[root@localhost ~]# tree tls
tls
├── 1
│ ├── 1.crt
│ ├── 1.csr
│ └── 1.key
├── 2
│ ├── 2.crt
│ ├── 2.csr
│ └── 2.key
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── serial
├── serial.old
├── server.crt
└── server.key
【命令】生成key命令:
[root@localhost ~]# openssl genrsa -out server.key -des3 2048
【结果】
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost ~]# openssl req -new -x509 -key server.key -days 7300 -out srv_cacert.pem
【结果】
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:www.testlm.com
Email Address []:
【命令】
[root@localhost 1]# openssl genrsa -out 1.key -des3 2048
【结果】
Generating RSA private key, 2048 bit long modulus
......................................+++
............................................................+++
e is 65537 (0x10001)
Enter pass phrase for 1.key:
Verifying - Enter pass phrase for 1.key:
【命令】
[root@localhost 1]# openssl req -new -key 1.key -out 1.csr -days 3650
【结果】
Enter pass phrase for 1.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:www.testlm.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
【命令】
[root@localhost 1]# openssl ca -in 1.csr -out 1.crt -days 7300 -name my_caset
【结果】
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/tls/server.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 6 (0x6)
Validity
Not Before: Mar 5 08:20:29 2018 GMT
Not After : Feb 28 08:20:29 2038 GMT
Subject:
countryName = CN
stateOrProvinceName = FJ
organizationName = YL
organizationalUnitName = YL
commonName = www.testlm.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
47:34:D8:EF:55:BB:BF:74:16:E1:DD:22:65:00:56:C8:96:26:B9:BC
X509v3 Authority Key Identifier:
keyid:B9:BD:D3:60:79:26:CF:82:E1:FE:1B:6B:DF:F5:A7:7D:35:7F:13:C1
Certificate is to be certified until Feb 28 08:20:29 2038 GMT (7300 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# openssl genrsa -out 2.key -des3 2048
[root@localhost 2]# openssl req -new -key 2.key -out 2.csr -days 3650
[root@localhost 2]# openssl ca -in 2.csr -out 2.crt -name my_caset
在.../tls/1/
【命令】
[root@localhost 1]# openssl s_server -key 1.key -cert 1.crt -CAfile ../srv_cacert.pem
【结果】
Enter pass phrase for 1.key:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDBQ8pE6Ghvl2EqJF7hD5i7xjGgiMmhrmt2fGUq9r6YV
RAe7dBhKn9+QycUH+g+3jO6hBgIEWpz+t6IEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
test-hello
【命令】
[root@localhost 2]# openssl s_client -CAfile ../srv_cacert.pem -cert 2.crt -key 2.key -showcerts
【结果】
Enter pass phrase for 2.key:
CONNECTED(00000003)
depth=1 C = CN, ST = FJ, L = XM, O = YL, OU = YL, CN = www.testlm.com
verify return:1
depth=0 C = CN, ST = FJ, O = YL, OU = YL, CN = www.testlm.com
verify return:1
---
Certificate chain
0 s:/C=CN/ST=FJ/O=YL/OU=YL/CN=www.testlm.com
i:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCRkoxCzAJBgNVBAcMAlhNMQswCQYDVQQKDAJZTDELMAkGA1UECwwC
WUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMB4XDTE4MDMwNTA4MjAyOVoXDTM4
MDIyODA4MjAyOVowTTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkZKMQswCQYDVQQK
DAJZTDELMAkGA1UECwwCWUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvT12iL5PNWrF/gEp3S3k0lAukOJK
SlsC53xNToUfwFiM14J4Nsh+MZs1foYPycuJTincdh/BH26LEs6M647NsEk4C1Qt
90wPXvq77EZ2bElEIkJRIANP2l0dVtRF4rmMskCuKwMcZ534nEWWKi9fdQ/ebPIy
xF35o1ke+8NDa4E5bBCSLhCuxGHluv1wzHUqTlS6u0T2c+3GpNsZLgRd9aoVFIuF
WrtrZkWvewmDM3aves5/w/nRV1JU8y0Dx/gE8EwFliPXJCZh/4lrS9Q24F4IwsFf
n1nLU0lbxK+5TbK9uPVoSUKx1EluP75VSTtj845wBYWERHbXg69mwINCTwIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQURzTY71W7v3QW4d0iZQBWyJYmubwwHwYD
VR0jBBgwFoAUub3TYHkmz4Lh/htr3/WnfTV/E8EwDQYJKoZIhvcNAQELBQADggEB
ABPY3wJYb4wFEbgu/R2nmQKHo8MW14CIcrTtzhXSFip3isvWUreTeiKkV9eVWUp5
notiLaut79bbYgOuGYJy+4Dy/KvjxVH0rbrAFpWeJD93mATFCyO9pNVPbAUJd1XU
87ePG2L32ZCGwuh/11WAdGBx91LWlN0y4aH31WH1cWOThmS9pGnYLEXnpqamn55j
nZ/PVovXmlFtDLf3TOWovGNEFMdpzaUvQnDoqiIJ1cVIixfGTQnMHB4cO/xGpkKR
rU44fPVaNhveWOFIfCwzxG+e7HwfrgA+W810JeSyhgSSxgg7mOpaecmI2vJnuHBs
pwzrpGzPUJDC7R8w9wuzVEU=
-----END CERTIFICATE-----
1 s:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
i:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIJAIHcfzytTBCmMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UEBwwCWE0xCzAJBgNVBAoMAllMMQsw
CQYDVQQLDAJZTDEXMBUGA1UEAwwOd3d3LnRlc3RsbS5jb20wHhcNMTgwMzA1MDgw
MzU3WhcNMzgwMjI4MDgwMzU3WjBaMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkox
CzAJBgNVBAcMAlhNMQswCQYDVQQKDAJZTDELMAkGA1UECwwCWUwxFzAVBgNVBAMM
Dnd3dy50ZXN0bG0uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tsdBWaR05cjGgIBUE7hVTfq7fI8TpAxEFl0TuCEK/PIB38KJ0e0vZzPufBtwpp5S
VdKuIYOzrU4C71SROnCXgWfVd4EUu8OTqzalzyjbAzJCcHwHX9Bm1TYb7vEPHigI
WiiQwFjtpiQoLcBYbltPyIkdwlRYtlHC1h4P/CO7bzv4EZfWlsyRndf2gA4DVX2f
LnpnWn52tuZBW6jv3Mt0PeUzOj0dswPvKrCRbmA/UTKhVv+NgpjldiXPCd56lHI+
/FBpJ978v+AenafgXym6Btc3qInD5Fw2WzBMq7L7OYAKioNIQnQrlo7lCkUlby6j
bowjd6pR1PsLWw6UPR9raQIDAQABo1AwTjAdBgNVHQ4EFgQUub3TYHkmz4Lh/htr
3/WnfTV/E8EwHwYDVR0jBBgwFoAUub3TYHkmz4Lh/htr3/WnfTV/E8EwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANDvEP/G0xsOij8DJR9RP5fu94mrH
P3xuqZjJnr/lSBep4bpoTdpTVILYAZWd0GnskPKxMDxXFE+Mu4NG4J5yhG+9secs
G/JPB2IBvXWeDgCfP8enR2pGUR7g2oElbhsr34bCbN79AEmfQwomfE5m7LWyyd56
bUG4/wQQCxfVZbojOzz/kQpR5dwrVbPGHntSC1jMAIw4GPAXycnX4BtHUw3KOorT
v9xUK6ffhglcnaxLB74tZXfdzmcvopOaWYUe3DVbdzj2J9NP+bcvcsZRznEde8y9
OgUy1tczjdy1OEs2rdp9J39NZzEMdhAwc/X+Knd9R/uoZ6OBddCTQZFBRw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=FJ/O=YL/OU=YL/CN=www.testlm.com
issuer=/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2498 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B9930C6610B975D8A00D7B5C94BF267E92CB54395DE65A4DD9A838CADF3F28F
Session-ID-ctx:
Master-Key: 50F2913A1A1BE5D84A8917B843E62EF18C682232686B9ADD9F194ABDAFA6154407BB74184A9FDF90C9C507FA0FB78CEE
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e0 5e 38 0a ac 9d 08 ec-38 6f 75 06 64 1d b3 70 .^8.....8ou.d..p
0010 - c3 f9 3f 6f 73 2b 82 4a-e8 7d ff e0 2d ab 33 f0 ..?os+.J.}..-.3.
0020 - b1 fe ed 75 76 1d fa 22-aa 79 da 00 93 48 d9 36 ...uv..".y...H.6
0030 - 78 1c 61 ff f4 91 74 77-0e 20 07 c5 55 62 6e 7a x.a...tw. ..Ubnz
0040 - bb 0e a8 7a 75 28 b8 67-e5 3d b2 47 c7 b1 ea 32 ...zu(.g.=.G...2
0050 - d5 1f c3 83 f5 df be 0d-98 8b 70 f3 02 b9 1b 51 ..........p....Q
0060 - 21 14 dd 78 f9 d8 c6 1b-0a ab e6 57 86 b5 d2 dc !..x.......W....
0070 - 6d 3c b5 53 cb 21 81 fd-6e 35 7b 93 33 65 6b 94 m<.S.!..n5{.3ek.
0080 - 86 e8 cf 49 de bd 21 ff-b3 6f de 06 22 e4 04 30 ...I..!..o.."..0
0090 - 1e 52 2e 7d e4 28 f6 f6-dc cf 98 25 d6 69 f3 40 .R.}.(.....%.i.@
Start Time: 1520238263
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
test hello
【命令】
[root@localhost 1]# openssl s_server -key 1.key -cert 1.crt -CAfile ../srv_cacert.pem -Verify 1
【结果】
verify depth is 1, must return a certificate
Enter pass phrase for 1.key:
Using default temp DH parameters
ACCEPT
depth=1 C = CN, ST = FJ, L = XM, O = YL, OU = YL, CN = www.testlm.com
verify return:1
depth=0 C = CN, ST = FJ, O = YL, OU = YL, CN = www.testlm.com
verify return:1
-----BEGIN SSL SESSION PARAMETERS-----
MIID+gIBAQICAwMEAsAwBAAEMAd+sjQFGfb8tCDXYbHZNZ244BI1v1YmkP6elUvE
pPGnlnp+VRcQy1bME3ZrrOgOEKEGAgRanP99ogQCAgEso4IDoTCCA50wggKFoAMC
AQICAQUwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkZK
MQswCQYDVQQHDAJYTTELMAkGA1UECgwCWUwxCzAJBgNVBAsMAllMMRcwFQYDVQQD
DA53d3cudGVzdGxtLmNvbTAeFw0xODAzMDUwODIwMDhaFw0zODAyMjgwODIwMDha
ME0xCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UECgwCWUwxCzAJBgNV
BAsMAllMMRcwFQYDVQQDDA53d3cudGVzdGxtLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANbtEsYjE/51Lyl+/RF72AaXk2bXrQIuV6MEXbR9PsIy
UNWps+EWwnZjBqkAwewE01vwMTs1MpuFs0vEdO51cCamhtc3p2sJ1yVA08Q61i3O
ddlOKbN8BomF9ZT9mzYOYxRpbi0ZSeEaVI/oqqi1MerlZWw9AvA8SogpmTJq+761
21gGAOYu1DM0Ph2Q1Xsmsv6nJqc1m8ecqtkoEHGwNAHrTtw/JO0ZWGHCb0Ab70jC
Jjgw8xRC3JDHozkFUe/FJHtQLEZ/SBMEABLJGM4Tzsm2LXnNMXESVIImpN9l9tGY
NlUlh9KLjoWxSslHjDZEXNJ6ygu26FQIYAsCfsHgf30CAwEAAaN7MHkwCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFGu571ZmVbjC8jSYUPHjmuNClZpSMB8GA1UdIwQYMBaAFLm9
02B5Js+C4f4ba9/1p301fxPBMA0GCSqGSIb3DQEBCwUAA4IBAQATnYcnmfCf+eS7
8fWbb/gRMTVqLzjmu9Sdae7o+B0daNF+a4fOBmk9qD7zsyKLpwOd6V5BabbhxU+d
pFWu2Nv56hU9M5QdflWH/WIPpBhmcbrrEqZGcm7jrGys3ExZvWDysWiInGFxt9Yu
zUAxFaly57PyIpR+FB8pjPKja2LV8TkIlj7dcUN7LeJRxh76GgGvZiUkJPILM0ou
iCqMnQI3NuXrJz1rsZ2w8AhpqJIHElugrxdY1GB9Jr7KssV91+p5stZ5vPozYX07
bZ54mpJrAZvzMbU0BaKu+4YW0j3rQfJJQibdbtpKrQojMAP1yE/oX70vmOs7DWDt
wOG7SCtApAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCRkoxCzAJBgNVBAcMAlhNMQswCQYDVQQKDAJZTDELMAkGA1UECwwC
WUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMB4XDTE4MDMwNTA4MjAwOFoXDTM4
MDIyODA4MjAwOFowTTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkZKMQswCQYDVQQK
DAJZTDELMAkGA1UECwwCWUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1u0SxiMT/nUvKX79EXvYBpeTZtet
Ai5XowRdtH0+wjJQ1amz4RbCdmMGqQDB7ATTW/AxOzUym4WzS8R07nVwJqaG1zen
awnXJUDTxDrWLc512U4ps3wGiYX1lP2bNg5jFGluLRlJ4RpUj+iqqLUx6uVlbD0C
8DxKiCmZMmr7vrXbWAYA5i7UMzQ+HZDVeyay/qcmpzWbx5yq2SgQcbA0AetO3D8k
7RlYYcJvQBvvSMImODDzFELckMejOQVR78Uke1AsRn9IEwQAEskYzhPOybYtec0x
cRJUgiak32X20Zg2VSWH0ouOhbFKyUeMNkRc0nrKC7boVAhgCwJ+weB/fQIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUa7nvVmZVuMLyNJhQ8eOa40KVmlIwHwYD
VR0jBBgwFoAUub3TYHkmz4Lh/htr3/WnfTV/E8EwDQYJKoZIhvcNAQELBQADggEB
ABOdhyeZ8J/55Lvx9Ztv+BExNWovOOa71J1p7uj4HR1o0X5rh84GaT2oPvOzIoun
A53pXkFptuHFT52kVa7Y2/nqFT0zlB1+VYf9Yg+kGGZxuusSpkZybuOsbKzcTFm9
YPKxaIicYXG31i7NQDEVqXLns/IilH4UHymM8qNrYtXxOQiWPt1xQ3st4lHGHvoa
Aa9mJSQk8gszSi6IKoydAjc25esnPWuxnbDwCGmokgcSW6CvF1jUYH0mvsqyxX3X
6nmy1nm8+jNhfTttnniakmsBm/MxtTQFoq77hhbSPetB8klCJt1u2kqtCiMwA/XI
T+hfvS+Y6zsNYO3A4btIK0A=
-----END CERTIFICATE-----
subject=/C=CN/ST=FJ/O=YL/OU=YL/CN=www.testlm.com
issuer=/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
test-hello
【命令】
[root@localhost 2]# openssl s_client -CAfile ../srv_cacert.pem -cert 2.crt -key 2.key -showcerts
【结果】
Enter pass phrase for 2.key:
CONNECTED(00000003)
depth=1 C = CN, ST = FJ, L = XM, O = YL, OU = YL, CN = www.testlm.com
verify return:1
depth=0 C = CN, ST = FJ, O = YL, OU = YL, CN = www.testlm.com
verify return:1
---
Certificate chain
0 s:/C=CN/ST=FJ/O=YL/OU=YL/CN=www.testlm.com
i:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCRkoxCzAJBgNVBAcMAlhNMQswCQYDVQQKDAJZTDELMAkGA1UECwwC
WUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMB4XDTE4MDMwNTA4MjAyOVoXDTM4
MDIyODA4MjAyOVowTTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkZKMQswCQYDVQQK
DAJZTDELMAkGA1UECwwCWUwxFzAVBgNVBAMMDnd3dy50ZXN0bG0uY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvT12iL5PNWrF/gEp3S3k0lAukOJK
SlsC53xNToUfwFiM14J4Nsh+MZs1foYPycuJTincdh/BH26LEs6M647NsEk4C1Qt
90wPXvq77EZ2bElEIkJRIANP2l0dVtRF4rmMskCuKwMcZ534nEWWKi9fdQ/ebPIy
xF35o1ke+8NDa4E5bBCSLhCuxGHluv1wzHUqTlS6u0T2c+3GpNsZLgRd9aoVFIuF
WrtrZkWvewmDM3aves5/w/nRV1JU8y0Dx/gE8EwFliPXJCZh/4lrS9Q24F4IwsFf
n1nLU0lbxK+5TbK9uPVoSUKx1EluP75VSTtj845wBYWERHbXg69mwINCTwIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQURzTY71W7v3QW4d0iZQBWyJYmubwwHwYD
VR0jBBgwFoAUub3TYHkmz4Lh/htr3/WnfTV/E8EwDQYJKoZIhvcNAQELBQADggEB
ABPY3wJYb4wFEbgu/R2nmQKHo8MW14CIcrTtzhXSFip3isvWUreTeiKkV9eVWUp5
notiLaut79bbYgOuGYJy+4Dy/KvjxVH0rbrAFpWeJD93mATFCyO9pNVPbAUJd1XU
87ePG2L32ZCGwuh/11WAdGBx91LWlN0y4aH31WH1cWOThmS9pGnYLEXnpqamn55j
nZ/PVovXmlFtDLf3TOWovGNEFMdpzaUvQnDoqiIJ1cVIixfGTQnMHB4cO/xGpkKR
rU44fPVaNhveWOFIfCwzxG+e7HwfrgA+W810JeSyhgSSxgg7mOpaecmI2vJnuHBs
pwzrpGzPUJDC7R8w9wuzVEU=
-----END CERTIFICATE-----
1 s:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
i:/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIJAIHcfzytTBCmMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UEBwwCWE0xCzAJBgNVBAoMAllMMQsw
CQYDVQQLDAJZTDEXMBUGA1UEAwwOd3d3LnRlc3RsbS5jb20wHhcNMTgwMzA1MDgw
MzU3WhcNMzgwMjI4MDgwMzU3WjBaMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkox
CzAJBgNVBAcMAlhNMQswCQYDVQQKDAJZTDELMAkGA1UECwwCWUwxFzAVBgNVBAMM
Dnd3dy50ZXN0bG0uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tsdBWaR05cjGgIBUE7hVTfq7fI8TpAxEFl0TuCEK/PIB38KJ0e0vZzPufBtwpp5S
VdKuIYOzrU4C71SROnCXgWfVd4EUu8OTqzalzyjbAzJCcHwHX9Bm1TYb7vEPHigI
WiiQwFjtpiQoLcBYbltPyIkdwlRYtlHC1h4P/CO7bzv4EZfWlsyRndf2gA4DVX2f
LnpnWn52tuZBW6jv3Mt0PeUzOj0dswPvKrCRbmA/UTKhVv+NgpjldiXPCd56lHI+
/FBpJ978v+AenafgXym6Btc3qInD5Fw2WzBMq7L7OYAKioNIQnQrlo7lCkUlby6j
bowjd6pR1PsLWw6UPR9raQIDAQABo1AwTjAdBgNVHQ4EFgQUub3TYHkmz4Lh/htr
3/WnfTV/E8EwHwYDVR0jBBgwFoAUub3TYHkmz4Lh/htr3/WnfTV/E8EwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANDvEP/G0xsOij8DJR9RP5fu94mrH
P3xuqZjJnr/lSBep4bpoTdpTVILYAZWd0GnskPKxMDxXFE+Mu4NG4J5yhG+9secs
G/JPB2IBvXWeDgCfP8enR2pGUR7g2oElbhsr34bCbN79AEmfQwomfE5m7LWyyd56
bUG4/wQQCxfVZbojOzz/kQpR5dwrVbPGHntSC1jMAIw4GPAXycnX4BtHUw3KOorT
v9xUK6ffhglcnaxLB74tZXfdzmcvopOaWYUe3DVbdzj2J9NP+bcvcsZRznEde8y9
OgUy1tczjdy1OEs2rdp9J39NZzEMdhAwc/X+Knd9R/uoZ6OBddCTQZFBRw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=FJ/O=YL/OU=YL/CN=www.testlm.com
issuer=/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
---
Acceptable client certificate CA names
/C=CN/ST=FJ/L=XM/O=YL/OU=YL/CN=www.testlm.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3562 bytes and written 2538 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 92E6A8CB65CE360934807E75B5F7F93A0F966F1BBAD765A6AE60EBDA3CE9A223
Session-ID-ctx:
Master-Key: 077EB2340519F6FCB420D761B1D9359DB8E01235BF562690FE9E954BC4A4F1A7967A7E551710CB56CC13766BACE80E10
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 77 8a 5f e5 98 90 90 8e-d9 ba f1 74 dc 33 d3 31 w._........t.3.1
0010 - 29 7e e8 e6 46 4c f4 26-28 be 35 3d f3 13 81 39 )~..FL.&(.5=...9
0020 - b5 e9 19 07 03 7b de be-02 1d e0 52 1a cd 3d 96 .....{.....R..=.
0030 - 38 5b 41 93 26 61 07 ff-37 5e c8 67 9f 65 22 60 8[A.&a..7^.g.e"`
0040 - 29 1b 4f ad ff 0f 2d c7-49 92 eb 32 d0 7c a5 d4 ).O...-.I..2.|..
0050 - 29 73 47 a5 cf f4 e6 09-73 cc c6 20 36 b6 28 22 )sG.....s.. 6.("
0060 - 2e c5 2f ae d5 d1 91 bf-54 ea fa d9 c0 27 31 b0 ../.....T....'1.
0070 - a5 c1 6b 32 0d cf 10 75-2b f0 bb e6 d4 67 b3 dc ..k2...u+....g..
0080 - f6 e9 4f 13 ac f3 2d f7-e3 52 90 7f 6f 8f ce ed ..O...-..R..o...
0090 - 4c 70 b8 d1 0c aa d6 bb-ed 10 b8 6e aa e5 af 20 Lp.........n...
00a0 - 2c 0a fe 7f 9b 1c c8 07-0e 44 1a 39 09 25 db ef ,........D.9.%..
00b0 - 45 4d 28 c9 d9 1d 59 31-0c eb 2a c5 80 0e c2 1f EM(...Y1..*.....
00c0 - 29 1f a6 09 29 a1 44 20-9d de 17 17 b7 79 41 01 )...).D .....yA.
00d0 - 91 8d b8 b2 8f f9 a0 02-a2 3a 87 ed d2 d6 4f ec .........:....O.
00e0 - 27 72 69 a6 24 b8 40 29-5f 1c 26 0b ac 3a 66 76 'ri.$.@)_.&..:fv
00f0 - fd 0a 06 7c 74 3e ec 97-2a 82 da fb 2f 3b 2f f4 ...|t>..*.../;/.
0100 - c8 84 0f 45 7e 1e 7b bd-09 5d b6 79 06 f9 a3 bf ...E~.{..].y....
0110 - d2 6f 38 3b 33 47 97 94-c5 a6 8f cc 95 8e 11 aa .o8;3G..........
0120 - ba d6 a8 77 19 28 e6 79-a3 1a 74 dc 91 a1 38 55 ...w.(.y..t...8U
0130 - 2b 9d e8 87 9f b3 9e 54-59 45 3f e5 34 b2 23 7c +......TYE?.4.#|
0140 - 0c d1 9a 5b 56 a7 69 4e-ea 4a 77 f9 87 53 22 c8 ...[V.iN.Jw..S".
0150 - 26 5d 0b f1 09 9b 10 b5-7d be 51 d7 02 90 81 95 &]......}.Q.....
0160 - 47 ba 70 a5 e9 12 4a 85-a6 57 47 2e 73 98 8e 58 G.p...J..WG.s..X
0170 - 71 76 4c b8 4c 07 18 de-4a a9 e4 8a cb e5 4c 07 qvL.L...J.....L.
0180 - e5 23 16 77 8c a0 a4 7c-c5 71 15 8d 0f c5 36 6c .#.w...|.q....6l
0190 - 6b fb 95 43 f1 6d d3 01-04 e2 a1 0c 72 d3 80 89 k..C.m......r...
01a0 - 0c 3a 74 e4 72 4e 8a e7-fa ad 8f bc 95 c6 2f 43 .:t.rN......../C
01b0 - ca 32 7a bc 49 d1 5b e9-db 7e 33 b6 9d a5 58 2e .2z.I.[..~3...X.
01c0 - 0d 56 3c 47 74 61 98 4e-95 f6 42 e6 54 0f ce 9f .V]F!.......j1..
02a0 - ad e6 32 c3 1f 5f d3 7f-69 19 bc 6f 5a ce 2a 1a ..2.._..i..oZ.*.
02b0 - 12 f4 bb 50 08 51 de 10-67 7e 1d 4f 84 36 3f e6 ...P.Q..g~.O.6?.
02c0 - 3b ee 78 5e c3 b8 50 91-2d 0d 87 83 13 74 9f 21 ;.x^..P.-....t.!
02d0 - 81 45 fe 07 eb 56 a9 71-be 32 b6 5b 0d 7b ba 95 .E...V.q.2.[.{..
02e0 - 2d 67 89 6b 87 a7 5b 2f-fb 41 10 2b 8f 3f 09 f9 -g.k..[/.A.+.?..
02f0 - 44 53 00 fd 90 74 dd 95-40 d1 34 e7 7f 3e cb f2 [email protected]..>..
0300 - 50 b0 1a db 2c 87 e0 21-ae b4 77 4e c3 d8 3f 78 P...,..!..wN..?x
0310 - c4 2a 45 ed cb d2 6c 31-bd c9 e6 dc 91 5c 13 02 .*E...l1.....\..
0320 - 99 21 8d 3f 09 20 f3 e8-b9 9c 2a b3 ae 69 74 2c .!.?. ....*..it,
0330 - 8d 57 7e eb 5a c6 03 da-94 08 0f 87 04 e5 55 dd .W~.Z.........U.
0340 - 2c dc 8f c9 75 e9 6b 44-c4 69 f3 8d ae 7c d5 dc ,...u.kD.i...|..
0350 - f3 97 d4 87 24 75 a1 ee-eb b9 3a 60 07 83 7e b1 ....$u....:`..~.
0360 - 94 5c bd 77 b7 e7 2a 17-87 c0 a5 e9 9b 07 a0 8f .\.w..*.........
0370 - 8c 8b d3 f9 78 eb 88 9d-00 a0 88 50 04 72 e8 ce ....x......P.r..
0380 - df 09 13 67 c2 47 e4 e0-f4 87 cc 68 f3 07 6d 10 ...g.G.....h..m.
0390 - d5 21 f7 fc 50 81 5b 33-4e 0b e6 01 cb 17 10 e5 .!..P.[3N.......
03a0 - d6 d9 19 da f9 4f ab 27-c8 06 c6 a0 f8 48 75 4b .....O.'.....HuK
03b0 - 9b b8 8f 39 94 7c 2f 9c-9e fa e7 d1 da 54 7e 1c ...9.|/......T~.
03c0 - dc 3b 98 40 b0 80 db 23-85 69 bc 7a dd e0 87 4b .;.@...#.i.z...K
03d0 - 36 1a 1f a1 3a d5 0f 3d-bf 97 ed d7 3a 5c 13 bc 6...:..=....:\..
03e0 - 6e 5c fe d2 a9 61 dd 6b-ba 26 2c e5 a2 52 01 a7 n\...a.k.&,..R..
03f0 - c8 c1 98 34 1a 5a 7b 74-46 bd df 0c c1 fb 7a b7 ...4.Z{tF.....z.
0400 - 80 96 16 5c ea 8d 30 aa-17 51 08 73 07 db 38 ea ...\..0..Q.s..8.
0410 - 96 92 1b d3 b7 7d ac e2-6f 1b 1c 6c b9 7e 0a 04 .....}..o..l.~..
0420 - 46 99 a8 7e 0a 41 73 f5-84 b5 e5 59 c9 2f 45 24 F..~.As....Y./E$
0430 - 62 bb 7c f4 1e 46 b5 8b-4e e7 b6 f4 27 ce 90 1b b.|..F..N...'...
Start Time: 1520238461
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
test-hello
参考:https://stackoverflow.com/questions/16646557/verify-incoming-ssl-using-openssl-s-server