SSL/TLS deep dive: the OpenSSL s_client test subcommand

Source: Internet
Author: User
Tags: globalsign
  • Download the latest third-party trusted CA bundle in PEM (Privacy-Enhanced Mail) format
# wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem
Skipping certificate verification is tolerable here only because the box has no trusted bundle yet; compare the downloaded file against the SHA-256 checksum published alongside it before pointing -CAfile at it.
  • Test with the s_client command
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -msg
CONNECTED(00000005)
>>> ??? [length 0005]
    16 03 01 01 36
>>> TLS 1.3, Handshake [length 0136], ClientHello
    01 00 01 32 03 03 84 a2 23 07 e5 53 46 00 e1 fb ......
<<< ??? [length 0005]
    16 03 03 00 35
<<< TLS 1.3, Handshake [length 0035], ServerHello
    02 00 00 31 03 03 5b d2 a9 6d f4 a3 ca 9d 46 08 ......
<<< ??? [length 0005]
    16 03 03 0d ad
<<< TLS 1.2, Handshake [length 0dad], Certificate
    0b 00 0d a9 00 0d a6 00 09 33 30 82 09 2f 30 82 ......
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = Beijing, L = Beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
<<< ??? [length 0005]
    16 03 03 01 4d
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 03 00 17 41 04 5a 0d a7 d6 06 b2 c6 ......
<<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 1d 79 be af cb 98 18 c0 8f a6 ......
>>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2, ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c 01 a2 ae cd 2c 70 c0 fb d5 1e 13 45
<<< ??? [length 0005]
    16 03 03 00 aa
<<< TLS 1.2, Handshake [length 00aa], NewSessionTicket
    04 00 00 a6 00 00 00 00 00 a0 97 c1 44 d2 4b 56 ......
<<< ??? [length 0005]
    14 03 03 00 01
<<< TLS 1.2, ChangeCipherSpec [length 0001]
    01
<<< ??? [length 0005]
    16 03 03 00 28
<<< TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c c2 2e 30 1a b9 05 d1 b9 65 46 39 b5
---
Certificate chain
 0 s:C = CN, ST = Beijing, L = Beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
......(base64 certificate body omitted)......
-----END CERTIFICATE-----
subject=C = CN, ST = Beijing, L = Beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4137 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ......
    Session-ID-ctx: 
    Master-Key: ......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    ......(hex dump of the ticket omitted)......
    Start Time: 1540532589
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
<<< ??? [length 0005]
    15 03 03 00 1a
<<< TLS 1.2, Alert [length 0002], warning close_notify
    01 00
closed
>>> ??? [length 0005]
    15 03 03 00 1a
>>> TLS 1.2, Alert [length 0002], warning close_notify
    01 00

-msg: print the handshake protocol messages
-msgfile: write the -msg output to a file instead of the terminal
  • Test which protocol versions the server supports
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_2
......
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 593AE9088214B92F0184214C8CF6FC7D273636100521AE9598CA87AB6400E67C
    Session-ID-ctx: 
......
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_1
......
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: ECFAAE748434BC5C16A8274A733307A8B2E28B4834EC57EE8BF10B961FFB0F47
    Session-ID-ctx: 
......
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1
......
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 1D388296763561AC5EBA189D6296046FDAE7E821F048ECCC2173EFD9312D0D3D
    Session-ID-ctx: 
......

Each run forces a single protocol version. A version the server refuses ends with a handshake error and "New, (NONE), Cipher is (NONE)" instead of an SSL-Session block; here the server still accepts TLSv1 and TLSv1.1, which a hardening review would flag.
  • Test supported cipher suites
openssl ciphers -v lists every suite this OpenSSL build can offer, one per line: name, minimum protocol, key exchange (Kx), authentication (Au), encryption (Enc) and MAC. Passing one of those names to s_client -cipher restricts the client to that suite so you can see whether the server accepts it.

# openssl ciphers -v
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000005)
140378681091904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This server only has an RSA certificate (the earlier run shows "Peer signature type: RSA" and a 2048-bit server public key), so forcing an ECDHE-ECDSA suite gives it nothing it can authenticate with and it answers with a handshake_failure alert (alert number 40): no cipher is negotiated and no peer certificate is received.
  • Test whether session reuse is supported
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -reconnect 2>/dev/null | grep -i 'new\|reused'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

-reconnect makes s_client connect, then reconnect five more times with the same session. If session reuse is supported, every connection after the first is reported as Reused rather than New; if it is not supported, every connection is reported as New.
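The protocol, cipher and session-reuse checks above all come down to reading a few lines of s_client output. This added example (not part of the original post) wraps them in a POSIX shell script: classify_session and reuse_summary reduce one s_client transcript to a single line, and probe_protocols and check_reuse run the same commands the post uses against a host. CAFILE, the host and the port are assumptions; the parsing functions only read text, so they also work on saved output.

```shell
#!/bin/sh
# Added example, not code from the original post. CAFILE is an assumption
# (the post stores the bundle at /root/cacert.pem).
CAFILE="${CAFILE:-/root/cacert.pem}"

# classify_session: read one s_client transcript on stdin and print either
# "<protocol> <cipher> verify=<code>" or "FAIL alert=<n>" when no session was
# set up (s_client then prints "New, (NONE), Cipher is (NONE)" plus an
# "SSL alert number N" error; alert=none means no TLS alert was seen at all).
classify_session() {
    awk '
        BEGIN { alert = "none" }
        /alert number [0-9]+/ { match($0, /alert number [0-9]+/)
                                alert = substr($0, RSTART + 13, RLENGTH - 13) }
        /^New, \(NONE\)/        { fail = 1 }
        /^New, / && !/\(NONE\)/ { proto = $2; sub(/,$/, "", proto); cipher = $5 }
        /Verify return code:/   { code = $4 }
        END { if (fail || proto == "") print "FAIL alert=" alert; else print proto " " cipher " verify=" code }'
}

# reuse_summary: read the output of "s_client -reconnect" and count New vs
# Reused sessions; working resumption gives new=1 reused=5 (one connect, five reconnects).
reuse_summary() {
    awk '/^New,/ { n++ } /^Reused,/ { r++ } END { printf "new=%d reused=%d\n", n, r }'
}

# probe_protocols HOST [PORT]: force each version with -tls1 / -tls1_1 / -tls1_2 / -tls1_3
# as the post does, and flag deprecated versions the server still accepts.
probe_protocols() {
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -CAfile "$CAFILE" -connect "$host:$port" "-$v" \
                 </dev/null 2>&1 | classify_session)
        case "$v:$result" in
            tls1:FAIL*|tls1_1:FAIL*|tls1_2:*|tls1_3:*) note="" ;;
            *) note="  <- deprecated version accepted" ;;
        esac
        printf '%-7s %s%s\n' "$v" "$result" "$note"
    done
}

# check_reuse HOST [PORT]: the -reconnect test from the post, summarised to one line.
check_reuse() {
    openssl s_client -CAfile "$CAFILE" -connect "$1:${2:-443}" -reconnect \
        </dev/null 2>/dev/null | reuse_summary
}
```

Run it as `. ./tlscheck.sh; probe_protocols www.example.com; check_reuse www.example.com` (hypothetical file name and host); a version that the server refuses shows up as FAIL with the alert number, the same "alert number" s_client prints in the failed -cipher run above.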

  • Show certificate chain
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -showcerts
Without -showcerts only the server (leaf) certificate is printed in PEM form; with it every certificate the server sent in the chain is printed, which is the quickest way to spot a missing intermediate.
  • Test OCSP stapling
# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -status
-status sends the status_request extension. A server that staples prints an "OCSP Response Data:" block with "OCSP Response Status: successful (0x0)" before the certificate chain; a server that does not staple prints "OCSP response: no response sent".
