Monday, May 2, 2016

SslTroubleShooting

SSL 동작 확인


CURL 이용

$ curl -v -o /dev/null https://facebook.com

* About to connect() to facebook.com port 443 (#0)
*   Trying 173.252.110.27... connected
* Connected to facebook.com (173.252.110.27) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
*       subject: CN=*.facebook.com,O="Facebook, Inc.",L=Palo Alto,ST=California,C=US
*       start date:  621 00:00:00 2012 GMT
*       expire date: 1231 23:59:59 2013 GMT
*       common name: *.facebook.com
*       issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU="VeriSign, Inc.",O=VeriSign Trust Network
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: facebook.com
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 301 Moved Permanently
< Location: https://www.facebook.com/
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: Pa57tDp1kmdZ5sUEZeCJAHkYs58+0jXIm6rFl1xZJ04=
< Date: Mon, 05 Aug 2013 09:47:36 GMT
< Connection: keep-alive
< Content-Length: 0
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connection #0 to host facebook.com left intact

* Closing connection #0

openssl 이용

$ openssl s_client -connect facebook.com:443 -showcerts

depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "Facebook, Inc.", CN = *.facebook.com
verify return:1
CONNECTED(00000003)
.
.
.
Server certificate
subject=/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 2198 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 82FC7E105FE2749FA1AC20793891CBFA6C399D1E4A12D3E0A782F160B882BC1D
    Session-ID-ctx:
    Master-Key: 08C1914199F644CAB85E3B8F749B1A85C05D8226E8EFD7373D9E9E958F68CEDD51E8593E893BD472C6C660A45449E0F0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 86000 (seconds)
    TLS session ticket:
    0000 - 9d da 29 68 96 e4 b9 fe-9d ed cc 27 d5 15 a2 f6   ..)h.......'....
    0010 - a6 dc 77 cb ee 93 61 f7-db 32 97 06 27 e9 4a 97   ..w...a..2..'.J.
    0020 - a4 54 10 38 85 7f bd 9a-82 1e 8a 41 ec 1b d1 32   .T.8.......A...2
    0030 - a7 ee 98 44 a4 70 ab 27-d6 11 79 c0 b3 3a 1f 4f   ...D.p.'..y..:.O
    0040 - ed 32 7b 1e a2 f8 e6 97-fc 15 1a 1e 96 d3 19 0a   .2{.............
    0050 - e8 e6 15 8d 3d 67 5d 50-92 fa 97 4c 1b ae a3 00   ....=g]P...L....
    0060 - f2 ba 2a 6c ea fe 47 09-7e e8 e4 87 98 cb a4 56   ..*l..G.~......V
    0070 - ce eb e0 eb 93 e6 13 ac-20 a9 a1 a0 8d 9e 1a 9a   ........ .......
    0080 - 0c fc cd ea 94 3e 2e 06-8a cd 31 16 8c b6 23 a4   .....>....1...#.
    0090 - 5e a7 10 d3 ad 45 b4 04-ee 94 9b 76 0a a5 2a f9   ^....E.....v..*.
    00a0 - 7f e6 bf c6 39 c7 65 75-d9 2e e6 7d 05 55 dd 7a   ....9.eu...}.U.z

    Start Time: 1375696759
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

SSL 에러 예제


Client 인증서 에러

$curl -v -o /dev/null https://example.com

* About to connect() to example.com port 443 (#0)
*   Trying 10.10.10.18... connected
* Connected to example.com (10.10.10.18) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=Thawte SSL CA,O="Thawte, Inc.",C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Client 인증서 설정(Apache)

SSLCACertificateFile /etc/pki/CA/certs/ca.crt

Client 인증서 설정(Nginx)

ssl_client_certificate /etc/pki/CA/certs/ca.crt;
ssl_verify_client optional;

SSL Cipher 지원 확인


openssl 이용

$ openssl s_client -connect google.com:443 -tls1_2

.
.
.
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
.
.
.

nmap 이용

$ nmap --script ssl-enum-ciphers -p 443 google.com

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (9)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (9)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (9)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (17)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
.
.
.
|     Compressors (1)
|_      uncompressed


Post a Comment