Coffeenix, a system engineer's resting place
  Viewing certificate information with openssl    Posted: 2008/12/26 12:29

  • Author : 좋은진호 ( http://coffeenix.net/ )
  • Views  : 42648

    Title    : Viewing certificate information with openssl
    Author   : 좋은진호 (truefeel, http://coffeenix.net/ )
    Written  : 2008.12.24 (Wed)
    Modified : 2015.6.16 (Tue), added references on recent OpenSSL vulnerabilities

    With the openssl command you can examine the SSL certificate of a web server that is currently running.

     
    # openssl s_client -connect 웹서버:443
     


    For imaps (IMAP over SSL, port 993) and pop3s (POP3 over SSL, port 995), only the port changes; check them as follows.

     
    # openssl s_client -connect IMAP서버:993
    # openssl s_client -connect POP3서버:995
     


    1. »ùÇ÷Π»ìÆ캸ÀÚ.

     
    # echo "" | openssl s_client -connect logins.daum.net:443
    CONNECTED(00000003)
    ---
    Certificate chain
    0 s:/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
    ... omitted ...
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ... omitted ...
    -----END CERTIFICATE-----
    subject=/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4843 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: 1160B88DAC017E265FE29B1BE9A85B30FB731B9190A96C06067570E89FEC011EDECA36BB299239959B7DB68A753570E4
        Key-Arg   : None
        Start Time: 1230104266
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE
     


    Adding the -msg option also shows the TLS/SSL protocol messages exchanged on the wire, which makes the SSL handshake easy to follow. Below, only the message lines have been extracted from the output. Lines marked >>> are messages the client sent to the server, and lines marked <<< are messages the server sent to the client.

     
    >>> SSL 2.0 [length 008c], CLIENT-HELLO
    <<< TLS 1.0 Handshake [length 002a], ServerHello
    <<< TLS 1.0 Handshake [length 10e1], Certificate
    <<< TLS 1.0 Handshake [length 018d], ServerKeyExchange
    <<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    >>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
    >>> TLS 1.0 ChangeCipherSpec [length 0001]
    >>> TLS 1.0 Handshake [length 0010], Finished
    <<< TLS 1.0 ChangeCipherSpec [length 0001]
    <<< TLS 1.0 Handshake [length 0010], Finished
    >>> TLS 1.0 Alert [length 0002], warning close_notify
     


    [ SSL handshake ]


    2. How do we check a certificate's expiry date?

     
    # echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -dates
    notBefore=Oct 14 00:00:00 2008 GMT
    notAfter=Oct 30 23:59:59 2009 GMT
     


    notBefore= : 'not valid before this', the issue date
    notAfter=  : 'not valid after this', the expiry date

    This is the output of s_client piped once more into the 'openssl x509' command. Instead of -dates, the -startdate and -enddate options also show the expiry date. Other options such as -purpose, -subject, -issuer, -fingerprint, -serial and -hash show the individual parts of the certificate.

    To see the certificate information of a remote host in detail, use the -text option as follows.

     
    # echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -text
     


    What about checking a certificate file stored locally? Use the same openssl x509 -noout -text form as above.

     
    # openssl x509 -in 인증서파일명 -noout -text
     


    To see only the expiry date rather than the whole certificate, specify -dates instead of -text. For anything else, change the options in the same way as above to get the information you want.
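An added example (not from the post) that turns the pipeline above into a small monitoring script: it runs the post's two openssl commands, parses the notBefore/notAfter lines, reports the days remaining, and also extracts the "Verify return code" line that s_client printed in the section 1 sample (20 there, meaning the chain could not be verified against local CAs; 0 is what you want to see). The -servername flag, the 30-day warning threshold and the embedded sample strings are my additions; the sample dates are the post's own.

```python
"""Expiry check around the post's pipeline (added example, not the post's code):
   echo "" | openssl s_client -connect HOST:443 | openssl x509 -noout -dates"""
import re, subprocess, sys
from datetime import datetime, timezone
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Oct 30 23:59:59 2009 GMT"
# Constructed samples taken from the post's output; SAMPLE_NOW is the post's capture date.
SAMPLE_DATES = "notBefore=Oct 14 00:00:00 2008 GMT\nnotAfter=Oct 30 23:59:59 2009 GMT\n"
SAMPLE_S_CLIENT = "    Verify return code: 20 (unable to get local issuer certificate)\n"
SAMPLE_NOW = datetime(2008, 12, 24, tzinfo=timezone.utc)

def parse_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from 'openssl x509 -noout -dates' output."""
    out = []
    for key in ("notBefore", "notAfter"):
        m = re.search(rf"^{key}=(.+)$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"{key} missing: input is not x509 -dates output")
        stamp = " ".join(m.group(1).split())        # collapse the "Oct  2" day padding
        out.append(datetime.strptime(stamp, OPENSSL_DATE).replace(tzinfo=timezone.utc))
    return out[0], out[1]

def verify_return_code(s_client_output):
    """s_client's 'Verify return code: N (reason)'; 0 means the chain verified (the post shows 20)."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", s_client_output)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify line found")

def assess(dates_text, now=None, warn_days=30):
    """Classify validity at 'now': not-yet-valid / expired / expiring / ok, plus whole days left."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(dates_text)
    days = (not_after - now).days                    # negative once notAfter has passed
    if now < not_before:
        return "not-yet-valid", days
    if days < 0:
        return "expired", days
    return ("expiring" if days < warn_days else "ok"), days

def fetch(host, port=443):
    """Run the post's two commands (needs network + openssl). -servername sends SNI (assumed)."""
    sc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                         "-servername", host], input=b"", capture_output=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=sc.stdout, capture_output=True, text=True)
    return sc.stdout.decode(errors="replace"), x509.stdout

if __name__ == "__main__":
    raw, dates = fetch(sys.argv[1])
    status, days = assess(dates)
    print(f"{sys.argv[1]}: {status}, {days} days left, verify={verify_return_code(raw)}")
    sys.exit(0 if status == "ok" else 1)             # non-zero so cron/monitoring notices
```

Run it as `python3 certcheck.py host.example` from cron; the exit status is non-zero whenever the certificate is expiring, expired or not yet valid.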

    3. References

    * Monitoring SSL certificate expiration date
      http://doodlog.blogspot.com/2008/11/monitoring-ssl-certificate-expiration.html

    * OpenSSL Command-Line HOWTO
      http://www.madboa.com/geek/openssl/

    * SSL Handshake material under Coffeenix's 'Network > TCP/IP, protocols, ports' category
      http://coffeenix.net/?cata_code=56

    * Why name-based virtual hosts do not work under SSL (https) (by 좋은진호, 2007.9)
      http://coffeenix.net/board_view.php?bd_code=1543

    * Summary of OpenSSL vulnerabilities, from Logjam to Heartbleed (by 좋은진호, 2015.6)
      http://coffeenix.net/bbs/viewtopic.php?p=10318#10318

      That post also explains how to check a server's settings for weaknesses with the openssl client, with examples such as:
      $ openssl s_client -connect 서버:443 -ssl3
      $ openssl s_client -connect 서버:443 -cipher EXPORT


    Coffeenix, a system engineer's resting place / URL : http://coffeenix.net/board_view.php?bd_code=1661