OpenSSL
While I still remember, I want to say a bit more about the OpenSSL utility, as a follow-up to the example on testing a TLS connection. Today I'll show how OpenSSL can verify that a secure connection to a website is set up correctly.
I moved this site to Jekyll CMS and wanted to make sure that the hosting provider, Netlify, had correctly created the certificate after the DNS switch.
The only difference from my previous OpenSSL example is that we specify the standard HTTPS port, 443:
greys@maverick:~ $ openssl s_client -connect www.unixtutorial.ru:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = ca, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.com
verify return:1
Certificate chain
0 s:/C=US/ST=ca/L=San Francisco/O=Netlify, Inc/CN=*.netlify.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Server certificate
subject=/C=US/ST=ca/L=San Francisco/O=Netlify, Inc/CN=*.netlify.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
SSL handshake has read 3407 bytes and written 289 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: DA5D473C1896A1F1A2714F88E3D6AA70D3B3E90B1F15AECDC20F2AB1B0A89FFF
Session-ID-ctx:
Master-Key: 862C7889A4F0A1C44E165D592F004D11C7A5E3AAEE6B897F32DB4789683988656920A5D2CCF8326477408F85DC9F299B
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1584575518 Timeout : 7200 (sec)
Verify return code: 0 (ok)
^C
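In the transcript above the chain verifies (return code 0) while the certificate's CN is *.netlify.com, not the requested www.unixtutorial.ru; by default s_client validates the chain but does not compare the certificate name with the host, and older builds send no SNI unless -servername is given. The script below is an added example, not part of the original post: it parses saved s_client output and performs that name comparison. Its function names are hypothetical, the sample is abridged from the transcript, and it checks only the subject CN because the transcript shows no SAN list.

```shell
#!/bin/sh
# Added example: inspect saved `openssl s_client` output for one hostname.
# Live capture (needs network), with SNI so the server can pick the site's cert:
#   openssl s_client -connect "$h:443" -servername "$h" </dev/null >out.txt 2>&1

# Constructed sample: lines abridged from the transcript on this page.
SAMPLE='depth=0 C = US, ST = ca, L = San Francisco, O = "Netlify, Inc", CN = *.netlify.com
verify return:1
subject=/C=US/ST=ca/L=San Francisco/O=Netlify, Inc/CN=*.netlify.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 0 (ok)'

# subject_cn OUTPUT: CN from the "subject=" line ("/CN=x" or "CN = x" style).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^/,]*\).*$/\1/p' | head -n 1
}

# verify_code OUTPUT: numeric chain verification result (0 means ok).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# name_matches HOST PATTERN: exact match, or "*.domain" covering exactly one
# leftmost label. Simplification: real clients check the SAN list first.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*) [ "${host#*.}" = "${pat#\*.}" ] && [ "${host%%.*}" != "$host" ] ;;
        *)    [ "$host" = "$pat" ] ;;
    esac
}

# check_output HOST OUTPUT: returns 0 only if chain AND name are both good.
check_output() {
    code=$(verify_code "$2")
    cn=$(subject_cn "$2")
    if [ "$code" != "0" ]; then
        echo "FAIL: chain verification code ${code:-missing}"; return 1
    fi
    if ! name_matches "$1" "$cn"; then
        echo "FAIL: chain ok, but CN '$cn' does not cover '$1'"; return 2
    fi
    echo "OK: chain verified and CN '$cn' covers '$1'"
}

check_output www.unixtutorial.ru "$SAMPLE" || true
```

Where the installed OpenSSL supports it, adding -verify_hostname to the s_client command makes openssl perform the name check itself.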