[Linux] Disabling SSL verification in yum so it works through a MITM device


Today I finished installing a Cloud Linux 8 machine.

I wanted to run yum on it to install net-tools, but ran into an SSL certificate problem:

# yum install net-tools

AlmaLinux 8.7 - AppStream                                                                                      0.0  B/s |   0  B     00:08
Errors during downloading metadata for repository 'appstream':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate]

 

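When I connected with the openssl command, I saw another certificate appear in the middle of the chain,

most likely because the company has put a MITM device on the network: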

# openssl s_client -connect mirrors.almalinux.org:443

CONNECTED(00000003)
depth=1 C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.almalinux.org
verify return:1
---
Certificate chain
 0 s:CN = *.almalinux.org
   i:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
 1 s:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
   i:DC = org, DC = us, CN = MITMCA
---

 

I can't remove the MITM device, so how do I get yum to work?

One option might be to add the MITM's Root CA to the trust list,

the other, which is the one I used, is to edit /etc/yum.conf and set sslverify to false:

[main]
sslverify=False

 

After the change, running yum again installs the package successfully:

# yum install net-tools

......
Downloading Packages:
net-tools-2.0-0.52.20160912git.el8.x86_64.rpm   198 kB/s | 321 kB     00:01
......
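
With sslverify turned off as above, the RPM signature check (gpgcheck) is what still authenticates the downloaded packages, so it helps to know exactly which config sections have TLS verification disabled and whether gpgcheck is on there. The script below is an added example, not part of the original post; the function names, the sample files and the accepted boolean spellings (0/no/false/off, 1/yes/true/on) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed boolean spellings:
# 0/no/false/off and 1/yes/true/on, case-insensitive.

# audit_yum_tls FILE... : print one line per section that disables sslverify:
#   <file>:[<section>] sslverify=<value> gpgcheck=<on|off|unset>
# "unset" means the section does not set gpgcheck itself.
audit_yum_tls() {
  awk '
    function report() {
      if (sec != "" && ssl ~ /^(0|no|false|off)$/)
        printf "%s:[%s] sslverify=%s gpgcheck=%s\n", file, sec, raw, gpg
    }
    function clear() { ssl = ""; raw = ""; gpg = "unset" }
    FNR == 1 { report(); sec = ""; clear(); file = FILENAME }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[.*\][ \t]*$/ {                    # section header
      report(); clear()
      sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
    }
    /=/ {                                       # key = value
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      k = tolower(key); v = tolower(val)
      if (k == "sslverify") { ssl = v; raw = val }
      if (k == "gpgcheck")  gpg = (v ~ /^(1|yes|true|on)$/) ? "on" : "off"
    }
    END { report() }
  ' "$@"
}

# Constructed sample config: a yum.conf changed as in the post, plus a
# hypothetical repo file with one section that also disables gpgcheck.
make_sample() {
  mkdir -p "$1/yum.repos.d"
  printf '[main]\ngpgcheck=1\nsslverify=False\n' > "$1/yum.conf"
  printf '[appstream]\nsslverify = 0\ngpgcheck=0\n\n[baseos]\nsslverify=1\ngpgcheck=1\n' \
    > "$1/yum.repos.d/sample.repo"
}

# Demo on the constructed sample; on a real host pass /etc/yum.conf and
# /etc/yum.repos.d/*.repo instead.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_yum_tls "$tmp/yum.conf" "$tmp"/yum.repos.d/*.repo
rm -rf "$tmp"
```

A section reported with gpgcheck=off is fetched over unverified TLS with no package signature check at all.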

 
