Title: Inspecting certificate information with openssl
Author: 좋은진호 (truefeel, http://coffeenix.net/ )
Written: 2008.12.24 (Wed)
Revised: 2015.6.16 (Tue), added references on recent OpenSSL vulnerabilities

The openssl command can be used to inspect the SSL certificate of a running web server.

# openssl s_client -connect webserver:443

For imaps (IMAP over SSL, port 993) and pop3s (POP3 over SSL, port 995), change only the port and check in the same way:

# openssl s_client -connect IMAPserver:993
# openssl s_client -connect POP3server:995

1. Let's look at a sample.

# echo "" | openssl s_client -connect logins.daum.net:443
CONNECTED(00000003)
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
... omitted ...
---
Server certificate
-----BEGIN CERTIFICATE-----
... omitted ...
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=KR/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=120-81-47521/C=KR/ST=Seoul/L=Seocho-gu/O=Daum Communications Corp./OU=Pi Lab/OU=Terms of use at www.verisign.com/rpa (c)05/CN=logins.daum.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 4843 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 1160B88DAC017E265FE29B1BE9A85B30FB731B9190A96C06067570E89FEC011EDECA36BB299239959B7DB68A753570E4
Key-Arg : None
Start Time: 1230104266
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE

Adding the -msg option also shows the TLS/SSL protocol messages being exchanged, which makes the SSL handshake sequence easy to follow. Below are only the message lines extracted from the output. Lines marked >>> are messages sent from Client -> Server, and lines marked <<< are messages sent from Server -> Client.

>>> SSL 2.0 [length 008c], CLIENT-HELLO
<<< TLS 1.0 Handshake [length 002a], ServerHello
<<< TLS 1.0 Handshake [length 10e1], Certificate
<<< TLS 1.0 Handshake [length 018d], ServerKeyExchange
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>> TLS 1.0 ChangeCipherSpec [length 0001]
>>> TLS 1.0 Handshake [length 0010], Finished
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
>>> TLS 1.0 Alert [length 0002], warning close_notify
[ SSL handshake ]

2. How can the certificate's expiry date be checked?

# echo "" | openssl s_client -connect server:443 | openssl x509 -noout -dates
notBefore=Oct 14 00:00:00 2008 GMT
notAfter=Oct 30 23:59:59 2009 GMT

notBefore= : 'not valid before this time', the issue date
notAfter= : 'not valid after this time', the expiry date

This is the result of piping the output of s_client into the 'openssl x509' command. Instead of the -dates option, -startdate and -enddate can also be used to check the expiry date. Other options such as -purpose, -subject, -issuer, -fingerprint, -serial and -hash show the individual parts of the certificate.

To see the remote certificate's information in detail, use the -text option as follows.

# echo "" | openssl s_client -connect server:443 | openssl x509 -noout -text

What about checking a certificate file stored locally? The same openssl x509 -noout -text form above can be used as-is.

# openssl x509 -in certificate-file -noout -text

To see only the validity dates rather than the whole certificate, specify -dates instead of -text. Likewise, the other options can be changed exactly as above to get the information you want.

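The s_client | x509 -enddate pipeline from this section, wrapped into a small expiry check as an added example (this script is not part of the original article). It assumes a GNU date(1) that can parse the "Oct 30 23:59:59 2009 GMT" format that openssl prints, and the host, port and threshold values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check when a remote server's
# TLS certificate expires, using the 's_client | x509 -enddate' pipeline above.
# Assumes GNU date(1), which parses the "Oct 30 23:59:59 2009 GMT" format.

# Print the notAfter value for HOST:PORT, e.g. "Oct 30 23:59:59 2009 GMT".
# -servername sends SNI so a name-based virtual host returns the right
# certificate; the 2008-era commands in the article did not need it yet.
fetch_end_date() {
    host=$1; port=${2:-443}
    echo "" | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null \
        | sed 's/^notAfter=//'
}

# Whole days from NOW_EPOCH (default: current time) until the notAfter string;
# negative once the certificate has already expired.
days_left() {
    end_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Classify a day count against a warning threshold: ok / expiring / expired.
expiry_status() {
    days=$1; warn=${2:-30}
    if [ "$days" -lt 0 ]; then echo expired
    elif [ "$days" -lt "$warn" ]; then echo expiring
    else echo ok
    fi
}

# check_expiry HOST [PORT] [WARN_DAYS]: print a one-line report and return
# 0 (ok), 1 (expiring within WARN_DAYS) or 2 (expired, or no certificate read).
check_expiry() {
    host=$1; port=${2:-443}; warn=${3:-30}
    end=$(fetch_end_date "$host" "$port")
    if [ -z "$end" ]; then
        echo "$host:$port: could not read a certificate"; return 2
    fi
    days=$(days_left "$end") || return 2
    status=$(expiry_status "$days" "$warn")
    echo "$host:$port: notAfter=$end ($days days left) -> $status"
    case $status in ok) return 0 ;; expiring) return 1 ;; *) return 2 ;; esac
}

# Usage: sh check_expiry.sh server 443 30   (placeholder host and threshold)
if [ $# -gt 0 ]; then check_expiry "$@"; fi
```

The exit code makes the script usable from cron or a monitoring check; note that it only reports the date, not whether the chain verifies, which is what the "Verify return code" line of s_client tells you.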
3. References

* Monitoring SSL certificate expiration date
http://doodlog.blogspot.com/2008/11/monitoring-ssl-certificate-expiration.html
* OpenSSL Command-Line HOWTO
http://www.madboa.com/geek/openssl/
* The SSL Handshake material under 'Network > TCP/IP, protocols, ports' on coffeenix
http://coffeenix.net/?cata_code=56
* Why name-based virtual hosts do not work when running SSL (https) (by 좋은진호, 2007.9)
http://coffeenix.net/board_view.php?bd_code=1543
* OpenSSL vulnerability roundup, from Logjam to Heartbleed (by 좋은진호, 2015.6)
http://coffeenix.net/bbs/viewtopic.php?p=10318#10318
That article also explains how to check a server's configuration for weak settings with the openssl client, using commands such as:

$ openssl s_client -connect server:443 -ssl3
$ openssl s_client -connect server:443 -cipher EXPORT