3/10/2020

SSL/TLS Basic Concepts and How to Analyze OpenSSL

1. SSL and TLS Basic Concepts

The protocols generally used for encryption are SSL (Secure Sockets Layer) / TLS (Transport Layer Security) or
DTLS (Datagram Transport Layer Security); here we only cover what each is used for and the basic concepts.

  • Abbreviations and TCP/UDP
  1. SSL (Secure Sockets Layer)     TCP-based
  2. TLS (Transport Layer Security)  TCP-based
  3. DTLS (Datagram Transport Layer Security) UDP-based

SSL (Secure Sockets Layer) / TLS (Transport Layer Security)

SSL (Secure Sockets Layer) / TLS (Transport Layer Security) is a secure channel over TCP that encrypts HTTP, FTP or
other network protocols so that they can communicate securely.

SSL was used a lot with SSH, and TLS is the further development of it; TLS is an encryption protocol used in HTTPS
and in many other places.
SSL is on its way out, so the ones that matter are TLS and DTLS, and those are what is covered here.

As for DTLS, I have only seen it used mainly on CMVP (Cryptographic Module Validation Program) or KCMVP equipment.
DTLS can be thought of as TLS used over UDP.

OpenSSL related links

Check the OpenSSL version history


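1.1 Libraries Supporting SSL/TLS

On Linux, OpenSSL is widely used, but on embedded systems a library other than OpenSSL may be used instead because of size constraints, as listed below.

ARM mainly uses Mbed TLS, and the next best known seems to be wolfSSL.
I don't know iOS well, so I will skip it.

  • Checking TLS version support
OpenSSL is what is usually used; compare it with the other TLS libraries in the table.
mbed OS, recently provided by ARM, also supports TLS; see the link below for details.
Library support for TLS/SSL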
| Implementation | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
|---|---|---|---|---|---|---|
| Botan | No | No[199] | Yes | Yes | Yes | |
| cryptlib | No | Disabled by default at compile time | Yes | Yes | Yes | |
| GnuTLS | No[a] | Disabled by default[200] | Yes | Yes | Yes | Yes[201] |
| Java Secure Socket Extension | No[a] | Disabled by default[202] | Yes | Yes | Yes | Yes |
| LibreSSL | No[203] | No[204] | Yes | Yes | Yes | As of version 3.2.2 [205][206] |
| MatrixSSL | No | Disabled by default at compile time[207] | Yes | Yes | Yes | yes (draft version) |
| mbed TLS (previously PolarSSL) | No | Disabled by default[208] | Yes | Yes | Yes | |
| Network Security Services | No[b] | Disabled by default[209] | Yes | Yes[210] | Yes[211] | Yes[212] |
| OpenSSL | No[213] | Enabled by default | Yes | Yes[214] | Yes[214] | Yes[215] |
| RSA BSAFE Micro Edition Suite | No | Disabled by default | Yes | Yes | Yes | Not yet |
| RSA BSAFE SSL-J | No | Disabled by default | Yes | Yes | Yes | Not yet |
| SChannel XP / 2003[216] | Disabled by default by MSIE 7 | Enabled by default | Enabled by default by MSIE 7 | No | No | No |
| SChannel Vista[217] | Disabled by default | Enabled by default | Yes | No | No | No |
| SChannel 2008[217] | Disabled by default | Enabled by default | Yes | Disabled by default (KB4019276)[149] | Disabled by default (KB4019276)[149] | No |
| SChannel 7 / 2008 R2[218] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default by MSIE 11 | Enabled by default by MSIE 11 | No |
| SChannel 8 / 2012[218] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | No |
| SChannel 8.1 / 2012 R2, 10 v1507 & v1511[218] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | No |
| SChannel 10 v1607 / 2016[159] | No | Disabled by default | Yes | Yes | Yes | No |
| Secure Transport OS X 10.2–10.8 / iOS 1–4 | Yes | Yes | Yes | No | No | |
| Secure Transport OS X 10.9–10.10 / iOS 5–8 | No[c] | Yes | Yes | Yes[c] | Yes[c] | |
| Secure Transport OS X 10.11 / iOS 9 | No | No[c] | Yes | Yes | Yes | |
| Seed7 TLS/SSL Library | No | Yes | Yes | Yes | Yes | |
| wolfSSL (previously CyaSSL) | No | Disabled by default[219] | Yes | Yes | Yes | yes (draft version)[220] |

Source



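1.2 HTTPS and Browser Information

HTTPS can be thought of as HTTP with TLS communication added.

The table below shows the encryption protocol support of each web browser; compare them with one another.
The information is taken from the wiki, so check the wiki below for the latest version.

In the figure below, going from the left, you can see SSL gradually giving way to TLS as security is strengthened.
Look at the SSL/TLS versions as well.


Certificates (CSR/CRT) underlying HTTPS
  https://namjackson.tistory.com/24
  https://soul0.tistory.com/510
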
TLS/SSL support history of web browsers
[Table: TLS/SSL support history of web browsers. Columns: Browser, Version, Platforms, SSL protocols (SSL 2.0, SSL 3.0), TLS protocols (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3), Certificate support (EV, SHA-2, ECDSA), Vulnerabilities fixed (BEAST, CRIME, POODLE (SSLv3), RC4, FREAK, Logjam), Protocol selection by user. Rows: Google Chrome (Chrome for Android), Microsoft Edge (Chromium based), Mozilla Firefox (Firefox for mobile), Opera Browser (Pre-Presto and Presto), Opera Browser (Webkit and Blink), Microsoft Internet Explorer (1–10), Internet Explorer 11, Microsoft Edge (EdgeHTML based), Microsoft Internet Explorer Mobile, Apple Safari, Apple Safari (mobile), Google Android OS.]

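2. Basic Analysis of SSL/TLS

The SSL/TLS in common use today is a protocol in which the two sides, mostly over TCP, first exchange keys and
then use them to encrypt the communication; the details differ with the TLS version and the supported ciphers.

  • Basic SSL/TLS operation
The basic operation is client/server encryption: the two sides exchange keys and then encrypt the traffic.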



Simple  SSL/TLS Client Source
  https://wiki.openssl.org/index.php/SSL/TLS_Client


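2.1 TLS Handshake and Cipher Suite


Explanation of the TLS cipher suite and of TLS itself
When TLS first communicates, the key exchange method used during the handshake is the cipher suite.
  • TLS v1.2 handshake
Check at which point in the handshake the cipher suite is selected.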

https://en.wikipedia.org/wiki/Cipher_suite


Check the cipher suite procedure



TLSv1.2
  https://www.ietf.org/rfc/rfc5246.txt
  https://chipmaker.tistory.com/entry/%E3%85%87


  • TLS v1.3 handshake
Depending on the TLS version the steps are reduced and simpler, but it is almost the same.
https://en.wikipedia.org/wiki/Cipher_suite







  • Analyzing the full TLSv1.2 flow
Capture the traffic directly with Wireshark and look at it in detail.



  • 1st message, Client -> Server (Client Hello)
  1. Random: made up of the client's time (4 bytes) and random data (12 bytes)
  2. Cipher Suites: the client proposes the cipher suites it supports to the server
  3. The client proposes the signature hash algorithms it supports to the server (hash and signature)


The rest is omitted.
I can't be bothered to take screen captures; it works as in the structure above.
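
The cipher suite negotiation described above can be reproduced locally with the OpenSSL command-line tools. This is an added example, not part of the original post: the client offers a list of cipher suites, and the function reports the protocol version and the suite that was selected. The port numbers, CN=localhost, the temporary directory and the function name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. The port, CN=localhost and the
# function name are assumptions; the openssl options are standard ones.

# Run one TLS 1.2 handshake over loopback and print "<protocol> <cipher suite>".
# $1 = TCP port, $2 = cipher suite list the client offers (OpenSSL names)
tls12_negotiate() (
    port=$1; offer=$2; out=""
    dir=$(mktemp -d) || exit 1
    # Throwaway self-signed server certificate (same kind of command as in 2.2)
    openssl req -x509 -newkey rsa:2048 -days 1 -nodes -subj "/CN=localhost" \
        -keyout "$dir/server-key.pem" -out "$dir/server-cert.pem" \
        2>/dev/null || exit 1
    # -www answers like a small HTTPS server and does not read the terminal
    openssl s_server -accept "$port" -www -tls1_2 \
        -cert "$dir/server-cert.pem" -key "$dir/server-key.pem" \
        >/dev/null 2>&1 &
    pid=$!
    # The server needs a moment to start listening, so retry a few times
    for try in 1 2 3 4 5; do
        # Trust only the server's own certificate and stop if it fails to
        # verify; "Cipher : 0000" means no suite was agreed on
        out=$(openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
                -cipher "$offer" -CAfile "$dir/server-cert.pem" \
                -verify_return_error </dev/null 2>/dev/null |
              awk -F': *' '/^ *Protocol *:/ {p=$2} /^ *Cipher *:/ {c=$2}
                  END {if (p != "" && c != "" && c != "0000") print p, c}')
        [ -n "$out" ] && break
        sleep 1
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    [ -n "$out" ] && printf '%s\n' "$out"
)

# The client offers two suites; the line printed is the one actually negotiated
tls12_negotiate 44330 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
```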


2.2 Preparing TLS/DTLS Keys and Certificates

Prepare the certificates before testing TLS.
To test DTLS or TLS, issue a key and a certificate as follows.


  • Issuing the client key and client certificate
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes  -keyout client-key.pem -out client-cert.pem 
.....
# Enter your own details at each prompt
Country Name (2 letter code) [AU]:                
State or Province Name (full name) [Some-State]:  
Locality Name (eg, city) []:                      
Organization Name (eg, company) [Internet Widgits Pty Ltd]:  
Organizational Unit Name (eg, section) []:   
Common Name (e.g. server FQDN or YOUR name) []: 
Email Address []:    

# Issues an RSA private key and, based on it, a certificate valid for 10 years (3650 days)

  • Issuing the server key and server certificate
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes  -keyout server-key.pem -out server-cert.pem 
# Enter your own details at each prompt
....
# Issues an RSA private key and, based on it, a certificate valid for 10 years (3650 days)
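
Before these files are used in a TLS or DTLS test, it is worth confirming that each certificate really belongs to its private key, since a mixed-up pair makes the handshake fail. This is an added example, not part of the original post: it issues both pairs non-interactively and compares the public key inside the certificate with the one derived from the key. File names follow the post; CN=localhost and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# CN=localhost and the function names are assumptions.

# Non-interactive form of the post's "openssl req" command.
# $1 = name prefix (client or server), $2 = output directory
make_cert() {
    openssl req -x509 -newkey rsa:2048 -days 3650 -nodes \
        -subj "/CN=localhost" \
        -keyout "$2/$1-key.pem" -out "$2/$1-cert.pem" 2>/dev/null || return 1
    # -nodes writes the private key unencrypted, so restrict who can read it
    chmod 600 "$2/$1-key.pem"
}

# SHA-256 over the DER public key taken from a certificate or a private key.
# $1 = cert | key, $2 = PEM file
pubkey_digest() {
    if [ "$1" = cert ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the certificate was issued for this private key.
# Returns 2 when either file cannot be parsed at all.
# $1 = certificate, $2 = private key
pair_matches() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl pkey -in "$2" -noout 2>/dev/null || return 2
    [ "$(pubkey_digest cert "$1")" = "$(pubkey_digest key "$2")" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert client "$dir" && make_cert server "$dir" || return 1
    pair_matches "$dir/client-cert.pem" "$dir/client-key.pem" &&
        echo "client-cert.pem + client-key.pem: match"
    pair_matches "$dir/server-cert.pem" "$dir/client-key.pem" ||
        echo "server-cert.pem + client-key.pem: mismatch"
    rm -rf "$dir"
}
demo
```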


$ cat client-key.pem 
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

$ openssl pkey -in client-key.pem -text  # analyze the private key above
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
RSA Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:



$ cat client-cert.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

$ openssl x509 -in client-cert.pem -noout -text  // full analysis of the certificate above (includes the public part of the private key above)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:9b:52:da:d2:5d:f6:1e:d4:5f:89:2a:9b:44:6c:ce:85:58:4d:19
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Jun  9 02:49:53 2020 GMT
            Not After : Jun  7 02:49:53 2030 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57
            X509v3 Authority Key Identifier:
                keyid:C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

2.3 TLS/DTLS basic test source


See the links above for details.

LIBS += -lssl -lcrypto


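#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* SSLMSG is not defined in this excerpt; assumed here to print to stderr */
#define SSLMSG(...) fprintf(stderr, __VA_ARGS__)

int main(void)
{
    SSL_CTX *ctx;
    SSL *ssl = NULL;   /* per-connection object, created later with SSL_new(ctx) */
    BIO *bio = NULL;   /* transport BIO, attached later with SSL_set_bio() */

    /* Library initialisation (automatic since OpenSSL 1.1.0, harmless to keep) */
    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();

    /* DTLS client context */
    ctx = SSL_CTX_new(DTLS_client_method());
    if (ctx == NULL) {
        ERR_print_errors_fp(stderr);
        return 1;
    }

    /* Client certificate, its private key, and a check that the two match */
    if (SSL_CTX_use_certificate_file(ctx, "certs/client-cert.pem", SSL_FILETYPE_PEM) != 1)
        SSLMSG("ERROR: no certificate found!\n");

    if (SSL_CTX_use_PrivateKey_file(ctx, "certs/client-key.pem", SSL_FILETYPE_PEM) != 1)
        SSLMSG("ERROR: no private key found!\n");

    if (SSL_CTX_check_private_key(ctx) != 1)
        SSLMSG("ERROR: invalid private key!\n");

    /* The cipher suite list can be set here */
    SSL_CTX_set_cipher_list(ctx, ":AES");

    (void)ssl;
    (void)bio;
    SSL_CTX_free(ctx);
    return 0;
}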

3. Installing and testing OpenSSL


RootCA / SubCA / Digital Signature Sign
  https://en.wikipedia.org/wiki/Root_certificate
  https://en.wikipedia.org/wiki/Certificate_authority
  https://en.wikipedia.org/wiki/Public_key_certificate

Issuing a ROOT CA with OpenSSL
  https://www.lesstif.com/pages/viewpage.action?pageId=6979614
  https://www.lesstif.com/pages/viewpage.action?pageId=7635159

OpenSSL command usage
  https://wiki.openssl.org/index.php/Command_Line_Utilities
  https://en.wikipedia.org/wiki/OpenSSL

openssl s_client -connect
  https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
  https://www.poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/
  http://coffeenix.net/board_view.php?bd_code=1661
  https://xbloger.tistory.com/18
  https://spin.atomicobject.com/2018/07/30/openssl-s-client/
  https://www.freebsd.org/cgi/man.cgi?query=s_client&manpath=FreeBSD+11-current
  https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html

openssl s_server
  https://www.openssl.org/docs/man1.0.2/man1/s_server.html
  https://github.com/openssl/openssl/blob/master/apps/server.pem
  https://theswlee.tistory.com/48
  https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
  https://www.rabbitmq.com/troubleshooting-ssl.html
  https://www.rabbitmq.com/troubleshooting-networking.html
  https://www.rabbitmq.com/ssl.html#certificates-and-keys


  • openssl basic test
After installation, check that the basic commands work.

$ openssl version
OpenSSL 1.1.1b  26 Feb 2019

$ openssl
OpenSSL> help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

OpenSSL> quit 




  • Converting DER certificates and keys

PEM or CRT files are generally base64-encoded, so they can easily be inspected with cat, but DER appears to be a binary format, so convert it as shown below.

$ openssl x509 -inform DER -outform PEM -text -in test.der -out test.pem 

  https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
  https://wiki.openssl.org/index.php/DER


3.1 HTTPS connection test against the Google server

  • HTTPS port 443 test
If the server supports TLSv1.3, it is used automatically by default, but an error occurs in the lower part of the output, as shown below.

$ openssl s_client -connect google.com:443      //HTTPS 443 Port TLSv 1.3 Fail
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3787 bytes and written 392 bytes
Verification error: unable to get local issuer certificate  // openssl verify (verification error)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported  // TLSv1.3 negotiation failed
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent       // check the problem
Verify return code: 20 (unable to get local issuer certificate)
---
Ctrl+c 


  • HTTPS port 443 test (TLSv1.2)
With TLSv1.2, unlike the TLSv1.3 run above, the connection succeeds all the way to the Session and works.

$ openssl s_client -connect google.com:443 -tls1_2       //HTTPS 443 Port TLS1.2
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3978 bytes and written 298 bytes
Verification error: unable to get local issuer certificate  // same verification error
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported       // negotiated with TLSv1.2
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 1C072CAEAD8AC810F33CC68F2C687F8841ED13FFB9B9668FF4E6CA770CCABCC4
    Session-ID-ctx:
    Master-Key: 098E8AC1E0DEEA97F12895234B1B2DD332953D5AE4D2D1EF6679DA3CD80558AF36821E68EFED9EDF1A41DB355B7F63BE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1583817303
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)  // verification error
    Extended master secret: yes
---

Ctrl+c 
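
To read the two s_client runs above field by field, the following added example (not part of the original post) pulls the negotiated protocol, the verify code and the issuer that could not be found out of a transcript. The sample inputs are constructed: the first from the summary lines of the first run above, the second as a minimal failed handshake; the function names and the key=value output format are made up here.

```shell
#!/bin/sh
# Constructed sample: summary lines of the first s_client run on this page
# (certificate body and session details left out).
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Constructed sample: what s_client prints when no handshake completes.
failed_transcript() {
cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
EOF
}

# Reads an s_client transcript on stdin and prints key=value lines.
triage_sclient() {
    awk '
    # "depth=N <subject>" is followed by the verify error raised at that depth
    /^depth=[0-9]+ /           { depth = substr($1, 7) }
    /^verify error:num=[0-9]+/ { if (err_depth == "") err_depth = depth }
    # chain as sent by the server: "N s:<subject>" then "i:<issuer>"
    $1 ~ /^[0-9]+$/ && $2 ~ /^s:/ { idx = $1; sent++ }
    $1 ~ /^i:/ && idx != ""       { v = $0; sub(/^ *i:/, "", v); issuer[idx] = v }
    # negotiated protocol and cipher
    /^(New|Reused), / { split($0, f, ", "); proto = f[2]; cipher = f[3]; sub(/^Cipher is /, "", cipher) }
    # certificate trust result, reported separately from the handshake
    /Verify return code: / { code = $0; sub(/.*Verify return code: /, "", code); sub(/ .*/, "", code) }
    END {
        ok = (proto != "" && proto != "(NONE)")
        print "handshake=" (ok ? "completed" : "failed")
        print "protocol=" proto
        print "cipher=" cipher
        print "chain_sent=" (sent + 0)
        print "verify_code=" code
        if (err_depth != "") {
            print "error_depth=" err_depth
            # issuer of the certificate at the failing depth: the CA the local trust store lacks
            print "missing_issuer=" ((err_depth in issuer) ? issuer[err_depth] : "unknown")
        }
    }'
}

sample_transcript | triage_sclient
```

On a live connection use `openssl s_client -connect host:443 </dev/null 2>&1 | triage_sclient`; the `depth=` and `verify error` lines go to stderr, which is why they pass the `grep Verify` filters further down unfiltered. s_client prints `New, (NONE), Cipher is (NONE)` when no handshake completed, and a TLS 1.3 session always shows `Secure Renegotiation IS NOT supported` because the protocol has no renegotiation.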


3.2 Analyzing the Google server's certificate

  • Saving the Google server's certificate
Connect to Google and save the server's certificate to a separate file.

$ openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
 
$ cat public.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

  • Analyzing the Google server's certificate
The analysis is based on the certificate saved above.

$ openssl x509 -in public.crt -noout -text  // full analysis of the certificate above
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:de:65:60:cd:35:c0:af:02:00:00:00:00:59:71:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
        Validity
            Not Before: Feb 12 11:47:11 2020 GMT
            Not After : May  6 11:47:11 2020 GMT
        Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ca:8c:4f:48:bb:05:0c:35:b2:1b:0a:68:8e:4b:
                    55:d6:23:6c:8f:14:b6:a7:4a:d2:c8:00:3b:a6:6a:
                    39:cf:98:7a:c4:0f:ee:3f:6c:f2:9a:dc:75:de:70:
                    ce:21:3d:51:cb:f0:e8:2a:c1:56:16:bd:e6:6c:4b:
                    a3:9d:17:d3:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                24:6D:37:50:0A:02:B9:33:DC:A9:46:32:97:E1:2D:89:1A:3C:59:18
            X509v3 Authority Key Identifier:
                keyid:98:D1:F8:6E:10:EB:CF:9B:EC:60:9F:18:90:1B:A0:EB:7D:09:FD:2B

            Authority Information Access:
                OCSP - URI:http://ocsp.pki.goog/gts1o1
                CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt

            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.gcpcdn.gvt1.com, DNS:*.ggpht.cn, DNS:*.gkecnapps.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.wear.gkecnapps.cn, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:gkecnapps.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.11129.2.5.3

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.pki.goog/GTS1O1.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:
                                25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E
                    Timestamp : Feb 12 12:47:13.255 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3E:40:DF:98:D4:10:B5:89:38:3C:EE:B9:
                                9C:A6:C5:0C:FC:6B:B6:E2:A3:D0:B5:27:30:12:40:ED:
                                D5:EC:44:84:02:20:41:9E:B9:A7:08:85:53:A5:AD:2F:
                                B5:88:05:40:D1:4D:22:CB:26:D4:33:49:46:FD:13:C1:
                                FF:7B:E1:F7:92:FF
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Feb 12 12:47:13.272 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:FD:AA:99:27:7F:D4:40:F4:D4:E7:0D:
                                B2:75:47:BE:34:8A:52:28:67:96:B1:3B:BD:11:34:A0:
                                36:A3:32:29:0D:02:21:00:8D:4D:C9:A7:49:EF:88:14:
                                34:93:0E:C2:05:68:94:80:17:5E:4A:13:96:59:5A:23:
                                E4:65:86:92:89:5D:07:A5
    Signature Algorithm: sha256WithRSAEncryption

$ openssl x509 -in public.crt -noout -dates  // check the validity dates
notBefore=Feb 12 11:47:11 2020 GMT
notAfter=May  6 11:47:11 2020 GMT



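  • Google Certificate Verification
Whether the connection uses TLSv1.3 or TLSv1.2, the output always shows a problem in verification, so this part is checked here.
It seems that the current certificate is not being verified.

$ openssl verify public.crt  // re-check the verification error above (the same error occurs)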
C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error public.crt: verification failed

// openssl certs directory (currently empty; if a verified certificate is available, test with that)
$ ls -lah /etc/ssl/certs   
...


$ echo -n | openssl s_client -connect google.com:443 -CAfile ./public.crt  -tls1_2  | grep Verify  // test again because of the verification error
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
    Verify return code: 20 (unable to get local issuer certificate)   // verification error, same as above
DONE


// self-issued certificate
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes 

$ echo -n | openssl s_client -connect google.com:443 -CAfile ./cert.pem  -tls1_2 | grep Verify  // test again because of the verification error
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
    Verify return code: 20 (unable to get local issuer certificate)   // verification error, same as above
DONE

This issue was resolved with the help of the site below.
  https://github.com/nghttp2/nghttp2/issues/928
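
Error 20 means OpenSSL could not find the certificate of the issuer in its local trust store, so a `-CAfile` only helps if it contains the issuing CA. The added example below (not part of the original post) reproduces the two `-CAfile` attempts above on a constructed throw-away PKI; the config file, subjects and file names are all made up here.

```shell
#!/bin/sh
# Constructed throw-away PKI: one root CA, one leaf signed by it,
# and one unrelated self-signed certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the result does not depend on the system openssl.cnf
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

build_pki() {
    # Root CA: self-signed, CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Leaf: key and CSR, then signed by the root
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
    # Unrelated self-signed certificate, like the cert.pem generated above
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=Unrelated Self-Signed" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Prints "ok", or "error N" with the first verify error,
# for certificate $2 checked against trust file $1.
verify_with() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
}

build_pki
echo "CAfile = the leaf itself      : $(verify_with "$WORK/leaf.pem"  "$WORK/leaf.pem")"
echo "CAfile = unrelated self-signed: $(verify_with "$WORK/other.pem" "$WORK/leaf.pem")"
echo "CAfile = issuing CA           : $(verify_with "$WORK/ca.pem"    "$WORK/leaf.pem")"
```

For a public server the issuing CA comes from the platform's CA bundle rather than from a file you generate; the name to look for is the issuer of the top certificate in the chain printed by s_client.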


3.3 Analyzing other HTTPS servers directly

Encoding BASE64 to ASCII
  https://www.base64encode.org/
  https://base64.guru/converter/encode/hex

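  • Analyzing an HTTPS server directly
For Google the certificate was saved to a file and then analyzed, but it can also be analyzed directly as shown below.

$ echo "" | openssl s_client -connect server:443 | openssl x509 -noout -dates  // analyze directly, without saving to a file as above

$ echo "" | openssl s_client -connect server:443 | openssl x509 -noout -text   // analyze directly, without saving to a file as above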


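  • Analyzing the feistyduck server
For Google the certificate was saved to a file and then analyzed, but here the server is analyzed directly as shown below.

$ openssl s_client -connect www.feistyduck.com:443  // confirms that it connects with TLS v1.2 by default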
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
subject=OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5027 bytes and written 446 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6B6C93F4B46A273D51F2EEBF1FCA910218EC34521BA4D9FAE45BFB839B3F8356
    Session-ID-ctx:
    Master-Key: 0A865001506F6133227E5C02290D48804041D50B7DDF8A23AE87B87BF61F287BE8C8D08CA7EE648A3E7BD004EF97D1E3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1591687396
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---


$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -text
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f4:7f:09:b5:99:12:4b:1f:08:84:6a:c4:d7:1e:b0:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Feb 12 00:00:00 2018 GMT
            Not After : Feb 17 23:59:59 2021 GMT
        Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier:
                A9:73:37:FB:A6:5D:EC:A0:FA:0E:0B:5F:ED:22:4E:38:6F:1E:AE:68
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:www.feistyduck.com, DNS:feistyduck.com
    Signature Algorithm: sha256WithRSAEncryption

$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -dates
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
notBefore=Feb 12 00:00:00 2018 GMT
notAfter=Feb 17 23:59:59 2021 GMT


3.4 Local HTTPS test

Using OpenSSL, issue a certificate and a private key, start a server with them, and then test against it.

Issuing an RSA-based key
  • Issuing the certificate and private key for the local HTTPS server
// RSA-based
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes 
// cert.pem: certificate, visible to the client when it connects
// key.pem:  private key

  https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html


$ openssl req -x509 -new -key key.pem -out cert.pem   // reuses the existing key.pem; without -x509 the output would be a CSR, not a certificate
// cert.pem: certificate, visible to the client when it connects
// key.pem:  private key


  • Running the local HTTPS server (server side)
Run the server in the background:
$ openssl s_server -key key.pem -cert cert.pem -accept 443 -www  &  
Using default temp DH parameters
ACCEPT

  • Connecting the local HTTPS client
After connecting to the server, confirm that the certificate it presents is the same as the cert.pem above.
$ openssl s_client -connect 127.0.0.1:443  // same as the cert.pem above
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
   i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1435 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ECCF57A71FE4DA0AD66DE23685BD58CD3F5BC88756033845BB3460472A40389E
    Session-ID-ctx:
    Resumption PSK: 651BA37791F1ABF1C1A7319B6386484ADE95960E666B5F14B3759AEA2DCFDB47D021A0C64F69AC383C2909E9D99127D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1591683618
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 08C9BB5B706488A4657B05D86629EA0518E72E0C73498DA59BF3337E7C7CB346
    Session-ID-ctx:
    Resumption PSK: 8D7303226BB700F521767764C32383FDC598B4E99185E8502A0787159DDA50DDBE2570A7D659AB4CCA85E5BF3B9F59E1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1591683618
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK



  • Encode and decode test
$ echo 'hello world!' | openssl aes-256-cbc -a -k "passwordkey"    // uses enc; -a Base64-encodes the output
U2FsdGVkX1+fe5EdA+UkQOAxj2rYLb6ZDgNcGcd0A4Y=

$ echo 'U2FsdGVkX19LEynrqiD3WZHqvOAU5R/hUpeKLR4IYO4=' | openssl aes-256-cbc -a -d  -k "passwordkey"  // works when decrypting with -d
hello world!
$ cat > test.txt // create a text file
hello world

$ openssl enc -e -aes-128-cbc -in test.txt -out test.enc -k "password1234"  // encrypt

$ openssl enc -d -aes-128-cbc -in test.enc -out test.dec -k "password1234"  // decrypt

$ cat test.dec  // check the decrypted output
hello world

$ openssl enc -e -aria-128-cbc -in test.txt -out test.enc -k "password1234" // encrypt

$ openssl enc -d -aria-128-cbc -in test.enc -out test.dec -k "password1234" // decrypt

$ cat test.dec  // check the decrypted output
hello world
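
The two Base64 ciphertexts above differ although the password is the same, because `openssl enc` prepends the magic `Salted__` (Base64 prefix `U2FsdGVkX1`) and a random 8-byte salt. The following is an added example (not from the original post) that parses that header from the two ciphertexts shown above and repeats the round trip with `-pbkdf2`, which replaces the legacy single-pass key derivation that `-k` uses by default; the iteration count and the `ENC_PASS` variable are assumptions.

```shell
#!/bin/sh
# The two ciphertexts printed by the commands above (same password, different output).
CT1='U2FsdGVkX1+fe5EdA+UkQOAxj2rYLb6ZDgNcGcd0A4Y='
CT2='U2FsdGVkX19LEynrqiD3WZHqvOAU5R/hUpeKLR4IYO4='

# Bytes 1-8 of the decoded blob: the literal magic "Salted__".
enc_magic() {
    printf '%s\n' "$1" | openssl base64 -d | head -c 8
}

# Bytes 9-16 of the decoded blob: the random salt, printed as hex.
enc_salt() {
    printf '%s\n' "$1" | openssl base64 -d | tail -c +9 | head -c 8 \
        | od -An -tx1 | tr -d ' \n'
}

# Same sample password as above, passed through the environment (assumed
# variable name) so that it does not appear on the openssl command line.
ENC_PASS='passwordkey'
export ENC_PASS

# AES-256-CBC with PBKDF2 key derivation (needs OpenSSL 1.1.1 or later).
encrypt_pbkdf2() {
    printf '%s\n' "$1" | openssl enc -e -aes-256-cbc -a -salt \
        -pbkdf2 -iter 100000 -pass env:ENC_PASS
}
decrypt_pbkdf2() {
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -a \
        -pbkdf2 -iter 100000 -pass env:ENC_PASS
}

echo "magic: $(enc_magic "$CT1") / $(enc_magic "$CT2")"
echo "salts: $(enc_salt "$CT1") / $(enc_salt "$CT2")"
c=$(encrypt_pbkdf2 'hello world!')
echo "pbkdf2 ciphertext: $c"
echo "decrypted:         $(decrypt_pbkdf2 "$c")"
```

Decryption must use the same `-pbkdf2` and `-iter` values as encryption; a file written with plain `-k` cannot be read with `-pbkdf2` and vice versa.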

ARIA
  https://en.wikipedia.org/wiki/ARIA_(cipher)
  https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher
  https://getrfc.com/rfc6209

openssl suites
  https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
  https://sarc.io/index.php/httpd/581-openssl-suites
  https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings/
  https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce
  https://m.blog.naver.com/PostView.nhn?blogId=seri0528&logNo=20188280116&proxyReferer=https%3A%2F%2Fwww.google.com%2F
  https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-Usingopenssl


CBC encryption and decryption example
  https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption

GCM/CCM encryption and decryption example
  https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
  https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope

ECB/CBC/CFB/CTR
  https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
