# Download a third-party trusted certificate library in the latest PEM (privacy-enhanced mail) format [[email protected] ~] # Wget -- no-check-certificate https://curl.haxx.se/ca/cacert.pem
- Use the s_client command for testing
[[Email protected] ~] # OpenSSL s_client-cafile/root/cacert. pem-connect www.baidu.com: 443-msgconnected (00000005) >>> ??? [Length 0005] 16 03 01 01 36 ......> TLS 1.3, handshake [length 0136], ClientHello 01 00 01 32 03 03 84 A2 23 07 E5 53 46 00 E1 FB ...... <??? [Length 0005] 16 03 03 00 35 ...... <TLS 1.3, handshake [length 0035], serverhello 02 00 00 31 03 03 5B D2 A9 6D F4 A3 ca 9d 46 08 ...... <??? [Length 0005] 16 03 03 0d ad ...... <TLS 1.2, handshake [length 0dad], certificate 0b 00 0d A9 00 0d A6 00 09 33 30 82 09 2f 30 82 ...... depth = 2 c = be, O = globalsign Nv-Sa, ou = Root CA, Cn = globalsign root caverify return: 1 depth = 1 c = be, O = globalsign Nv-Sa, Cn = globalsign organization validation ca-sha256-g2verify return: 1 depth = 0 C = Cn, St = Beijing, L = Beijing, ou = service operat Ion department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", Cn = Baidu. comverify return: 1 <??? [Length 0005] 16 03 03 01 4D <TLS 1.2, handshake [length 014d], serverkeyexchange 0C 00 01 49 03 00 17 41 04 5A 0d A7 D6 06 B2 C6 <<< ??? [Length 0005] 16 03 03 00 04 <TLS 1.2, handshake [length 0004], serverhellodone 0e 00 00 >>> ??? [Length 0005] 16 03 03 00 46 >>> TLS 1.2, handshake [length 0046], clientkeyexchange 10 00 00 42 41 04 1D 79 be af CB 98 18 C0 8f A6 >> ??? [Length 0005] 14 03 03 00 01 >>> TLS 1.2, changecipherspec [length 0001] 01 >> ??? [Length 0005] 16 03 03 00 28 >>> TLS 1.2, handshake [length 0010], finished 14 00 00 0C 01 A2 AE CD 2C 70 C0 FB D5 1E 13 45 <??? [Length 0005] 16 03 03 00 AA <TLS 1.2, handshake [length 00aa], newsessionticket 04 00 00 A6 00 00 00 00 A0 97 C1 44 D2 4B 56 <??? [Length 0005] 14 03 03 00 01 <??? [Length 0005] 16 03 03 00 28 <TLS 1.2, handshake [length 0010], finished 14 00 00 0C C2 2E 30 1A B9 05 D1 B9 65 46 39 B5 --- certificate chain 0 s: c = Cn, St = Beijing, L = Beijing, ou = service operation department, O = "Beijing Baidu Netcom Science Technology Co ., ltd ", Cn = Baidu.com I: c = be, O = globalsign Nv-Sa, Cn = globalsign organization validation ca-sha256-G2 1 s: c = be, O = globals IGN Nv-Sa, Cn = globalsign organization validation ca-sha256-G2 I: c = be, O = globalsign Nv-Sa, ou = Root CA, CN = globalsign Root CA --- server certificate ----- begin Authorization + 6tba5mwwfkz7zimfjmjmsbqesfyjihtxnkz3x/glgszjnxi2ylk73vgzw64nks7svao + p01icllfjhhc 69a0z2ezku3li5/dzcdki/users + users/qjkds7ewcn + users + lswidaqabo4ifmtccbzuwdgydvr0paqh/users Bytes Bytes Bytes Examples/51l8 + ixdmv + 9827/vo1hvjb/srvgwbtq/examples + sqpimpbz4r651cix + hhcywdzlg3je6zargyjx2iahy Au9nfvb + release/mm + np7c3hd9n/syfe/fj5n23fkil2rt9ocigljl1f2suma/release/T + epnttelspwshrfpvzpm97kwe + release Export/pepmzapdtd3a + xw7mo6n0vasv/export ----- end certificate ----- subject = c = Cn, St = Beijing, L = Beijing, ou = service operation department, O = "Beijing Baidu Netcom Science Technology Co ., ltd ", Cn = Baidu. comissuer = c = be, O = globalsign Nv-Sa, Cn = globalsign organization validation ca-sha256-G2 --- no CLI Ent certificate ca names sentpeer signing Digest: sha256peer signature type: rsaserver temp key: ecdh, P-256, 256 bits --- SSL handshake has read 4137 bytes and written 441 bytesverification: OK --- New, tlsv1.2, cipher is ECDHE-RSA-AES128-GCM-SHA256Server Public Key is 2048 bitsecure renegotiation is supportedcompression: noneexpansion: noneno alpn negotiatedssl-session: Protocol: tlsv1.2 cipher: E CDHE-RSA-AES128-GCM-SHA256 session-ID: reset session-ID-CTX: Master-key: Secure PSK Identity: None PSK Identity hint: None SRP Username: None TLS session ticket: 0000-97 C1 44 D2 4B 56 83 ef-77 5f 08 CD 94 15 be AC .. d. KV .. W _...... 0010-ce 1E B0 2 B 43 9d 79 08-90 D6 2C DF 47 63 1A 00... + C. Y ...,. GC .. 0020-15 43 24 94 43 5E 82 41-25 2C D0 18 1C D9 F5 3A. C $. C ^. A % ,.....: 0030-85 EF D5 93 43 C2 D1 25-48 2C 97 FB 7d B2 22 C6 .... c .. % H ,..}. ". 0040-15 80 71 07 Fe 0a E0 45-ff D7 4C 5f D3 B6 8e 4D .. Q .... E .. l_...m 0050-94 6a 62 F9 93 F6 93 b9-18 AB 40 9C 1D EE 01 E5 [email protected] 0060-3B C5 8e 56 49 DF 7E c4-6f 3A 68 0a ed ca 2C B4;... Vi .~. O: h ...,. 0070-1f B8 1D C9 39 66 AB f8-f5 9C 96 F8 00 07 47 45 .... 9f ........ GE 0080-AB C6 29 D7 91 A2 78 d1-2a 67 25 D2 5B 1B DC 92 ..)... x. * g %. [... 0090-4c CD 0d 36 47 6f 5B 76-e7 44 7b CC 9A 08 20 22 l .. 6go [v. d {... "Start Time: 1540532589 Timeout: 7200 (SEC) Verify return code: 0 (OK) extended master secret: No --- <??? [Length 0005] 15 03 03 00 1A <TLS 1.2, alert [length 0002], warning close_0000y 01 00 closed >>> ??? [Length 0005] 15 03 03 00 1A >>> TLS 1.2, alert [length 0002], warning close_0000y 01 00 #-MSG: print the handshake protocol information #-msgfile: the test output result is saved to the file.
- Protocols Supported by the test
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_2SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 593AE9088214B92F0184214C8CF6FC7D273636100521AE9598CA87AB6400E67C Session-ID-ctx: [[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_1SSL-Session: Protocol : TLSv1.1 Cipher : ECDHE-RSA-AES128-SHA Session-ID: ECFAAE748434BC5C16A8274A733307A8B2E28B4834EC57EE8BF10B961FFB0F47 Session-ID-ctx: [[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1SSL-Session: Protocol : TLSv1 Cipher : ECDHE-RSA-AES128-SHA Session-ID: 1D388296763561AC5EBA189D6296046FDAE7E821F048ECCC2173EFD9312D0D3D Session-ID-ctx:
- Test Supported Cipher Suites
[[email protected] ~]# openssl ciphers -vTLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEADTLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEADTLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEADECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEADECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEADDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEADECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEADDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEADECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEADDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEADECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEADDHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEADRSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEADDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEADAES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEADPSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEADPSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEADRSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEADDHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEADAES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEADPSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEADAES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -cipher ECDHE-ECDSA-AES128-SHA256CONNECTED(00000005)140378681091904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40---no peer certificate available---No client certificate CA names sent---SSL handshake has read 7 bytes and written 263 bytesVerification: OK---New, (NONE), Cipher is (NONE)Secure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedEarly data was not sentVerify return code: 0 (ok)---
- Test whether session multiplexing is supported
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -reconnect 2>/dev/null |grep -i ‘new\|reused‘New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
If reuse is supported, the second link is not new, but reused. If reuse is not supported, each connection is new.
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -showcerts
[[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -status
SSL/TLS deep resolution-OpenSSL s_client test sub-command