s_client has a large number of options. The ones used most often:
1. -connect host:port
The host and port to connect to. The default is localhost:4433.
2. -ssl2, -ssl3, -tls1_2, -tls1_1, -tls1, -dtls1
Offer only that one protocol version in the handshake; if the server does not accept it, the handshake fails. This is the way to test whether a server still speaks a legacy version.
Prefixing the version with -no_ instead disables just that version and lets the others be negotiated (e.g. -no_ssl2; the usage text below lists -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2).
3. -state
Prints the SSL handshake state transitions (the SSL_connect:... lines).
4. -msg
Shows the protocol messages.
5. -showcerts
Displays the server's full certificate chain, not only the leaf certificate.
Options go after host:port.
ex) openssl s_client -connect www.google.com:443 -tls1_1 => negotiate TLS 1.1 only.
Two things to keep in mind when reading the output. s_client completes the handshake even when certificate verification fails; it only reports the failure in the "verify error" and "Verify return code" lines (the sessions below end with "Verify return code: 19 (self signed certificate in certificate chain)" because the chain ends in a self-signed CA that is not in the trust store). To actually validate the chain, pass the CA with -CAfile or -CApath and look for "Verify return code: 0 (ok)". Also, -tls1_3 exists only in OpenSSL 1.1.1 and later; an older build such as the one below (it still lists -ssl2) rejects it as an unknown option and prints the usage text instead.
There are many more options; see the s_client man page for them.
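As an added example (not code from the original page), here is a POSIX shell script that reads the fields s_client prints (the "New, ..., Cipher is" line, the SSL-Session Protocol and the "Verify return code") and turns a per-version probe into a verdict: whether the offered version was accepted, whether an accepted version is a legacy one, and whether the chain actually verified. The two sample transcripts embedded in it are constructed to mirror the output shown on this page; the probe function, the host names and the exact error text in the refused sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: turn `openssl s_client` output into
# a pass/fail check. Two small samples of s_client output are constructed below,
# modelled on the transcripts on this page; a real run would obtain the text with
#   echo "" | openssl s_client -connect HOST:PORT -tls1 2>&1
# (2>&1 because OpenSSL writes handshake errors to stderr).

# Constructed sample 1: TLS 1.0 handshake succeeded, but the chain ends in a
# self-signed CA that is not in the trust store (verify code 19).
SAMPLE_TLS1='CONNECTED(00000003)
depth=1 O = Example Corp, CN = admin-ca-cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE'

# Constructed sample 2: the server refused the offered version, so no cipher
# was negotiated; the "(NONE)" cipher is the reliable sign of a failed handshake.
# (The error line is an assumed approximation of OpenSSL's wording.)
SAMPLE_REFUSED='CONNECTED(00000003)
error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)
---'

# negotiated_protocol OUTPUT: the Protocol field of the SSL-Session block.
negotiated_protocol() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*: *//p' | head -n 1
}

# negotiated_cipher OUTPUT: the cipher from the "New, ..., Cipher is X" line;
# "(NONE)" when the handshake did not complete.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is //p' | head -n 1
}

# verify_code OUTPUT: the numeric "Verify return code" (0 means the chain
# validated against the CAs given with -CAfile/-CApath or the default store).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# handshake_ok OUTPUT: succeeds (exit 0) only if a real cipher was negotiated.
handshake_ok() {
  c=$(negotiated_cipher "$1")
  [ -n "$c" ] && [ "$c" != "(NONE)" ]
}

# assess OUTPUT PROTO: one summary line, flagging an accepted legacy version and
# an unverified chain, the two findings a scan of s_client output is after.
assess() {
  out=$1; proto=$2
  if handshake_ok "$out"; then
    verdict="accepted ($(negotiated_cipher "$out"))"
    case "$proto" in
      ssl2|ssl3|tls1|tls1_1) verdict="$verdict; WARNING: legacy protocol enabled" ;;
    esac
    code=$(verify_code "$out")
    [ "$code" = "0" ] || verdict="$verdict; WARNING: chain not verified (code $code)"
  else
    verdict="refused"
  fi
  printf '%s: %s\n' "$proto" "$verdict"
}

# probe HOST:PORT PROTO [CAFILE]: the live version of the check (needs network,
# so the sample run below does not call it). Offering a single version with
# -$PROTO is exactly what the page's -tls1 run does.
probe() {
  if [ -n "$3" ]; then
    out=$(echo "" | openssl s_client -connect "$1" "-$2" -CAfile "$3" 2>&1)
  else
    out=$(echo "" | openssl s_client -connect "$1" "-$2" 2>&1)
  fi
  assess "$out" "$2"
}

# Sample run on the constructed transcripts:
assess "$SAMPLE_TLS1" tls1
assess "$SAMPLE_REFUSED" ssl3
# To scan a real host: for p in ssl3 tls1 tls1_1 tls1_2; do probe host:443 "$p"; done
```

The check keys on the "Cipher is" line rather than on the exit status because s_client exits 0 in older builds even when the server rejects the version; the verify warning is only raised for completed handshakes, since a refused handshake reports "Verify return code: 0 (ok)" without having verified anything.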
-bash-4.1$ echo ""|openssl s_client -connect localhost:8989 -tls1
CONNECTED(00000003)
depth=1 O = Oracle Corporation, OU = Oracle iPlanet Web Server 7.0, CN = admin-ca-cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=olinux1
i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
1 s:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=olinux1
issuer=/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
---
No client certificate CA names sent
---
SSL handshake has read 2187 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: 23A4B4326FF5286E69295A7A3FC32684450CA60E2C8B65428FFADE57DA3F4CC8
Session-ID-ctx:
Master-Key: 522BDEA2F518150240847BBFC04B3F7EBEA22933A8FA290699C60ABF00026446CBAB2BB7058205B9567EE4A78FD4EAB4
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1568856555
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
-bash-4.1$
-bash-4.1$ echo ""|openssl s_client -connect localhost:8989 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 O = Oracle Corporation, OU = Oracle iPlanet Web Server 7.0, CN = admin-ca-cert
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/CN=olinux1
i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
1 s:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDFTCCAf2gAwIBAgIEx64e4zALBgkqhkiG9w0BAQUwXTEbMBkGA1UEChMST3Jh
Y2xlIENvcnBvcmF0aW9uMSYwJAYDVQQLEx1PcmFjbGUgaVBsYW5ldCBXZWIgU2Vy
dmVyIDcuMDEWMBQGA1UEAxMNYWRtaW4tY2EtY2VydDAeFw0xNzA2MjkwNTUxMjVa
Fw0yNzA2MjkwNTUxMjVaMBIxEDAOBgNVBAMTB29saW51eDEwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC2Hnd0oS/HwYXGu2xHZpZ4Svrz1IOz9inPqdgo
MsX5/jbz6dnYEZWz1Gg7iUD3vf7W87/ugDMfwja5MCMFdh0GnHMxSU0/k1E/f2Mx
dj2mkraJZKmcrXr5DGKsP+Nx4RTnjwYq1VrXyHUVRe0lS2VEoJtKgqba+2Onwz0E
G13hBOxy2y0V/r0X98yHguknSHIB0fupp4MyaRqPvlMgA3c2m0/ZFj6K5E2dRsop
GQX7x9Uu8Wy/UtFHVZ38paq71hzWILCQkab2UblhVy9LO7izXb9wdOyH7C4OciW5
r0AugtNvlkBM4dUfGGuIFWrSA/G3eVKAlhB08ntiDdOxZKVHAgMBAAGjKjAoMA4G
A1UdDwEB/wQEAwIDKDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATANBgkqhkiG9w0B
AQUFAAOCAQEAFxBrTyXsl3rZcs8qq6t22Tsp7sgGO+kmwJxnA9Iffs4dWZnSCByL
iUjEAfbT1oCxsYIOHSRWLNuCuGdgpgaE2hvk/BpzwR+At8grjI04DWNdUGkzWRYp
zMilaagrLaOz09ZIEktHb8suiMTAcXS3cPBnskVKNgLj0D8vwEp99L1ZkHjf0Jpy
GUHiH1pwuzuKP09Y5ujY3Z0Nckwu8SzcpTKoUxFnvFgZn5DZrri+/qaD5hI/h5A6
NpqjE0pGF/BRSjQxwR4Yf2RAQnsiEkFCePkO3O9czetRCx/MWABOMd+dFGn2CXGE
Wsx/YE44PhcSwsoVDh5cUij39U1hzUwW8A==
-----END CERTIFICATE-----
subject=/CN=olinux1
issuer=/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert
---
No client certificate CA names sent
---
SSL handshake has read 2181 bytes and written 389 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 23A44C1D442D3C1F72B46B2104C68901507F78C405BC7C89449F59F3C454BAEE
Session-ID-ctx:
Master-Key: D7BED4FD3C2EC992579B9B60E1EA6CB582808E48330551931906F7A6107E0345C3F3AE73BF4C5F4FCE70FE448BB116CB
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1568856803
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
SSL3 alert write:warning:close notify
-bash-4.1$
-bash-4.1$ echo ""|openssl s_client -connect localhost:5555 -tls1_3
unknown option -tls1_3
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify arg - turn on peer certificate verification
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-trusted_first - Use trusted CA's first when building the trust chain
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-psk_identity arg - PSK identity
-psk arg - PSK in hex (without 0x)
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-mtu - set the link layer MTU
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
-bugs - Switch on all SSL implementation bug workarounds
-serverpref - Use server's cipher preferences (only SSLv2)
-cipher - preferred cipher to use, use the 'openssl ciphers'
command to see what is available
-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "pop3", "imap", "ftp" and "xmpp"
are supported.
-engine id - Initialise and use the specified engine
-rand file:file:...
-sess_out arg - file to write SSL session to
-sess_in arg - file to read SSL session from
-servername host - Set TLS extension servername in ClientHello
-tlsextdebug - hex dump of all TLS extensions received
-status - request certificate status from server
-no_ticket - disable use of RFC4507bis session tickets
-nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-keymatexport label - Export keying material using label
-keymatexportlen len - Export len bytes of keying material (default 20)