How to: debug SSL certificate problems from the shell prompt
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and the related cryptography standards required by them.
It also includes the openssl command, which offers a rich set of subcommands; you can use that same command to debug SSL certificate problems.
To test a secure connection to a server, type the following command at the shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,
- s_client: This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only rudimentary interface functionality, but internally it uses mostly all functionality of the OpenSSL ssl library. You can also connect to a secure mail server (e.g. POP3S ~ 995) or a web server port (443) and issue commands.
For example, to connect to www.example.com on port 443, type:
openssl s_client -connect www.example.com:443
Output:
CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
   i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw
FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6
MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw
MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl
cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM
dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2
ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz
2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY
Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck
n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW
BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U
xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz
aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx
GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA
bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5
MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP
ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w==
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.example.com/emailAddress=vivek@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
    Session-ID-ctx:
    Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
    Key-Arg   : None
    Start Time: 1192732059
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Using grep you can see the SSL and TLS connection handshake, the security negotiation, the public key, and the transfer of the digital certificate and key information to the client:
$ openssl s_client -state -nbio -connect www.example.com:443 2>&1 | grep "^SSL"
Output:
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1066 bytes and written 316 bytes
SSL-Session:
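As an added example that is not part of the original article, the following shell script parses saved s_client output of the kind shown above and reports the "Verify return code", whether the leaf certificate is self-signed (subject DN equal to issuer DN, as in the num=18 case), and every "verify error:" line; the host name and both sample outputs are constructed.

```shell
# Added example, not part of the original article: parse saved "openssl s_client"
# output and report what certificate verification said. Capture real output with
#   openssl s_client -connect www.example.com:443 </dev/null >out.txt 2>&1
# and pass it in as check_output "$(cat out.txt)".

# Constructed sample, abbreviated from the self-signed case shown above.
SELF_SIGNED='CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/O=My Company Ltd/CN=*.example.com
verify error:num=18:self signed certificate
verify return:1
subject=/C=IN/ST=Berkshire/O=My Company Ltd/CN=*.example.com
issuer=/C=IN/ST=Berkshire/O=My Company Ltd/CN=*.example.com
    Verify return code: 18 (self signed certificate)'
# Constructed sample of a chain that verified against a trusted CA.
CA_SIGNED='CONNECTED(00000003)
depth=1 /C=IN/O=Example Root CA/CN=Example Root CA
verify return:1
subject=/C=IN/O=My Company Ltd/CN=www.example.com
issuer=/C=IN/O=Example Root CA/CN=Example Root CA
    Verify return code: 0 (ok)'

# Numeric "Verify return code": 0 means the chain verified, 18 is self signed.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'
}

# "self-signed" when the subject DN equals the issuer DN, otherwise "ca-signed".
issuer_kind() {
    subj=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
    iss=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-signed; fi
}

# Every "verify error:" line, so a failure at any depth of the chain is visible.
verify_errors() {
    printf '%s\n' "$1" | grep '^verify error:' | cut -d: -f2- || true
}

# Print a one-line verdict and the errors; return 0 only if verification succeeded.
check_output() {
    code=$(verify_code "$1")
    echo "verify return code: ${code:-unknown} ($(issuer_kind "$1"))"
    verify_errors "$1"
    [ "$code" = "0" ]
}

for out in "$SELF_SIGNED" "$CA_SIGNED"; do
    if check_output "$out"; then echo "=> chain verified"; else echo "=> chain NOT verified"; fi
done
```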
Further reading:
=> OpenSSL man pages and documentation.