使用openssl工具测试服务端支持的curves

发表于 2017-04-06   |   分类于 技术

目前的曲线标准一览:

'sect163k1' # K-163
'sect163r1'
'sect163r2' # B-163
'sect193r1'
'sect193r2'
'sect233k1' # K-233
'sect233r1' # B-233
'sect239k1'
'sect283k1' # K-283
'sect283r1' # B-283
'sect409k1' # K-409
'sect409r1' # B-409
'sect571k1' # K-571
'sect571r1' # B-571
'secp160k1'
'secp160r1'
'secp160r2'
'secp192k1'
'prime192v1' # P-192 secp192r1
'secp224k1'
'secp224r1' # P-224
'secp256k1'
'prime256v1' # P-256 secp256r1
'secp384r1' # P-384
'secp521r1' # P-521
'brainpoolP256r1'
'brainpoolP384r1'
'brainpoolP512r1'

测试command例:

echo Q | /usr/bin/timeout 30 /root/bak/https/ssl_test_tool/openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -status  -servername www.example.com -connect www.example.com:8443 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -trusted_first -no_ssl2 -no_ssl3 -curves "sect163k1:sect163r1:sect163r2:sect193r1:sect193r2:sect233k1:sect233r1:sect239k1:sect283k1:sect283r1:sect409k1:sect409r1:sect571k1:sect571r1:secp160k1:secp160r1:secp160r2:secp192k1:prime192v1:secp224k1:secp224r1:secp256k1:prime256v1:secp384r1:secp521r1:brainpoolP256r1:brainpoolP384r1:brainpoolP512r1"

得到的结果:

CONNECTED(00000003)
OCSP response: no response sent
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, OU = Domain Control Validated, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=JP/ST=Kanagawa/L=Yokosuka/O=NTT DOCOMO Inc./OU=R and D Strategy Department/CN=example.ne.jp
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/OU=Domain Control Validated/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/OU=Domain Control Validated/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/OU=Domain Control Validated/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBszELMAkGA1UEBhMCR0Ix
GzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEa
MBgGA1UECgwRQ09NT0RPIENBIExpbWl0ZWQxITAfBgNVBAsMGERvbWFpbiBDb250
cm9sIFZhbGlkYXRlZDE2MDQGA1UEAwwtQ09NT0RPIFJTQSBEb21haW4gVmFsaWRh
dGlvbiBTZWN1cmUgU2VydmVyIENBMB4XDTE3MDQwNjAxNTUxNloXDTE5MDQwNjAx
NTUxNlowgZwxCzAJBgNVBAYTAkpQMREwDwYDVQQIDAhLYW5hZ2F3YTERMA8GA1UE
BwwIWW9rb3N1a2ExGDAWBgNVBAoMD05UVCBET0NPTU8gSW5jLjEkMCIGA1UECwwb
UiBhbmQgRCBTdHJhdGVneSBEZXBhcnRtZW50MScwJQYDVQQDDB52bmZtLWZmLW5m
dm8ubWFuby5kb2NvbW8ubmUuanAwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAER
qoOcfIEyktPC3Ih/tjg0mRJaIETwMO3Oia5L6hcwVMcotlnwIteKLlHXtUIA+JWk
n26mFvIcvFYWwZ8XKjR/FwBydWgZOAurUdD0vUorMnSakbWbxS8YA7zUxqxYTz8g
oCcf1sfTEs3eNXyEv0zOHmcAvaqE61K2s37ZMnfoZlrjIKOBszCBsDAMBgNVHRMB
Af8EAjAAMA4GA1UdDwEB/wQEAwIFoDCBjwYDVR0RBIGHMIGEgh12bmZtLWZmLW9w
cy5tYW5vLmRvY29tby5uZS5qcIIedm5mbS1mZi1uZnZvLm1hbm8uZG9jb21vLm5l
LmpwgiR2bmZtLWZmLXNlcnZlcnZpZXcubWFuby5kb2NvbW8ubmUuanCCHXZuZm0t
ZmYtdm5mLm1hbm8uZG9jb21vLm5lLmpwMA0GCSqGSIb3DQEBCwUAA4IBAQDTm0ly
NASupU+BMvb4SojArokL5B3Xup65mwcsu/RCCtmorjYsiztui2fW57hENgvgrjpN
dwtDiuaw1IocDqMUy6Se0mjgtIRzoewA1TlBGUZGSbhn3foHHpP6jLKbN+ijfaju
F4k4M7+jmBjBE8GbTtmBBXmO3iLmA6/pD0at4lVnaq9nv7dJAHtn66eTdTP90SUX
PL5XHyhNLSu+fnTiyxwX0fKpLv1DqK6PW0eMGUPPt6bu7udkVYvWFiQM5ldJbGLH
IL0wGisTAyBhhyw7KCrgMQHJDoWBXq6sieJmW0eN5PlPZ8W2UJ6r3hfGNrMqCuLh
O6axAOvJjz3A8Zex
-----END CERTIFICATE-----
subject=/C=JP/ST=Kanagawa/L=Yokosuka/O=NTT DOCOMO Inc./OU=R and D Strategy Department/CN=example.ne.jp
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/OU=Domain Control Validated/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, K-163, 163 bits
---
SSL handshake has read 2686 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 58E5B86583ABAB1CD61B600B27B7B79BE580431867940C95FD776F7E0E795A5E
    Session-ID-ctx: 
    Master-Key: 03AE2D8DC4B24864C419E3F64BDA23185ADF2EF15F526F1D1FF22A2770D24812EEE06C551D88F531B4F7B5FBA2F2A15E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1491449957
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

结果中的Server Temp Key: ECDH, K-163, 163 bits就是使用的curves

openssl ssl curves

发表新评论

© 2017 Powered by Typecho
苏ICP备15035969号-3