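What is this post trying to do?
I wondered whether there was a way to check which SSL/TLS protocols a server supports, so I looked into it a little.
It looks like OpenSSL can be used for this.
That said, you can only check within the range of protocols that OpenSSL itself can use.
Environment
This is the environment used this time: Ubuntu Linux 20.04 LTS.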
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

$ uname -srvmpio
Linux 5.4.0-54-generic #60-Ubuntu SMP Fri Nov 6 10:37:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
This is the OpenSSL version I'll use.
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
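The task
I'll set up Apache with SSL/TLS enabled on a server with the IP address 192.168.33.11.
I'll then access it from another server using the OpenSSL command and check which SSL/TLS versions the Apache I built supports.
Preparing Apache
First, install Apache.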
$ sudo apt install apache2

$ apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17
Enable mod_ssl, and also enable the VirtualHost for SSL/TLS.
$ sudo a2enmod ssl
$ sudo a2ensite default-ssl
$ sudo systemctl restart apache2
Check.
$ curl -I -k https://192.168.33.11
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 15:07:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 18 Nov 2020 15:04:52 GMT
ETag: "2aa6-5b462eef36f61"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
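It uses a self-signed certificate, but this confirms that Apache is running over HTTPS.
Checking which SSL/TLS protocols the server supports with the OpenSSL client
Now, using OpenSSL as a client, let's check which SSL/TLS protocols the Apache prepared here supports.
The check is done with openssl s_client.
The -tlsXXX options let you specify the protocol to use.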
$ openssl s_client --help 2>&1 | grep '\-tls1'
 -tls1 Just use TLSv1
 -tls1_1 Just use TLSv1.1
 -tls1_2 Just use TLSv1.2
 -tls1_3 Just use TLSv1.3
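Using these, the following command checks whether a server supports a given SSL/TLS protocol.
$ echo | openssl s_client -connect [host]:[port] [protocol option]
The empty echo is there because, without it, the command sits waiting for input; the echo makes it exit.
By the way, there apparently used to be -ssl2 and -ssl3 options as well, but they can no longer be used.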
$ openssl s_client -ssl2
s_client: Option unknown option -ssl2
s_client: Use -help for summary.

$ openssl s_client -ssl3
s_client: Option unknown option -ssl3
s_client: Use -help for summary.
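Well, nobody uses them anyway... So, as far as checking goes, OpenSSL cannot be used for those protocols.
That said, looking at the cipher suites available in OpenSSL, SSLv3 does seem to be in there...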
$ openssl ciphers -v ALL | perl -wnla -e 'print $F[1]' | sort -u
SSLv3
TLSv1
TLSv1.2
TLSv1.3
Let's not worry about that this time.
Now let's look at the Apache configuration file to see which SSL/TLS protocols are specified.
$ grep -r SSLProtocol /etc/apache2/
/etc/apache2/mods-available/ssl.conf: SSLProtocol all -SSLv3
That is, all minus SSLv3.
Going by the documentation alone, it looks like TLS 1.0 and later can be used.
all
This is a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2'', respectively (except for OpenSSL versions compiled with the ``no-ssl3'' configuration option, where all does not include +SSLv3).
Now, let's check.
TLS 1.3. This one connects successfully.
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1_3
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = ubuntu2004.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ubuntu2004.localdomain
verify return:1
---
Certificate chain
 0 s:CN = ubuntu2004.localdomain
   i:CN = ubuntu2004.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = ubuntu2004.localdomain
issuer=CN = ubuntu2004.localdomain
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1328 bytes and written 295 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A708A31196A289795C7B60F4B4EC20237F2201C7B8C36326BAF453DCCA668D06
    Session-ID-ctx:
    Resumption PSK: AE6D958DA4478714610E437A1041FC561E7917F3709A5ADC0A1EA551922A608075D661C81533800E8D1185CFE1BA2B15
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1605717514
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C15FB7D0AB53DA4EC05FB4D374F4EC7AF2D75043EC63ECEA06D4EB5C30FF55BE
    Session-ID-ctx:
    Resumption PSK: B1F62BABD2FC0971CE6808A045C23E8B420FADB9C96C902F861CB37101113B3362BF45931F400A3E50312EAF912C9132
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1605717514
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
TLS 1.2. This also works.
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1_2
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = ubuntu2004.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ubuntu2004.localdomain
verify return:1
---
Certificate chain
 0 s:CN = ubuntu2004.localdomain
   i:CN = ubuntu2004.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = ubuntu2004.localdomain
issuer=CN = ubuntu2004.localdomain
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1429 bytes and written 281 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 21A6BDF246B2663FDDF515879D77AE2B9CA98C9E1B2E8542833CD5DC5D73950D
    Session-ID-ctx:
    Master-Key: 8BA6EF7E41F59386515662BA92F1EEAEC8E39AB217C7D441BC8CAC3A5FEAF2B6D91A14DE909B084E8F499AE6F9F28FF5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1605717604
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
DONE
## TLS 1.1
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1_1
CONNECTED(00000003)
139968696386880:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

## TLS 1.0
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1
CONNECTED(00000003)
140670905648448:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
In other words, the server currently supports TLS 1.2 and TLS 1.3.
Now let's change Apache so that it supports only TLS 1.3.
/etc/apache2/mods-enabled/ssl.conf
SSLProtocol TLSv1.3
Restart.
$ sudo systemctl restart apache2
Check. TLS 1.3 is OK.
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1_3
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = ubuntu2004.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ubuntu2004.localdomain
verify return:1
---
Certificate chain
 0 s:CN = ubuntu2004.localdomain
   i:CN = ubuntu2004.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = ubuntu2004.localdomain
issuer=CN = ubuntu2004.localdomain
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1328 bytes and written 295 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
DONE
Specifying TLS 1.2 no longer works.
$ echo | openssl s_client -connect 192.168.33.11:443 -tls1_2
CONNECTED(00000003)
140545358013760:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 188 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1605717794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
So that's how it can be checked.
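The failures above come in two shapes: the TLS 1.1/1.0 attempts stopped inside the local client (`tls_construct_client_hello:no protocols available`, 0 bytes read), so they say nothing about the server, while the TLS 1.2 attempt against the TLS 1.3-only server was refused by the server itself (alert number 70). The following is an added example, not code from the original post, that classifies `s_client` output accordingly; the function names and verdict strings are made up for illustration, and the samples are abridged from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original post): tell a client-side refusal
# apart from a server-side one when probing with `openssl s_client`.

# Read s_client output (stdout and stderr merged) on stdin, print one verdict.
classify_s_client() {
    awk '
        /^CONNECTED\(/ { connected = 1 }
        # Completed handshake: "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
        /^New, / && $2 != "(NONE)," { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        # The local OpenSSL could not build a ClientHello for this version.
        /tls_construct_client_hello:no protocols available/ { client_refused = 1 }
        # The server answered with a protocol_version alert (alert number 70).
        /alert protocol version/ { server_refused = 1 }
        END {
            if (proto != "")         print "supported " proto " " cipher
            else if (!connected)     print "connect-failed"
            else if (client_refused) print "client-cannot-offer"
            else if (server_refused) print "server-rejected-version"
            else                     print "inconclusive"
        }'
}

# Try every -tlsXXX option from the post against host $1, port $2.
# 2>&1 matters: the OpenSSL error lines are written to stderr.
probe_host() {
    for probe_opt in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_verdict=$(echo | openssl s_client -connect "$1:$2" "$probe_opt" 2>&1 |
            classify_s_client)
        printf '%-8s %s\n' "$probe_opt" "$probe_verdict"
    done
}

# Samples abridged from the outputs shown in this post.
sample_tls13_ok() {
    cat <<'EOF'
CONNECTED(00000003)
Can't use SSL_get_servername
---
SSL handshake has read 1328 bytes and written 295 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
EOF
}

sample_tls11_client() {
    cat <<'EOF'
CONNECTED(00000003)
139968696386880:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
SSL handshake has read 0 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
EOF
}

sample_tls12_rejected() {
    cat <<'EOF'
CONNECTED(00000003)
140545358013760:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
SSL handshake has read 7 bytes and written 188 bytes
---
New, (NONE), Cipher is (NONE)
EOF
}

if [ "$#" -ge 1 ]; then
    probe_host "$1" "${2:-443}"     # live probe: HOST [PORT]
else
    for sample in sample_tls13_ok sample_tls11_client sample_tls12_rejected; do
        printf '%-22s %s\n' "$sample" "$("$sample" | classify_s_client)"
    done
fi
```

Run it with a host (and optional port) to probe a live server; with no arguments it only classifies the embedded samples.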
Checking with nmap
As another approach, it seems nmap can be used too.
Install nmap.
$ sudo apt install nmap

$ nmap --version
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1d nmap-libssh2-1.8.2 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
ssl-enum-ciphers NSE script — Nmap Scripting Engine documentation
Specifying the ssl-enum-ciphers script lets you check which SSL/TLS protocols the remote end supports.
Running it against the Apache from earlier (with SSL/TLS simply enabled) gives this.
$ nmap -sV --script ssl-enum-ciphers -p 443 192.168.33.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 15:14 UTC
Nmap scan report for 192.168.33.11
Host is up (0.00042s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.59 seconds
However, nmap (7.80 here) does not support TLS 1.3.
After dropping TLS 1.2 support, the result looks like this.
$ nmap -sV --script ssl-enum-ciphers -p 443 192.168.33.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 15:32 UTC
Nmap scan report for 192.168.33.11
Host is up (0.00036s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.41 seconds
Listing the cipher suites OpenSSL supports
You can check with OpenSSL's ciphers command. Without ALL, far fewer are shown.
$ openssl ciphers -v ALL
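Checking whether the server supports a specific cipher suite
A bonus.
Apparently it can be checked with the following; I'm just leaving it here as a note this time.
$ echo | openssl s_client -connect [host]:[port] -cipher [cipher suite]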