Chapter 2. Testing TLS with OpenSSL - Feisty Duck
Due to the large number of protocol features and implementation quirks, it's sometimes difficult to determine the exact configuration and features of secure servers. Although many tools exist for this purpose, it's often difficult to know exactly how they work, and that sometimes makes it difficult to fully trust their results. Even though I spent years testing secure servers and have access to good tools, when I really want to understand what is going on, I resort to using OpenSSL and Wireshark. I am not saying that you should use OpenSSL for everyday testing; on the contrary, you should find an automated tool that you trust. For online testing, I recommend Hardenize; for offline work, consider testssl.sh. But when you really need to be certain of something, the only way is to get your hands dirty with OpenSSL.

Custom-Compile OpenSSL for Testing

Using OpenSSL for testing purposes has become more difficult recently because, paradoxically, OpenSSL itself got better. In the aftermath of Heartbleed, the OpenSSL developers undertook a great overhaul, one aspect of which was removal of obsolete cryptography. That is great news for everyone, of course, but does make our lives more difficult. To test for a wide variety of conditions, we may need to use two versions: one recent and one old. The recent one is useful to test modern features (e.g., TLS 1.3), but the old one is what you need to test obsolete functionality. At the time of writing, the new version will most definitely be from the 1.1.1 branch. As for the old, after some research, I settled on OpenSSL 1.0.2g, configured so that the removal of some obsolete features is reverted:

    $ ./config \
        --prefix=/opt/openssl-1.0.2g \
        --openssldir=/opt/openssl-1.0.2g \
        no-shared \
        enable-ssl2 \
        enable-ssl3 \
        enable-weak-ssl-ciphers

Throughout this chapter, I will refer to these two versions of OpenSSL as new and old. That's how you'll know which version to use for the testing. Refer to the previous chapter for more information on how to configure and install OpenSSL.

Connecting to TLS Services

OpenSSL comes with a client tool that you can use to connect to a secure server. The tool is similar to telnet or nc in the sense that it handles the encryption aspect but allows you to fully control the layer that comes next. To connect to a server, you need to supply a hostname and a port. For example:

    $ openssl s_client -crlf \
        -connect www.feistyduck.com:443 \
        -servername www.feistyduck.com

Notice that you had to supply the hostname twice. The -connect switch is used to establish the TCP connection, but -servername is used to specify the hostname sent at the TLS level. Starting with OpenSSL 1.1.1, the s_client tool automatically configures the latter. You'll still need to use the -servername switch if (1) you're using an earlier version of OpenSSL, (2) you're connecting to an IP address, or (3) the TLS host needs to be different. Use the -noservername switch to avoid sending hostname information in the TLS handshake.

Once you type the command, you're going to see a lot of diagnostic output (more about that in a moment) followed by an opportunity to type whatever you want. Because we're talking to an HTTP server, the most sensible thing to do is to submit an HTTP request. In the following example, I use a HEAD request because it instructs the server not to send the response body:

    HEAD / HTTP/1.0
    Host: www.feistyduck.com

    HTTP/1.1 200 OK
    Date: Mon, 24 Aug 2020 16:38:02 GMT
    Server: Apache
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Cache-control: no-cache, must-revalidate
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=882D48C8842EA82E3F3AFACC4425A695; Path=/; Secure; HttpOnly
    Connection: close

    read:errno=0

Note: If, when connecting to a remote server in this way, the TLS handshake completes but you're getting disconnected after the first HTTP request line, check that you've specified the -crlf switch on the command line. This switch ensures that the newlines you type are translated to a carriage return plus line feed combo to ensure strict HTTP compliance.

Now we know that the TLS communication layer is working: we got through to the HTTP server, submitted a request, and received a response back. Let's go back to the diagnostic output. The first couple of lines will show the information about the server certificate:

    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
    verify return:1

The next section in the output lists all the certificates presented by the server in the order in which they were delivered:

    Certificate chain
     0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
       i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
     1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
       i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority

For each certificate, the first line shows the subject and the second line shows the issuer information. This part is very useful when you need to see exactly what certificates are sent; browser certificate viewers typically display reconstructed certificate chains that can be almost completely different from the presented ones. To determine if the chain is nominally correct, you might wish to verify that the subjects and issuers match. You start with the leaf (web server) certificate at the top, and then you go down the list, matching the issuer of the current certificate to the subject of the next. The last issuer you see can point to some root certificate that is not in the chain, or—if the self-signed root is included—it can point to itself.
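The issuer-to-subject walk just described can be automated. The following shell function is an added example, not code from the cookbook: it reads s_client output from stdin, picks out the `s:`/`i:` lines of the "Certificate chain" block, and reports whether each issuer matches the next subject. The function names check_chain_order and tls_chain_check are my own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL Cookbook): walk the "Certificate chain"
# block that s_client prints and confirm that the issuer of certificate N is
# the subject of certificate N+1, which is the manual check described above.

# check_chain_order reads s_client output on stdin and exits 0 when every
# issuer/subject pair lines up, 1 otherwise. Names are compared after removing
# the spaces around "=" and ",", so OpenSSL 1.0.2 output ("C=GB,ST=...") and
# 1.1.1/3.x output ("C = GB, ST = ...") are treated alike.
check_chain_order() {
    awk '
    function norm(s) { gsub(/ *= */, "=", s); gsub(/ *, */, ",", s); return s }
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = norm($0); next }     # subject line
    /^ +i:/        { sub(/^ +i:/, "");        iss[n]  = norm($0); n++; next } # issuer line
    END {
        if (n == 0) { print "no certificate chain found"; exit 1 }
        for (k = 0; k < n - 1; k++)
            if (iss[k] != subj[k + 1]) {
                printf "BROKEN: issuer of certificate %d is not the subject of certificate %d\n", k, k + 1
                exit 1
            }
        # The last issuer either names a root that must come from the trust
        # store, or the chain ends with a self-signed root.
        if (iss[n - 1] == subj[n - 1])
            print "OK: " n " certificates, self-signed root included in the chain"
        else
            print "OK: " n " certificates, root (" iss[n - 1] ") must come from the trust store"
    }'
}

# Convenience wrapper around the s_client invocation used in this section.
# Usage: tls_chain_check www.example.test [443]
tls_chain_check() {
    host=$1; port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | check_chain_order
}
```

The check only confirms that the names line up; whether the chain actually validates is still what "Verify return code" tells you.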
The next item in the output is the server certificate; it's a lot of text, but I'm going to remove most of it for brevity:

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFUzCCBDugAwIBAgIRAPR/CbWZEksfCIRqxNcesPIwDQYJKoZIhvcNAQELBQAw
    gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
    BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
    [...]
    L1MPjFiB5pyvf9jDBxv8TmG4Q6TnDDhw2t2Qil6lhsPAMZ9odP22W3uaLE1y7aB6
    zbQXjVsc3E1THfFZWRzDPsU4fN/1iGlbrcAWa2sFfhJXrCDfAowFJ8A1n9jMiNEG
    WfQfGgA2ar2xUtsqA7Re6XlXOlwBPuQ=
    -----END CERTIFICATE-----
    subject=OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
    issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

Note: By default, the s_client tool shows just the leaf certificate. If you wish to obtain the entire chain, use the -showcerts switch.

If you want to have a better look at the certificate, you'll first need to copy it from the output and store it in a separate file. I'll discuss how to do that in the next section.

The following is a lot of information about the TLS connection, most of which is self-explanatory:

    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3624 bytes and written 446 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 73FC4831AF053C46291C2D8CC90BF7F1D5B12178E488FBB4DC49A302B870E8DE
        Session-ID-ctx:
        Master-Key: E60DA9C6669C2C7DFFD8A3AD2CD17405CC0B9B69C4184469D779A9BA19A6FD4B3D602A023BD8B23F8D9A9FF2CBB5DDF7
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 31 95 ff d0 4c 42 dd d0-24 64 03 5c fc 55 1d 17   1...LB..$d.\.U..
        0010 - 05 c4 61 1f b8 ba fd fe-f7 6c 6c e9 ae a2 49 3f   ..a......ll...I?
        0020 - c5 19 d4 e9 69 a5 79 d5-af 13 26 c8 2c e7 f0 01   ....i.y...&.,...
        0030 - 3b 42 d8 c0 29 4c fa 7e-88 aa 8d c8 0b 30 96 ce   ;B..)L.~.....0..
        0040 - 43 40 2c 09 0b aa 2e d5-61 e3 34 7a a3 78 2f 93   C@,.....a.4z.x/.
        0050 - 67 5a b9 96 78 f5 e7 69-b7 b6 2d 8c 00 8f 04 ab   gZ..x..i..-.....
        0060 - 42 1d 26 db 92 ec 2d 2f-ba 1c c6 61 87 64 0e d5   B.&...-/...a.d..
        0070 - f2 ce 20 d0 07 a5 e2 6d-c6 45 50 c2 45 14 a8 ee   .. .....m.EP.E...
        0080 - 59 7c 63 e1 d7 d8 b0 b6-76 21 d2 13 97 eb bd 97   Y|c.....v!......
        0090 - a1 d3 e8 5c 61 da da 2d-85 80 db ae de 56 97 e1   ...\a..-.....V..
        00a0 - e8 7a 25 f9 bf cf b6 18-48 5b b0 03 a5 e6 ec 0a   .z%.....H[......
        00b0 - bf 2f 0d 1a 6b ae 79 10-80 9c cf 4d 66 8f 90 43   ./..k.y....Mf..C
        00c0 - 69 54 32 be 0c 89 57 e8-6d 81 b5 3e 5b cb 5e 8e   iT2...W.m..>[.^.

        Start Time: 1598288068
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

The most important information here is the protocol version (TLS 1.2) and cipher suite used (ECDHE-RSA-AES128-GCM-SHA256). Do note that protocol information appears in two locations, which is potentially confusing when different versions are shown. The first location describes the minimum protocol requirement with the negotiated cipher suite, while the second location points to the actual protocol version currently being negotiated. You will see a difference in protocol versions with some older cipher suites—for example:

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA

The selected suite could be used with SSL 3.0, but it's used with TLS 1.2 on this connection:

    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA

You can also determine that the server has issued to you a session ID and a TLS session ticket (a way of resuming sessions without having the server maintain state) and that secure renegotiation is supported.

Note: If you're connecting to a TLS 1.3 server, the output may be different. Sometimes you will observe less information initially, with additional information arriving later in bursts. This behavior depends on the implementation and reflects the changes in TLS 1.3, which transmits session tickets as separate protocol messages that are sent only after the handshake is complete. Additionally, multiple session tickets are usually sent on the same connection.

Certificate Verification

Just because you are able to connect to a TLS server, that doesn't mean that the service is configured correctly, even if the server supports all the right protocols and cipher suites. It is equally important that the configured certificate matches the correct DNS names. By default, the s_client tool reports but otherwise ignores certificate issues. Further, before you begin to trust its judgment you need to be confident that it can recognize a valid certificate when it sees one. This is especially true when you're using a custom-compiled binary.

In the example from the previous section, the verification status code (shown on the penultimate line) was 0, which means that the verification has been successful. If you're connecting to a server that has a valid public certificate but you see status 20 instead, that probably means that trusted roots haven't been correctly configured:

    Verify return code: 20 (unable to get local issuer certificate)

At this point, if you don't wish to fix your OpenSSL installation, you can instead use the -CApath switch to point to the location where the roots are kept. For example:

    $ openssl s_client -connect www.feistyduck.com:443 -CApath /etc/ssl/certs/

If you instead have a single file with the roots in it, use the -CAfile switch:

    $ openssl s_client -connect www.feistyduck.com:443 \
        -CAfile /etc/ssl/certs/ca-certificates.crt

Even if you get a successful status code at this point, that doesn't mean that the certificate is correctly configured. That's because the s_client tool doesn't check that the certificate is correct for the given hostname; you have to tell it to do that manually and tell it which hostname to use:

    $ openssl s_client -connect www.feistyduck.com:443 -verify_hostname www.feistyduck.com

If there is a mismatch, you might see status code 62:

    Verify return code: 62 (Hostname mismatch)

Otherwise, you'll see the familiar status code 0. In the rare instance that you need to verify a certificate that has been issued for an IP address instead of a hostname, you'll need to use the -verify_ip switch for the verification.

Testing Protocols that Upgrade to TLS

When used with HTTP, TLS wraps the entire plain-text communication channel to form HTTPS. Some other protocols start off as plaintext, but then they upgrade to encryption. If you want to test such a protocol, you'll have to tell OpenSSL which protocol it is so that it can upgrade on your behalf. Provide the protocol information using the -starttls switch. For example:

    $ openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp

At the time of writing, the supported protocols in recent OpenSSL releases are smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve, and ldap. There is less choice with OpenSSL 1.0.2g: smtp, pop3, imap, ftp, and xmpp.

Some protocols require the client to provide their names. For example, for SMTP, OpenSSL will use mail.example.com by default, but you can specify the correct value with the -name switch. If you're testing XMPP, you may need to specify the correct server name; you can do this with the -xmpphost switch.

Extracting Remote Certificates

When you connect to a remote secure server using s_client, it will dump the server's PEM-encoded certificate to standard output. If you need the certificate for any reason, you can copy it from the scroll-back buffer. If you know in advance you only want to retrieve the certificate, you can use this command line as a shortcut:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 \
        | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > feistyduck.crt

The purpose of the echo command at the beginning is to separate your shell from s_client. If you don't do that, s_client will wait for your input until the server times out (which may potentially take a very long time).

By default, s_client will print only the leaf certificate; if you want to print the entire chain, give it the -showcerts switch. With that switch enabled, the previous command line will place all the certificates in the same file.

    $ echo | openssl s_client -showcerts -connect www.feistyduck.com:443 2>&1 \
        | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > feistyduck.chain

Another useful trick is to pipe the output of s_client directly to the x509 tool. The following command shows detailed server information, along with its SHA256 fingerprint:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 \
        | openssl x509 -noout -text -fingerprint -sha256

Sometimes you will need to take the certificate fingerprint and use it with other tools. Unfortunately, OpenSSL outputs certificates in a format that shows individual bytes and separates them using colons. This handy command line normalizes certificate fingerprints by removing the colons and converting the hexadecimal characters to lowercase:

    $ echo | openssl s_client -connect www.feistyduck.com:443 2>&1 \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/://g' | tr '[:upper:]' '[:lower:]' | sed 's/sha256 fingerprint=//g'

Note: Connecting to remote TLS servers and reviewing their certificates is a pretty common operation, but you shouldn't spend your time remembering and typing these long commands. Instead, invest in writing a couple of shell functions that will package this functionality into easy-to-use commands.
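The shell functions the note suggests, as an added example that is not code from the cookbook: they wrap the s_client and x509 one-liners from this section, and tls_fp_check adds a comparison against a fingerprint recorded earlier. The openssl binary is assumed to be on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL Cookbook): shell helpers that package the
# certificate-extraction and fingerprint commands from this section.

# Leaf certificate of a TLS service, PEM-encoded. Usage: tls_cert host [port]
tls_cert() {
    host=$1; port=${2:-443}
    # The leading echo closes stdin so that s_client does not wait for input.
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Every certificate the server sent, in delivery order. Usage: tls_chain host [port]
tls_chain() {
    host=$1; port=${2:-443}
    echo | openssl s_client -showcerts -connect "$host:$port" -servername "$host" 2>&1 \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Normalize an OpenSSL fingerprint line, whether it reads
#   SHA256 Fingerprint=AB:CD:...   (OpenSSL 1.1.1)   or
#   sha256 Fingerprint=AB:CD:...   (OpenSSL 3.x),
# into bare lowercase hex, the form most other tools expect. Reads stdin.
normalize_fp() {
    sed -n 's/^.*[Ff]ingerprint=//p' | tr -d ':' | tr '[:upper:]' '[:lower:]'
}

# Normalized SHA-256 fingerprint of the leaf certificate. Usage: tls_fp host [port]
tls_fp() {
    tls_cert "$1" "${2:-443}" | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Compare the live leaf certificate against a fingerprint you recorded during an
# earlier review (colons and case in the expected value are ignored).
# Exit status 0 on match. Usage: tls_fp_check host expected_fingerprint [port]
tls_fp_check() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr '[:upper:]' '[:lower:]')
    actual=$(tls_fp "$1" "${3:-443}")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}
```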
Testing Protocol Support

By default, s_client will try to use the best protocol to talk to the remote server and report the negotiated version in output. As mentioned earlier, you will find the protocol version in the output twice, and you want the line that explicitly talks about the protocol:

    Protocol  : TLSv1.2

If you need to test support for specific protocol versions, you have two options. You can explicitly choose one protocol to test by supplying one of the -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, or -tls1_3 switches. Naturally, each switch requires support for a specific protocol version in the testing tool. If you want to exclude a particular protocol from the testing, there is a family of switches that disable protocols (e.g., -no_tls1_2 for TLS 1.2). Sometimes that may be the better approach. Starting with OpenSSL 1.1.0, there are two new options, -min_protocol and -max_protocol, which control the minimum and maximum protocol version, respectively.

For example, here's the output you might get when testing a server that doesn't support a certain protocol version:

    $ openssl s_client -connect www.example.com:443 -tls1_2
    CONNECTED(00000003)
    140455015261856:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1339231204
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

Understanding if a server supports SSL 2.0 may sometimes require more work, due to the fact that this old and very insecure version of the SSL protocol uses a different handshake from that used from SSL 3.0 onwards. Although servers that support only SSL 2.0 should now be very rare, to check this eventuality, you'll need to submit a separate check using the -ssl2 switch.

Another protocol difference is that SSL 2.0 servers are sometimes seen without any configured cipher suites. In that case, although SSL 2.0 is supported, technically speaking, any handshake attempts will still fail. You should treat this situation as misconfiguration.

Testing Cipher Suite Configuration

It's not very likely that you will be spending a lot of time testing cipher suite configuration using OpenSSL on the command line. This is because you can effectively test for only one suite at a time; testing for more than 300 cipher suites that are supported by TLS 1.2 and earlier protocol revisions would take a considerable amount of time. This is a perfect opportunity to use those handy tools that automate the process. Still, there will be times when you will need to probe servers to determine if they support a particular suite or a cryptographic primitive, or if the preference is correctly configured.

The introduction of TLS 1.3 made testing in this area slightly more complicated, but it's still manageable. Because of the differences between this protocol version and all other revisions, it's usually best to split your tests into two groups. When testing TLS 1.3, always use the -ciphersuites switch in combination with -tls1_3. The usual approach is to specify only one suite to determine if it's supported:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 \
        -ciphersuites TLS_AES_128_GCM_SHA256 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256

The output will naturally be different if you pick a suite that is not supported:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 \
        -ciphersuites TLS_AES_128_CCM_SHA256 2>/dev/null | grep New
    New, (NONE), Cipher is (NONE)

When you're testing the configuration of TLS 1.2 and earlier protocol versions, use the -cipher switch in combination with -no_tls1_3 (assuming you're using a version of OpenSSL that supports TLS 1.3):

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher AESGCM 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

As you can see in the previous example, when testing TLS 1.2 and earlier you don't have to specify only one cipher suite, but in that case you will need to observe what has been negotiated. If you want to probe further, you can always tweak the command line to remove the previously negotiated suite:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'AESGCM:!ECDHE-ECDSA-AES128-GCM-SHA256' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384

Even though you won't be testing for a great many suites manually, there is a quick way to determine if a particular server supports any of the many bad cryptographic primitives. To do this, use your old OpenSSL version and list all the bad cipher suite keywords, like this:

    $ echo | openssl s_client -connect example.com:443 \
        -cipher '3DES DES RC2 RC4 IDEA SEED CAMELLIA MD5 aNULL eNULL EXPORT LOW' 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is DHE-RSA-CAMELLIA256-SHA

Another good test is to see if a server supports the RSA key exchange that doesn't support forward secrecy:

    $ echo | /opt/openssl-1.0.2g/bin/openssl s_client -connect example.com:443 \
        -cipher kRSA 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256

Ideally, you'd get a handshake failure here, but it's not terrible if you don't, provided the server uses the RSA key exchange only as a matter of last resort. You can check this by offering suites with forward secrecy as your least preferred option:

    $ echo | /opt/openssl-1.0.2g/bin/openssl s_client -connect example.com:443 \
        -cipher 'DHE ECDHE kRSA +kECDHE +kDHE' 2>/dev/null | grep New
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Testing Cipher Suite Preference

As a general rule, TLS servers should always be configured to enforce their cipher suite preferences, ensuring that they negotiate their preferred cipher suite with every client. This feature is essential with TLS 1.2 and earlier protocol revisions, which support many cipher suites, most of them undesirable. It's a different story with TLS 1.3: it only has a handful of suites available at this time and all of them are secure, so enforcing server preference doesn't matter that much.

Note: Because cipher suite preference doesn't matter much with TLS 1.3, some stacks don't even support it with this protocol, even if they do with earlier protocol versions. Thus, for the best results, you will want to test separately for TLS 1.3 and everything else—or separately for every supported protocol. This is another case in which automation is the better choice.

To test for server suite preference, you first need to have some idea of what suites are supported. For example, you could have the complete list of supported suites. Alternatively, you can probe the server with different suite types—for example, those that use ECDHE versus DHE or RSA key exchange.

With two suites in hand, you need to initiate two connections, first offering one of the suites as your first choice, then the other:

    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 \
        -ciphersuites 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384' 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -tls1_3 \
        -ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' 2>/dev/null | grep New
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

If you see the same suite negotiated on both connections, that means that the server is configured to actively select negotiated suites. Otherwise, it isn't. The server in the previous example is one of those TLS 1.3 servers that doesn't enforce preference. That very same server does have a preference with TLS 1.2; we can see that it always selects a better suite, even when we push it to the end of our list:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'ECDHE+AESGCM RSA' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'ECDHE+AESGCM RSA +ECDHE' 2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

When it comes to server suite preference testing, the ChaCha20 suites are best avoided. This is because some servers support another type of preference, where they treat AES-GCM and ChaCha20 suites as equal in terms of security and respect client preference as a special case. The idea is that the client will prefer the faster cipher suite, which is typically ChaCha20 for mobile devices and AES-GCM for desktops.

That said, with servers that support this type of preference, you may want to test if it's working correctly. To do that, you'll need to use three supported cipher suites and three tests. The purpose of the first two tests is to establish that the server selects its favorite suite when ChaCha20 is not involved:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305' \
        2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305' \
        2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256

If you see that the server responds with the same suite in both cases, you can submit another test with a supported ChaCha20 suite first. If you see the server selecting it, you know it's configured to support the client-preferred suite:

    $ echo | openssl s_client -connect www.hardenize.com:443 -no_tls1_3 \
        -cipher 'ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256' \
        2>/dev/null | grep New
    New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305

Testing Named Groups

Named groups are predefined cryptographic parameters that are used for key exchange. In TLS 1.3, named groups include both elliptic curve (EC) and finite field (DH) parameters. TLS 1.2 and earlier generally use only predefined elliptic curves; the server provides DH parameters on every connection. In a handshake, the client and server have to agree on a common named group over which the key exchange will take place, and it's important that the selected group satisfies desired security requirements.

In practice, there is seldom a need to test servers for named groups. Although there's a fair number of named groups in various RFCs, OpenSSL is probably the only major client to have extensive support. Historically, you could only use NIST's P-256 and P-384 EC groups because these were the only widely supported curves. Relatively recently, X25519 and X448 groups were added as an alternative. Because all these curves are strong, there is little need to spend time thinking about them.

You may find yourself testing named group configuration usually to understand what your web server is doing. For example, you may care about X25519 and want to ensure it's available and preferred. To test for this, use the s_client tool and the -curves switch. For example, here's how to determine if a single named group is supported:

    $ echo | openssl s_client -connect hardenize.com:443 -curves X25519 2>/dev/null | grep "Server Temp Key"
    Server Temp Key: X25519, 253 bits

On success, you will see the named group in the output, because that's the group that was selected for the handshake. On failure, you may see no output, which means that the handshake failed. Alternatively, the server, unable to negotiate an ECDHE suite, may fall back to a DHE suite, indicated by the following output:

    Server Temp Key: DH, 2048 bits

If you need to test for named group preference, you need to offer two or more named groups, with your preferred one last. If you see it negotiated, that will mean that the server actively chooses the group it considers most appropriate. Use colons to separate the groups and be aware that the names are case-sensitive.

    $ echo | openssl s_client -connect hardenize.com:443 -curves prime256v1:X25519 2>/dev/null | grep "Server Temp Key"
    Server Temp Key: X25519, 253 bits

Note: You can get the complete list of elliptic curves supported by OpenSSL using the ecparam tool and the -list_curves switch. To that list, add X25519 and X448. Support for finite field groups is currently not available but should arrive with OpenSSL 3.0.

Testing DANE

DNS-based Authentication of Named Entities (DANE) is a set of standards that enables you to endorse the TLS certificates you use via DNS configuration. For this to work, DANE requires DNS itself to be secure, which means that DNSSEC is necessary. Therefore, DANE is essentially a mechanism for pinning; only the certificates you approve will be accepted as valid by DANE-enabled clients. DANE itself is not controversial, but DNSSEC, on which it relies, is a very divisive topic, with the world split between those who love it and those who hate it. As a result, DANE is currently not universally supported. It's more commonly used to secure SMTP servers; there is no support at the browser level.

Supporting DANE adds some complexity to your TLS deployments because of the way DNS configuration is propagated and cached. Before you use a new certificate you need to ensure that your new DNS configuration (endorsing that certificate) is fully propagated. Thus, you would typically first publish your DNS changes, wait for a period of time sufficient for the caches to clear, and only then deploy the certificates.

The testing itself is straightforward; you use the s_client tool while feeding it DANE data. This is handy because it enables you to test a connection even before making DNS changes. First, let's see what DANE configuration looks like. DANE stores configuration in TLSA resource records, using two prefix labels to indicate the protocol and port:

    $ host -t TLSA _25._tcp.mail.protonmail.ch
    _25._tcp.mail.protonmail.ch has TLSA record 3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1
    _25._tcp.mail.protonmail.ch has TLSA record 3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09E11E979E

This output contains two endorsements, one per certificate. Having two endorsements is not unusual. For example, perhaps you might have a service that uses two certificates (e.g., one with an RSA key and another with an ECDSA key), or you have a backup certificate, or you're simply in a transitional period when you're switching certificates. The three numbers at the beginning indicate that the endorsement targets the certificate directly (3) via its public key (1) and a SHA256 hash (1). The rest of the data is the hash itself.

To test, you connect to the SMTP service while providing the DANE data using the -dane_tlsa_domain and -dane_tlsa_rrdata switches:

    $ openssl s_client -starttls smtp \
        -connect mail.protonmail.ch:25 \
        -dane_tlsa_domain mail.protonmail.ch \
        -dane_tlsa_rrdata "3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1"

If the verification is successful, you will see something like this in the output:

    ---
    SSL handshake has read 5209 bytes and written 433 bytes
    Verification: OK
    Verified peername: *.protonmail.ch
    DANE TLSA 3 1 1 ...8f7d10a4469a947acc8399e1 matched EE certificate at depth 0
    ---

If you'd like to test for validation failure, just break the supplied hash. The result will be similar to the following output:

    ---
    SSL handshake has read 5209 bytes and written 433 bytes
    Verification error: No matching DANE TLSA records
    ---

For the best results, when testing DANE in this way, always provide all known TLSA records (one per -dane_tlsa_rrdata switch). If you do, services that use multiple certificates simultaneously will check out no matter what certificate is negotiated. For TLS 1.2 and earlier, it's possible to force a particular certificate via a choice of client-supported cipher suites (the -cipher switch). TLS 1.3 suites are different, and for this protocol version you would need to use the -sigalgs switch with a value such as ecdsa_secp256r1_sha256 or rsa_pss_rsae_sha256.

Testing Session Resumption

When coupled with the -reconnect switch, the s_client command can be used to test session reuse. In this mode, s_client will connect to the target server six times. It will create a new session on the first connection, then try to reuse the same session in the subsequent five connections:

    $ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect

Note: Due to a bug in OpenSSL, at the time of writing session resumption testing doesn't work in combination with TLS 1.3. Until the bug is resolved, the best you can do is test the earlier protocol versions. Use the -no_tls1_3 switch.

The previous command will produce a sea of output, most of which you won't care about. The key parts are the information about new and reused sessions. There should be only one new session at the beginning, indicated by the following line:

    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

This is followed by five session reuses, indicated by lines like this:

    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Most of the time, you don't want to look at all that output and want an answer quickly. You can get it using the following command line:

    $ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect 2>/dev/null | grep 'New\|Reuse'
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Here's what the command does:

- The -reconnect switch activates the session reuse mode.
- The 2>/dev/null part hides stderr output, which you don't care about.
- Finally, the piped grep command filters out the rest of the fluff and lets through only the lines that you care about.
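The grep above still leaves you to count the lines by eye. As an added example (not from the cookbook), the following shell function reads the same -reconnect output from stdin and turns it into a pass/fail verdict, flagging the case where a later connection comes back as New, which means that one resumption attempt failed. The openssl binary is assumed to be on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL Cookbook): classify "s_client -reconnect"
# output. Exit status 0 only when the first connection is New and every later
# connection is Reused; any later New means the server dropped the session.
resumption_report() {
    awk '
    BEGIN { i = 0; news = 0; reused = 0; late = 0; failed = 0 }
    /^(New|Reused),/ {
        split($0, f, ",")                       # f[1] is "New" or "Reused"
        i++
        printf "connection %d: %s\n", i, f[1]
        if ($0 ~ /\(NONE\)/) {                  # "New, (NONE), Cipher is (NONE)": no handshake at all
            print "handshake failed"; failed = 1; exit 1
        }
        if (f[1] == "New") { news++; if (i > 1) late++ }
        else reused++
    }
    END {
        if (failed) exit 1
        if (i == 0) { print "no handshake lines found"; exit 1 }
        if (news == 1 && late == 0 && reused > 0) {
            printf "verdict: resumed %d of %d\n", reused, i - 1
            exit 0
        }
        printf "verdict: resumption FAILED (%d new, %d reused)\n", news, reused
        exit 1
    }'
}

# Usage: tls_resumption host [port]. -no_tls1_3 is passed because, as the note
# above says, -reconnect does not exercise TLS 1.3 resumption at the time of writing.
tls_resumption() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" -no_tls1_3 -reconnect 2>/dev/null \
        | resumption_report
}
```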
Note: If you don't want to include session tickets in the test—for example, because not all clients support this feature yet—you can disable this method of resumption using the -no_ticket switch. This option doesn't apply to TLS 1.3.

Keeping Session State across Connections

If you need better control over resumption, the s_client tool provides options to persist the connection state to a file. On your first connection, use the -sess_out switch to record the state:

    $ openssl s_client -connect www.feistyduck.com:443 -sess_out sess.pem

To view the recorded state, use the sess_id tool:

    $ openssl sess_id -in sess.pem -noout -text
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
        Session-ID: F7384C2C4BE621F66045ECE12A89821FEE789C2E75B78C90C428BE37E0FE4599
        Session-ID-ctx:
        Master-Key: 9D39C582D9AA1618B2F16C7911C4BFFB61D6D1FD578A93B1145FD2B4DBFDE76EB2279BA50AEFFCD95320BEEBC9489FAF
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 64800 (seconds)
        TLS session ticket:
        0000 - a2 d3 e3 04 03 21 85 6d-1a 4f 9c 82 fc 4e 15 e0   .....!.m.O...N..
        0010 - 9b b8 b1 24 0d 95 a3 0a-b8 24 d4 f5 d2 be b8 56   ...$.....$.....V
        0020 - b2 f0 e9 c5 e5 53 31 b5-24 74 96 ba e4 56 32 68   .....S1.$t...V2h
        0030 - fe bb 7a 7f 28 d7 c4 19-6a c5 ca 22 3a a7 2d 45   ..z.(...j..":.-E
        0040 - 52 91 74 f7 a8 fa 75 40-02 b9 84 9c 84 0d a8 06   R.t...u@........
        0050 - c7 a1 65 af 8b 54 19 74-52 e8 c4 f4 47 1c 3f f0   ..e..T.tR...G.?.
        0060 - 46 35 1a 3c a9 a5 73 30-33 b7 20 bd dc 8a b8 f9   F5.<..s03. .....
        [...]

        Start Time: 1602414785
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
        Extended master secret: no

Finally, [...] allows you to completely change connection parameters from one connection to another. For example, [...] your second [...]. This may be of use when you need to test if session resumption is correctly implemented on a web server cluster. Manual control of your connections allows you to spread them over time [...] rotation.

Checking OCSP Revocation

If an OCSP responder is malfunctioning, [...] why. Checking certificate revocation status from the command line is possible, [...] not quite straightforward. You need to perform the following steps:

1. Obtain the certificate that you wish to check for revocation.
2. Obtain the issuing certificate.
3. Determine the URL of the OCSP responder.
4. Submit an OCSP request and observe the response.

For the first two steps, [...] switch specified: [...] certificate chain is properly configured [...] issuer. To confirm [...] of the second:

    Certificate chain
    [...]
       i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    [...]
    -----END CERTIFICATE-----
    [...] RSA Certification Authority
    [...]

[...] servers don't [...] certificate in the chain [...] look for the Authority Information Access extension in the leaf certificate:

    Authority Information Access:
        CA Issuers - URI:http://[...].crt
        OCSP - URI:http://[...]

[...] URL of the issuer certificate. If the issuer certificate information isn't [...], you can try to open the site in a browser [...] the issuing certificate from its certificate viewer. If all that fails, [...] the certificate in your trust store or visit the CA [...] responder [...] command as a shortcut:

    [...] http://[...] [...] issuer.crt [...]
    WARNING: no nonce in response
    Response verify OK
    fd.crt: good
        This Update: Aug 30 22:35:12 2020 GMT
        Next Update: Sep  6 22:35:12 2020 GMT

You want to look for two things in the response. First, [...] is valid [...]. [...] check what the response said. When you see good as the status, [...] means that the certificate hasn't [...] revoked [...] for revoked certificates.

Note: The warning message about the missing nonce is telling you that OpenSSL wanted to use a nonce as a protection against replay attacks [...] not reply with one. This generally happens because CAs want to improve the performance of their OCSP responders. When they disable the nonce protection, [...] standard allows it [...] reused for a period of time.

You may encounter OCSP responders that do not respond successfully to the previous command line. The following suggestions may help in such situations.

- Do not request a nonce. Some servers cannot handle nonce requests and respond with errors. OpenSSL will request a nonce by default. To disable nonces, [...].
- [...] correct hostname in the Host header. [...] encounter an error message that includes an HTTP error code, [...] adding the hostname to your OCSP request. You can do this with the help of the -header switch.

With the previous two points in mind, [...] following:

    [...] issuer.crt -no_nonce -header Host ocsp.comodoca.com

Testing OCSP Stapling

OCSP stapling is an optional feature that allows a server certificate to be accompanied by an OCSP response that proves its validity. Because the OCSP response is delivered over an already existing connection, [...] separately. OCSP stapling is used only if requested by a client, [...] status_request extension in the handshake request. A server that supports OCSP stapling will respond by including an OCSP response as part of the handshake. When using the s_client tool, [...] output. For example, [...] near the top of the output:

    CONNECTED(00000003)
    OCSP response: no response sent

With a server that does support stapling, [...] output:

    OCSP Response Data:
        OCSP Response Status: successful
        Response Type: Basic OCSP Response
        Version: 1
        Responder Id: 90af6a3a945a0bd890ea125673df43b43a28dae7
        Produced At: Aug 30 22:35:12 2020 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7ae13ee8a0c42a2cb428cbe7a605461940e2a1e9
          Issuer Key Hash: 90af6a3a945a0bd890ea125673df43b43a28dae7
          Serial Number: f47f09b599124b1f08846ac4d71eb0f2
        Cert Status: good
        [...]
        Next Update: Sep  6 22:35:12 2020 GMT
        Signature Algorithm: sha256WithRSAEncryption

[...] revoked.

Checking CRL Revocation

Checking certificate verification with a Certificate Revocation List [...] process is as follows:

1. Obtain the certificate you wish to check for revocation.
2. Obtain the issuing certificate.
3. Download and verify the CRL.
4. Look for the certificate serial number in the CRL.

The first steps overlap with OCSP checking in the section called [...]. [...] Distribution Points [...]:

    URI:http://[...]

[...] then fetch the CRL from the CA:

    [...]
    verify OK

Now [...]:

    serial=F47F09B599124B1F08846AC4D71EB0F2

At this point, you can convert the CRL into a human-readable format and inspect it manually:

    Certificate Revocation List (CRL):
        Version 2
        [...]
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = [...]
        Last Update: Aug 31 07:52:03 2020 GMT
        Next Update: Sep  7 07:52:03 2020 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:3a:28:da:e7
            X509v3 CRL Number:
                [...]
    Revoked Certificates:
        Serial Number: 70dab4b3229280f04364bc58db2ab922
            Revocation Date: May 29 12:18:27 2017 GMT
        Serial Number: 51894d40389cdab84a7a6f3374e1d893
            Revocation Date: May 30 23:20:55 2017 GMT
    [...]

[...] certificates [...]. [...] the serial number of the server certificate is on the list [...] revoked. If you don't [...] long [...] crl tool. For example:

    [...]eb0f2

Testing Renegotiation

[...] in TLS [...] weaknesses [...] renegotiation [...] protocol revisions. The s_client tool has a couple of features that can assist you with manual testing of renegotiation. First of all, [...] the remote server supports secure renegotiation. This is because a server that supports secure renegotiation indicates its support for it via a special TLS extension that is exchanged during the handshake phase. When support is available, [...] like this:

    New, [...]
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    [...]

[...] different:

    Secure Renegotiation IS NOT supported

Note: Because TLS 1.3 doesn't [...], the tool will always give a negative answer if this protocol version is negotiated. To ensure reliable results, [...] negotiation of an earlier protocol version.

Even if the server indicates support for secure renegotiation, [...] whether it also allows clients to initiate renegotiation. Client-initiated renegotiation is a protocol feature that doesn't [...] practice [...] makes the server more susceptible to denial of service attacks. To initiate renegotiation, [...] R character on a line by itself. For example, [...] talking to an HTTP server [...] a web server that supports client-initiated renegotiation:

    GET [...]
    R
    RENEGOTIATING
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    [...] Validation Server CA [...]
    [...] California [...] Mozilla Foundation [...]
host:addons.mozilla.org http content-type:text date:mon location: strict-transport-security:max-age="31536000" content-length:49 connection:close movedpermanently.redirectingto clientagain.youcanseetheverificationofthecertificatechainintheoutput.the nextlineafterthatcontinueswiththehostrequestheader.seeing thewebserver variouswaystherenegotiationissuewasaddressedinvariousversionsofssl libraries keepitopenbutrefusetocontinuetotalkoverit timeout ontheconnection:head _pkt.c:592:atthetimeofwriting don successfulwithaserverthatdoesn theserversupportsinsecureclient-initiatedrenegotiation.notethemostreliablewaytotestforinsecurerenego tiationistousethemethod describedinthissection thediscoveryofinsecurerenegotiation isasmallnumberofserversthatsupportbothsecureandinsecurerenegotiation. thisvulnerabilityisdifficulttodetectwithmodernversionsofopenssl alwayspreferthesecureoption.testingforheartbleedyoucantestforheartbleedmanuallywithopensslorbyusingo neofthetools designedforthispurpose.therearenowmanyutilitiesavailable veryeasytoexploit.but accuracy.thereisevidencethatsometoolsfailtodetectvulnerableservers.29giventheseriousnessofheartbleed usingatoolthatgivesyoufullvisibilityoftheprocess.iamgoingtodescribean approachyoucanusewithonlyamodifiedversionofopenssl.somepartsofthetestdon versionthatsupportstheheartbeatprotocol forexample connecting: connected tlsserverextension>
    TLS server extension "EC point formats" (id=11), len=4
    0000 - 03 00 01 02                                       ....
    TLS server extension "session ticket" (id=35), len=0
    TLS server extension "heartbeat" (id=15), len=1
    0000 - 01
    [...]

A server that does not return the heartbeat extension is not vulnerable to Heartbleed.

To test if a server responds to heartbeat requests, use the -msg switch to request that protocol messages are shown, connect to the server, wait until the handshake completes, then type B and press return:

    $ openssl s_client -connect www.feistyduck.com:443 -tlsextdebug -msg
    [...]
    ---
    B
    HEARTBEATING
    >>> TLS 1.2 [length 0025], HeartbeatRequest
        01 00 12 00 00 3c 83 1a 9f 1a 5c 84 aa 86 9e 20
        c7 a2 ac d7 6f f0 c9 63 9b d5 85 bf 9a 47 61 27
        d5 22 4c 70 75
    <<[...]
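The HeartbeatRequest bytes above are a convenient place to see what the Heartbleed fix actually checks. As an added example (not code from the book), this Python decodes that exact request according to the RFC 6520 message layout and discards any message whose declared payload length does not fit in the record, which is the check a patched server applies before echoing a payload.

```python
"""Decode a TLS heartbeat message (RFC 6520) and apply the length check
that a fixed implementation performs before answering it."""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding

# The 37-byte HeartbeatRequest printed by s_client -msg above
# ("length 0025" in the record header).
REQUEST_HEX = (
    "01001200003c831a9f1a5c84aa869e20"
    "c7a2acd76ff0c9639bd585bf9a476127"
    "d5224c7075"
)


def parse_heartbeat(msg: bytes):
    """Return (type, payload, padding), or None if the message must be discarded.

    RFC 6520 requires the receiver to silently drop a message whose declared
    payload_length does not fit in the record together with MIN_PADDING bytes
    of padding. Vulnerable OpenSSL builds skipped this check and echoed
    payload_length bytes from memory (Heartbleed).
    """
    if len(msg) < 3 + MIN_PADDING:
        return None
    hb_type, payload_len = struct.unpack("!BH", msg[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 3 + payload_len + MIN_PADDING > len(msg):
        return None  # claimed payload is longer than what was received
    payload = msg[3:3 + payload_len]
    return hb_type, payload, msg[3 + payload_len:]


def build_response(request: bytes):
    """Answer a valid HeartbeatRequest by echoing only the verified payload."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
    return header + payload + os.urandom(MIN_PADDING)


if __name__ == "__main__":
    hb_type, payload, padding = parse_heartbeat(bytes.fromhex(REQUEST_HEX))
    print(f"type={hb_type} payload={payload.hex()} padding={len(padding)} bytes")
```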