SSL/TLS深度解析--OpenSSL s_client测试子命令

#下载第三方的最新的PEM(privacy-enhanced mail)格式的可信证书库
[[email protected] ~]# wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem

  • 使用s_client 命令进行测试
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -msg
CONNECTED(00000005)
>>> ??? [length 0005]
    16 03 01 01 36
    ......
>>> TLS 1.3, Handshake [length 0136], ClientHello
    01 00 01 32 03 03 84 a2 23 07 e5 53 46 00 e1 fb
    ......
    <<< ??? [length 0005]
    16 03 03 00 35
    ......
<<< TLS 1.3, Handshake [length 0035], ServerHello
    02 00 00 31 03 03 5b d2 a9 6d f4 a3 ca 9d 46 08
    ......
    <<< ??? [length 0005]
    16 03 03 0d ad
    ......
<<< TLS 1.2, Handshake [length 0dad], Certificate
    0b 00 0d a9 00 0d a6 00 09 33 30 82 09 2f 30 82
    ......
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
<<< ??? [length 0005]
    16 03 03 01 4d
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 03 00 17 41 04 5a 0d a7 d6 06 b2 c6
   <<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 1d 79 be af cb 98 18 c0 8f a6
    >>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2, ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c 01 a2 ae cd 2c 70 c0 fb d5 1e 13 45
<<< ??? [length 0005]
    16 03 03 00 aa
<<< TLS 1.2, Handshake [length 00aa], NewSessionTicket
    04 00 00 a6 00 00 00 00 00 a0 97 c1 44 d2 4b 56
<<< ??? [length 0005]
    14 03 03 00 01
<<< ??? [length 0005]
    16 03 03 00 28
<<< TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c c2 2e 30 1a b9 05 d1 b9 65 46 39 b5
---
Certificate chain
 0 s:C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJLzCCCBegAwIBAgIMIe0swvEJLGZrFeUnMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH
bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTgwNDAzMDMyNjAzWhcNMTkwNTI2MDUzMTAyWjCBpzELMAkGA1UEBhMC
Q04xEDAOBgNVBAgTB2JlaWppbmcxEDAOBgNVBAcTB2JlaWppbmcxJTAjBgNVBAsT
HHNlcnZpY2Ugb3BlcmF0aW9uIGRlcGFydG1lbnQxOTA3BgNVBAoTMEJlaWppbmcg
QmFpZHUgTmV0Y29tIFNjaWVuY2UgVGVjaG5vbG9neSBDby4sIEx0ZDESMBAGA1UE
AxMJYmFpZHUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr6TD
KhmBjiKc5USSOTCKxoz7yh+6TbA5MwWfKz7ZIMFjMJmSbqEsfyjIHtXnkz3x/GLG
szJnXI2Ylk73VGzW64Nks7svAo+p01icllfjHHc69A0Z2EZKU3LI5/DzcdKI/vdz
kSi6PXgbHsV2Y8aIIbcXbD5YA0DyhpWA5yBrmneSr2E2Xo+s88KFcg0yieS6opsq
xdKMSpS6ixbFEQLr2XgyGmb2tbslOD6UuxGNRhRgXhx0kcGLJzhLh4IDFZemxYZ8
fScewYkrFGZm6WzNdQZAWkw/QjkdS7EWCN+DBqToDaEBLtQkhiCiLLHLwsK69gfF
fQvf4f79dJK3fo+lswIDAQABo4IFmTCCBZUwDgYDVR0PAQH/BAQDAgWgMIGgBggr
BgEFBQcBAQSBkzCBkDBNBggrBgEFBQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxz
aWduLmNvbS9jYWNlcnQvZ3Nvcmdhbml6YXRpb252YWxzaGEyZzJyMS5jcnQwPwYI
KwYBBQUHMAGGM2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc29yZ2FuaXph
dGlvbnZhbHNoYTJnMjBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF
BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn
gQwBAgIwCQYDVR0TBAIwADCCAxQGA1UdEQSCAwswggMHggliYWlkdS5jb22CDGJh
aWZ1YmFvLmNvbYIMd3d3LmJhaWR1LmNughB3d3cuYmFpZHUuY29tLmNugg9tY3Qu
eS5udW9taS5jb22CCmJhaWZhZS5jb22CC2Fwb2xsby5hdXRvggsqLmJhaWR1LmNv
bYIOKi5iYWlmdWJhby5jb22CESouYmFpZHVzdGF0aWMuY29tgg4qLmJkc3RhdGlj
LmNvbYILKi5iZGltZy5jb22CDCouaGFvMTIzLmNvbYILKi5udW9taS5jb22CDSou
Y2h1YW5rZS5jb22CDSoudHJ1c3Rnby5jb22CDyouYmNlLmJhaWR1LmNvbYIQKi5l
eXVuLmJhaWR1LmNvbYIPKi5tYXAuYmFpZHUuY29tgg8qLm1iZC5iYWlkdS5jb22C
ESouZmFueWkuYmFpZHUuY29tgg4qLmJhaWR1YmNlLmNvbYIMKi5taXBjZG4uY29t
ghAqLm5ld3MuYmFpZHUuY29tgg4qLmJhaWR1cGNzLmNvbYIMKi5haXBhZ2UuY29t
ggsqLmFpcGFnZS5jboINKi5iY2Vob3N0LmNvbYIQKi5zYWZlLmJhaWR1LmNvbYIO
Ki5pbS5iYWlkdS5jb22CESouc3NsMi5kdWFwcHMuY29tggwqLmJhaWZhZS5jb22C
EiouYmFpZHVjb250ZW50LmNvbYILKi5kbG5lbC5jb22CCyouZGxuZWwub3JnghIq
LmR1ZXJvcy5iYWlkdS5jb22CDiouc3UuYmFpZHUuY29tgggqLjkxLmNvbYISKi5o
YW8xMjMuYmFpZHUuY29tgg0qLmFwb2xsby5hdXRvghIqLnh1ZXNodS5iYWlkdS5j
b22CESouYmouYmFpZHViY2UuY29tghEqLmd6LmJhaWR1YmNlLmNvbYISY2xpY2su
aG0uYmFpZHUuY29tghBsb2cuaG0uYmFpZHUuY29tghBjbS5wb3MuYmFpZHUuY29t
ghB3bi5wb3MuYmFpZHUuY29tghR1cGRhdGUucGFuLmJhaWR1LmNvbTAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFEU2rOodiWjhKzkRrSOc
0Vk2i7DMMB8GA1UdIwQYMBaAFJbeYfG9HBYpUxzAzH07gwBA5hp8MIIBBAYKKwYB
BAHWeQIEAgSB9QSB8gDwAHYAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16g
gw8AAAFiiYpPCgAABAMARzBFAiAbbac6UM3Au0f5IiujWCEPmZR3sYrRrxzc2EB7
NTyu3AIhANaM+Sqpimpbz4r651CIX+hhCywdzLG3JE6zArgyjx2IAHYAu9nfvB+K
cbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFiiYpRRAAABAMARzBFAiEAmE6A
rGctn/Mm+nP7c3HD9n/sYFe/FJ5n23FkiL2rT9oCIGLJJl1F2sUmA/su4YT7dic5
R733IMJlZic9HQOJoITIMA0GCSqGSIb3DQEBCwUAA4IBAQC57KcI343ViCL8VmrQ
A2EAzC/T+ePnTtelSpWshrfpVZPM97kWe+i4CY2sCmtClkXY2rdM7sAJbtnxQ78A
FlepduenlaXVyOHZU5hacG5BD4MDz3LtkgU5Q8o8GqfCbnoFBTONPgAdj8OUiizx
dtzNoF+C7MpjoCgZO0qrNp2QEbWyjHZnE36OUf8yoy89MNXIDFi50oFCZpHKd47X
rgIxcjuWmQqd5waBhyakBf2zlCnguDKj0w8Cy9auX8WYaNEYUuTF4OmPOqICzBd/
pepMzaPDTd3A+xW7Mo6n0vasV/sZI1y2qMrqs7qvItqC0YMJSlxSZ67SnWZjAwgG
lxua
-----END CERTIFICATE-----
subject=C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4137 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 415050DDCFA0D76788B2A26E8A379B087783558EDA8DB8E79EF70DD0E6DE4888
    Session-ID-ctx:
    Master-Key: DC36584FD340F9CB637ABCB2686CB8EC25A748339DCBCC8064B274A679ABF64BD7AE0FA2A52C1DCFFDB12C9C98C02A89
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 97 c1 44 d2 4b 56 83 ef-77 5f 08 cd 94 15 be ac   ..D.KV..w_......
    0010 - ce 1e b0 2b 43 9d 79 08-90 d6 2c df 47 63 1a 00   ...+C.y...,.Gc..
    0020 - 15 43 24 94 43 5e 82 41-25 2c d0 18 1c d9 f5 3a   .C$.C^.A%,.....:
    0030 - 85 ef d5 93 43 c2 d1 25-48 2c 97 fb 7d b2 22 c6   ....C..%H,..}.".
    0040 - 15 80 71 07 fe 0a e0 45-ff d7 4c 5f d3 b6 8e 4d   ..q....E..L_...M
    0050 - 94 6a 62 f9 93 f6 93 b9-18 ab 40 9c 1d ee 01 e5   [email protected]
    0060 - 3b c5 8e 56 49 df 7e c4-6f 3a 68 0a ed ca 2c b4   ;..VI.~.o:h...,.
    0070 - 1f b8 1d c9 39 66 ab f8-f5 9c 96 f8 00 07 47 45   ....9f........GE
    0080 - ab c6 29 d7 91 a2 78 d1-2a 67 25 d2 5b 1b dc 92   ..)...x.*g%.[...
    0090 - 4c cd 0d 36 47 6f 5b 76-e7 44 7b cc 9a 08 20 22   L..6Go[v.D{... "

    Start Time: 1540532589
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
<<< ??? [length 0005]
    15 03 03 00 1a
<<< TLS 1.2, Alert [length 0002], warning close_notify
    01 00
closed
>>> ??? [length 0005]
    15 03 03 00 1a
>>> TLS 1.2, Alert [length 0002], warning close_notify
    01 00

#-msg:打印出握手协议信息
#-msgfile:测试的输出结果保存到文件里
  • 测试支持的协议
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 593AE9088214B92F0184214C8CF6FC7D273636100521AE9598CA87AB6400E67C
    Session-ID-ctx: 

[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_1
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: ECFAAE748434BC5C16A8274A733307A8B2E28B4834EC57EE8BF10B961FFB0F47
    Session-ID-ctx: 

[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 1D388296763561AC5EBA189D6296046FDAE7E821F048ECCC2173EFD9312D0D3D
    Session-ID-ctx:
  • 测试支持的密码套件
[[email protected] ~]# openssl ciphers -v
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000005)
140378681091904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
  • 测试是否支持会话复用
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -reconnect 2>/dev/null |grep -i ‘new\|reused‘
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

如果支持复用,第二次链接就不是 New, 而是 reused 。不支持的复用的话,每次再连接都是 New。

  • 显示证书链
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -showcerts
  • 测试OCSP stapling
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -status

原文地址:http://blog.51cto.com/stuart/2310584

时间: 2024-11-08 02:15:36

SSL/TLS深度解析--OpenSSL s_client测试子命令的相关文章

SSL/TLS深度解析--OpenSSL 生成自签证书

密钥算法 OpenSSL 支持 RSA.DSA 和 ECDSA 密钥,但是在实际场景中只是用 RSA 和 ECDSA 密钥.例如 Web 服务器的密钥,都使用RSA或ECDSA,因为DSA效率问题会限制在1024位(相对旧版本浏览器不支持更长的DSA密钥),ECDSA还没有全面范围的普及.比如SSH,一般都是使用DSA和RSA,而不是所有的客户端(不只是浏览器)都支持ECDSA算法. 密钥长度 默认的密钥长度一般都不够安全,老版本的 OpenSSL 默认 RSA 私钥是1024位,所以我们需要指

SSL/TLS深度解析--OpenSSL的基本使用

摘要算法 [[email protected] ~]# openssl dgst -help #默认sha256 Usage: dgst [options] [file...] file... files to digest (default is stdin) -help Display this summary -c Print the digest with separating colons -r Print the digest in coreutils format -out out

SSL/TLS深度解析--在 Nginx 上部署 TLS

利用 openssl 源代码安装 Nginx [[email protected] software]# tar xf nginx-1.15.5.tar.gz [[email protected] software]# cd nginx-1.15.5/ [[email protected] nginx-1.15.5]# groupadd nginx [[email protected] nginx-1.15.5]# useradd nginx -M -s /sbin/nologin -g ngi

SSL/TLS深度解析--测试TLS/SSL加密

项目地址 https://github.com/drwetter/testssl.sh testssl.sh 是一个免费且开源的功能丰富的命令行工具,用于在 Linux/BSD 服务器上检查支持加密,协议和一些加密缺陷的支持 TLS/SSL 加密的服务. testssl git clone --depth 1 --branch 2.9.5 https://github.com/drwetter/testssl.sh.git 错误 Fatal error: Neither "dig",

SSL/TLS深度解析--在 Nginx上配置 HSTS、CSP 与其他

在 Nginx 上配置 HSTS HTTP响应中包含 Strict-Transport-Security 头实现网站HSTS,像下面这样配置: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload,就实现了HSTS,即-- HTTP Strict Transport Security,HTTP严格传输安全.假设TLS连接没有错误,兼容的浏览器将会在 max-age 参数指定的保留期内激活HSTS. 一旦站点

SSL/TLS深度解析--在Nginx上配置证书链及多域名证书

生成私钥与自签根证书(这次使用aes256加密,密码是redhat) # 进行简单处理 [[email protected] ~]# cd /usr/local/openssl/ [[email protected] openssl]# mkdir root-CA sub-CA [[email protected] openssl]# cp -rf CA/* root-CA/ [[email protected] root-CA]# rm -rf root_cacert_ecc.pem crln

SSL/TLS算法流程解析

SSL/TLS 早已不是陌生的词汇,然而其原理及细则却不是太容易记住.本文将试图通过一些简单图示呈现其流程原理,希望读者有所收获. 一.相关版本 Version Source Description   Browser Support SSL v2.0 Vendor Standard (from Netscape Corp.) [SSL2] First SSL protocol for which implementations exist - NS Navigator 1.x/2.x - MS

加密与解密、OpenSSL(SSL/TLS)、OpenSSH(ssh)、dropbear

下面介绍的是Linux的加密与解密.OpenSSL(SSL/TLS).OpenSSH(ssh).dropbear. 一.数据的加密与解密 1.进程间通信基础 (1).进程间通信方式 同一主机间进程间的通信方式:signal.shm.semaphore.message queue(MQ.RabbitMQ). 不同主机进程间的通信方式:socket-pair. (2).套接字 -------IP:PORT 套接字Socket:IP:PORT 套接字,是进程的地址标识,一个套接字就是指特定主机上的特定

SSL/TLS原理详解2

引用原文地址:https://segmentfault.com/a/1190000004985253#articleHeader6 在进行 HTTP 通信时,信息可能会监听.服务器或客户端身份伪装等安全问题,HTTPS 则能有效解决这些问题.在使用原始的HTTP连接的时候,因为服务器与用户之间是直接进行的明文传输,导致了用户面临着很多的风险与威胁.攻击者可以用中间人攻击来轻易的 截获或者篡改传输的数据.攻击者想要做些什么并没有任何的限制,包括窃取用户的Session信息.注入有害的代码等,乃至于