SSL 동작 확인
CURL 이용
$ curl -v -o /dev/null https://facebook.com
* About to connect() to facebook.com port 443 (#0)
* Trying 173.252.110.27... connected
* Connected to facebook.com (173.252.110.27) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=*.facebook.com,O="Facebook, Inc.",L=Palo Alto,ST=California,C=US
* start date: 6월 21 00:00:00 2012 GMT
* expire date: 12월 31 23:59:59 2013 GMT
* common name: *.facebook.com
* issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU="VeriSign, Inc.",O=VeriSign Trust Network
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: facebook.com
> Accept: */*
>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< HTTP/1.1 301 Moved Permanently
< Location: https://www.facebook.com/
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: Pa57tDp1kmdZ5sUEZeCJAHkYs58+0jXIm6rFl1xZJ04=
< Date: Mon, 05 Aug 2013 09:47:36 GMT
< Connection: keep-alive
< Content-Length: 0
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connection #0 to host facebook.com left intact
* Closing connection #0openssl 이용
$ openssl s_client -connect facebook.com:443 -showcerts
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "Facebook, Inc.", CN = *.facebook.com
verify return:1
CONNECTED(00000003)
.
.
.
Server certificate
subject=/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 2198 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 82FC7E105FE2749FA1AC20793891CBFA6C399D1E4A12D3E0A782F160B882BC1D
Session-ID-ctx:
Master-Key: 08C1914199F644CAB85E3B8F749B1A85C05D8226E8EFD7373D9E9E958F68CEDD51E8593E893BD472C6C660A45449E0F0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 86000 (seconds)
TLS session ticket:
0000 - 9d da 29 68 96 e4 b9 fe-9d ed cc 27 d5 15 a2 f6 ..)h.......'....
0010 - a6 dc 77 cb ee 93 61 f7-db 32 97 06 27 e9 4a 97 ..w...a..2..'.J.
0020 - a4 54 10 38 85 7f bd 9a-82 1e 8a 41 ec 1b d1 32 .T.8.......A...2
0030 - a7 ee 98 44 a4 70 ab 27-d6 11 79 c0 b3 3a 1f 4f ...D.p.'..y..:.O
0040 - ed 32 7b 1e a2 f8 e6 97-fc 15 1a 1e 96 d3 19 0a .2{.............
0050 - e8 e6 15 8d 3d 67 5d 50-92 fa 97 4c 1b ae a3 00 ....=g]P...L....
0060 - f2 ba 2a 6c ea fe 47 09-7e e8 e4 87 98 cb a4 56 ..*l..G.~......V
0070 - ce eb e0 eb 93 e6 13 ac-20 a9 a1 a0 8d 9e 1a 9a ........ .......
0080 - 0c fc cd ea 94 3e 2e 06-8a cd 31 16 8c b6 23 a4 .....>....1...#.
0090 - 5e a7 10 d3 ad 45 b4 04-ee 94 9b 76 0a a5 2a f9 ^....E.....v..*.
00a0 - 7f e6 bf c6 39 c7 65 75-d9 2e e6 7d 05 55 dd 7a ....9.eu...}.U.z
Start Time: 1375696759
Timeout : 300 (sec)
Verify return code: 0 (ok)
---SSL 에러 예제
Client 인증서 에러
$curl -v -o /dev/null https://example.com
* About to connect() to example.com port 443 (#0)
* Trying 10.10.10.18... connected
* Connected to example.com (10.10.10.18) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=Thawte SSL CA,O="Thawte, Inc.",C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.Client 인증서 설정(Apache)
SSLCACertificateFile /etc/pki/CA/certs/ca.crtClient 인증서 설정(Nginx)
ssl_client_certificate /etc/pki/CA/certs/ca.crt;
ssl_verify_client optional;SSL Cipher 지원 확인
openssl 이용
$ openssl s_client -connect google.com:443 -tls1_2
.
.
.
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
.
.
.nmap 이용
$ nmap --script ssl-enum-ciphers -p 443 google.com
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3
| Ciphers (9)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
| Compressors (1)
| uncompressed
| TLSv1.0
| Ciphers (9)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
| Compressors (1)
| uncompressed
| TLSv1.1
| Ciphers (9)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
| Compressors (1)
| uncompressed
| TLSv1.2
| Ciphers (17)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
| Compressors (1)
|_ uncompressed
Post a Comment