<![CDATA[
<p><span style="font-size: 9pt;">s_client 에는 다양한 옵션들이 있다.</span><br></p><p><br></p><p><span _foo="font-family: Verdana;">1. -connect host:port </span></p><p><span _foo="font-family: Verdana;"> 접속할 호스트와 포트이다 기본값은 localhost:4433으로 되어있다</span></p><p><br></p><p><span _foo="font-family: Verdana;">2. -ssl2, -ssl3, </span><span _foo="font-family: Verdana;"> -tls1_2 , </span><span _foo="font-family: Verdana;">-tls1_1, -tls1, dtls1</span></p><p><span _foo="font-family: Verdana;"> 설정한 프로토콜만 통신을 하</span><span _foo="font-family: Verdana;">겠다는 의미이다.</span></p><p><span _foo="font-family: Verdana;"> no_ 를 저 옵션 앞에 붙이면 해당 옵션을 제외하고 통신을 하겠다는 의미이다.(ex. -no_ssl2)</span></p><p><br></p><p><span _foo="font-family: Verdana;">3. -state</span></p><p><span _foo="font-family: Verdana;"> SSL 세션의 state를 print 한다</span></p><p><br></p><p><span _foo="font-family: Verdana;">4. -msg</span></p><p><span _foo="font-family: Verdana;"> 프로토콜 메세지를 보여준다</span></p><p><br></p><p><span _foo="font-family: Verdana;">5. -showcerts</span></p><p><span _foo="font-family: Verdana;"> 전체서버 certificate chain을 display한다.</span></p><p><br></p><p>옵션들은 포트뒤에 넣어주면된다</p><p><span _foo="color: rgb(58, 50, 195);" style="color: rgb(58, 50, 195);">ex) openssl -connect </span><a href="http://www.google.com:443/" target="_blank" _foo="con_link" style="color: rgb(0, 95, 193); text-decoration-line: underline; cursor: pointer; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.1);"><span _foo="color: rgb(58, 50, 195);" style="color: rgb(58, 50, 195);">www.google.com:443</span></a><span _foo="color: rgb(58, 50, 195);" style="color: rgb(58, 50, 195);"> -tls1_1 => tls1.1로만 통신하겠다는 의미.</span></p><p><span _foo="font-family: Verdana;">이외에도 다양한 옵션들이 있다 그건 man s_client 페이지에서 확인하자.</span></p><p><br style="color: rgb(0, 0, 0); font-family: sans-serif; font-size: 16.002px;"></p><p><strong><span style="color: rgb(255, 0, 0);"><br></span></strong></p><p><strong><span style="color: rgb(255, 0, 0);"><br></span></strong></p><p><strong><span style="color: rgb(255, 0, 0);"><br></span></strong></p><p><strong><span style="color: rgb(255, 0, 0);">bash-4.1$ echo ""|openssl s_client -connect localhost:8989 -tls1</span></strong><br>CONNECTED(00000003)<br>depth=1 O = Oracle Corporation, OU = Oracle iPlanet Web Server 7.0, CN = admin- ca-cert<br>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>---<br>Certificate chain<br> 0 s:/CN=olinux1<br> i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br> 1 s:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br> i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br>---<br>Server certificate<br>-----BEGIN CERTIFICATE-----<br>MIIDFTCCAf2gAwIBAgIEx64e4zALBgkqhkiG9w0BAQUwXTEbMBkGA1UEChMST3Jh<br>Y2xlIENvcnBvcmF0aW9uMSYwJAYDVQQLEx1PcmFjbGUgaVBsYW5ldCBXZWIgU2Vy<br>dmVyIDcuMDEWMBQGA1UEAxMNYWRtaW4tY2EtY2VydDAeFw0xNzA2MjkwNTUxMjVa<br>Fw0yNzA2MjkwNTUxMjVaMBIxEDAOBgNVBAMTB29saW51eDEwggEiMA0GCSqGSIb3<br>DQEBAQUAA4IBDwAwggEKAoIBAQC2Hnd0oS/HwYXGu2xHZpZ4Svrz1IOz9inPqdgo<br>MsX5/jbz6dnYEZWz1Gg7iUD3vf7W87/ugDMfwja5MCMFdh0GnHMxSU0/k1E/f2Mx<br>dj2mkraJZKmcrXr5DGKsP+Nx4RTnjwYq1VrXyHUVRe0lS2VEoJtKgqba+2Onwz0E<br>G13hBOxy2y0V/r0X98yHguknSHIB0fupp4MyaRqPvlMgA3c2m0/ZFj6K5E2dRsop<br>GQX7x9Uu8Wy/UtFHVZ38paq71hzWILCQkab2UblhVy9LO7izXb9wdOyH7C4OciW5<br>r0AugtNvlkBM4dUfGGuIFWrSA/G3eVKAlhB08ntiDdOxZKVHAgMBAAGjKjAoMA4G<br>A1UdDwEB/wQEAwIDKDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATANBgkqhkiG9w0B<br>AQUFAAOCAQEAFxBrTyXsl3rZcs8qq6t22Tsp7sgGO+kmwJxnA9Iffs4dWZnSCByL<br>iUjEAfbT1oCxsYIOHSRWLNuCuGdgpgaE2hvk/BpzwR+At8grjI04DWNdUGkzWRYp<br>zMilaagrLaOz09ZIEktHb8suiMTAcXS3cPBnskVKNgLj0D8vwEp99L1ZkHjf0Jpy<br>GUHiH1pwuzuKP09Y5ujY3Z0Nckwu8SzcpTKoUxFnvFgZn5DZrri+/qaD5hI/h5A6<br>NpqjE0pGF/BRSjQxwR4Yf2RAQnsiEkFCePkO3O9czetRCx/MWABOMd+dFGn2CXGE<br>Wsx/YE44PhcSwsoVDh5cUij39U1hzUwW8A==<br>-----END CERTIFICATE-----<br>subject=/CN=olinux1<br>issuer=/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 2187 bytes and written 303 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : TLSv1<br> Cipher : ECDHE-RSA-AES128-SHA<br> Session-ID: 23A4B4326FF5286E69295A7A3FC32684450CA60E2C8B65428FFADE57DA3F4CC 8<br> Session-ID-ctx:<br> Master-Key: 522BDEA2F518150240847BBFC04B3F7EBEA22933A8FA290699C60ABF0002644 6CBAB2BB7058205B9567EE4A78FD4EAB4<br> Key-Arg : None<br> Krb5 Principal: None<br> PSK identity: None<br> PSK identity hint: None<br> Start Time: 1568856555<br> Timeout : 7200 (sec)<br> Verify return code: 19 (self signed certificate in certificate chain)<br>---<br>DONE<br>-bash-4.1$</p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><br></p><p><strong><span style="color: rgb(255, 0, 0);">-bash-4.1$ echo ""|openssl s_client -connect localhost:8989 -state</span></strong><br>CONNECTED(00000003)<br>SSL_connect:before/connect initialization<br>SSL_connect:SSLv2/v3 write client hello A<br>SSL_connect:SSLv3 read server hello A<br>depth=1 O = Oracle Corporation, OU = Oracle iPlanet Web Server 7.0, CN = admin-ca-cert<br>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>SSL_connect:SSLv3 read server certificate A<br>SSL_connect:SSLv3 read server key exchange A<br>SSL_connect:SSLv3 read server done A<br>SSL_connect:SSLv3 write client key exchange A<br>SSL_connect:SSLv3 write change cipher spec A<br>SSL_connect:SSLv3 write finished A<br>SSL_connect:SSLv3 flush data<br>SSL_connect:SSLv3 read finished A<br>---<br>Certificate chain<br> 0 s:/CN=olinux1<br> i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br> 1 s:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br> i:/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br>---<br>Server certificate<br>-----BEGIN CERTIFICATE-----<br>MIIDFTCCAf2gAwIBAgIEx64e4zALBgkqhkiG9w0BAQUwXTEbMBkGA1UEChMST3Jh<br>Y2xlIENvcnBvcmF0aW9uMSYwJAYDVQQLEx1PcmFjbGUgaVBsYW5ldCBXZWIgU2Vy<br>dmVyIDcuMDEWMBQGA1UEAxMNYWRtaW4tY2EtY2VydDAeFw0xNzA2MjkwNTUxMjVa<br>Fw0yNzA2MjkwNTUxMjVaMBIxEDAOBgNVBAMTB29saW51eDEwggEiMA0GCSqGSIb3<br>DQEBAQUAA4IBDwAwggEKAoIBAQC2Hnd0oS/HwYXGu2xHZpZ4Svrz1IOz9inPqdgo<br>MsX5/jbz6dnYEZWz1Gg7iUD3vf7W87/ugDMfwja5MCMFdh0GnHMxSU0/k1E/f2Mx<br>dj2mkraJZKmcrXr5DGKsP+Nx4RTnjwYq1VrXyHUVRe0lS2VEoJtKgqba+2Onwz0E<br>G13hBOxy2y0V/r0X98yHguknSHIB0fupp4MyaRqPvlMgA3c2m0/ZFj6K5E2dRsop<br>GQX7x9Uu8Wy/UtFHVZ38paq71hzWILCQkab2UblhVy9LO7izXb9wdOyH7C4OciW5<br>r0AugtNvlkBM4dUfGGuIFWrSA/G3eVKAlhB08ntiDdOxZKVHAgMBAAGjKjAoMA4G<br>A1UdDwEB/wQEAwIDKDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATANBgkqhkiG9w0B<br>AQUFAAOCAQEAFxBrTyXsl3rZcs8qq6t22Tsp7sgGO+kmwJxnA9Iffs4dWZnSCByL<br>iUjEAfbT1oCxsYIOHSRWLNuCuGdgpgaE2hvk/BpzwR+At8grjI04DWNdUGkzWRYp<br>zMilaagrLaOz09ZIEktHb8suiMTAcXS3cPBnskVKNgLj0D8vwEp99L1ZkHjf0Jpy<br>GUHiH1pwuzuKP09Y5ujY3Z0Nckwu8SzcpTKoUxFnvFgZn5DZrri+/qaD5hI/h5A6<br>NpqjE0pGF/BRSjQxwR4Yf2RAQnsiEkFCePkO3O9czetRCx/MWABOMd+dFGn2CXGE<br>Wsx/YE44PhcSwsoVDh5cUij39U1hzUwW8A==<br>-----END CERTIFICATE-----<br>subject=/CN=olinux1<br>issuer=/O=Oracle Corporation/OU=Oracle iPlanet Web Server 7.0/CN=admin-ca-cert<br>---<br>No client certificate CA names sent<br>---<br>SSL handshake has read 2181 bytes and written 389 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : TLSv1.2<br> Cipher : ECDHE-RSA-AES128-GCM-SHA256<br> Session-ID: 23A44C1D442D3C1F72B46B2104C68901507F78C405BC7C89449F59F3C454BAEE<br> Session-ID-ctx:<br> Master-Key: D7BED4FD3C2EC992579B9B60E1EA6CB582808E48330551931906F7A6107E0345C3F3AE73BF4C5F4FCE70FE448BB116CB<br> Key-Arg : None<br> Krb5 Principal: None<br> PSK identity: None<br> PSK identity hint: None<br> Start Time: 1568856803<br> Timeout : 300 (sec)<br> Verify return code: 19 (self signed certificate in certificate chain)<br>---<br>DONE<br>SSL3 alert write:warning:close notify<br>-bash-4.1$</p><p><br></p><p><br></p><p><br></p><p>-bash-4.1$ echo ""|openssl s_client -connect localhost:5555 -tls1_3</p><p>unknown option -tls1_3</p><p>usage: s_client args</p><p><br></p><p> -host host - use -connect instead</p><p> -port port - use -connect instead</p><p> -connect host:port - who to connect to (default is localhost:4433)</p><p> -verify arg - turn on peer certificate verification</p><p> -cert arg - certificate file to use, PEM format assumed</p><p> -certform arg - certificate format (PEM or DER) PEM default</p><p> -key arg - Private key file to use, in cert file if</p><p> not specified but cert file is.</p><p> -keyform arg - key format (PEM or DER) PEM default</p><p> -pass arg - private key file pass phrase source</p><p> -CApath arg - PEM format directory of CA's</p><p> -CAfile arg - PEM format file of CA's</p><p> -trusted_first - Use trusted CA's first when building the trust chain</p><p> -reconnect - Drop and re-make the connection with the same Session-ID</p><p> -pause - sleep(1) after each read(2) and write(2) system call</p><p> -showcerts - show all certificates in the chain</p><p> -debug - extra output</p><p> -msg - Show protocol messages</p><p> -nbio_test - more ssl protocol testing</p><p> -state - print the 'ssl' states</p><p> -nbio - Run with non-blocking IO</p><p> -crlf - convert LF from terminal into CRLF</p><p> -quiet - no s_client output</p><p> -ign_eof - ignore input eof (default when -quiet)</p><p> -no_ign_eof - don't ignore input eof</p><p> -psk_identity arg - PSK identity</p><p> -psk arg - PSK in hex (without 0x)</p><p><b><span style="color: rgb(255, 0, 0);"> -ssl2 - just use SSLv2</span></b></p><p><b><span style="color: rgb(255, 0, 0);"> -ssl3 - just use SSLv3</span></b></p><p><b><span style="color: rgb(255, 0, 0);"> -tls1_2 - just use TLSv1.2</span></b></p><p><b><span style="color: rgb(255, 0, 0);"> -tls1_1 - just use TLSv1.1</span></b></p><p><b><span style="color: rgb(255, 0, 0);"> -tls1 - just use TLSv1</span></b></p><p><b><span style="color: rgb(255, 0, 0);"> -dtls1 - just use DTLSv1</span></b></p><p> -mtu - set the link layer MTU</p><p> -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol</p><p> -bugs - Switch on all SSL implementation bug workarounds</p><p> -serverpref - Use server's cipher preferences (only SSLv2)</p><p> -cipher - preferred cipher to use, use the 'openssl ciphers'</p><p> command to see what is available</p><p> -starttls prot - use the STARTTLS command before starting TLS</p><p> for those protocols that support it, where</p><p> 'prot' defines which one to assume. Currently,</p><p> only "smtp", "pop3", "imap", "ftp" and "xmpp"</p><p> are supported.</p><p> -engine id - Initialise and use the specified engine</p><p> -rand file:file:...</p><p> -sess_out arg - file to write SSL session to</p><p> -sess_in arg - file to read SSL session from</p><p> -servername host - Set TLS extension servername in ClientHello</p><p> -tlsextdebug - hex dump of all TLS extensions received</p><p> -status - request certificate status from server</p><p> -no_ticket - disable use of RFC4507bis session tickets</p><p> -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)</p><p> -legacy_renegotiation - enable use of legacy renegotiation (dangerous)</p><p> -use_srtp profiles - Offer SRTP key management with a colon-separated profile list</p><p> -keymatexport label - Export keying material using label</p><p> -keymatexportlen len - Export len bytes of keying material (default 20)</p><p>-bash-4.1$ echo ""|openssl s_client -connect localhost:5555 -tls1_3</p><div><br></div><p><br><br></p>
<!-- -->]]>
카페 게시글
검색이 허용된 게시물입니다.
web-server
[sun_one]
TLS 확인 방법 openssl s_client -connect
kiki
추천 0
조회 95
19.09.19 10:35
댓글 0
다음검색
