®ãã©ãŠã¶ãŒãèŠåãããã¯ãäžããªãããšãå¿ èŠã§ãã ãã®ãããã»ãšãã©ã®å Žåã次ã®ããšãå¿ èŠã§ãã
- 蚌ææžã®ãµããžã§ã¯ããã£ãŒã«ãã«ã¯ããã©ãŠã¶ã®ã¢ãã¬ã¹ããŒã«å ¥åãããå€ãšçããå€ãæã€å ±éåãã©ã¡ãŒã¿ãŒãå«ãŸããŠããŸããã
- 蚌ææžã¯ãä¿¡é Œã§ãã蚌ææ©é¢ã«ãã£ãŠçœ²åãããŸããã
ã¯ã€ã«ãã«ãŒã蚌ææž
ããã¯ããã¡ã€ã³ããšã«æ³šæããã蚌ææžã§ãã ãã®ãããªèšŒææžã§ã¯ããµããžã§ã¯ããã£ãŒã«ãã«ã*ãmysite.ruãªã©ã®å
±éåãã©ã¡ãŒã¿ãŒãã¢ã¹ã¿ãªã¹ã¯ã§æžã蟌ãŸããŸãã ãããã£ãŠãra.mysite.ruãowa.mysite.ruãªã©ããã¹ãŠã®ãã¡ã€ã³ãµãŒãã¹ã§åäžã®èšŒææžã䜿çšã§ããŸãã ããã¯ããµãŒãã¹ããšã«åå¥ã®èšŒææžã泚æãããããå®äŸ¡ãªå ŽåããããŸãã
éåŽ-ã¯ã€ã«ãã«ãŒã蚌ææžãäœããã®æ¹æ³ã§äŸµå®³ãããå Žåããã¹ãŠã®ãµãŒãã¹ãããã«è¢«å®³ãåããŸãã å®éããã¹ãŠã®ãµãŒããŒã«åãç§å¯éµãã€ã³ã¹ããŒã«ãããŸãã
éåŽ-ã¯ã€ã«ãã«ãŒã蚌ææžãäœããã®æ¹æ³ã§äŸµå®³ãããå Žåããã¹ãŠã®ãµãŒãã¹ãããã«è¢«å®³ãåããŸãã å®éããã¹ãŠã®ãµãŒããŒã«åãç§å¯éµãã€ã³ã¹ããŒã«ãããŸãã
ãã¡ããã蚌ææžãã¯ã©ã€ã¢ã³ãåŽã§æå¹ãšèŠãªãããããã«ã¯ãä»ã®æ¡ä»¶ãæºããå¿ èŠããããŸããããã¯ã倱å¹ãããã倱å¹ãããããŠã¯ãããŸããã ãã ãããããã®ãã¹ãŠã®æ¡ä»¶ã¯ãç¬èªã®èšŒææ©é¢ã«ãã£ãŠèšŒææžã«çœ²åãã段éã§èæ ®ãããŸãã
SHA-1
çŸåšããã©ãŠã¶ã¯ããžã¿ã«çœ²åã¢ã«ãŽãªãºã ãšããŠã®SHA1RSAã®äœ¿çšãåŸã
ã«æŸæ£ããŠããŸãã ããšãã°ãã¯ãã ã¯ã¢ãã¬ã¹ããŒã«èµ€ãããå°ã®httpsã衚瀺ããŸãïŒ
Chromeã¯SHA-1ãèªã
詳现
ãã®ãããªèŠåãåé¿ããã«ã¯ã蚌ææ©é¢ã¯èšŒææžã®çœ²åã«å³å¯ãªHESçæã¢ã«ãŽãªãºã ïŒSHA-2ãã¡ããªïŒã䜿çšããå¿ èŠããããŸãã

Chromeã¯SHA-1ãèªã

詳现
ãã®ãããªèŠåãåé¿ããã«ã¯ã蚌ææ©é¢ã¯èšŒææžã®çœ²åã«å³å¯ãªHESçæã¢ã«ãŽãªãºã ïŒSHA-2ãã¡ããªïŒã䜿çšããå¿ èŠããããŸãã
蚌ææžã®ãã³çãã䜿çšããå ŽåããµãŒãã¹èšŒææžã¯å³å¯ã«å®çŸ©ããã蚌ææ©é¢ã«ãã£ãŠçœ²åãããå¿ èŠããããŸãã ããã§ãªãå Žåã蚌ææžãä¿¡é Œã§ããã»ã³ã¿ãŒã«ãã£ãŠçœ²åãããŠããŠãããªãœãŒã¹ãžã®ã¢ã¯ã»ã¹ã¯ãããã¯ãããŸãã
ãããã£ãŠã蚌ææžã®ãã³çãããããªãœãŒã¹ã®å Žåã蚌ææžã®çœ®æã䌎ã埩å·åã¯æ©èœããŸããã
ãããã£ãŠãMITMãSSLã»ãã·ã§ã³ã§ç·šæããã«ã¯ãããã€ã¹ã¯ãªã¢ãŒããµãŒããŒã®èšŒææžãšåããã£ãŒã«ããæã€æ°ãã蚌ææžãçæããå¿ èŠããããŸãã ãã®å Žåãããç¥ãããç§å¯éµããããŸãã æ°ãã蚌ææžã¯ãä¿¡é Œã§ããèªèšŒå±ã䜿çšããŠçœ²åããå¿ èŠããããŸãã
å®éã«ã¯ãããã¯æ¬¡ã®ããã«å®è£ ãããŸãã
äŒç€Ÿã«ã¯ç¬èªã®èšŒææ©é¢ãå¿ èŠã§ãããã®èšŒææ©é¢ã®ã«ãŒã蚌ææžã¯ãäŒç€Ÿã®ãã¹ãŠã®ããã€ã¹ã§ä¿¡é Œãããç¶æ ã«çœ®ãããŸãã ããã¯åææ¡ä»¶ã§ãã
ãã³ãã¬ãŒããäžäœèªèšŒå±ãïŒäžäœèªèšŒå±ã以äžSubCAïŒã«åŸã£ãŠãèªèšŒå±ã§æ°ãã蚌ææžãèŠæ±ãããŸãã ãã®èšŒææžã®ç¹åŸŽã¯ãç§å¯éµã䜿çšããŠä»ã®èšŒææžã«çœ²åããããã«äœ¿çšã§ããããšã§ãïŒCAãã©ã°ã¯ãæ¡åŒµæ©èœãåºæ¬èšŒææžå¶éãã§èšå®ãããŸãïŒã
SubCAã¯ä¿¡é Œãããã«ãŒã蚌ææžã«ãã£ãŠçœ²åãããŠãããããã¯ã©ã€ã¢ã³ããã·ã³ã¯ãããšçœ²åããããã¹ãŠã®èšŒææžãä¿¡é ŒããŸãã SubCAãšããã«å¯Ÿå¿ããç§å¯éµãããã€ã¹ã«ã€ã³ã¹ããŒã«ãããSSLã»ãã·ã§ã³ã§MITMã«ãªããŸãã ããã«ãããã¯ã©ã€ã¢ã³ããHTTPSãµãŒããŒãšã®SSLã»ãã·ã§ã³ã確ç«ããããšãããã³ã«ãããã€ã¹ã¯æ¬¡ã®ããšãã§ããããã«ãªããŸãã
- ãµãŒããŒèšŒææžãååããŸãã
- ç§å¯éµãäœæããŸãã
- 眮ãæãããããã®ãšåããã£ãŒã«ããæã€æ°ãã蚌ææžãçæããŸãã
- SubCAã䜿çšããŠãçæããã蚌ææžã«çœ²åããŸãã
ãã¹ãŠãæ£ããã»ããã¢ãããããŠããå ŽåããŠãŒã¶ãŒã®ãã©ãŠã¶ãŒã¯httpsããŒãžãéããšãã«èŠåã衚瀺ããŸããã ãŠãŒã¶ãŒã¯ãèšå®ã«ã¢ã¯ã»ã¹ããå Žåã«ã®ã¿ã蚌ææžã®çœ®æã®äºå®ãå€æã§ããŸãã

Mozillaã®èšŒææžãã§ãŒã³
æçµèšŒææžã®ãã£ãŒã«ããèŠããšããµããžã§ã¯ããã£ãŒã«ãã«æ£ããå ±éåã®å€ãå«ãŸããŠããããšãããããŸãã

å ±éåãã£ãŒã«ã
å®éã®èšŒææžãšçœ®ãæãããã蚌ææžãæ¯èŒãããšãå®éã«ã¯å ¬ééµãšããžã¿ã«çœ²åã®å€ãç°ãªãããšãããããŸãïŒãã®å Žåãã·ãªã¢ã«çªå·ãªã©ã¯ç¡èŠããŸãïŒã
眮ãæãããã蚌ææž
Certificate: Data: Version: 3 (0x2) Serial Number: 1482311739306634470 (0x14923aac5bc36ce6) Signature Algorithm: sha256WithRSAEncryption Issuer: C=RU, ST=Moscow, O=CBS, OU=Computers, CN=proxy.cbs.com.ru/emailAddress=uskov@cbs.ru Validity Not Before: Sep 4 21:17:41 2015 GMT Not After : Sep 16 11:56:55 2018 GMT Subject: OU=Domain Control Validated, CN=*.vk.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a1:09:76:bf:21:ce:9b:e7:e2:34:03:f0:74:02: 84:13:7f:2e:51:0b:e8:4a:11:e2:34:d8:3a:d9:39: 5b:ea:87:50:33:dc:64:5b:2e:f2:0d:33:36:47:3c: 0a:97:a7:ce:23:7d:d7:8f:76:85:17:42:f9:63:b6: d1:91:ea:18:de:98:3c:e1:c5:5b:59:4a:d0:e5:e2: b7:ce:e0:75:74:93:d9:35:b4:8b:85:70:4c:8e:c9: e0:53:7c:2f:9f:4b:e1:48:f0:3f:a5:70:f7:4e:99: f1:74:0b:2a:21:6a:9d:9f:20:f4:e5:fa:94:89:43: 61:82:0b:c1:98:7a:e3:7c:4e:cf:8b:6c:ad:6b:ce: 1b:0f:4d:e3:db:d4:47:5c:e8:77:aa:71:ea:62:8f: 17:c9:3b:a3:e2:29:ce:62:e2:31:71:a8:83:2a:41: d9:6b:a7:b8:75:d0:07:fc:10:f1:6e:69:84:4b:b1: 11:f8:ae:20:94:44:0d:b0:7b:0f:d2:bd:b3:1d:1c: 7c:ae:f8:cf:37:e2:aa:4a:d2:de:24:60:50:06:f9: c6:65:f0:9c:63:4f:53:eb:db:59:a4:93:14:b2:6f: aa:b3:fb:50:ae:6e:e4:b9:3f:fa:69:b3:43:32:3f: 7a:4b:57:41:2d:7e:c8:41:00:f8:68:6a:43:53:83: 5c:c3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:*.vk.com, DNS:vk.com X509v3 Subject Key Identifier: 18:91:5E:8A:5A:58:5D:AB:86:73:6D:C0:06:57:C2:6C:62:4E:5C:64 Signature Algorithm: sha256WithRSAEncryption 8d:bc:a8:ce:af:5d:39:fc:6a:ac:48:39:9a:7e:32:01:27:68: de:95:5c:4b:24:3a:51:5d:d2:90:e4:22:c1:55:5e:65:ea:4f: 59:2c:76:b0:48:53:d8:6e:c6:e3:2a:cb:26:e6:40:e3:9a:36: 4c:6b:29:52:1c:b5:83:c6:10:8e:cb:f8:6d:a9:ae:d7:71:1b: 92:69:99:c0:1e:de:2f:02:82:17:d6:1d:52:35:65:f7:ca:a7: 9c:fe:e6:1f:3b:a4:36:c2:4a:4e:e2:f2:7d:66:e1:c4:ea:e9: ca:d0:a9:76:fc:84:f1:55:e7:d8:04:45:04:9a:15:0d:23:c9: e1:0a:b0:9e:cb:3b:c0:86:d3:e4:23:3e:c5:8a:13:20:96:ac: 6d:d8:79:ea:b9:83:b9:a7:fe:79:67:41:3d:7d:1f:22:eb:20: b9:6c:06:34:cb:fb:17:a7:b3:fc:5a:2c:a2:4f:86:0a:80:53: ea:f2:71:4a:36:80:a3:fb:2e:42:76:c6:f8:68:6c:78:f0:5c: 5d:cd:c4:0a:05:29:a3:c5:a7:87:c4:87:af:5c:29:54:a1:8e: 94:2f:72:89:54:c4:76:cb:0b:87:f9:29:a1:18:4e:55:97:e2: 1f:86:2e:97:ca:15:40:6e:d4:29:25:eb:1c:5a:2e:b9:3d:e6: bb:5e:4d:18
ããããå®éã®èšŒææž
Certificate: Data: Version: 3 (0x2) Serial Number: 7817290772096849405 (0x6c7c988a18c595fd) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 Validity Not Before: Sep 4 21:17:41 2015 GMT Not After : Sep 16 11:56:55 2018 GMT Subject: OU=Domain Control Validated, CN=*.vk.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:db:c0:ab:97:82:f1:70:06:3f:d9:9d:79:85:a8: 7c:11:d2:17:c5:9a:61:b1:72:06:d7:5e:21:7f:3d: 3b:c2:cd:dd:f4:d8:62:8a:7b:23:b7:cb:08:70:db: bf:e8:85:f7:23:92:09:56:1c:bc:e4:f8:cd:81:01: 82:43:8d:37:b9:f1:6a:14:ac:68:fa:a4:ef:fd:5b: 99:ad:f1:df:04:00:1a:e2:8a:7e:80:6a:27:b3:60: 71:27:8d:dd:37:d2:df:2d:22:fe:f3:cb:cf:68:62: 65:d4:ff:88:47:6a:78:4d:bf:8f:8f:0d:06:47:3a: b0:84:f0:a4:ea:9e:69:59:97:e5:03:a9:36:0e:93: e6:2e:4e:d6:2a:bd:ea:bc:64:b8:9c:7d:a3:5e:c4: ce:1c:74:82:4d:95:bc:00:a0:01:3e:d1:3f:2a:18: 7c:49:7c:af:6a:41:61:4b:99:1d:af:95:f4:77:c6: e0:4e:60:aa:96:63:ee:68:96:63:33:fc:81:41:e5: 2c:15:0f:1d:39:f8:00:ac:05:13:f2:80:dd:96:00: 2d:42:4b:d5:c9:f7:26:08:67:68:f8:15:e4:25:43: cd:e1:09:4c:5c:ab:15:23:d8:30:f1:89:b7:83:92: fd:15:ad:b6:5b:e4:5c:b2:fa:7d:d1:b2:00:43:39: d9:a3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 CRL Distribution Points: Full Name: URI:http://crl.godaddy.com/gdig2s1-118.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/ Authority Information Access: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt X509v3 Authority Key Identifier: keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE X509v3 Subject Alternative Name: DNS:*.vk.com, DNS:vk.com X509v3 Subject Key Identifier: 18:91:5E:8A:5A:58:5D:AB:86:73:6D:C0:06:57:C2:6C:62:4E:5C:64 Signature Algorithm: sha256WithRSAEncryption 80:61:fc:da:a9:f2:ea:f3:4a:70:4e:8a:39:3e:eb:9b:77:c2: c9:5d:da:30:20:7a:31:8f:19:f8:2f:b5:1b:4a:87:74:fb:99: 59:78:0f:45:1b:9d:9d:76:29:5f:48:90:08:a5:f8:c8:2e:9f: 55:ea:54:33:c1:a1:a3:7e:7f:8c:32:c5:a8:0f:9b:04:c7:d1: 55:30:7e:09:87:03:7e:88:82:32:0a:cb:0c:66:f0:50:85:b2: e4:43:67:38:88:50:84:54:41:4b:bc:3e:b0:47:8f:71:46:e4: 9a:cf:f1:a4:39:a9:4b:ca:63:44:c3:34:7d:7b:ca:de:6c:91: 5b:15:09:06:b3:4c:56:6d:23:03:1b:dc:c5:d1:e5:a3:9f:d2: 4d:be:d2:ff:62:4a:75:f7:4f:29:a4:7d:35:cf:33:06:83:6a: 50:f6:25:ce:a7:59:ac:05:fe:74:7b:c7:89:06:f5:a8:2e:4e: d4:34:a1:e1:68:7b:66:8b:53:a8:41:ba:a7:50:72:49:94:e6: 4a:ad:2d:26:95:a3:5d:ce:e3:8b:d9:6c:d2:1e:31:4b:28:ab: e2:33:c5:5e:3f:82:dd:e1:e8:36:a2:b5:08:d8:b3:2e:23:b4: 9b:b4:e6:4a:ab:21:2d:6b:aa:5f:fd:56:31:dc:86:32:85:04: 01:5a:b9:64
æåŸã«æ³šæãããã®ã¯ã vFTDãåãããŒãã¢ã䜿çšããŠã¹ããŒãã£ã³ã°ããã蚌ææžãçæããããšã§ãã ããã¯å®éã«ã¯è«ççã§ãããã§ã«æå·å/埩å·åãããããã€ã¹ã«ãªãœãŒã¹ãè²»ãããŠæ°ããããŒãã¢ãçæããçç±ã§ãã ya.ruããŒãžãéããŠåä¿¡ãã蚌ææžã衚瀺ãããšãå ¬éããŒã¯vk.comã®çœ®ãæãããã蚌ææžãšåãã§ããããšãããããŸãã

眮ãæããããå®éã®èšŒææž
ããã§ãNGFWã®SSL埩å·åã¡ã«ããºã ã®èª¬æãçµãããŸãã ãã¹ãŠã®èŠéãžã®æšæ¶ãç§ãã¡ã¯ã€ãã«ãã£ãïŒ çãã£ãã§ãããä»ã§ã¯SSLã«ã€ããŠããå°ãç¥ã£ãŠããŸãã 䟡å€ããããã©ãã-ããã¯ããªãã®è£éã§ãã
PSïŒãããŠãã¯ããååãããç¥ãã®èšèãäŒããŸãïŒãããŠåå ããŸãïŒã æ°å¹Žã«ã¯ããã°ãæŸèæãã¿ã³ããªã³ãšã®ãã³ã¹ãæžããŸãïŒ

PPSïŒãã®ãããã³ãFirePOWER-Welkamã¿ãã¯ã«çšã«ã©ã®ããã«æ§æãããŠãããã«èå³ããã人åãã
FMC v6.1.0.1ã§ã®SSL埩å·åã®æ§æ
ãŸããSubCAãæºåããŸãã ããŒãã¢ïŒãããªãã¯ãšãã©ã€ããŒãïŒãçæããŸãã ãã³ãã¬ãŒããäžäœèªèšŒå±ãïŒäžäœèªèšŒå±ïŒã«åŸã£ãŠãäŒæ¥ã®èªèšŒå±ã§èšŒææžã«çœ²åããŸãã ããã«ã¯opensslãŠãŒãã£ãªãã£ã䜿çšã§ããŸãã FMCã³ãã³ãã©ã€ã³ããå©çšã§ããŸãã CSRãçæããããã®ã³ãã³ãã®äŸïŒ
眲åæžã¿èšŒææžãåãåã£ãããFMCã«ã€ã³ã¹ããŒã«ããŸãã [ãªããžã§ã¯ã]-> [ãªããžã§ã¯ã管ç]-> [PKI]-> [å éšCA]ã¿ãã«ç§»åãã[CAã®ã€ã³ããŒã]ãã¯ãªãã¯ããŸãã
蚌ææžãšãã®ç§å¯éµãã¢ããããŒãããããã«æ±ããããŸãã 以åã«opensslãšäŒæ¥CAã䜿çšããŠååŸããŸããã æ°ããCAã®ååãèšå®ããç§å¯éµã®ãã¹ã¯ãŒããå ¥åããŸãïŒå¿ èŠãªå ŽåïŒïŒ
ãã¹ãŠã埩å·åããªã·ãŒãäœæããæºåãã§ããŠããŸãã [ããªã·ãŒ]-> [SSL]ã«ç§»åããŸãã
[æ°ããããªã·ãŒ]ãã¯ãªãã¯ããããªã·ãŒã®ååãããã©ã«ãã®ã¢ã¯ã·ã§ã³ãèšå®ããŠã説æã«Opus Magnumãèšè¿°ããŸãã
ããªãã¿ã®ã¿ãã¬ããã§ã®åŸ©å·åããªã·ãŒã ãããã®ãã£ãŒã«ãã¯ã埩å·åããããã©ãã£ãã¯ã®ãã¿ãŒã³ãèšè¿°ããŸãã
[ã«ãŒã«ã®è¿œå ]ãã¯ãªãã¯ããŠããã©ãã£ãã¯ãã¿ãŒã³ã説æããŸãã æãåçŽãªã±ãŒã¹ã§ã¯ããã©ã¡ãŒã¿ãŒãæå®ããã«ã«ãŒã«ãäœæã§ããŸãã ãã®å ŽåãSSLãã©ãã£ãã¯ã¯åŸ©å·åãããŸãã ã¢ã¯ã·ã§ã³ãšããŠãã埩å·å-èŸä»»ããéžæããŸãã ãwithããšããåèªã®åŸã®ãã£ãŒã«ãã§ãåã®æé ã§ã¢ããããŒããã蚌ææžãéžæããŸãã ããã¯ã眮æããã蚌ææžã«çœ²åãããµãCAã§ãã
ã¹ã¯ãªãŒã³ã·ã§ããã§ãããããã«ãFMCã¯ã埩å·åã®ãã©ãã£ãã¯ãã¿ãŒã³ãèšè¿°ããããã®æãåºãå¯èœæ§ãæäŸããŸãã ãã©ãã£ãã¯ã¯ããŠãŒã¶ãŒãã¢ããªã±ãŒã·ã§ã³ã¿ã€ããURLã«ããŽãªããµãŒããŒèšŒææžãã©ã¡ãŒã¿ãŒïŒDNã蚌ææžã¹ããŒã¿ã¹ãæå·ã¹ã€ãŒããããŒãžã§ã³ïŒãªã©ã«ãã£ãŠéžæã§ããŸãã
ããšãã°ãCert Statusã¿ãã®ã¹ã¯ãªãŒã³ã·ã§ããïŒ
å¿ èŠãªã«ãŒã«ããã¹ãŠèšå®ãããã[ä¿å]ãã¯ãªãã¯ããŸãã 埩å·åããªã·ãŒã®æºåãã§ããŸããã ãã ããæ©èœãéå§ããã«ã¯ãã¢ã¯ã»ã¹ããªã·ãŒã«é¢é£ä»ããããŠããå¿ èŠããããŸãã [ããªã·ãŒ]-> [ã¢ã¯ã»ã¹å¶åŸ¡]ã«ç§»åããŸãã
èå³ã®ããã¢ã¯ã»ã¹ããªã·ãŒãéžæããéçãã¯ãªãã¯ããŸãã éããã¿ãã§ãåã®æé ã§äœæãã埩å·åããªã·ãŒãéžæããå¿ èŠããããŸãã
ä¿åãã¯ãªãã¯ããŸãã 管ç察象ããã€ã¹ïŒç§ã®å Žåã¯vFTDïŒã«å€æŽããããã€ããããšãå¿ããªãã§ãã ããïŒ
openssl rand -out ./private/.rand 1024 openssl genrsa -out ./private/cakey.pem -aes256 -rand ./private/.rand 2048 openssl req -new -key ./private/cakey.pem -out subcareq.pem -config openssl.cnf -sha256
眲åæžã¿èšŒææžãåãåã£ãããFMCã«ã€ã³ã¹ããŒã«ããŸãã [ãªããžã§ã¯ã]-> [ãªããžã§ã¯ã管ç]-> [PKI]-> [å éšCA]ã¿ãã«ç§»åãã[CAã®ã€ã³ããŒã]ãã¯ãªãã¯ããŸãã

蚌ææžãšãã®ç§å¯éµãã¢ããããŒãããããã«æ±ããããŸãã 以åã«opensslãšäŒæ¥CAã䜿çšããŠååŸããŸããã æ°ããCAã®ååãèšå®ããç§å¯éµã®ãã¹ã¯ãŒããå ¥åããŸãïŒå¿ èŠãªå ŽåïŒïŒ

ãã¹ãŠã埩å·åããªã·ãŒãäœæããæºåãã§ããŠããŸãã [ããªã·ãŒ]-> [SSL]ã«ç§»åããŸãã

[æ°ããããªã·ãŒ]ãã¯ãªãã¯ããããªã·ãŒã®ååãããã©ã«ãã®ã¢ã¯ã·ã§ã³ãèšå®ããŠã説æã«Opus Magnumãèšè¿°ããŸãã

ããªãã¿ã®ã¿ãã¬ããã§ã®åŸ©å·åããªã·ãŒã ãããã®ãã£ãŒã«ãã¯ã埩å·åããããã©ãã£ãã¯ã®ãã¿ãŒã³ãèšè¿°ããŸãã

[ã«ãŒã«ã®è¿œå ]ãã¯ãªãã¯ããŠããã©ãã£ãã¯ãã¿ãŒã³ã説æããŸãã æãåçŽãªã±ãŒã¹ã§ã¯ããã©ã¡ãŒã¿ãŒãæå®ããã«ã«ãŒã«ãäœæã§ããŸãã ãã®å ŽåãSSLãã©ãã£ãã¯ã¯åŸ©å·åãããŸãã ã¢ã¯ã·ã§ã³ãšããŠãã埩å·å-èŸä»»ããéžæããŸãã ãwithããšããåèªã®åŸã®ãã£ãŒã«ãã§ãåã®æé ã§ã¢ããããŒããã蚌ææžãéžæããŸãã ããã¯ã眮æããã蚌ææžã«çœ²åãããµãCAã§ãã

ã¹ã¯ãªãŒã³ã·ã§ããã§ãããããã«ãFMCã¯ã埩å·åã®ãã©ãã£ãã¯ãã¿ãŒã³ãèšè¿°ããããã®æãåºãå¯èœæ§ãæäŸããŸãã ãã©ãã£ãã¯ã¯ããŠãŒã¶ãŒãã¢ããªã±ãŒã·ã§ã³ã¿ã€ããURLã«ããŽãªããµãŒããŒèšŒææžãã©ã¡ãŒã¿ãŒïŒDNã蚌ææžã¹ããŒã¿ã¹ãæå·ã¹ã€ãŒããããŒãžã§ã³ïŒãªã©ã«ãã£ãŠéžæã§ããŸãã
ããšãã°ãCert Statusã¿ãã®ã¹ã¯ãªãŒã³ã·ã§ããïŒ

å¿ èŠãªã«ãŒã«ããã¹ãŠèšå®ãããã[ä¿å]ãã¯ãªãã¯ããŸãã 埩å·åããªã·ãŒã®æºåãã§ããŸããã ãã ããæ©èœãéå§ããã«ã¯ãã¢ã¯ã»ã¹ããªã·ãŒã«é¢é£ä»ããããŠããå¿ èŠããããŸãã [ããªã·ãŒ]-> [ã¢ã¯ã»ã¹å¶åŸ¡]ã«ç§»åããŸãã

èå³ã®ããã¢ã¯ã»ã¹ããªã·ãŒãéžæããéçãã¯ãªãã¯ããŸãã éããã¿ãã§ãåã®æé ã§äœæãã埩å·åããªã·ãŒãéžæããå¿ èŠããããŸãã


ä¿åãã¯ãªãã¯ããŸãã 管ç察象ããã€ã¹ïŒç§ã®å Žåã¯vFTDïŒã«å€æŽããããã€ããããšãå¿ããªãã§ãã ããïŒ

