什么是 OpenSSL?
OpenSSL 是一个免费的开源软件加密库,它为应用程序提供加密功能以确保安全的互联网通信。 它广泛用于许多服务器应用程序,并且可用于大多数类 Unix 操作系统(包括 Solaris、Linux、Mac OS X、四种开源 BSD 操作系统)、OpenVMS 和 Microsoft Windows。
除此之外,OpenSSL 还是一个设备齐全的工具,用于实现传输层安全 (TLS) 和安全套接字层 (SSL) 协议。
使用 OpenSSL 工具包,我们可以执行各种与 SSL 相关的任务以及各种加密功能。 在这些其他任务中,我们可以生成 CSR(证书签名请求)和私钥。 我们可以执行 SSL 证书安装,或者我们可以将我们的证书转换为不同的格式。 然后,我们可以验证其详细信息,甚至可以提取有关证书的信息。
如果我们谈论加密功能,我们可以将它用于文件加密和解密目的以及生成密码哈希。
但是,今天,我们将致力于这个免费工具包的完全不同的功能 – 验证安全连接。
先决条件
Unix/Linux OS 平台之一,默认包含 OpenSSL 程序。 在 Microsoft Windows 上,我们必须从二进制文件下载并安装 OpenSSL 并进行安装。
入门
由于 OpenSSL 的自然环境是一个 Unix 平台,我们假设我们正在开发一个平台。 在我们开始检查我们的连接之前,我们需要确保我们的 OpenSSL 是最新的,所以让我们使用以下命令检查我们正在运行的版本。
[root@host ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017对于那些更有经验和对完整细节感兴趣的人,我们可以附加 -a 标志。
[root@host ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
[root@host ~]# 在大多数情况下,我们将使用系统提供的 OpenSSL 版本。 但是,如果我们发现自己需要升级,我们需要下载最新版本,解压并从源代码编译。
OpenSSL 命令中没有特定的帮助关键字,但是如果我们在命令中附加 OpenSSL 无法识别的标志,则会向我们提供帮助文本。 要检查这个强大工具的可用选项,我们可以使用以下命令。
root@host:~# openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
root@host:~#如需更多指导,请随时使用以下命令浏览手册页。
[root@host ~]# man openssl检查与 OpenSSL 的连接
在 OpenSSL 提供的众多命令中,为了测试安全连接,我们将使用 openssl s_client 命令。 基本命令大纲如下:
[root@host ~]# openssl s_client -connect <domain name or IP>:<port>为了测试连接,我们需要一个域名和一个端口。 出于本次测试的目的,我们将使用BYNSS.com 域。 由于我们试图确认我们的连接是否安全,我们将使用端口 443,这是所有安全 HTTP(基于 TLS/SSL 的超文本传输协议)流量的标准端口。
我们将要使用的命令将在端口 443 上打开与 www.BYNSS.com 域的连接,并向我们显示其上使用的 SSL 证书。 它将为我们提供大量其他相关输出,例如证书链、正在使用的密码以及 SSL/TLS 会话的其他特征。
但是,一旦连接,我们将能够输入任何我们想要的内容,这将为我们提供手动发送 HTTP 请求的机会。 对于那些以前使用过 telnet 命令的人来说,这会感觉很熟悉,因为该工具本身与它相似。 要在端口 443 上测试到 BYNSS.com 域的连接,我们将使用以下命令:
[root@host ~]# openssl s_client -connect www.BYNSS.com:443这是此命令的完整输出。
[root@host ~]# openssl s_client -connect www.BYNSS.com:443
CONNECTED(00000005)
---
Certificate chain
0 s:businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.BYNSS.com
i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHwTCCBqmgAwIBAgIMZuWs07WLoi8uhNCpMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMzAe
Fw0yMDAyMTAxOTI1MzBaFw0yMjAzMjIxODIzNDBaMIHwMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjEPMA0GA1UEBRMGRDk0MDZKMRMwEQYLKwYBBAGCNzwC
AQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCE1pY2hpZ2FuMQswCQYDVQQGEwJVUzER
MA8GA1UECBMITWljaGlnYW4xETAPBgNVBAcTCFBseW1vdXRoMSUwIwYDVQQJExw0
MDYwMCBBbm4gQXJib3IgUmQgRSBTdGUgMjAxMRgwFgYDVQQKEw9MaXF1aWQgV2Vi
LCBMTEMxGjAYBgNVBAMTEXd3dy5saXF1aWR3ZWIuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEArPlau7eH8GjzmN6Q9dNDQ/A5O2D8putk4F4S6LiQ
w/CO7KQS5YFCPhxW42AyiBImhzdrHL8TZ00srvOYGhDmlwt78Pnb+aFBsrAJNq65
Ty0BOlKF0uDJe01DH9amdphuQEyiNXtSN5OlSSPRGrypiTm8MOnGt/2pJxK49YGX
0XVMMdxtrgDViAoRW3WWqpcSsTtCRx4rGKUIC60e/+z8QAVADyy/9QzLBuJSyjkG
GLanR8Dn/4lNo8dJg5ovkcmghXSo0BpLvBWtZBhTS0eAe/VODD2I6uXohDDkBzW6
pEN5wTcOotxXP6neqdD5jbxs49D+dicWVrsUv4+QoeUT+QIDAQABo4ID5jCCA+Iw
DgYDVR0PAQH/BAQDAgWgMIGWBggrBgEFBQcBAQSBiTCBhjBHBggrBgEFBQcwAoY7
aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3NleHRlbmR2YWxz
aGEyZzNyMy5jcnQwOwYIKwYBBQUHMAGGL2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWdu
LmNvbS9nc2V4dGVuZHZhbHNoYTJnM3IzMFUGA1UdIAROMEwwQQYJKwYBBAGgMgEB
MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z
aXRvcnkvMAcGBWeBDAEBMAkGA1UdEwQCMAAwRQYDVR0fBD4wPDA6oDigNoY0aHR0
cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2V4dGVuZHZhbHNoYTJnM3IzLmNy
bDCBqwYDVR0RBIGjMIGgghF3d3cubGlxdWlkd2ViLmNvbYISY2FydC5saXF1aWR3
ZWIuY29tghRtYW5hZ2UubGlxdWlkd2ViLmNvbYIRbmV3LmxpcXVpZHdlYi5jb22C
GG1hbmFnZS5zdG9ybW9uZGVtYW5kLmNvbYIOd3d3LnNvbmV0Ny5jb22CFXd3dy5z
dG9ybW9uZGVtYW5kLmNvbYINbGlxdWlkd2ViLmNvbTAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU3bPnbagu6MVObs905nU8lBXO6B0w
HQYDVR0OBBYEFPhVNQlDuYjW8he+m/phOpW9dlNRMIIBfwYKKwYBBAHWeQIEAgSC
AW8EggFrAWkAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAXAw
kGUSAAAEAwBHMEUCIQD4dzIeqx4PkeoPSRoljPjqexdZPntdUXXHBhU7hkfdUQIg
AshbvBANLIqKBLGN0vpU8Lq6LAdc0hwq2536VEarag8AdgAiRUUHWVUkVpY/oS/x
922G4CMmY63AS39dxoNcbuIPAgAAAXAwkGOpAAAEAwBHMEUCIDVT3mV7GHfu5Wz9
QVxm/ewe/NaFTFMXjXtQpH6FNZP8AiEA50qff+xJDgYuvYWqcGo67+pOfP+BiCgW
L6b34XIwbQIAdwBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAXAw
kGSXAAAEAwBIMEYCIQDHY+1MVRlxSR7Gfv3SQ6us7nawS4dqFcRMEztDTlYWmwIh
AOkXVShugJdmRvTEXLbVhGNIf1Jcrmxb3ssH39GD8y8RMA0GCSqGSIb3DQEBCwUA
A4IBAQAOYcvVEjvLqHpYHxeO001Ywz9PLQcuM0u3oPG915hdp+a42qMZmb7kOc6S
sEG7mvytYkVE7Pghj2KoxS9ZRUplD+K/7vGJKuS9YeCTejheA0otNb6t/ui+GU6X
+HSamCru/psNe8Q15rhsaWqrGZa4rR6vBvNiJd5xCL1FBYtVRoHliYjWNrAqq6Ia
2Iy07Xqg7Cuk89ZexeFZa8KUqcH7S0jfLe+5M7LRV+tFvLgdiBA4U1M0hX+ME8eD
T8QBizu5zjGN6Fz4+R3zZrH9GrbahsG88HRmlsVnOPvkt4BqmXfITfDJLxImTXc3
CWWNBZJzxuISBzQvWMxQvk3nXZdB
-----END CERTIFICATE-----
subject=businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.BYNSS.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4657 bytes and written 735 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: ECD5CD026E4FC0F951C7237E62B6C9C0250E6B711F4FFB8D053F10D34E89419F
Session-ID-ctx:
Resumption PSK: BD9B7DE5FDF601C0015BAEB6C52143850F20F7ADFFD253577681152268BD162A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 14400 (seconds)
TLS session ticket:
0000 - 01 58 6e 4f ba 9a ae 76-f2 25 d1 be 8f 3c 30 a1 .XnO...v.%...<0.
0010 - 57 91 03 38 63 24 a9 4a-d9 cc 82 c2 bb 7e e4 80 W..8c$.J.....~..
0020 - 02 63 26 97 28 7d ce e4-0e fa 46 20 b6 ce 00 3c .c&.(}....F ...<
0030 - a4 34 66 38 ff 01 bf 36-17 9c 2b 9c 4e eb e1 32 .4f8...6..+.N..2
0040 - e2 39 e5 0c f2 55 0c 72-19 08 37 c6 be 2e 9f 22 .9...U.r..7...."
0050 - c0 b3 85 0a fe 5f b5 03-43 ec 42 7e b7 34 b7 c2 ....._..C.B~.4..
0060 - 64 ea 4f 73 7a ac 65 1d-5d 3f 5b 91 9f 05 7d 87 d.Osz.e.]?[...}.
0070 - a4 fd 4f a0 cb 65 a5 e2-d6 5c 25 db db 6a 3d 76 ..O..e...%..j=v
0080 - 92 91 3c ca 63 0b bd 22-35 b8 28 7d 8a 87 67 3e ..<.c.."5.(}..g>
0090 - 14 d9 d2 3e d0 73 68 be-ea 57 13 93 63 52 2b 9f ...>.sh..W..cR+.
00a0 - 2b 9e a9 92 84 0d 74 6c-7c 4e 5c d5 9a 00 c3 ed +.....tl|N.....
00b0 - 92 .
Start Time: 1588773944
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
现在,一旦我们连接上,我们可以用我们的 HTTP 发送一个 HEAD 命令来指示 HTTP 服务器不要发送响应正文。 要发送我们的请求,我们需要输入以下命令。
HEAD / HTTP/1.1
Host: www.BYNSS.com注意:请求后面必须有一个空行,因为这是 HTTP 格式的重要组成部分。
发送请求后,服务器将向我们发送回复。
HTTP/1.1 200 OK
Server: nginx/1.16.1
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8
Date: Sun, 03 May 2020 12:07:26 GMT
Link: <https://www.BYNSS.com/lw-api/>; rel="https://api.w.org/"
Link: <https://www.BYNSS.com/>; rel=shortlink
Transfer-Encoding: chunked
X-Nginx-Cache: HIT
Connection: Keep-Alive
Set-Cookie: lwDisableCookiePrompt=1;domain=BYNSS.com;path=/;max-age=315360000
X-Page-Speed: 1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.2.20
closed现在我们已经成功确认 TLS 通信层正在工作。 使用我们的初始命令,OpenSSL 在安全的 HTTPS 端口 443 上连接到BYNSS.com 域。我们收到了有关 SSL 证书、证书颁发机构、密码等的详细信息。然后,我们发送了一个原始 HTTP HEAD 请求并收到了回复这证实了网络服务器不仅接受了我们的连接,而且还响应了我们的请求。
基本上,提到的 s_client -connect 命令有两个输出:
- 服务器接受了我们的连接,这将显示 SSL 证书以及附加输出。
- 服务器拒绝了我们的连接并向我们提供了错误消息,例如连接:连接超时或连接:errno=110。
如果连接被拒绝并且域名和端口正确,则服务器将不接受该指定端口上的安全连接。
但是,如果我们使用初始命令建立连接并且 HTTP 请求一直失败,那么我们可能会有解决方案。 为了这 example,让我们使用我们的测试域之一,yesnt.tk。 我们将尝试使用用于测试BYNSS.com 的相同命令进行连接
[root@host ~]# openssl s_client -connect yesnt.tk:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
0 s:/CN=shellbear.ga
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7E143DC254451082AABC45067936A675AD210CEDA7643F85347AA6DCE16B5615
Session-ID-ctx:
Master-Key: FD615434DC4AD0F2955F0801B2B451636CE14D1B567E400725E213245A9B80D932257F9529D05524551D5A9F1B48F37C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
0010 - 1e c4 66 3a eb 28 98 b9-a2 75 fd 67 0d 0e f0 02 ..f:.(...u.g....
0020 - ce b0 bd 41 25 df d9 86-b0 39 8d 46 ce cc e5 75 ...A%....9.F...u
0030 - 2c 9c 23 e5 2e 62 1a 30-fe c2 a0 f8 86 f2 09 7c ,.#..b.0.......|
0040 - 92 29 d0 d4 14 26 22 16-c2 40 9b 3f b3 6a c9 51 .)...&"..@.?.j.Q
0050 - 85 01 ba df 90 20 41 05-e0 72 bd 97 73 d5 99 93 ..... A..r..s...
0060 - 6c a4 50 2e b0 9e d3 6a-2d 05 b1 e8 9f 03 8f 3e l.P....j-......>
0070 - 06 8f b3 29 88 6d 32 91-79 5c f2 70 b4 5d 3c 9c ...).m2.y.p.]<.
0080 - 63 ab 99 3b ce 7f cb c6-4e 12 cc 9a cb a5 e6 45 c..;....N......E
0090 - 6b 91 ae 74 13 e5 fd 76-d3 69 57 45 73 8e 74 f9 k..t...v.iWEs.t.
00a0 - df 23 cb ad 89 3f 72 10-ec a5 0b 69 45 2b 28 a3 .#...?r....iE+(.
00b0 - 4c 8e 92 c1 46 1b 13 f0-9f 48 6d 45 b5 55 11 82 L...F....HmE.U..
Start Time: 1588530922
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 03 May 2020 18:35:29 GMT
Server: Apache
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<p>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
closed从输出中我们可以看到,连接已建立。 但是,只要我们输入 HEAD 请求,服务器就会回复错误。
有些服务器要求我们将来自终端的换行转换为 CR+LF(回车,换行)。 基本上,CR 和 LF 是控制字符或字节码,用于标记文本文件中的换行符,以帮助服务器理解我们向它请求的内容。 让我们将 -crlf 标志附加到我们的 OpenSSL 命令中。 我们将使用以下命令对其进行测试。
[root@host ~]# openssl s_client -connect yesnt.tk:443 -crlf
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
0 s:/CN=shellbear.ga
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6C2B159BF25C8942FE43813565753C50F23E0C2E3E5A8B8A7100C192DF295234
Session-ID-ctx:
Master-Key: B2B682A170DB961847D63AA01298ED843DD7C51D537F3E9E1B2703697307E2CFC0D8CDFE5BDE1F3BE2F90B98D95B7C81
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
0010 - 35 d6 6f 80 92 f9 fc 42-7a e0 be 8b c9 e6 60 f4 5.o....Bz.....`.
0020 - 90 c4 7b e1 c4 b2 56 54-ea ee e2 1c d0 13 10 18 ..{...VT........
0030 - 95 e5 15 71 45 91 2c 65-a9 34 b5 45 a3 32 c0 bd ...qE.,e.4.E.2..
0040 - d0 6c 0a 88 06 12 3e 33-0a 88 b4 93 18 55 6e d1 .l....>3.....Un.
0050 - 63 f4 72 8a 14 db 61 3f-77 4e d1 f1 b1 ee d5 9e c.r...a?wN......
0060 - 8a 99 39 65 b4 55 72 15-2d 5f a6 0e dc 35 dd 69 ..9e.Ur.-_...5.i
0070 - f5 dc 33 28 55 73 3e 40-80 d7 e2 7a e9 b9 d3 c2 ..3(Us>@...z....
0080 - c3 3c 67 d6 5f 99 ec 3a-e8 1d 1c 3c 74 16 6d 2d .<g._..:...<t.m-
0090 - e9 76 8b 31 d8 c3 5a ac-ee 32 aa 0b 23 2d c2 fc .v.1..Z..2..#-..
00a0 - df de bb b7 8c 57 40 6f-5c 67 2e bb a9 46 62 0f [email protected].
00b0 - 50 4b 20 42 5a 58 ac fa-1e 6d 2b d9 66 fa 42 84 PK BZX...m+.f.B.
Start Time: 1588531475
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
HEAD / HTTP/1.1
Host: yesnt.tk
HTTP/1.1 200 OK
Date: Sun, 03 May 2020 18:44:38 GMT
Server: Apache
Link: <https://yesnt.tk/wp-json/>; rel="https://api.w.org/"
Cache-Control: max-age=86400
Expires: Mon, 04 May 2020 18:44:38 GMT
Content-Type: text/html; charset=UTF-8
closed现在,服务器理解了我们的请求,我们收到了响应。 多个其他标志可以与 OpenSSL s_client 命令一起使用,可以帮助我们排除连接故障,并且所有这些标志都可以在 OpenSSL 上使用 手册页 我们可以从我们的终端或通过以下 URL 进行查看:https://www.openssl.org/docs/man1.1.1/man1/s_client.html
结论
在本教程中,我们了解了 OpenSSL 是什么以及如何验证我们是否与域建立了安全连接。 本教程只是这个强大而有用的命令的一小部分。 这个实用的工具使测试连接成为一项简单的任务,并且由于它预装在大多数 Unix 平台上,它从一开始就提供了所有功能。 总体而言,OpenSSL 是我们工具包中非常宝贵的工具,可以提供很多功能。
