Visualizza i pacchetti di crittografia richiesti dal browser da OpenSSL

3

Ho installato OpenSSL localmente e ho utilizzato il comando s_server per avviare un server utilizzando anche un certificato autofirmato creato da OpenSSL.

Il comando che ho usato per avviare un server https è OpenSSL> s_server -accept 443 -www -cert c:\temp\test_server.crt -key c:\temp\test_server.key . Ho puntato il mio browser su di esso e posso vedere un elenco di cifrari supportati dal server e cifrature selezionate (Cipher comune tra entrambi gli endpoint SSL).

Sono curioso che esista un modo per visualizzare l'elenco di cifrari preferito inviato dal browser?

    
posta hardywang 12.08.2014 - 20:16
fonte

2 risposte

2

Utilizza "-brief"

Devi utilizzare l'opzione della riga di comando -brief :

$ openssl s_server -accept 443 -cert cacert.pem -key cakey.pem -brief

Output:

Protocol version: TLSv1.2
Client cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:0xCC14:0xCC13:0xCC15:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:SCSV
Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256
Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
No peer certificate
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384
Protocol version: TLSv1.2
Client cipher list: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:0xCC14:0xCC13:0xCC15:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:SCSV
Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256
Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
No peer certificate
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384
GET / HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch

Nota: "-brief" non significa "breve"

La riga Client cipher list: è NON visualizzata quando ometti l'opzione -brief .

Sfortunatamente la documentazione s_server fornisce solo informazioni errate / fuorvianti su questo parametro:

-brief  
  only provide a brief summary of connection parameters instead of the normal verbose output.

Sì, è giusto, per ottenere maggiori informazioni, è necessario utilizzare il parametro "dammi meno informazioni" . (OpenSSL è bizzarro con le sue opzioni da linea di comando in questo modo.)

Ulteriori letture

C'era una discussione su questo nella mailing list OpenSSL e uno sviluppatore ha fornito le informazioni sul parametro -brief :

risposta data 09.07.2015 - 11:56
fonte
0

Non sono sicuro che questo sia esattamente quello che stai cercando, ma s_server invierà l'elenco completo dei cipher così come i codici comuni condivisi tra gli endpoint quando tenti di accedere al server:

openssl s_server -accept 443 -www -cert /etc/ssl/certs/server.crt -key /etc/ssl/private/server.key

Questo è il dato inviato al client (Firefox, in questo caso):

s_server -accept 443 -www -cert /etc/ssl/certs/server.crt -key /etc/ssl/private/server.key -state 
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1/SSLv3:ECDHE-RSA-AES256-GCM-SHA384TLSv1/SSLv3:ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDHE-RSA-AES256-SHA384  TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA384
TLSv1/SSLv3:ECDHE-RSA-AES256-SHA     TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA   
TLSv1/SSLv3:SRP-DSS-AES-256-CBC-SHA  TLSv1/SSLv3:SRP-RSA-AES-256-CBC-SHA  
TLSv1/SSLv3:DHE-DSS-AES256-GCM-SHA384TLSv1/SSLv3:DHE-RSA-AES256-GCM-SHA384
TLSv1/SSLv3:DHE-RSA-AES256-SHA256    TLSv1/SSLv3:DHE-DSS-AES256-SHA256    
TLSv1/SSLv3:DHE-RSA-AES256-SHA       TLSv1/SSLv3:DHE-DSS-AES256-SHA       
TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA  TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA  
TLSv1/SSLv3:ECDH-RSA-AES256-GCM-SHA384TLSv1/SSLv3:ECDH-ECDSA-AES256-GCM-SHA384
TLSv1/SSLv3:ECDH-RSA-AES256-SHA384   TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA384 
TLSv1/SSLv3:ECDH-RSA-AES256-SHA      TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA    
TLSv1/SSLv3:AES256-GCM-SHA384        TLSv1/SSLv3:AES256-SHA256            
TLSv1/SSLv3:AES256-SHA               TLSv1/SSLv3:CAMELLIA256-SHA          
TLSv1/SSLv3:PSK-AES256-CBC-SHA       TLSv1/SSLv3:ECDHE-RSA-DES-CBC3-SHA   
TLSv1/SSLv3:ECDHE-ECDSA-DES-CBC3-SHA TLSv1/SSLv3:SRP-DSS-3DES-EDE-CBC-SHA 
TLSv1/SSLv3:SRP-RSA-3DES-EDE-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA     
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA     TLSv1/SSLv3:ECDH-RSA-DES-CBC3-SHA    
TLSv1/SSLv3:ECDH-ECDSA-DES-CBC3-SHA  TLSv1/SSLv3:DES-CBC3-SHA             
TLSv1/SSLv3:PSK-3DES-EDE-CBC-SHA     TLSv1/SSLv3:ECDHE-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDHE-ECDSA-AES128-GCM-SHA256TLSv1/SSLv3:ECDHE-RSA-AES128-SHA256  
TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA256TLSv1/SSLv3:ECDHE-RSA-AES128-SHA     
TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA   TLSv1/SSLv3:SRP-DSS-AES-128-CBC-SHA  
TLSv1/SSLv3:SRP-RSA-AES-128-CBC-SHA  TLSv1/SSLv3:DHE-DSS-AES128-GCM-SHA256
TLSv1/SSLv3:DHE-RSA-AES128-GCM-SHA256TLSv1/SSLv3:DHE-RSA-AES128-SHA256    
TLSv1/SSLv3:DHE-DSS-AES128-SHA256    TLSv1/SSLv3:DHE-RSA-AES128-SHA       
TLSv1/SSLv3:DHE-DSS-AES128-SHA       TLSv1/SSLv3:DHE-RSA-SEED-SHA         
TLSv1/SSLv3:DHE-DSS-SEED-SHA         TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA  
TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA  TLSv1/SSLv3:ECDH-RSA-AES128-GCM-SHA256
TLSv1/SSLv3:ECDH-ECDSA-AES128-GCM-SHA256TLSv1/SSLv3:ECDH-RSA-AES128-SHA256   
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA256 TLSv1/SSLv3:ECDH-RSA-AES128-SHA      
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA    TLSv1/SSLv3:AES128-GCM-SHA256        
TLSv1/SSLv3:AES128-SHA256            TLSv1/SSLv3:AES128-SHA               
TLSv1/SSLv3:SEED-SHA                 TLSv1/SSLv3:CAMELLIA128-SHA          
TLSv1/SSLv3:PSK-AES128-CBC-SHA       TLSv1/SSLv3:ECDHE-RSA-RC4-SHA        
TLSv1/SSLv3:ECDHE-ECDSA-RC4-SHA      TLSv1/SSLv3:ECDH-RSA-RC4-SHA         
TLSv1/SSLv3:ECDH-ECDSA-RC4-SHA       TLSv1/SSLv3:RC4-SHA                  
TLSv1/SSLv3:RC4-MD5                  TLSv1/SSLv3:PSK-RC4-SHA              
TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA      TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA      
TLSv1/SSLv3:DES-CBC-SHA              TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA  
TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA  TLSv1/SSLv3:EXP-DES-CBC-SHA          
TLSv1/SSLv3:EXP-RC2-CBC-MD5          TLSv1/SSLv3:EXP-RC4-MD5              
---
Ciphers common between both SSL end points:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA    
ECDHE-ECDSA-AES128-SHA     ECDHE-RSA-AES128-SHA       ECDHE-RSA-AES256-SHA      
ECDHE-RSA-DES-CBC3-SHA     ECDHE-ECDSA-RC4-SHA        ECDHE-RSA-RC4-SHA         
DHE-RSA-AES128-SHA         DHE-DSS-AES128-SHA         DHE-RSA-CAMELLIA128-SHA   
DHE-RSA-AES256-SHA         DHE-DSS-AES256-SHA         DHE-RSA-CAMELLIA256-SHA   
EDH-RSA-DES-CBC3-SHA       AES128-SHA                 CAMELLIA128-SHA           
AES256-SHA                 CAMELLIA256-SHA            DES-CBC3-SHA              
RC4-SHA                    RC4-MD5
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 
    Session-ID-ctx: 01000000
    Master-Key: 73D6284EC854886CA04376CD40FD7BFF784FA36CDD0212B528803FEA9976679561721E6439D2CA8344BE5E1C74C5F69A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407868267
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   5 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   5 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
no client certificate available
    
risposta data 12.08.2014 - 20:37
fonte

Leggi altre domande sui tag