在Linux中,使用OpenSSL进行SSL握手测试可以帮助您检查服务器的SSL/TLS配置和证书。以下是使用OpenSSL进行SSL握手测试的步骤:
打开终端。
使用以下命令连接到服务器(将your_server_address替换为您要测试的服务器的IP地址或域名,将your_port替换为SSL/TLS端口,通常为443):
openssl s_client -connect your_server_address:your_port
例如:
openssl s_client -connect www.example.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
0 s:CN = www.example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbK7TjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
...
-----END CERTIFICATE-----
subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3544 bytes and written 434 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
-debug选项:openssl s_client -connect your_server_address:your_port -debug
-tls1_2、-tls1_3等选项指定版本:openssl s_client -connect your_server_address:your_port -tls1_2
-cipher选项指定密码套件:openssl s_client -connect your_server_address:your_port -cipher AES256-SHA256
通过这些步骤,您可以使用OpenSSL在Linux中进行SSL握手测试。根据输出结果,您可以检查服务器的SSL/TLS配置、证书和加密套件。
