SSL/TLS深度解析--OpenSSL s_client测试子命令

#下载第三方的最新的PEM(privacy-enhanced mail)格式的可信证书库
[root@localhost ~]# wget --no-check-certificate   https://curl.haxx.se/ca/cacert.pem
  • 使用s_client 命令进行测试
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -msg
CONNECTED(00000005)
>>> ??? [length 0005]
    16 03 01 01 36
    ......
>>> TLS 1.3, Handshake [length 0136], ClientHello
    01 00 01 32 03 03 84 a2 23 07 e5 53 46 00 e1 fb
    ......
    <<< ??? [length 0005]
    16 03 03 00 35
    ......
<<< TLS 1.3, Handshake [length 0035], ServerHello
    02 00 00 31 03 03 5b d2 a9 6d f4 a3 ca 9d 46 08
    ......
    <<< ??? [length 0005]
    16 03 03 0d ad
    ......
<<< TLS 1.2, Handshake [length 0dad], Certificate
    0b 00 0d a9 00 0d a6 00 09 33 30 82 09 2f 30 82
    ......
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
<<< ??? [length 0005]
    16 03 03 01 4d
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
    0c 00 01 49 03 00 17 41 04 5a 0d a7 d6 06 b2 c6
   <<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 1d 79 be af cb 98 18 c0 8f a6
    >>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2, ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c 01 a2 ae cd 2c 70 c0 fb d5 1e 13 45
<<< ??? [length 0005]
    16 03 03 00 aa
<<< TLS 1.2, Handshake [length 00aa], NewSessionTicket
    04 00 00 a6 00 00 00 00 00 a0 97 c1 44 d2 4b 56
<<< ??? [length 0005]
    14 03 03 00 01
<<< ??? [length 0005]
    16 03 03 00 28
<<< TLS 1.2, Handshake [length 0010], Finished
    14 00 00 0c c2 2e 30 1a b9 05 d1 b9 65 46 39 b5
---
Certificate chain
 0 s:C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJLzCCCBegAwIBAgIMIe0swvEJLGZrFeUnMA0GCSqGSIb3DQEBCwUAMGYxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH
bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTgwNDAzMDMyNjAzWhcNMTkwNTI2MDUzMTAyWjCBpzELMAkGA1UEBhMC
Q04xEDAOBgNVBAgTB2JlaWppbmcxEDAOBgNVBAcTB2JlaWppbmcxJTAjBgNVBAsT
HHNlcnZpY2Ugb3BlcmF0aW9uIGRlcGFydG1lbnQxOTA3BgNVBAoTMEJlaWppbmcg
QmFpZHUgTmV0Y29tIFNjaWVuY2UgVGVjaG5vbG9neSBDby4sIEx0ZDESMBAGA1UE
AxMJYmFpZHUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr6TD
KhmBjiKc5USSOTCKxoz7yh+6TbA5MwWfKz7ZIMFjMJmSbqEsfyjIHtXnkz3x/GLG
szJnXI2Ylk73VGzW64Nks7svAo+p01icllfjHHc69A0Z2EZKU3LI5/DzcdKI/vdz
kSi6PXgbHsV2Y8aIIbcXbD5YA0DyhpWA5yBrmneSr2E2Xo+s88KFcg0yieS6opsq
xdKMSpS6ixbFEQLr2XgyGmb2tbslOD6UuxGNRhRgXhx0kcGLJzhLh4IDFZemxYZ8
fScewYkrFGZm6WzNdQZAWkw/QjkdS7EWCN+DBqToDaEBLtQkhiCiLLHLwsK69gfF
fQvf4f79dJK3fo+lswIDAQABo4IFmTCCBZUwDgYDVR0PAQH/BAQDAgWgMIGgBggr
BgEFBQcBAQSBkzCBkDBNBggrBgEFBQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxz
aWduLmNvbS9jYWNlcnQvZ3Nvcmdhbml6YXRpb252YWxzaGEyZzJyMS5jcnQwPwYI
KwYBBQUHMAGGM2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc29yZ2FuaXph
dGlvbnZhbHNoYTJnMjBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF
BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn
gQwBAgIwCQYDVR0TBAIwADCCAxQGA1UdEQSCAwswggMHggliYWlkdS5jb22CDGJh
aWZ1YmFvLmNvbYIMd3d3LmJhaWR1LmNughB3d3cuYmFpZHUuY29tLmNugg9tY3Qu
eS5udW9taS5jb22CCmJhaWZhZS5jb22CC2Fwb2xsby5hdXRvggsqLmJhaWR1LmNv
bYIOKi5iYWlmdWJhby5jb22CESouYmFpZHVzdGF0aWMuY29tgg4qLmJkc3RhdGlj
LmNvbYILKi5iZGltZy5jb22CDCouaGFvMTIzLmNvbYILKi5udW9taS5jb22CDSou
Y2h1YW5rZS5jb22CDSoudHJ1c3Rnby5jb22CDyouYmNlLmJhaWR1LmNvbYIQKi5l
eXVuLmJhaWR1LmNvbYIPKi5tYXAuYmFpZHUuY29tgg8qLm1iZC5iYWlkdS5jb22C
ESouZmFueWkuYmFpZHUuY29tgg4qLmJhaWR1YmNlLmNvbYIMKi5taXBjZG4uY29t
ghAqLm5ld3MuYmFpZHUuY29tgg4qLmJhaWR1cGNzLmNvbYIMKi5haXBhZ2UuY29t
ggsqLmFpcGFnZS5jboINKi5iY2Vob3N0LmNvbYIQKi5zYWZlLmJhaWR1LmNvbYIO
Ki5pbS5iYWlkdS5jb22CESouc3NsMi5kdWFwcHMuY29tggwqLmJhaWZhZS5jb22C
EiouYmFpZHVjb250ZW50LmNvbYILKi5kbG5lbC5jb22CCyouZGxuZWwub3JnghIq
LmR1ZXJvcy5iYWlkdS5jb22CDiouc3UuYmFpZHUuY29tgggqLjkxLmNvbYISKi5o
YW8xMjMuYmFpZHUuY29tgg0qLmFwb2xsby5hdXRvghIqLnh1ZXNodS5iYWlkdS5j
b22CESouYmouYmFpZHViY2UuY29tghEqLmd6LmJhaWR1YmNlLmNvbYISY2xpY2su
aG0uYmFpZHUuY29tghBsb2cuaG0uYmFpZHUuY29tghBjbS5wb3MuYmFpZHUuY29t
ghB3bi5wb3MuYmFpZHUuY29tghR1cGRhdGUucGFuLmJhaWR1LmNvbTAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFEU2rOodiWjhKzkRrSOc
0Vk2i7DMMB8GA1UdIwQYMBaAFJbeYfG9HBYpUxzAzH07gwBA5hp8MIIBBAYKKwYB
BAHWeQIEAgSB9QSB8gDwAHYAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16g
gw8AAAFiiYpPCgAABAMARzBFAiAbbac6UM3Au0f5IiujWCEPmZR3sYrRrxzc2EB7
NTyu3AIhANaM+Sqpimpbz4r651CIX+hhCywdzLG3JE6zArgyjx2IAHYAu9nfvB+K
cbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFiiYpRRAAABAMARzBFAiEAmE6A
rGctn/Mm+nP7c3HD9n/sYFe/FJ5n23FkiL2rT9oCIGLJJl1F2sUmA/su4YT7dic5
R733IMJlZic9HQOJoITIMA0GCSqGSIb3DQEBCwUAA4IBAQC57KcI343ViCL8VmrQ
A2EAzC/T+ePnTtelSpWshrfpVZPM97kWe+i4CY2sCmtClkXY2rdM7sAJbtnxQ78A
FlepduenlaXVyOHZU5hacG5BD4MDz3LtkgU5Q8o8GqfCbnoFBTONPgAdj8OUiizx
dtzNoF+C7MpjoCgZO0qrNp2QEbWyjHZnE36OUf8yoy89MNXIDFi50oFCZpHKd47X
rgIxcjuWmQqd5waBhyakBf2zlCnguDKj0w8Cy9auX8WYaNEYUuTF4OmPOqICzBd/
pepMzaPDTd3A+xW7Mo6n0vasV/sZI1y2qMrqs7qvItqC0YMJSlxSZ67SnWZjAwgG
lxua
-----END CERTIFICATE-----
subject=C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4137 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 415050DDCFA0D76788B2A26E8A379B087783558EDA8DB8E79EF70DD0E6DE4888
    Session-ID-ctx: 
    Master-Key: DC36584FD340F9CB637ABCB2686CB8EC25A748339DCBCC8064B274A679ABF64BD7AE0FA2A52C1DCFFDB12C9C98C02A89
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 97 c1 44 d2 4b 56 83 ef-77 5f 08 cd 94 15 be ac   ..D.KV..w_......
    0010 - ce 1e b0 2b 43 9d 79 08-90 d6 2c df 47 63 1a 00   ...+C.y...,.Gc..
    0020 - 15 43 24 94 43 5e 82 41-25 2c d0 18 1c d9 f5 3a   .C$.C^.A%,.....:
    0030 - 85 ef d5 93 43 c2 d1 25-48 2c 97 fb 7d b2 22 c6   ....C..%H,..}.".
    0040 - 15 80 71 07 fe 0a e0 45-ff d7 4c 5f d3 b6 8e 4d   ..q....E..L_...M
    0050 - 94 6a 62 f9 93 f6 93 b9-18 ab 40 9c 1d ee 01 e5   .jb.......@.....
    0060 - 3b c5 8e 56 49 df 7e c4-6f 3a 68 0a ed ca 2c b4   ;..VI.~.o:h...,.
    0070 - 1f b8 1d c9 39 66 ab f8-f5 9c 96 f8 00 07 47 45   ....9f........GE
    0080 - ab c6 29 d7 91 a2 78 d1-2a 67 25 d2 5b 1b dc 92   ..)...x.*g%.[...
    0090 - 4c cd 0d 36 47 6f 5b 76-e7 44 7b cc 9a 08 20 22   L..6Go[v.D{... "

    Start Time: 1540532589
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
<<< ??? [length 0005]
    15 03 03 00 1a
<<< TLS 1.2, Alert [length 0002], warning close_notify
    01 00
closed
>>> ??? [length 0005]
    15 03 03 00 1a
>>> TLS 1.2, Alert [length 0002], warning close_notify
    01 00

#-msg:打印出握手协议信息
#-msgfile:测试的输出结果保存到文件里
  • 测试支持的协议
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 593AE9088214B92F0184214C8CF6FC7D273636100521AE9598CA87AB6400E67C
    Session-ID-ctx: 

[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1_1
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: ECFAAE748434BC5C16A8274A733307A8B2E28B4834EC57EE8BF10B961FFB0F47
    Session-ID-ctx: 

[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -tls1
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 1D388296763561AC5EBA189D6296046FDAE7E821F048ECCC2173EFD9312D0D3D
    Session-ID-ctx: 
  • 测试支持的密码套件
[root@localhost ~]# openssl ciphers -v
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000005)
140378681091904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
  • 测试是否支持会话复用
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -reconnect 2>/dev/null |grep -i 'new\|reused'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

如果支持复用,第二次链接就不是 New, 而是 reused 。不支持的复用的话,每次再连接都是 New。

  • 显示证书链
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -showcerts
  • 测试OCSP stapling
[root@localhost ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -status

转载于:https://blog.51cto.com/stuart/2310584

你可能感兴趣的:(SSL/TLS深度解析--OpenSSL s_client测试子命令)