Ä¿ÇǴнº, ½Ã½ºÅÛ ¿£Áö´Ï¾îÀÇ ½°ÅÍ Ä¿ÇÇÇâÀÌ ³ª´Â *NIX
Ä¿ÇǴнº
½Ã½ºÅÛ/³×Æ®¿÷/º¸¾ÈÀ» ´Ù·ç´Â °÷
* HanIRCÀÇ #coffeenix ¹æ
[ Àåºñ ¹× ȸ¼± ÈÄ¿ø ]
HOME > ³×Æ®¿öÅ©(network) > À¥ ¼­¹ö(web, httpd, apache) > Apache SSL / mod_ssl µµ¿ò¸»
°Ë»ö : »çÀÌÆ® WHOIS À¥¼­¹ö Á¾·ù


  Inspecting certificate information with openssl

  • Author : 좋은진호 (truefeel, http://coffeenix.net/ )
  • Views : 42645
  • Written : 2008.12.24 (Wed), posted 2008/12/26 12:29
  • Modified : 2015.6.16 (Tue), added references on recent OpenSSL vulnerabilities

    With the openssl command you can inspect the SSL certificate information of a running web server.

    # openssl s_client -connect 웹서버:443


    For imaps (IMAP over SSL, port 993) and pop3s (POP3 over SSL, port 995) only the port changes; check them as follows.

    # openssl s_client -connect IMAP서버:993
    # openssl s_client -connect POP3서버:995


    1. Let's look at a sample.

    # echo "" | openssl s_client -connect logins.daum.net:443
    CONNECTED(00000003)
    ---
    Certificate chain
    0 s:/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
    ... (omitted) ...
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ... (omitted) ...
    -----END CERTIFICATE-----
    subject=/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4843 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: 1160B88DAC017E265FE29B1BE9A85B30FB731B9190A96C06067570E89FEC011EDECA36BB299239959B7DB68A753570E4
        Key-Arg   : None
        Start Time: 1230104266
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE
     


    Adding the -msg option also shows the TLS/SSL protocol messages as they are sent, which makes the SSL handshake sequence easy to follow. Below is only the message portion extracted from the output. Lines marked >>> are messages sent Client -> Server, and lines marked <<< are messages sent Server -> Client.

    >>> SSL 2.0 [length 008c], CLIENT-HELLO
    <<< TLS 1.0 Handshake [length 002a], ServerHello
    <<< TLS 1.0 Handshake [length 10e1], Certificate
    <<< TLS 1.0 Handshake [length 018d], ServerKeyExchange
    <<< TLS 1.0 Handshake [length 0004], ServerHelloDone
    >>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
    >>> TLS 1.0 ChangeCipherSpec [length 0001]
    >>> TLS 1.0 Handshake [length 0010], Finished
    <<< TLS 1.0 ChangeCipherSpec [length 0001]
    <<< TLS 1.0 Handshake [length 0010], Finished
    >>> TLS 1.0 Alert [length 0002], warning close_notify
     


    [ SSL handshake ]


    2. How can you check a certificate's expiration date?

    # echo "" | openssl s_client -connect ¼­¹ö:443 | openssl x509 -noout -dates
    notBefore=Oct 14 00:00:00 2008 GMT
    notAfter=Oct 30 23:59:59 2009 GMT
     


    notBefore= : 'not valid before this', the issue date
    notAfter=  : 'not valid after this', the expiration date

    This is the output of the s_client result piped into the 'openssl x509' command. Instead of the -dates option, -startdate and -enddate can also be used to check the expiration date. Other options such as -purpose, -subject, -issuer, -fingerprint, -serial and -hash show the individual parts of the certificate.

    To see the remote certificate information in detail, use the -text option as follows.

    # echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -text
     


    What about checking a certificate file on the local machine? Use the same openssl x509 -noout -text form as above.

    # openssl x509 -in 인증서파일명 -noout -text
     


    To see only the expiration date rather than the whole certificate, specify -dates instead of -text. Otherwise, change the options the same way as above to get the information you want.
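
    The sample output in section 1 ends with "Verify return code: 20 (unable to get local issuer certificate)" because s_client was given no CA to chain the server certificate to (s_client accepts -CAfile for that). The script below is an added example, not code from the original article or from coffeenix: it builds a throwaway test PKI (a constructed CA and a leaf certificate for the made-up name www.example.test, valid for only 20 days), reproduces error 20 with openssl verify and shows it clearing once the CA file is supplied, then runs the expiry check from section 2 in the form a renewal monitor would use. It assumes POSIX sh, mktemp, and OpenSSL 1.1.1 or later with its default openssl.cnf (so that req -x509 marks the CA certificate CA:TRUE).

```shell
#!/bin/sh
# Added example, not part of the original article: a throwaway test PKI
# (constructed here, nothing real) is used to show two checks the article
# discusses: chain verification, which is what "Verify return code: 20" in
# the s_client sample is about, and expiry checking with openssl x509.
# Assumptions: POSIX sh, mktemp, and OpenSSL 1.1.1+ with its default
# openssl.cnf (so that `req -x509` marks the CA certificate as CA:TRUE).

# make_test_pki DIR: create a self-signed test CA and a leaf certificate
# for www.example.test (a constructed name) that is valid for only 20 days.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 20 -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain LEAF [CAFILE]: print 0 when the certificate chains to a
# trusted CA, otherwise the X.509 verify error number. With no CA file the
# result is error 20, "unable to get local issuer certificate": the same
# code s_client reported in the article's sample, for the same reason.
verify_chain() {
    leaf=$1; cafile=$2
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile" "$leaf"; else set -- "$leaf"; fi
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# cert_dates FILE: the notBefore/notAfter lines, exactly as
# `openssl x509 -noout -dates` prints them (the same command reads PEM from
# stdin when used behind s_client, as in the article).
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# cert_expires_within FILE DAYS: succeed (0) when the certificate expires
# within DAYS days, the condition a renewal monitor alerts on. `-checkend`
# exits non-zero exactly when the certificate will expire inside the given
# number of seconds, so the status is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    else
        return 0
    fi
}

# Demonstration run: build the PKI, verify the leaf with and without the CA,
# then check its expiry against a 30-day renewal window.
work=$(mktemp -d)
make_test_pki "$work"
echo "verify without CA : error $(verify_chain "$work/leaf.pem")"
echo "verify with CA    : error $(verify_chain "$work/leaf.pem" "$work/ca.pem")"
cert_dates "$work/leaf.pem"
if cert_expires_within "$work/leaf.pem" 30; then
    echo "leaf certificate expires within 30 days: renew it"
fi
rm -rf "$work"
```

    For a live server, feed `openssl s_client -connect 서버:443 -CAfile ca.pem` the CA bundle the server is expected to chain to and look for "Verify return code: 0 (ok)"; the x509 -checkend test above is the piece to put in a cron job, since its exit status needs no date parsing.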

    3. References

    * Monitoring SSL certificate expiration date
      http://doodlog.blogspot.com/2008/11/monitoring-ssl-certificate-expiration.html

    * OpenSSL Command-Line HOWTO
      http://www.madboa.com/geek/openssl/

    * SSL Handshake material in coffeenix's 'Network > TCP/IP, protocols, ports' section
      http://coffeenix.net/?cata_code=56

    * Why name-based virtual hosts do not work when running SSL (https) (by 좋은진호, 2007.9)
      http://coffeenix.net/board_view.php?bd_code=1543

    * Summary of OpenSSL vulnerabilities, from Logjam to Heartbleed (by 좋은진호, 2015.6)
      http://coffeenix.net/bbs/viewtopic.php?p=10318#10318

      That article also explains how to check a server's settings for known weaknesses with the openssl client, with examples such as:
      $ openssl s_client -connect 서버:443 -ssl3
      $ openssl s_client -connect 서버:443 -cipher EXPORT
      Ä¿ÇǴнº Ä«Æä ÃÖ±Ù ±Û
    [03/18] ±¹°¡&#5
    [10/20] Cross Compiler ±ò
    [07/14] SSL ¬¡¬°
    [04/26] Re: µµ½ºÈ­¸é ¿ø°ÝÁ¶Á¾ ¿©ºÎ
    [04/25] µµ½ºÈ­¸é ¿ø°ÝÁ¶Á¾ ¿©ºÎ
    [10/30] Cshell¿¡¼­ ³­¼ö ¼³Á¤
    [10/23] °øÇ×öµµÁÖ½Äȸ»ç SE ±¸ÀÎ Ëì
    [01/26] Re: wgetÀ¸·Î ´Ù¸¥¼­¹ö¿¡ÀÖ´Â µð·ºÅ丮¸¦ °¡Á®¿À·Á°íÇÕ´Ï´Ù.
    [01/25] wgetÀ¸·Î ´Ù¸¥¼­¹ö¿¡ÀÖ´Â µð·ºÅ丮¸¦ °¡Á®¿À·Á°íÇÕ´Ï´Ù.
    [01/11] ƯÁ¤ ¾Èµå·ÎÀ̵å WebView ¹öÀü¿¡¼­ SSL ¹®Á¦ (WebView ¹ö±×)
    [08/01] DNS forwarder (Àü´ÞÀÚ) ¼­¹ö¸¦ ÅëÇؼ­ Äõ¸®ÇÏ¸é ¿ª¹æÇâÀ» ¹Þ¾Æ¿ÀÁú ¸øÇÕ´Ï´Ù.
    [05/16] (ÁÖ)ÈÄÀÌÁî ½Ã½ºÅÛ¿£Áö´Ï¾î (°æ·ÂÀÚ) ¸ðÁý
    [02/15] [AWS] Cloudfront edge È®ÀÎÇϱâ
    [01/20] Mobile Service/eCommerce ±â¾÷¿¡¼­ Server / Java / PHP °³¹ßÀÚ ±¸ÀÎ
    [01/11] źźÇÑ ÆÛºí¸®½Ì ¸ð¹ÙÀϱâ¾÷¿¡¼­ Mobile °³¹ßÀÚ¸¦ ¸ð½Ê´Ï´Ù.
      New!   ÃÖ±Ù¿¡ µî·ÏÇÑ ÆäÀÌÁö
      KiCad EDA Suite project (Free/Libre/Open-Source EDA Suite) (CAD)
      ¿ÀÇÂij½ºÄÉÀ̵å ijµå (OpenCASCADE CAD)
      QCad for Windows --- GNU GPL (Free Software)
      The Hello World Collection
      IPMI¸¦ È°¿ëÇÑ ¸®´ª½º ¼­¹ö°ü¸®
      DNS ¼³Á¤ °Ë»ç
      nagiosgraph ¼³Ä¡ ¹æ¹ý
      Slony-I ¼³Ä¡ ¹æ¹ý (postgresql replication tool)
      Qmail±â¹ÝÀÇ Anti spam ½Ã½ºÅÛ ±¸ÃàÇϱâ
      clusterssh

    [ ÇÔ²²ÇÏ´Â »çÀÌÆ® ]




    ¿î¿µÁø : ÁÁÀºÁøÈ£(truefeel), ¾ß¼ö(yasu), ¹ü³ÃÀÌ, sCag
    2003³â 8¿ù 4ÀÏ~