ããã¯ããªã«ãããããŠæžãããã®ïŒ
æè¿ã®éä¿¡ã¯SSLïŒTLSäžã§è¡ãããããšãå€ããªããå¹³æã®ãã®ã¯ããŸãèŠãããªããªã£ãŠããŸããã
å¹³æã®é ã¯telnetã³ãã³ããcurlã®telnet://
ãããã³ã«ã§ã®ã¢ã¯ã»ã¹ã§ãããããã£ãŠããŸããããSSLïŒTLSãšãªããšã¡ãã£ãšå°ããŸãã
ããããæã¯ã©ããããïŒãšæã£ãã®ã§ãããOpenSSLã®ã¯ã©ã€ã¢ã³ãã³ãã³ãã䜿ãã®ãè¯ãããã§ããã
ããããã®ããšãèãããšãopenssl s_client
ã«ãã£ãšæ
£ã芪ããã æ¹ãããã®ãããããŸããã
openssl s_client
OpenSSLã®ãªãã£ã·ã£ã«ãµã€ãã¯ãã¡ãã
openssl s_clientã³ãã³ãã®manããŒãžã¯ãã¡ãã
openssl s_clientã¯ãSSLïŒTLSã䜿ã£ãŠãªã¢ãŒããã¹ãã«æ¥ç¶ããããã®æ±çšçãªSSLïŒTLSã¯ã©ã€ã¢ã³ããå®è£
ããã³ãã³ãã§ãã
SSLãµãŒããŒã®èšºæããŒã«ãšããŠäŸ¿å©ã ããšãããŠããŸãã
This command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.
ä»åã¯ãã®ã³ãã³ãã䜿ã£ãŠããããè©ŠããŠã¿ãŸãã
ç°å¢
ä»åã®ç°å¢ã¯ããã¡ããUbuntu Linux 22.04 LTSã§ãã
$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.3 LTS Release: 22.04 Codename: jammy $ uname -srvmpio Linux 5.15.0-83-generic #92-Ubuntu SMP Mon Aug 14 09:30:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
OpenSSLã®ããŒãžã§ã³ã
$ openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
ãŸããUbuntu Linux 22.04 LTSããã1å°çšæããŠããã¡ãã«SSLïŒTLSãæå¹åããApacheãã€ã³ã¹ããŒã«ããŠãããŸãã
$ sudo apt install apache2 $ sudo systemctl enable apache2
$ sudo a2enmod ssl $ sudo a2ensite default-ssl $ sudo systemctl restart apache2
ãã®Apacheã皌åãããµãŒããŒã®IPã¢ãã¬ã¹ã¯ã192.168.33.10ãšããŸãã
ãã«ããèŠã
ãªã«ã¯ãšãããããŸãã¯ãã«ãããã
$ openssl s_client -help
SSLïŒTLSãµãŒããŒã«æ¥ç¶ãã
-connect
ã®åŸã«[host:port]
圢åŒã§ãæ¥ç¶å
ãæå®ããŸãã
$ openssl s_client -connect [host:port]
HTTPSã§ã¢ã¯ã»ã¹ããŠã¿ã
HTTPSã§ã¢ã¯ã»ã¹ããŠã¿ãŸããããçšæããApacheã«ã¢ã¯ã»ã¹ããŠã¿ãŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf
-crlf
ãªãã·ã§ã³ã¯ãæ¹è¡ãCRLFã§éä¿¡ãããã®ã§ãã
蚌ææžæ å ±ãªã©ãããããåºåãããŠãå ¥ååŸ ã¡ã«ãªããŸãã
CONNECTED(00000003) Can't use SSL_get_servername depth=0 CN = ubuntu2204.localdomain verify error:num=18:self-signed certificate verify return:1 depth=0 CN = ubuntu2204.localdomain verify return:1 --- Certificate chain 0 s:CN = ubuntu2204.localdomain i:CN = ubuntu2204.localdomain a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 9 13:39:03 2023 GMT; NotAfter: Sep 6 13:39:03 2033 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIDHzCCAgegAwIBAgIUMZMUSvCr6TT7hGfk9OoJGFmmBgAwDQYJKoZIhvcNAQEL BQAwITEfMB0GA1UEAwwWdWJ1bnR1MjIwNC5sb2NhbGRvbWFpbjAeFw0yMzA5MDkx MzM5MDNaFw0zMzA5MDYxMzM5MDNaMCExHzAdBgNVBAMMFnVidW50dTIyMDQubG9j YWxkb21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgsQH1T4yX TpXXNQtC/KuSPpAGk+XpwSsdSQ21MrscFWojw7T+Hv/+tmKNvVI7/4i8w6sf56Jk tQwFnF+BsaVUwMe/kFRF6A98uUjMWsOmpnP4BP4U43eqaBwQSQG+ylsqSyiwMnM1 qkrGafrc4FAUM5Oi2X+dH9TbzEUJdgijGYEc5L06IozyS/M6hul6jbGupnNxHuKG EwWj07T77DhL/0oV5asu4S8CuYLn2IGcrqlU58Nqv0lt2n97OnSlcocnFlDcdVc7 4DQ/ThmVsXaZR2CghWdsgQaN5rTM/Fn3XJxnqOp/wBgSVrJAWtKMAaVFJPm0W1KJ UcaFGJQzHsZ9AgMBAAGjTzBNMAkGA1UdEwQCMAAwIQYDVR0RBBowGIIWdWJ1bnR1 MjIwNC5sb2NhbGRvbWFpbjAdBgNVHQ4EFgQUtgGicseT4uY5IR/zyIkyAfwJJE8w DQYJKoZIhvcNAQELBQADggEBAHG39cf00tFMNNInCY6Y39H3vjjL8zzvn085jaPs PVceDWWxHNU1tPlHKgPQVJEvpbd8SX7AG66b0/vvlAOOAE0E8gxrHkbZBQXqMVSN 3ILtYQ6byDk3QazwnPBNLHLG08M5X/ySuBHxDsqx07E2Fm1jTZ/zZBxbMwWyZbKT jIbMYe5GqiAW4mXwc0uxOQx559jhP/dpO9ncUyg7ScWuZEQeaMJn9q0YiJxSIlKD Lb3brYuDNq0N4kfXLKKcfd4jcmZsLYo7a+WUO5Sg5ZUxsjOXZEqXxdVfRULnob7C r/rE3QtTqdOH1hrclCMnKfkxnZju1tk/PSaLTlxtzxNYY/E= -----END CERTIFICATE----- subject=CN = ubuntu2204.localdomain issuer=CN = ubuntu2204.localdomain ãçç¥ã --- read R BLOCK
ã¡ãªã¿ã«ãApacheã®èšŒææžã¯èªå·±çœ²å蚌ææžãªã®ã§ãããç¹ã«ãšã©ãŒã«ãªããªãããã§ãã
HTTPãªã¯ãšã¹ããå ¥åã
GET / HTTP/1.1 Host: 192.168.33.10
ã¬ã¹ãã³ã¹ã
GET / HTTP/1.1 Host: 192.168.33.10 HTTP/1.1 200 OK Date: Sat, 09 Sep 2023 13:49:48 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Sat, 09 Sep 2023 13:39:08 GMT ETag: "29af-604ed37b097b8" Accept-Ranges: bytes Content-Length: 10671 Vary: Accept-Encoding Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> ãçç¥ã
æåã®èšŒææžæ
å ±ã衚瀺ãããããªãå Žåã¯ã-quiet
ãªãã·ã§ã³ãæå®ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -quiet
衚瀺å 容ã¯ããããããã«å°ãªããªããŸãã
Can't use SSL_get_servername depth=0 CN = ubuntu2204.localdomain verify error:num=18:self-signed certificate verify return:1 depth=0 CN = ubuntu2204.localdomain verify return:1
ãã®åŸã¯å ¥ååŸ ã¡ã«ãªããŸãã
ã¡ãªã¿ã«ãã¢ã¯ã»ã¹å
ãApacheã®å Žåã-crlf
ããªããšBad Requestãè¿ãããã§ãã
GET / HTTP/1.1 HTTP/1.1 400 Bad Request Date: Sat, 09 Sep 2023 13:52:23 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.4.52 (Ubuntu) Server at ubuntu2204.localdomain Port 443</address> </body></html> closed
HTTPããããŒãå ¥åããåã«åŒŸãããŠããŸããŸãã
ãµãŒããŒã®èšŒææžãååŸãã
ãµãŒããŒã®èšŒææžãååŸããã«ã¯ã以äžã®ã³ãã³ããå®è¡ããŸãã
$ echo | openssl s_client -connect 192.168.33.10:443 2>&1 | \ perl -wn -e 'print if /-BEGIN CERTIFICATE-/ .. /-END CERTIFICATE-/' > server.crt
åŸåã¯Perl One Linerã§ã蚌ææžã®éšåã ããåãåã£ãŠããŸãã䜿ããªãå Žåã¯ãå¥ã®æ¹æ³ïŒãšãã£ã¿ãªã©ïŒã§èšŒææžã®éšåã
åãåºããŸãããã
ãã®ãããªãã¡ã€ã«ãååŸã§ããŸããã
server.crt
-----BEGIN CERTIFICATE----- MIIDHzCCAgegAwIBAgIUMZMUSvCr6TT7hGfk9OoJGFmmBgAwDQYJKoZIhvcNAQEL BQAwITEfMB0GA1UEAwwWdWJ1bnR1MjIwNC5sb2NhbGRvbWFpbjAeFw0yMzA5MDkx MzM5MDNaFw0zMzA5MDYxMzM5MDNaMCExHzAdBgNVBAMMFnVidW50dTIyMDQubG9j YWxkb21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgsQH1T4yX TpXXNQtC/KuSPpAGk+XpwSsdSQ21MrscFWojw7T+Hv/+tmKNvVI7/4i8w6sf56Jk tQwFnF+BsaVUwMe/kFRF6A98uUjMWsOmpnP4BP4U43eqaBwQSQG+ylsqSyiwMnM1 qkrGafrc4FAUM5Oi2X+dH9TbzEUJdgijGYEc5L06IozyS/M6hul6jbGupnNxHuKG EwWj07T77DhL/0oV5asu4S8CuYLn2IGcrqlU58Nqv0lt2n97OnSlcocnFlDcdVc7 4DQ/ThmVsXaZR2CghWdsgQaN5rTM/Fn3XJxnqOp/wBgSVrJAWtKMAaVFJPm0W1KJ UcaFGJQzHsZ9AgMBAAGjTzBNMAkGA1UdEwQCMAAwIQYDVR0RBBowGIIWdWJ1bnR1 MjIwNC5sb2NhbGRvbWFpbjAdBgNVHQ4EFgQUtgGicseT4uY5IR/zyIkyAfwJJE8w DQYJKoZIhvcNAQELBQADggEBAHG39cf00tFMNNInCY6Y39H3vjjL8zzvn085jaPs PVceDWWxHNU1tPlHKgPQVJEvpbd8SX7AG66b0/vvlAOOAE0E8gxrHkbZBQXqMVSN 3ILtYQ6byDk3QazwnPBNLHLG08M5X/ySuBHxDsqx07E2Fm1jTZ/zZBxbMwWyZbKT jIbMYe5GqiAW4mXwc0uxOQx559jhP/dpO9ncUyg7ScWuZEQeaMJn9q0YiJxSIlKD Lb3brYuDNq0N4kfXLKKcfd4jcmZsLYo7a+WUO5Sg5ZUxsjOXZEqXxdVfRULnob7C r/rE3QtTqdOH1hrclCMnKfkxnZju1tk/PSaLTlxtzxNYY/E= -----END CERTIFICATE-----
SSLïŒTLS蚌ææžãæå®ããŠã¢ã¯ã»ã¹ãã
ä»åã®Apacheã¯ãèªå·±çœ²å蚌ææžã䜿ã£ãŠããã®ã§
$ openssl s_client -connect 192.168.33.10:443 -crlf
ããèŠããšã¢ã¯ã»ã¹æã«verify error
ãåºåãããŠããŸããã
CONNECTED(00000003) Can't use SSL_get_servername depth=0 CN = ubuntu2204.localdomain verify error:num=18:self-signed certificate verify return:1 depth=0 CN = ubuntu2204.localdomain verify return:1
蚌ææžã®æ€èšŒã«ã倱æããŠããŸãã
--- SSL handshake has read 1363 bytes and written 404 bytes Verification error: self-signed certificate ---
ããã§ã³ãã³ããæ¢ãŸã£ããã¯ããªãã®ã§ããã
ããã§ãå
çšååŸãããµãŒããŒèšŒææžã-CAfile
ãªãã·ã§ã³ã§æå®ããããšã§ããã®ãšã©ãŒãåºãªãããã«ããããšãã§ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -CAfile server.crt
ä»åºŠã¯ã蚌ææžã®ãšã©ãŒãåºãªããªããŸããã
CONNECTED(00000003) Can't use SSL_get_servername depth=0 CN = ubuntu2204.localdomain verify return:1
ãã¡ããOKã§ãã
--- SSL handshake has read 1359 bytes and written 373 bytes Verification: OK ---
蚌ææžãšã©ãŒã«ãªãå Žåã«åæ¢ãã
-verify_return_error
ãªãã·ã§ã³ãæå®ãããšã蚌ææžãšã©ãŒã«ãªããšåŠçãåæ¢ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -verify_return_error
ããã§æ¢ãŸããŸãã
CONNECTED(00000003) Can't use SSL_get_servername depth=0 CN = ubuntu2204.localdomain verify error:num=18:self-signed certificate 40671ED1CC7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883: --- Certificate chain 0 s:CN = ubuntu2204.localdomain i:CN = ubuntu2204.localdomain a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 9 13:39:03 2023 GMT; NotAfter: Sep 6 13:39:03 2033 GMT --- no peer certificate available --- No client certificate CA names sent Server Temp Key: X25519, 253 bits --- SSL handshake has read 999 bytes and written 300 bytes Verification error: self-signed certificate --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 18 (self-signed certificate) ---
æå¹ãªèšŒææžãæå®ãããšãåäœããããã«ãªããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -CAfile server.crt -verify_return_error
䜿çšãããããã³ã«ãæå®ãã
-tlsXXX
ãªãã·ã§ã³ã䜿çšããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -tls1_3
æå®å¯èœãªTLSãããã³ã«ã¯ãã¡ãã
$ openssl s_client -help 2>&1 | grep '\-tls1' -tls1 Just use TLSv1 -tls1_1 Just use TLSv1.1 -tls1_2 Just use TLSv1.2 -tls1_3 Just use TLSv1.3
ãµãŒããŒããµããŒãããŠããªããããã³ã«ãæå®ãããšããšã©ãŒã«ãªããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -tls1 CONNECTED(00000003) 40A7D6A9477F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 7 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) ---
ãã®ãããã¯ã以åãã¡ãã§ç¢ºèªããŸããã
サーバーが対応しているSSL/TLSプロトコルを確認する(openssl s_client、nmap) - CLOVER🍀
䜿ããããªããããã³ã«ã-no_tlsXXX
ã§æå®ããããšãã§ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -no_tls1
ãã®ããããæå®ã§ããŸããã
$ openssl s_client -help 2>&1 | grep '\-no_tls1' -no_tls1 Just disable TLSv1 -no_tls1_1 Just disable TLSv1.1 -no_tls1_2 Just disable TLSv1.2 -no_tls1_3 Just disable TLSv1.3
æå·ã¹ã€ãŒããæå®ãã
-ciphersuites
ãªãã·ã§ã³ã§ãTLSv1.3ã§äœ¿çšããæå·ã¹ã€ãŒããæå®ã§ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -ciphersuites TLS_AES_128_GCM_SHA256
è€æ°æå®ããå Žåã¯ã:
ã§åºåããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
䜿çšã§ããæå·ã¹ã€ãŒãã¯ã以äžã®ãããªã³ãã³ãã§ãããã³ã«ããšã«ç¢ºèªãããšããã§ãããã
$ openssl ciphers -v -s -tls1_3
TLSv1.2以äžã®å Žåã¯ã-cipher
ã§æå®ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -cipher 'HIGH:!aNULL:!MD5' -tls1_2
ããã«ã€ããŠã¯ããã¡ãã«ãæžããŸããã
OpenSSLでの暗号スイートと指定方法を確認する(+Apache、nginxでのIPAガイド設定例含む)) - CLOVER🍀
ãããã·ãµãŒããŒãæå®ãã
-proxy
ãªãã·ã§ã³ãæå®ããããšã§ããããã·ãµãŒããŒãä»ããŠã¢ã¯ã»ã¹ããŸãã
$ openssl s_client -connect [host]:[port] -proxy [proxy-host]:[proxy-port]
-connect
ãšåãããŠäœ¿ãããšã§ãæå®ããããããã·ãµãŒããŒã«HTTP CONNECTã§ã¢ã¯ã»ã¹ããŸãã
ãµãŒããŒåãæå®ãã
ããã©ã«ãã§ã¯ã-connect
ã§æå®ãããååããµãŒããŒåãšããŠClientHelloã¡ãã»ãŒãžã§äœ¿ãããŸãã
ãããšç°ãªãååãæå®ããå Žåã¯-servername
ãªãã·ã§ã³ã§æå®ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -servername ubuntu2204.localdomain
ãã©ãã£ãã¯ããã³ãããïŒãããã°ããïŒ
ããŸã䜿ãããšã¯ãªããããããŸãããã-debug
ãªãã·ã§ã³ãæå®ããŸãã
$ openssl s_client -connect 192.168.33.10:443 -crlf -debug
ãããã«
OpenSSLã®s_clientã³ãã³ãã«ã€ããŠããããã調ã¹ãŠã¿ãŸããã
軜ãè©Šããããã«ããã€ãããããªãã·ã§ã³ãçºããŠããããã£ããå¢ããŠããŸããŸãããã
ããããã¡ãããšäœ¿ããŠãããããããªãšæããŸãã