레이블이 NET-TLS인 게시물을 표시합니다. 모든 게시물 표시
레이블이 NET-TLS인 게시물을 표시합니다. 모든 게시물 표시

3/31/2020

ECDSA 기반의 Key 및 Certificate 분석

1. ECDSA 기반의 Key 와 Certificate 분석 

ECDSA(Elliptic Curve Digital Signature Algorithm)으로 주로 Digital Signature에서 사용되어지며,
이곳에서도 ECDSA 기반의 Certificate 생성 및 분석한다.
ECDSA는 기본적으로 ECC(Elliptic Curve Cryptography)기반의 Private Key/Public Key 기반으로 동작되어진다. 
ECDSA 와 RSA를 비교하면, RSA 비하여 속도가 빠르다고 하며 암호화 용량이 적어 요즘  많이 사용되어진다고 한다. 
특히, 임베디드에서는 빠르고, 적은용량으로 고효율을 요구하기 때문이다. 


아래에서 각 기본 개념들을 이해해보록하자. 

ECC(Elliptic Curve Cryptography)
한글로 번역하면, 타원곡선 암호화이며 관련자료들을 이해해보자.

EC(Elliptic Curve)
ECC를 세부이해하기 위해서 타원곡선이 어떻게 동작하는지 알아보자
RSA-3072bit (384 bytes) 와 ECC-256 bit (32 bytes) 동일급 하며, 아래 링크설명이 너무 좋다.

ECDSA(Elliptic Curve Digital Signature Algorithm)
ECC기반으로 생성된 Digital Signature 알고리즘으로 인증서 내부에 존재함 
  https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Elliptic-curve Diffie–Hellman (ECDH)  
Cipher Suite 키교환알고리즘

TLS 와 SSL의 관련지원사항 및 기본구조확인

전체구성을 알고 싶다면 아래참고


ECDSA기반으로 Certificate를 많이 구성하고 사용하는데, 이 기본구조를 알고자 아래와 같이 세부적으로 분석한다.
그리고 더불어 CA기반의 Certificate의 세부구성도 분석하도록 한다. 

Certificate의 전체구성을 알고자하면 바로 3. Cerficiate Auhtority의 동작을 확인 후 세부적으로 분석하자.

1.1 OpenSSL 기본 지원사항 확인

OpenSSL의 기본지원사항들을 확인해보도록 하자. 

  • OpenSSL 의 기본정보확인
  1. OpenSSL Version 확인 
  2. ECDSA의 Curves List 확인 

$ openssl version
OpenSSL 1.1.1b  26 Feb 2019

//ECDSA Key의  동작확인 및 ECDSA List 
$ openssl ecparam -list_curves // 모든 지원 curves 확인 secp xxx Key Size 
  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field           //현재 secp256r1 와 다름 주의 
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field            //현재 secp256r1 동일(이름이 변경됨) 
  sect113r1 : SECG curve over a 113 bit binary field
  sect113r2 : SECG curve over a 113 bit binary field
  sect131r1 : SECG/WTLS curve over a 131 bit binary field
  sect131r2 : SECG curve over a 131 bit binary field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  sect163r1 : SECG curve over a 163 bit binary field
  sect163r2 : NIST/SECG curve over a 163 bit binary field
  sect193r1 : SECG curve over a 193 bit binary field
  sect193r2 : SECG curve over a 193 bit binary field
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect239k1 : SECG curve over a 239 bit binary field
  sect283k1 : NIST/SECG curve over a 283 bit binary field
  sect283r1 : NIST/SECG curve over a 283 bit binary field
  sect409k1 : NIST/SECG curve over a 409 bit binary field
  sect409r1 : NIST/SECG curve over a 409 bit binary field
  sect571k1 : NIST/SECG curve over a 571 bit binary field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  c2pnb163v1: X9.62 curve over a 163 bit binary field
  c2pnb163v2: X9.62 curve over a 163 bit binary field
  c2pnb163v3: X9.62 curve over a 163 bit binary field
  c2pnb176v1: X9.62 curve over a 176 bit binary field
  c2tnb191v1: X9.62 curve over a 191 bit binary field
  c2tnb191v2: X9.62 curve over a 191 bit binary field
  c2tnb191v3: X9.62 curve over a 191 bit binary field
  c2pnb208w1: X9.62 curve over a 208 bit binary field
  c2tnb239v1: X9.62 curve over a 239 bit binary field
  c2tnb239v2: X9.62 curve over a 239 bit binary field
  c2tnb239v3: X9.62 curve over a 239 bit binary field
  c2pnb272w1: X9.62 curve over a 272 bit binary field
  c2pnb304w1: X9.62 curve over a 304 bit binary field
  c2tnb359v1: X9.62 curve over a 359 bit binary field
  c2pnb368w1: X9.62 curve over a 368 bit binary field
  c2tnb431r1: X9.62 curve over a 431 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
  Oakley-EC2N-3:
        IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  Oakley-EC2N-4:
        IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
  SM2       : SM2 curve over a 256 bit prime field

관련내용
  https://crypto.stackexchange.com/questions/33052/is-there-any-difference-between-nist-and-secp-curves-in-terms-of-their-algorithm
  https://crypto.stackexchange.com/questions/70889/is-curve-p-384-equal-to-secp384r1


2. ECDSA Certificate 생성방법 

ECDSA 기반의 Key 기반으로 Certificate를 생성하는 방법으로 아래 방법으로 간단히 생성이 가능하다.

  • ECDSA 기반의 Certifiace 생성
  1. ECDSA Private Key 생성방법 
  2. ECDSA Private Key 기반의 Certificate 생성

$ openssl ecparam -out key.pem -name secp256r1 -genkey  // Private Key 와 Public Key 생성 

$ openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem  // Key 기반으로 Certificate 생성(1년) 

상위와 같이 Private Key 기반으로 쉽게 Certificate를 생성가능
  1. Private Key(key.pem) 생성 
  2. Cerfiticate(cert.pem)  생성완료  (X.509)

아래 링크 생성방법과 동일
  https://stackoverflow.com/questions/11992036/how-do-i-create-an-ecdsa-certificate-with-the-openssl-command-line
  https://zurgl.com/how-to-create-an-ecdsa-certificate/
  https://stackoverflow.com/questions/11992036/how-do-i-create-an-ecdsa-certificate-with-the-openssl-command-line


ECC Key 생성과 Certificate는 기본구조 세부분석으로 알고 싶지 않다면 , 아래는 보지말고, 그냥 위 Command로만 생성하고 말자.

  • ECDSA 기반의 Certificate 분석할 것
아래의 3부분은 상위에서 만든 Private Key와 Certificate를 기본구조 이해하기 위해 분석하는것이므로 알고 이해했다면 넘어가자.

  2.1 ECSDSA Private Key 생성 및 분석: Private Key 내부구성 및 분석방법
  2.2 ECSDSA Certificate Signature 분석: Certificate의 Signature의 구성 및 사용방법 
  2.2 ECSDSA Certificate 분석: Certificate 생성방법 및 분석방법 

  • 실제 Certificate의 구성분석 
상위를 분석한 후 CA(Cerficiate Autority)의 기본동작을 보도록하자. 
  3. Certificate Auhoirty 기본동작 


2.1 ECDSA의 Private Key 생성 및 분석

Eliptic-curve cryptography 로 Private Key 생성과 분석이므로 분석할 필요가 없다면 넘어가자
**ECDSA Private Key 비대칭 Key이니, 당연히 이 정보 안에 Private Key와 Public Key 정보도 같이 포함되어있다.

ECDSA는 Certifcate에서 사용되어지는 Signature 알고리즘이니, 정확히 말하면, ECDSA가 아니라 ECC(Elliptic Curve Cryptography)의 PrivateKey가 맞겠다.  

더불어 생성된 Key 정보를 OpenSSL에서 제공하는 다양한 명령어로 분석해보자 

  • A. ECDSA Private Key 생성방법 
OpenSSL에서 지원되는 Curve List에서 각 이름별로 Key 생성 
// base64 Encoding에서 아래부분을 반드시 확인하며, 각각 의미를 확인
//-----BEGIN EC PRIVATE KEY-----
//-----END EC PRIVATE KEY----- 

$ openssl ecparam -out key0.pem -name secp256r1 -genkey  // ECDSA P-256 (secp256r1 Curve) 사용 
using curve name prime256v1 instead of secp256r1   // secp256r1 이 prime256v1 대체됨  
$ cat key0.pem                                     // Text기반으로 보기때문에 Base64 Encoding 이됨  
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIaZ3Q9Yt+Pi0SkX7Qc3+w/qotLCxraj72TUjcrO2K/6oAoGCCqGSM49
AwEHoUQDQgAEZAn9MRJqAwmcbIuV2jFKx4q3C1pwrnPoLJPMJt+lv7wPpYvyzUBj
V7WuXWBMk2O7RYLXVCrWUoe8NWsXE+OKOQ==
-----END EC PRIVATE KEY-----

or 

$ openssl ecparam -genkey -name prime256v1 -out key1.pem -noout // -noout을 주면 EC PARAMETERS 삭제됨 
$ cat key1.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49
AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCm
AMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END EC PRIVATE KEY-----

or 

$ openssl ecparam -genkey -name secp256r1 | openssl ec -out key2.pem // ECDSA P-256(secp256r1 Curve) 사용 
using curve name prime256v1 instead of secp256r1   // 대체되며 동일한 기능임  
$ cat key2.pem                 
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49
AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCm
AMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END EC PRIVATE KEY-----

openssl ecparam manual
  https://www.openssl.org/docs/man1.0.2/man1/ecparam.html


EC PRIVATE KEY FORMAT
  https://tools.ietf.org/html/rfc5915
  https://crypto.stackexchange.com/questions/48707/ecdsa-private-key-format


상위에서 다양하게 생성된 Private Key 중 하나를 선택하여 이 기반으로 다양하게 분석.

  • B. 생성된 Private Key 들 중 key.pem 선택 후 분석
$ mv key0.pem key.pem
or
$ mv key1.pem key.pem // 셋 중 아무거나 사용 

  • C.1 key.pem 의 ASN.1 Parser 분석 
BEGIN EC PRIVATE KEY는 Private Key 와 Public Key가 같이 존재하지만, ASN.1으로 OCTET STRINGBIT STRING으로 분할.

// key.pem (BEGIN EC PRIVATE KEY) 
// key.der 일경우 base64 encoding 방식이 아니며 binary이므로 -inform DER 추가   
$ cat key.pem 
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49
AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCm
AMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END EC PRIVATE KEY-----

// ASN.1 으로 Decoding 하면 OCTET STRING의 Hex Dump Private Key정보 존재 와 Public Key 존재 
$ openssl asn1parse -in key.pem  
    0:d=0  hl=2 l= 119 cons: SEQUENCE          
    2:d=1  hl=2 l=   1 prim: INTEGER           :01
    5:d=1  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:57119EB1074A23BA5F2E3B3EEF11740020E0E830911EBB40B3E9A4D3B8B8A006
   39:d=1  hl=2 l=  10 cons: cont [ 0 ]        
   41:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   51:d=1  hl=2 l=  68 cons: cont [ 1 ]        
   53:d=2  hl=2 l=  66 prim: BIT STRING 

// OCTET STRING: Private Key  
// BIT STRING: Public Key 
$ openssl asn1parse -in key.pem -dump  
    0:d=0  hl=2 l= 119 cons: SEQUENCE          
    2:d=1  hl=2 l=   1 prim: INTEGER           :01
    5:d=1  hl=2 l=  32 prim: OCTET STRING      
      0000 - 57 11 9e b1 07 4a 23 ba-5f 2e 3b 3e ef 11 74 00   W....J#._.;>..t.
      0010 - 20 e0 e8 30 91 1e bb 40-b3 e9 a4 d3 b8 b8 a0 06    ..0...@........
   39:d=1  hl=2 l=  10 cons: cont [ 0 ]        
   41:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   51:d=1  hl=2 l=  68 cons: cont [ 1 ]        
   53:d=2  hl=2 l=  66 prim: BIT STRING        
      0000 - 00 04 02 3a 11 92 d3 cf-64 20 44 77 a4 e2 53 f8   ...:....d Dw..S.
      0010 - 36 bb ea a0 92 ea 66 57-1e d7 40 92 6f 4f a8 56   6.....fW..@.oO.V
      0020 - a1 c9 07 33 a9 23 58 60-a6 00 c3 2d 5b f4 d0 ef   ...3.#X`...-[...
      0030 - 39 68 ae e3 9e e7 66 0d-46 0c 5e f2 f3 29 8d 41   9h....f.F.^..).A
      0040 - d4 e0                                             ..



  • C.2 key.pem의 TEXT 기반분석 
Private Key 와 Public Key 분석방법 (명령어 openssl pkey)
// 상위 key.pem 다름 (BEGIN PRIVATE KEY) 이 정보안에 Private Key 정보포함 
// key.der 일경우 base64 encoding 방식이 아니며 binary이므로 -inform DER 추가   
$ openssl pkey -in key.pem -text  
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVxGesQdKI7pfLjs+
7xF0ACDg6DCRHrtAs+mk07i4oAahRANCAAQCOhGS089kIER3pOJT+Da76qCS6mZX
HtdAkm9PqFahyQczqSNYYKYAwy1b9NDvOWiu457nZg1GDF7y8ymNQdTg
-----END PRIVATE KEY-----
Private-Key: (256 bit)        // 256bit (32byte)
priv:                         // 32bytes 
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:                          // 65byte (1+32bytes+32bytes) Public Key A/B 두개의 키로구성
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256

$ openssl pkey -in key.pem -noout -text
Private-Key: (256 bit)        // 256bit (32byte)
priv:                         // 32bytes  Private Key 
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:                          // 65byte (1+32bytes+32bytes) Public Key A/B 두개의 키로구성  
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256




  • BEGIN EC PRIVATE KEY 와 BEGIN PRIVATE KEY 차이 
둘 다 Private Key 와 Public Key를 가지고 있지만 ASN.1의  Data Type 차이일 뿐
  1. BEGIN EC PRIVATE KEY: ASN.1으로 OCTECT STRING 과 BIT STRING으로 분리됨 
  2. BEGIN PRIVATE KEY:  ASN.1의 OCTECT STRING으로 통합되어 쉽게 볼수 있음 

// key.der 일경우 base64 encoding 방식이 아니며 binary이므로 -inform DER 추가   
$ vi test.pem  // Private Key 와 Public Key 같이 가지고 있음 
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVxGesQdKI7pfLjs+
7xF0ACDg6DCRHrtAs+mk07i4oAahRANCAAQCOhGS089kIER3pOJT+Da76qCS6mZX
HtdAkm9PqFahyQczqSNYYKYAwy1b9NDvOWiu457nZg1GDF7y8ymNQdTg
-----END PRIVATE KEY-----

$ openssl asn1parse -in test.pem // 상위 Private Key 와 Public Key 정보 확인가능 
    0:d=0  hl=3 l= 135 cons: SEQUENCE          
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=2 l=  19 cons: SEQUENCE          
    8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   17:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   27:d=1  hl=2 l= 109 prim: OCTET STRING      [HEX DUMP]:306B020101042057119EB1074A23BA5F2E3B3EEF11740020E0E830911EBB40B3E9A4D3B8B8A006A14403420004023A1192D3CF64204477A4E253F836BBEAA092EA66571ED740926F4FA856A1C90733A9235860A600C32D5BF4D0EF3968AEE39EE7660D460C5EF2F3298D41D4E0

$ openssl asn1parse -in test.pem -dump //혹시 몰라서 전체 dump 
    0:d=0  hl=3 l= 135 cons: SEQUENCE          
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=2 l=  19 cons: SEQUENCE          
    8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   17:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   27:d=1  hl=2 l= 109 prim: OCTET STRING      
      0000 - 30 6b 02 01 01 04 20 57-11 9e b1 07 4a 23 ba 5f   0k.... W....J#._
      0010 - 2e 3b 3e ef 11 74 00 20-e0 e8 30 91 1e bb 40 b3   .;>..t. ..0...@.
      0020 - e9 a4 d3 b8 b8 a0 06 a1-44 03 42 00 04 02 3a 11   ........D.B...:.
      0030 - 92 d3 cf 64 20 44 77 a4-e2 53 f8 36 bb ea a0 92   ...d Dw..S.6....
      0040 - ea 66 57 1e d7 40 92 6f-4f a8 56 a1 c9 07 33 a9   .fW..@.oO.V...3.
      0050 - 23 58 60 a6 00 c3 2d 5b-f4 d0 ef 39 68 ae e3 9e   #X`...-[...9h...
      0060 - e7 66 0d 46 0c 5e f2 f3-29 8d 41 d4 e0            .f.F.^..).A..


ASN.1 parse 구조 
  1. offset:d  
  2. d: depth
  3. hl: header length (bytes)
  4. l: length (bytes)
  5. cons or prim: tags form

openssl asn1parse
  https://www.openssl.org/docs/manmaster/man1/openssl-asn1parse.html
  https://www.obj-sys.com/docs/acv67/JavaRunTime/com/objsys/asn1j/runtime/Asn1Tag.html

  • C.3 key.pem의 TEXT 기반분석 
Private Key 와 Public Key 분석방법 (명령어 openssl ec)  
바로 이전과 동일하게 나오며, 쉽게 Private Key와 Public Key 좀 더 쉽게 분석가능 
이 Private Key로 2.3 ECDSA 의 Certificate 분석에 사용  

// key.der 일경우 base64 encoding 방식이 아니며 binary이므로 -inform DER 추가   
$ openssl ec -in key.pem -text -noout
read EC key
Private-Key: (256 bit)
priv:
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:   //Prefix(0x04) and Pair of Coordinates (X,Y)   RFC5480 2.2 Subject Public Key 참조 0x04 uncompressed  
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256

$ openssl ec -in key.pem -text
read EC key
Private-Key: (256 bit)
priv:
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:    //Prefix(0x04) and Pair of Coordinates (X,Y)   RFC5480 2.2 Subject Public Key 참조 0x04 uncompressed  
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49
AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCm
AMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END EC PRIVATE KEY-----

$ openssl ec -in key.pem -text -pubout  // 실제 Public Key 추출 가능(이는 아래의 Certificate 사용) 
read EC key
Private-Key: (256 bit)
priv:
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:   //Prefix(0x04) and Pair of Coordinates (X,Y)   RFC5480 2.2 Subject Public Key 참조 0x04 uncompressed  
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256
writing EC key
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupm
Vx7XQJJvT6hWockHM6kjWGCmAMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END PUBLIC KEY-----

openssl ec manual
  https://www.openssl.org/docs/man1.0.2/man1/ec.html
openssl ec command 예제
  https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
openssl command 예제
  https://wiki.openssl.org/index.php/Command_Line_Utilities

  https://en.wikipedia.org/wiki/X.690


  • Base64 Code To Hex로 Private Key 재검증 
ASN.1 이 필요하지만, Base64로 직접 Hex로 변경하여  ASN.1 OCTECT STRING으로 통합된 곳 확인가능

// key.pem (BEGIN EC PRIVATE KEY) 
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCmAMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
//base64 to Hex
30770201010420178b69b8b92c8f17366eb7ac816bf04c7410b022c01942a10acc4f791c4a7f9ba00a06082a8648ce3d030107a14403420004353693ac07ddd2e5f1231ef3e86f97fcfd2365653f9bc2c261513e36cdd4b3df1d4b800a5f25a4bc96fa0230c0f4a338837da9c30450cbb8e43ce07a6aede8d0

// key.pem (BEGIN PRIVATE KEY) 
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVxGesQdKI7pfLjs+7xF0ACDg6DCRHrtAs+mk07i4oAahRANCAAQCOhGS089kIER3pOJT+Da76qCS6mZXHtdAkm9PqFahyQczqSNYYKYAwy1b9NDvOWiu457nZg1GDF7y8ymNQdTg
//base64 to Hex
308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b020101042057119eb1074a23ba5f2e3b3eef11740020e0e830911ebb40b3e9a4d3b8b8a006a14403420004023a1192d3cf64204477a4e253f836bbeaa092ea66571ed740926f4fa856a1c90733a9235860a600c32d5bf4d0ef3968aee39ee7660d460c5ef2f3298d41d4e0

Base64 Encode/Decode Tool 이 없다면 아래의 사이트에서 변경 

Base64 Encode/Decode Website
  https://base64.guru/converter/encode/hex
  https://base64.guru/converter/decode/hex


2.2 ECDSA 의 Certificate Signature 분석 

이 부분은 CA가 Certificate 의 Signature 부분을 생성부분을 이해하기 위해서 간단하게 구성한 것이므로, 알면 넘어가자
이부분은 ECDSA Certificate의 Signature Sign/Verify 부분을 이해하는 것으로, 나중에 구조그림을 보면 쉽게 이해간다. 


Signature는 Private Key 기반으로 만들고, Public Key로 검증이 가능하니 아래와 같이 각 Key들을 확인 

  • Private Key 동일하게 생성
// Create Private key and Public Key (상위와 key.pem 동일)
$ openssl ecparam -genkey -name prime256v1 -noout -out private.pem //새로 생성하고 할 경우, 나는 상위 key.pem 복사

$ cat private.pem  //기존의 key.pem 과 동일 
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFcRnrEHSiO6Xy47Pu8RdAAg4OgwkR67QLPppNO4uKAGoAoGCCqGSM49
AwEHoUQDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupmVx7XQJJvT6hWockHM6kjWGCm
AMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END EC PRIVATE KEY-----

$ openssl ec -in private.pem -text -pubout   //상위 key.pem 과 동일하며, Sign/Verify 테스트  
read EC key
Private-Key: (256 bit)
priv:
    57:11:9e:b1:07:4a:23:ba:5f:2e:3b:3e:ef:11:74:      //ECC Private Key 256bit (32bytes)
    00:20:e0:e8:30:91:1e:bb:40:b3:e9:a4:d3:b8:b8:
    a0:06
pub:      //Prefix(0x04) and Pair of Coordinates (X,Y)   RFC5480 2.2 Subject Public Key 참조 0x04 uncompressed  
    04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:        //ECC Public Key X (32bytes)
    36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
    56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:        //ECC Public Key Y (32bytes)
    d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:
    29:8d:41:d4:e0
ASN1 OID: prime256v1
NIST CURVE: P-256
writing EC key
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupm
Vx7XQJJvT6hWockHM6kjWGCmAMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END PUBLIC KEY-----

  • Private Key에서 Public Key만 추출
// Save public key (Public Key 추출)
$ openssl ec -in private.pem -pubout -out public.pem   //상위 private.pem 에서 public key만 추출

$ cat public.pem  
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupm
Vx7XQJJvT6hWockHM6kjWGCmAMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
-----END PUBLIC KEY-----

$ openssl asn1parse -in public.pem -dump //ECC Public key 확인완료 prefix: 0x04 coordinates (x,y) 
    0:d=0  hl=2 l=  89 cons: SEQUENCE
    2:d=1  hl=2 l=  19 cons: SEQUENCE
    4:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   13:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   23:d=1  hl=2 l=  66 prim: BIT STRING
      0000 - 00 04 02 3a 11 92 d3 cf-64 20 44 77 a4 e2 53 f8   ...:....d Dw..S.       //Public Key X (32bytes)
      0010 - 36 bb ea a0 92 ea 66 57-1e d7 40 92 6f 4f a8 56   6.....fW..@.oO.V
      0020 - a1 c9 07 33 a9 23 58 60-a6 00 c3 2d 5b f4 d0 ef   ...3.#X`...-[...       //Public Key Y (32bytes) 
      0030 - 39 68 ae e3 9e e7 66 0d-46 0c 5e f2 f3 29 8d 41   9h....f.F.^..).A
      0040 - d4 e0


  • Hash를 이용하여 Signature 생성(Private Key) 및 검증(Public Key)방법 
Signature 의 역할은 아래와 간단히 Public Key로 검증하기 위해서 필요하다.
이 부분은 아래의 CA의 구조 및 역할을 보면 다시 이해 가능

준비사항
  1. private.pem 
  2. public.pem
  3. yourinputdocument : Test File 

SHA-256 Hash 
  https://ko.wikipedia.org/wiki/SHA



Sample Data 생성하여 TEST하며, Certificate의 Signature의 원리파악을 해보자

1. TEST DATA or TEXT 생성 

Sample Data 생성하여 TEST하며, Certificate의 Signature일 경우 Certificate 정보
$ vi yourinputdocument      // 1. TEST DATA 생성
Hellow World !!!!
or 
$ cat >  yourinputdocument
Hellow World !!!!

    2. Private Key 기반으로 Signature 생성 
    1. TEST DATA를 SHA256로 Hash를 이용
    2. 상위에서 생성된 Hash를  Private Key 기반으로 Sign을 하여 Signature를 생성
    Sign something: ECDSA의 Private Key를 이용하여 Sign 를 진행하여 yourinput.sha256 Signature 생성
    $ openssl dgst -sha256 -sign private.pem -out yourinput.sha256 yourinputdocument  // SHA256기반으로 Sign 
    

    3. 생성된 Signature(yourinput.sha256) 확인

    생성된 Signature File의 크기 및 구조파악하며 256(32byte) 가 아니며, 72bytes (Certificate의 Signature 와 동일)
    $ hd yourinput.sha256  // 상위에서 생성된 결과 (Signature) 를 확인 (TEST DATA의 크기를 늘려도 크기는 동일) 
    or
    $ xxd yourinput.sha256
    or
    $ hexdump yourinput.sha256  //아래의 값은 상위 2.Signature를 생성될때마다 매번 값이 변경됨 
    0000000 4430 2002 0c3b 1c15 537f 1297 6ac7 575c
    0000010 a62a d386 0a3d 3973 aa69 a750 5ffd 1198
    0000020 b1dd 30b2 2002 5e55 236b 1188 eea8 6719
    0000030 b507 37d2 272e d84a ced1 91fc 59cb 6e9b
    0000040 2adc a97d b373
    0000046
    


    4. Signature를 Public Key로 검증(Verification) 

    To verify: Public Key를 이용하여 yourinput.sha256 Signature로 이를 검증
    $ openssl dgst -sha256 -verify public.pem -signature yourinput.sha256 yourinputdocument
    Verified OK


    OpenSSL dgst
      https://www.openssl.org/docs/man1.1.0/man1/openssl-dgst.html

    Digital Signature Algorithm 
     Public Key 와 Private Key 기반으로 상위와 같이 구성
      https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
      https://cryptobook.nakov.com/digital-signatures

    • Web Site에서 직접 확인방법
    상위내용을 쉽게 Web에서  Sign/Verification 을 쉽게 확인가능 
    1. EC Private Key 와 EC Public Key Hex 생성 
    2. Data에서 Signature Algorithm (SHA256 with ECDSA) 를 이용하여 Signature Value생성
    3. Signature Value(Hash Checksum)기반으로 Data 검증완료  
      https://kjur.github.io/jsrsasign/sample/sample-ecdsa.html

    • ECDSA 의 Signature 관련부분 (Data 검증부분) 
    openssl dgst 을 이용하여 Signature 기능검증
      https://superuser.com/questions/737574/openssl-ecdsa-sign-and-verify-file
      https://medium.com/@skloesch/openssl-and-ecdsa-signatures-db60c005b1f4
      https://superuser.com/questions/1258478/how-to-get-ecsda-with-p-256-and-sha256-in-openssl



    2.3 ECDSA 기반의 Certificate 분석 

    이미 위에서 ECDSA의 Private Key/Public Key 기반으로 Certificate 생성했지만, 이를 분석하기 위해서 아래와 같이 다시 생성 후 이를 분석

    • ECDSA 기반의 Certificate 생성 
    // 상위에서 생긴 key.pem 기반으로 X.509로 Certificate 생성 
    $ openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem 
    

    openssl req manual
    https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html

    • ECDSA 기반의 Certificate 분석 
    상위에서 생성된 TEST Certificate를 전체세부분석해보도록 하자. 
    Private Key는 이곳에 저장하지 못하며, Public Key를 이곳에 저장한다.
    $ openssl x509 -in cert.pem -noout -text  // 상위 Certifacte 전체 분석 
    Certificate:
        Data:
            Version: 3 (0x2)    // 인증서 Version
            Serial Number:    // 인증서 Serial Number로 Unique하며, 매번 CA 생성시마다 다르며, 최대 20bytes 
                14:ad:af:2e:18:63:68:60:8e:36:be:05:99:66:b2:e6:da:b7:0d:8c
            Signature Algorithm: ecdsa-with-SHA256                      // 인증서 Signature Alogirthm ECDSA 와 SHA256 (아래 값이 나옴) 
            Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
            Validity                                  // 인증서 유효기간 (1년) 
                Not Before: Jul  6 13:34:08 2020 GMT
                Not After : Jul  6 13:34:08 2021 GMT
            Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)        //256bit (32bytes)  상위 key.pem 부분과 동일(상위 key.pem 의 Public Key 만 사용) 
                    pub:
                        04:02:3a:11:92:d3:cf:64:20:44:77:a4:e2:53:f8:   //Public Key X (32bytes) 상위와 동일
                        36:bb:ea:a0:92:ea:66:57:1e:d7:40:92:6f:4f:a8:
                        56:a1:c9:07:33:a9:23:58:60:a6:00:c3:2d:5b:f4:
                        d0:ef:39:68:ae:e3:9e:e7:66:0d:46:0c:5e:f2:f3:  //Public Key Y (32bytes) 상위와 동일 
                        29:8d:41:d4:e0
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Subject Key Identifier:  // 상위 Pubic Key의 SHA1 값 (아래에서 확인)   
                    1A:2B:F7:8D:87:A4:E7:35:2E:05:92:C8:60:69:F8:C7:7E:F5:46:FB
                X509v3 Authority Key Identifier: // Subject Key Identifier 와 Authority Key Identifier 동일값 
                    keyid:1A:2B:F7:8D:87:A4:E7:35:2E:05:92:C8:60:69:F8:C7:7E:F5:46:FB
    
                X509v3 Basic Constraints: critical  // CA True 이면, Digital Signature 가 아님, 이부분 아래다시 설명 
                    CA:TRUE
        Signature Algorithm: ecdsa-with-SHA256    //72byte , Signature로   생성될때마다 다르며, Public Key로 검증 
             30:46:02:21:00:fd:39:0d:c0:cf:72:8c:9d:81:c3:0c:65:0d:
             21:50:ac:54:9b:e1:ca:2f:f8:f3:e6:5d:62:36:41:ae:79:57:
             20:02:21:00:fc:ef:4e:4a:14:30:0c:5c:a6:96:bb:1c:23:8c:
             1c:ba:f0:1b:fa:04:32:ad:c9:3c:45:d3:bc:f6:14:01:be:e5
    


    Subject Key Identifier(SHA1)
    //Public Key
    04023a1192d3cf64204477a4e253f836bbeaa092ea66571ed740926f4fa856a1c90733a9235860a600c32d5bf4d0ef3968aee39ee7660d460c5ef2f3298d41d4e0
    //Subject Key Identifier
    1a2bf78d87a4e7352e0592c86069f8c77ef546fb
    SHA1 ,Input Type: TEXT->HEX사용


    • ECDSA X.509 세부분석 

    $ openssl x509 -in cert.pem -noout -dates  // 날짜 분석 
    notBefore=Jul  6 13:34:08 2020 GMT
    notAfter=Jul  6 13:34:08 2021 GMT
    
    $ openssl x509 -in cert.pem -noout -pubkey  // 상위 PublicKey Base64 Encode
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAjoRktPPZCBEd6TiU/g2u+qgkupm
    Vx7XQJJvT6hWockHM6kjWGCmAMMtW/TQ7zloruOe52YNRgxe8vMpjUHU4A==
    -----END PUBLIC KEY-----
    
    $ openssl asn1parse -in cert.pem   //ASN.1 Decode 
        0:d=0  hl=4 l= 480 cons: SEQUENCE          
        4:d=1  hl=4 l= 389 cons: SEQUENCE          
        8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
       10:d=3  hl=2 l=   1 prim: INTEGER           :02
       13:d=2  hl=2 l=  20 prim: INTEGER           :14ADAF2E186368608E36BE059966B2E6DAB70D8C
       35:d=2  hl=2 l=  10 cons: SEQUENCE          
       37:d=3  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
       47:d=2  hl=2 l=  69 cons: SEQUENCE          
       49:d=3  hl=2 l=  11 cons: SET               
       51:d=4  hl=2 l=   9 cons: SEQUENCE          
       53:d=5  hl=2 l=   3 prim: OBJECT            :countryName
       58:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
       62:d=3  hl=2 l=  19 cons: SET               
       64:d=4  hl=2 l=  17 cons: SEQUENCE          
       66:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
       71:d=5  hl=2 l=  10 prim: UTF8STRING        :Some-State
       83:d=3  hl=2 l=  33 cons: SET               
       85:d=4  hl=2 l=  31 cons: SEQUENCE          
       87:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
       92:d=5  hl=2 l=  24 prim: UTF8STRING        :Internet Widgits Pty Ltd
      118:d=2  hl=2 l=  30 cons: SEQUENCE          
      120:d=3  hl=2 l=  13 prim: UTCTIME           :200706133408Z
      135:d=3  hl=2 l=  13 prim: UTCTIME           :210706133408Z
      150:d=2  hl=2 l=  69 cons: SEQUENCE          
      152:d=3  hl=2 l=  11 cons: SET               
      154:d=4  hl=2 l=   9 cons: SEQUENCE          
      156:d=5  hl=2 l=   3 prim: OBJECT            :countryName
      161:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
      165:d=3  hl=2 l=  19 cons: SET               
      167:d=4  hl=2 l=  17 cons: SEQUENCE          
      169:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
      174:d=5  hl=2 l=  10 prim: UTF8STRING        :Some-State
      186:d=3  hl=2 l=  33 cons: SET               
      188:d=4  hl=2 l=  31 cons: SEQUENCE          
      190:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
      195:d=5  hl=2 l=  24 prim: UTF8STRING        :Internet Widgits Pty Ltd
      221:d=2  hl=2 l=  89 cons: SEQUENCE          
      223:d=3  hl=2 l=  19 cons: SEQUENCE          
      225:d=4  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
      234:d=4  hl=2 l=   8 prim: OBJECT            :prime256v1
      244:d=3  hl=2 l=  66 prim: BIT STRING        
      312:d=2  hl=2 l=  83 cons: cont [ 3 ]        
      314:d=3  hl=2 l=  81 cons: SEQUENCE          
      316:d=4  hl=2 l=  29 cons: SEQUENCE          
      318:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
      323:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04141A2BF78D87A4E7352E0592C86069F8C77EF546FB
      347:d=4  hl=2 l=  31 cons: SEQUENCE          
      349:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
      354:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:301680141A2BF78D87A4E7352E0592C86069F8C77EF546FB
      380:d=4  hl=2 l=  15 cons: SEQUENCE          
      382:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
      387:d=5  hl=2 l=   1 prim: BOOLEAN           :255
      390:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
      397:d=1  hl=2 l=  10 cons: SEQUENCE          
      399:d=2  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
      409:d=1  hl=2 l=  73 prim: BIT STRING  
    


    OpenSSL 로 x509로 분석시 옵션
      https://www.openssl.org/docs/man1.0.2/man1/openssl-x509.html

    openssl asn1parse
      https://www.openssl.org/docs/manmaster/man1/openssl-asn1parse.html


    3. Certificate Authority 기본동작 


    • Certificate Authority 역할 및 동작 
    Certificate Authority 의 역할은 digital certificate을 발행하는 것이며, CA는 제 3자의 역할로 발행이 되어 인증이 되는 시스템으로 보인다.

    아래 그림처럼 CA는 Certificate를 검증하고, CA의 Private Key로 Encryption 하여 나오는 Digital Signature를 Digital Certificate에 추가하여 발행


    1. 좌측: CA의 의해 Digital Certificate 발행 전  
    2. 우측: CA의 의해 Digital Certificate 발행 후  

    세부내용은 아래 wiki 참조 

    CA(Cerficate Authority)
      https://en.wikipedia.org/wiki/Certificate_authority

    Digital certificate 
       https://en.wikipedia.org/wiki/Public_key_certificate

    • RootCA / SubCA / Digital Signature Sign
    1. Layer 1:  Root CA로 Self로 Private Key로 Signature 생성  
    2. Layer 2:  Intermediate Certificate로 Layer 1의 Private Key로 Signature 생성  
    3. Layer 3:  End 유저가 사용 Layer 2에 Private Key로 Signature 생성  

    아래의 경우 3단계로 구성이 되어있지만, 글을 읽다보면, 다른 구성도 가능하며, 단계 역시  사용자가 사용하기 나름인 것 같다.
    하지만 기본구조를 보면 다음과 같기에 이를 알아두도록하자

    Signature 의 경우 CA의 Private Key를 이용하며, 이는 CA가 검증을 할 수 있도록 하는 기능을 하는 구조이며, 이 부분은 상위 Signature 사용방법을 보자


    1. Certificate 의 Issuer:  인증서 발급자 (Reference)
    2. Certificate 의 Subject: 현재 Certificate 소유자 
    3. Public Key의 역할은 Sign이 아니라 Verify용으로 검증 

    상위 Signature를 이해하면 아래 Sign/Verify를 쉽게 이해 
    https://en.wikipedia.org/wiki/Root_certificate

    세부내용은 아래링크 참조
      https://en.wikipedia.org/wiki/Root_certificate
      https://en.wikipedia.org/wiki/Certificate_authority
      https://en.wikipedia.org/wiki/Public_key_certificate


    3.1 ECDSA 기반의 CA 와 Certificate 생성 

    상위구조를 이해를 했으면, 나의 경우는 3단계의 구성이 아니라 간단하게 Root CA 와 End Certificate로 두 단계 구성으로 만들어 보자. 
    Root CA는 CA로 End Certificate는 Server로 아래와 같이 생성해보자 

    • ECDSA Private Key 생성 후 CA 생성준비 완료 
    상위 처럼 Private Key 다시 생성

    //GENERATING CERTIFICATE Authority 
    $ openssl ecparam -genkey -name prime256v1 -out ca.key
    $ cat ca.key
    -----BEGIN EC PARAMETERS-----
    BggqhkjOPQMBBw==
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIF54a1vqeHiIR3aMKOkBEgVMk/7w12OnO3s89Dq5rO6KoAoGCCqGSM49
    AwEHoUQDQgAEXbLvFW468tBNs6r6j8yInfZoTeCTKfdkRIS75r3lin6FGGfGhLml
    Z1oO5+nFqcmbEIHBTs5l327iCMuYPq8H8w==
    -----END EC PRIVATE KEY-----
    

    • CA(Certificate Authority) 생성완료 
    상위에서 만든 Private Key 기반으로 Certificate Authrity (Root CA) 생성, 10년 짜리로 CA를 X.509로 바로 생성을 한다 

    /*
    *Cerificate Authorities
      Country Name(C): KR
      State or Province Name(ST):SL
      Locality Name(L): Seoul
      Organization Name(O):Jeonghun  
      Organizational Unit Name(OU):JHLEE
      Common Name(CN):JeonghunCA
      Email Address:
    
    -subj "/C=KR/ST=SL/L=Seoul/O=Jeonghun/OU=JHLEE/CN=JeonghunCA"
    */
    
    $ openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt -subj "/C=KR/ST=SL/L=Seoul/O=Jeonghun/OU=JHLEE/CN=JeonghunCA"  
    $ cat ca.crt        //상위 생성시마다 값이 다르므로 동일값이 나올수 없다
    -----BEGIN CERTIFICATE-----
    MIICGTCCAb+gAwIBAgIUK+hYEK24Ewtrib+XxYcws14T+4gwCgYIKoZIzj0EAwIw
    YjELMAkGA1UEBhMCS1IxCzAJBgNVBAgMAlNMMQ4wDAYDVQQHDAVTZW91bDERMA8G
    A1UECgwISmVvbmdodW4xDjAMBgNVBAsMBUpITEVFMRMwEQYDVQQDDApKZW9uZ2h1
    bkNBMB4XDTIwMDcwNzA1NTI1MloXDTMwMDcwNTA1NTI1MlowYjELMAkGA1UEBhMC
    S1IxCzAJBgNVBAgMAlNMMQ4wDAYDVQQHDAVTZW91bDERMA8GA1UECgwISmVvbmdo
    dW4xDjAMBgNVBAsMBUpITEVFMRMwEQYDVQQDDApKZW9uZ2h1bkNBMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEXbLvFW468tBNs6r6j8yInfZoTeCTKfdkRIS75r3l
    in6FGGfGhLmlZ1oO5+nFqcmbEIHBTs5l327iCMuYPq8H86NTMFEwHQYDVR0OBBYE
    FPHSACWs/mXd/PG3IYPEkKn7NTKrMB8GA1UdIwQYMBaAFPHSACWs/mXd/PG3IYPE
    kKn7NTKrMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgRJsRlghF
    X7qOod/JlqoKiHuQY0jMuldlbz7W/jGEXPQCIQDxoj/CXkDllYDLy1OM7jLSyTOF
    hKdgqMjWIUWw2Ui3Mg==
    -----END CERTIFICATE-----
    



    • Server CSR 생성완료
    ECDSA로 Private Key 기반으로 Server Certificate Signing Request로 상위와 비슷하게 생성을 해보자.
    CSR(Certificate Signing Request)는 아직 X.509로 Certificate가 아니며 Request 상태
    현재 상위 CA와 Server CSR 는 Reference 상태가 아님

    //CREATING A ECDSA CSR(certificate signing request)
    $ openssl ecparam -genkey -name prime256v1 -out server.key
    $ cat server.key
    -----BEGIN EC PARAMETERS-----
    BggqhkjOPQMBBw==
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIC6SklucSfbgPAn+UI6u2bIHdotXOofYam/nqM18R2l6oAoGCCqGSM49
    AwEHoUQDQgAEWnx+hVyhasx53hxJ5cWbdde08ZCPvbvdGjIX/RWif1S9ZZ2ZtUGU
    B592OyuheBVQS6rQZdIgQVIE/QmORQDDOA==
    -----END EC PRIVATE KEY-----
    
    // -subj "/C=KR/ST=SL/L=Seoul/O=Jeonghun/OU=JHLEE/CN=ServerCert" 
    $ openssl req -new -SHA256 -key server.key -nodes -out server.csr -subj "/C=KR/ST=SL/L=Seoul/O=Jeonghun/OU=JHLEE/CN=ServerCert"
    $ cat server.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBHjCBxAIBADBiMQswCQYDVQQGEwJLUjELMAkGA1UECAwCU0wxDjAMBgNVBAcM
    BVNlb3VsMREwDwYDVQQKDAhKZW9uZ2h1bjEOMAwGA1UECwwFSkhMRUUxEzARBgNV
    BAMMClNlcnZlckNlcnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARafH6FXKFq
    zHneHEnlxZt117TxkI+9u90aMhf9FaJ/VL1lnZm1QZQHn3Y7K6F4FVBLqtBl0iBB
    UgT9CY5FAMM4oAAwCgYIKoZIzj0EAwIDSQAwRgIhANK/U6C2NNPFvTTnBqb83wX0
    b8xMxIYqrcyS9Qq6tCzAAiEAtVGTBPKLMtu2zYNqd/lO6n1AJq+6tZFkt7RR42L8
    oVY=
    -----END CERTIFICATE REQUEST-----
    

    • Server CSR(Certificate Sigining Request) 분석 

    /* 생성된 CSR 분석 , Certificate가 아님 
    - 아직 X.509 Format 이 아님 
    - 아직 Serial Number 와 Validity 가 없음 
    */ 
    $ openssl req -in server.csr -noout -text 
    Certificate Request:
        Data:
            Version: 1 (0x0)
            Subject: C = KR, ST = SL, L = Seoul, O = Jeonghun, OU = JHLEE, CN = ServerCert
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:5a:7c:7e:85:5c:a1:6a:cc:79:de:1c:49:e5:c5:
                        9b:75:d7:b4:f1:90:8f:bd:bb:dd:1a:32:17:fd:15:
                        a2:7f:54:bd:65:9d:99:b5:41:94:07:9f:76:3b:2b:
                        a1:78:15:50:4b:aa:d0:65:d2:20:41:52:04:fd:09:
                        8e:45:00:c3:38
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            Attributes:
                a0:00
        Signature Algorithm: ecdsa-with-SHA256            /* Server Certificate 생성때 다시 변경됨 */ 
             30:46:02:21:00:d2:bf:53:a0:b6:34:d3:c5:bd:34:e7:06:a6:
             fc:df:05:f4:6f:cc:4c:c4:86:2a:ad:cc:92:f5:0a:ba:b4:2c:
             c0:02:21:00:b5:51:93:04:f2:8b:32:db:b6:cd:83:6a:77:f9:
             4e:ea:7d:40:26:af:ba:b5:91:64:b7:b4:51:e3:62:fc:a1:56
    
    

    openssl req manual
       https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html

    • Server CSR의 확장정보변경준비  
    $ vi v3.ext   // CSR의 추가 확장정보 (CA: FALSE 와 digitalSignature)  
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = ahyuo79.blogspot.com
    

    X.509 확장정보는 아래 참조
      https://en.wikipedia.org/wiki/X.509#Extensions_informing_a_specific_usage_of_a_certificate
      https://en.wikipedia.org/wiki/X.509


    • Server Certificate 최종생성
    상위 CA 기반으로  Server CSR를 이용하여 Server Certificate (X.509) 생성완료 (CA Reference)


     // CA기반으로 server.crt 발행(issue) 
    /* 
      -CA filename    : CA filename  
      -CAkey filename : CA private key를 Sign을 하기 위해서 사용
      -CAcreateserial : CA serial file이 존재하지 않는다면 자동생성한 후 CA 02로 되고, CA에 의해 발행된 Certificate는 1을 가짐
    
    --------  기타 옵션 세부사항은 아래링크 참조
      or 
      -CAserial filename : 본인이 직접 넣어 사용 
      -set_serial n : -CA와 함께사용하며, 직접 n번째 Sign
      -CAform DER|PEM|P12 : 현재 PEM으로 default  
    */
     
    $ openssl x509 -req -SHA256 -extfile v3.ext -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
    



    3.2 ECDSA 기반의 CA 와 Certificate 분석

    상위 3.1에서 생성된 CA와 Server Certificate 세부적으로 분석해보자 

    반드시 상위 3.1에서 CA 와 Server Certificate 생성 후 분석 진행 

    • Server Certificate 세부분석 전 알아야 할 사항  
    두 인증서를 분석을 해보면, Signature의 경우 Public Key로 구성하며, Issuer의 CN을 보면 Reference를 알 수 있으므로, 이름 및 다른 값을 반드시 정해야겠음

    1. Authority Key Identifier: JeonghunCA의 Public Key Hash Value이며 CA의 Subject Key Id와 동일 
    2. Subject Key Identifier:  CA와 다르게 존재하지 않음 
    3. Basic Constraints: CA 인지 아닌지 구분
    4. Key Usage: 주 목적은 Certificate의 Public Key의 사용용도의 허용기능
      1. Digital Signature: Digital Signature를 검증하기 위해서 사용이라는데, 이해가 안감
      2. Non Repudiation: 추후 이해하도록함
      3. Key Encipherment
      4. Data Encipherment

    - RFC5280의 세부내용 

    Key Usage (아래 X.509 분석부분과 같이 확인)

      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
     
    Subject Alternative Name (아래 X.509 분석부분과 같이 확인)
      https://tools.ietf.org/html/rfc5280#section-4.2.1.6


    • Server Certificate 세부분석 
    아래의 CA 세부분석과 같이 비교해보면 분석을 해야하며, Certificate 의 Public Key 부분은 상위에 너무 많이 설명해서 생략 
    $ openssl pkey -in server.key -noout -text  // server.key 분석 
    Private-Key: (256 bit)
    priv:
        2e:92:92:5b:9c:49:f6:e0:3c:09:fe:50:8e:ae:d9:
        b2:07:76:8b:57:3a:87:d8:6a:6f:e7:a8:cd:7c:47:
        69:7a
    pub:
        04:5a:7c:7e:85:5c:a1:6a:cc:79:de:1c:49:e5:c5:
        9b:75:d7:b4:f1:90:8f:bd:bb:dd:1a:32:17:fd:15:
        a2:7f:54:bd:65:9d:99:b5:41:94:07:9f:76:3b:2b:
        a1:78:15:50:4b:aa:d0:65:d2:20:41:52:04:fd:09:
        8e:45:00:c3:38
    ASN1 OID: prime256v1
    NIST CURVE: P-256
    
    /* 
    CA가 완전 동일하더라도, 
    매번 Server Certificate가 생성될 때마다 Validity 가 변경 될 것이며, 
    Serial Number도 Unique 하도록 설정되어 다르므로, 
    Signature Algorithm 의 (signatureValue)값 역시 Server Certificate 생성될때마다 자동 변경된다. 
    */
    
    $ openssl x509 -in server.crt -noout -text  // server.crt 분석 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: // Unique 해야하며 CA에 의해 할당되어진 값
                46:5d:19:4d:d3:40:43:9b:0b:2a:91:2e:55:f8:64:fe:d6:8f:9f:f3
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C = KR, ST = SL, L = Seoul, O = Jeonghun, OU = JHLEE, CN = JeonghunCA // 인증서 발급자 (Reference), 즉 CA 
            Validity  // 인증서 유효기간 (1년) 
                Not Before: Jul  7 06:01:52 2020 GMT
                Not After : Jul  7 06:01:52 2021 GMT
            Subject: C = KR, ST = SL, L = Seoul, O = Jeonghun, OU = JHLEE, CN = ServerCert // 인증서 소유자 
            Subject Public Key Info:         // 인증서 Public Key 정보 (server.key)
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:5a:7c:7e:85:5c:a1:6a:cc:79:de:1c:49:e5:c5:
                        9b:75:d7:b4:f1:90:8f:bd:bb:dd:1a:32:17:fd:15:
                        a2:7f:54:bd:65:9d:99:b5:41:94:07:9f:76:3b:2b:
                        a1:78:15:50:4b:aa:d0:65:d2:20:41:52:04:fd:09:
                        8e:45:00:c3:38
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:  // 상위 v3.ext 확인 
                X509v3 Authority Key Identifier:    //CA의 Subject Key Id 동일하며, Server의 Subject Key Id는 없음  
                    keyid:F1:D2:00:25:AC:FE:65:DD:FC:F1:B7:21:83:C4:90:A9:FB:35:32:AB
    
                X509v3 Basic Constraints:      // CA:FALSE 로 CA가 아니며 Digital Signature 용 사용
                    CA:FALSE
                X509v3 Key Usage:          //Digital Signature용 
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Subject Alternative Name:  //Digital Signature용 DNS에 website 주소 입력
                    DNS:ahyuo79.blogspot.com
        Signature Algorithm: ecdsa-with-SHA256  // Certificate를 생성마다 값이 변경되며, 이값을 변경주는 요소 (Validity와 Serial Number 예상)
             30:45:02:21:00:e9:ae:29:05:fa:ef:a6:8c:c8:25:06:33:e3:
             47:9b:20:34:19:45:18:fa:45:62:f8:91:4b:3f:0c:7e:35:23:
             ed:02:20:12:d1:84:72:99:bd:ba:bd:c0:cb:b8:78:86:65:2c:
             9f:74:0b:0c:bf:a6:b9:20:8d:9d:78:99:f3:8e:cc:b5:82
    
    
    
    $ openssl asn1parse -in server.crt  //ASN.1으로 분석가능 (너무길어서 생략)
    $ openssl asn1parse -in server.crt -dump  //ASN.1 BIT STRING도 보고 싶다면 
    


    • CA(Certificate Authorities)  세부분석 
    기본정보의 이해 
    1. Issuer:  인증서 발급자 
    2. Subject 인증서 실제 소유자
    Self Sign을 했으므로, 동시에 두개의 정보를 가지고 있음 
    1. Authority Key Identifier: 인증서 발급자 (Issuer) Public Key Hash Value
    2. Subject Key Identifier: 인증서 소유자 Public Key Hash Value
    3. Basic Constraints : CA 인지 아닌지 구분

    $ openssl pkey -in ca.key -noout -text  // ca.key 분석 
    Private-Key: (256 bit)
    priv:
        5e:78:6b:5b:ea:78:78:88:47:76:8c:28:e9:01:12:
        05:4c:93:fe:f0:d7:63:a7:3b:7b:3c:f4:3a:b9:ac:
        ee:8a
    pub:
        04:5d:b2:ef:15:6e:3a:f2:d0:4d:b3:aa:fa:8f:cc:
        88:9d:f6:68:4d:e0:93:29:f7:64:44:84:bb:e6:bd:
        e5:8a:7e:85:18:67:c6:84:b9:a5:67:5a:0e:e7:e9:
        c5:a9:c9:9b:10:81:c1:4e:ce:65:df:6e:e2:08:cb:
        98:3e:af:07:f3
    ASN1 OID: prime256v1
    NIST CURVE: P-256
    
    $ openssl x509 -in ca.crt -noout -text  // ca.crt 분석 
    Certificate:
        Data:
            Version: 3 (0x2)       // 인증서 Version 
            Serial Number:     // 인증서 Serial Number로 Unique하며, 매번 CA 생성시마다 다르며, 최대 20bytes 
                2b:e8:58:10:ad:b8:13:0b:6b:89:bf:97:c5:87:30:b3:5e:13:fb:88
            Signature Algorithm: ecdsa-with-SHA256               // 인증서 Signature Alogirthm 
            Issuer: C = KR, ST = SL, L = Seoul, O = Jeonghun, OU = JHLEE, CN = JeonghunCA  // 인증서 발급자 (Reference)
            Validity          // 인증서 유효기간 (10년) 
                Not Before: Jul  7 05:52:52 2020 GMT
                Not After : Jul  5 05:52:52 2030 GMT
            Subject: C = KR, ST = SL, L = Seoul, O = Jeonghun, OU = JHLEE, CN = JeonghunCA // 인증서 소유자,(발급자와 소유자 동일) 
            Subject Public Key Info:                   // 인증서 Public Key 정보 (ca.key) 
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)          // Publickey의 SHA1 Hash값으로 아래의 확장의 Subject Key Identifier 적용  
                    pub:                           // ca.key가 동일하며 , Public Key와 Subject Key Identifier는 항상동일  
                        04:5d:b2:ef:15:6e:3a:f2:d0:4d:b3:aa:fa:8f:cc:
                        88:9d:f6:68:4d:e0:93:29:f7:64:44:84:bb:e6:bd:
                        e5:8a:7e:85:18:67:c6:84:b9:a5:67:5a:0e:e7:e9:
                        c5:a9:c9:9b:10:81:c1:4e:ce:65:df:6e:e2:08:cb:
                        98:3e:af:07:f3
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:       // 인증서 확장
                X509v3 Subject Key Identifier:      // 상위 Public Key의 SHA1 Hash값(20bytes)며, 상위 server.crt 의 Authority Key Id 적용 
                    F1:D2:00:25:AC:FE:65:DD:FC:F1:B7:21:83:C4:90:A9:FB:35:32:AB
                X509v3 Authority Key Identifier:   // Self Sign이므로 Subject Key Id 와 동일 
                    keyid:F1:D2:00:25:AC:FE:65:DD:FC:F1:B7:21:83:C4:90:A9:FB:35:32:AB
    
                X509v3 Basic Constraints: critical           // 인증서 CA TRUE
                    CA:TRUE
        Signature Algorithm: ecdsa-with-SHA256              // 인증서 Signature Value (SHA256 적용후 ECDSA 적용)
             30:45:02:20:44:9b:11:96:08:45:5f:ba:8e:a1:df:c9:96:aa:
             0a:88:7b:90:63:48:cc:ba:57:65:6f:3e:d6:fe:31:84:5c:f4:
             02:21:00:f1:a2:3f:c2:5e:40:e5:95:80:cb:cb:53:8c:ee:32:
             d2:c9:33:85:84:a7:60:a8:c8:d6:21:45:b0:d9:48:b7:32
    
    $ openssl asn1parse -in ca.crt  //ASN.1으로 분석가능 (너무길어서 생략)
    
    $ openssl asn1parse -in ca.crt -dump  //ASN.1 BIT STRING도 보고 싶다면 
    


    • CA의 세부사항 확인
     Subject Key Identifier 값 확인방법 
    //상위 ca.crt의 Public-Key: (256 bit) 값  65(1+32+32) Bytes 
    // 상위 ca.crt의 Public-Key 부분을 ":"로 제거하여 아래와 같이 정리
    045db2ef156e3af2d04db3aafa8fcc889df6684de09329f7644484bbe6bde58a7e851867c684b9a5675a0ee7e9c5a9c99b1081c14ece65df6ee208cb983eaf07f3
    
    // 아래 사이트에서 SHA1 Hash 값을 상위 값으로 적용하면 ca.crt의 Subject Key Identifier 와 동일 
    //ca.crt의 Subject Key Identifier:  Public Key 65 bytes SHA1 Hash Value (20bytes, 160bit) 
    f1d20025acfe65ddfcf1b72183c490a9fb3532ab

    SHA1 Hash (상위값 적용하면 동일,주의 Input Type: TEXT->HEX사용 )


    • CA의 세부항목: Signature Algorithm 의 Signature Value 
    SHA256를 적용후 256bit가 나온 결과를 ECDSA를 적용하면, R과 S는 나온다고 함 




    • CA의 Signature 테스트 방법
    1. CA에서 Public Key 만 추출 
    2. CA의 Private Key 기반으로 Signature 생성 
    3. CA의 Public Key로 검증 

    상위 2.2 에서 설명한 Certificate Signature 테스트 한 부분과 동일하며 이를 실제로 Server Certificate에서 적용하여 테스트


    OpenSSL 를 이용한 인증서의 Signature 테스트
    // CA(ca.crt)에서 Public Key 만 추출
    $ openssl x509 -pubkey -noout -in ca.crt > ca_pubkey.pem
    
    //CA의 Private Key를 이용하여 Sign하여 Signature 생성(sigfile)
    $ openssl dgst -sha256 -sign ca.key -out sigfile  server.crt
    
    //간단히 Signature file확인  (실제 인증서 Signature Value 다르며, 상위 에서 생성될때마다 아래의 값이 다름) 
    $ hd sigfile 
    or
    $ hexdump sigfile   
    
    //CA의 Public Key(ca_pubkey.pem) 와 Signature(sigfile) 이용하여 간단히 server.crt 검증  
    $ openssl dgst -verify ca_pubkey.pem -signature sigfile server.crt
    Verified OK


    ECDSA Encrypt/Decrypt 예제 


    • 관련참고링크사항

    openssl x509 manual
      https://www.openssl.org/docs/manmaster/man1/openssl-x509.html

    openssl asn1parse
      https://www.openssl.org/docs/manmaster/man1/openssl-asn1parse.html

    X.509 기본구조
      https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate

    ECDSA 기반의 CA 와 Certificate 생성방법
      https://www.erianna.com/ecdsa-certificate-authorities-and-certificates-with-openssl/

    3/12/2020

    암호화 개념 과 Cipher Suite

    1.  암호화 개념 

    기본 암호화 구조와 대칭키/비대칭키 개념 과  Cipher Suite 과 이를 이용한 TLS/DTLS의 기본에 대해 알아보도록 하자 

    SSL/TLS의 기본자료 및 지원사항 확인 

    암호화를 하는 방법에서 보면 기본구조는 다음과 같이 두 개의 기본구조로 구성이 되어지는 것 같다. 
    1. 대칭키 구조:  1개의 Key를 사용하여 Encryption/Decrytion 을 진행 
      • 동일한 Key를 가지고 Encryption하고 Decrytion을 진행하며, 주로 Blocker Cipher이용되어짐 
    2. 비대칭키 구조: 2개의 Key를 사용하여  Encryption/Decrytion 을 진행 
      • Public Key 와 Private Key로 Encryption과 Decrytion 할때 각각 다르게 사용


    1.1 대칭키의 기본개념

    • 대칭키(Symmetric Key) 구조
    말그대로, 대칭으로 단일 Key 구성으로 Encode 와 Decode를 함께 진행 할 수 있는 암호화 방식이다. 
    조금 쉽게 생각하고자하면, 자료구조에서 배운 Hash 기반으로 암호화구성도 가능하다. 
    그래서 구조가 간단하고 이해하기도 쉽다.

    대칭키 

    • 대칭키의 대표적인 예 
    1. Stream cipher(RC4) 
    2. Block cipher (RC5, AES)

    • Stream Cipher
    Block Cipher와 큰 차이점을 잘 모르겠으나, RC4는 Stream Cipher지만 RC5는 Block Cipher되는 것으로 보아 
    알고리즘사용이 점차 Block Cipher쪽으로 변해가는 것 같으며, 생각해보면, 사용처가 비슷하다.

    • Block Cipher
    현재 가장 많이 사용되는 것이 AES 으로 보이며 대칭키로 암호화 하는 방식인데, 현재 알고리즘에따라 조금씩 다르지만, 주로 128/198/256기반으로 사용되어진다. 
    TLS 내부에서는 주로 보내는 Message를 Encode을 하는 역할인데, 이때 Block Chain 형식처럼 순환구조로 연결하여 주로 사용하는 구조이다. 

    Block Cipher의 역사 및 관련내용들이 자세히 기술되어있음 

    DES(Data Encryption Standard)
    현재 거의 사용하지 않는 것으로 보이며, 주로 AES 사용 
    AES(Advanced Encryption Standard)
    가장 많이사용되며, 이 기반으로 파생된 ARIA 이외에도 다양하다.(ARIA는 국내용으로 사용)
    현재 KCMVP는 ARIA를 적극적으로 밀고 있지만, 별로

    DES 와 AES 차이 
    DES 와 AES의 차이를 알아두도록 하고 파생 Block Cipher들은 다양하다.



    • MAC(Message Authentication Code)/Message Authentication
    Message Authentication Code로 Message 인증이라고 생각하면 될 꺼같다 
    Key 즉 Hash 함수에 특정 Key 값를 이용하여 Message 가 맞는지 검증하는 방식이다. 
    Openssl에서 흔히 digest라고 하며,  MD5 or SHA로 사용되어지며 Message 검증여부로 사용되어진다. 
    1. SENDER: 보낼 Message가 존재하고, Key/Hash함수에 Key 값을 넣어 MAC을 얻는다 
    2. RECEIVER: 받은 Message가 맞는지 검증을 위해서 MAC을 이용하여 검증한다  


      


    • Block/Stream Cipher 와 운영모드(ECB/CBC/CFB/OFB) 
    Block Cipher는 Data를 암호화하는 방법으로 Key 값 기반으로 암호화를 한다. 
    TLS에서 실제 전송할 Data를 암호화(Encrpyt) 와 복호화(Decrypt)운영하는 방식이므로 다만 운영하는 방식이 다양하다.
    ECB/GCM/CBC/CFB/OFB 에 대해서는 아래링크를 보도록 하자.

    Block Cipher의 운영 세부내용은 아래 참조 
    그림과 같이 자세히 설명이 되어있어 아래 사이트들을 반드시 참조

    TLS에서 아래와 같이 사용하는 Block Cipher 와 사용하는 Bit 운영모드로 구분해서 명시한다.
    1. AES-128-ECB :  상위 사이트 참조 (구조가 너무 간단함)
    2. AES-128-GCM : 주로 이것을 권장하지만, 아직 완벽히 이해못함  (GMAC도 이해해야함)
    3. AES-128-CBC :  우선 기본개념을 위해 이것만 설명

    AES-128-CBC 동작 예 
    CBC(Cipher Block Chaining)을 보면, Block Chain 기술생각이 날 것이며, 이전 IV값을 모르면 안되니, 연속적으로 Data를 암호화하여 Chaning 가능하다    
    1. IV(initialzation Vector) : 암호화 하기전에, 넣는 Vector값으로 128bit 사용 
    2. Plaintext:  암호화 되기 전의 TEXT 128bit 기반으로 사용 
    3. Ciphertext:  IV XOR Plain Text Data를 AES로 암호화 된 TEXT 


    Encryption 기본개념 순서  
    1. Message 와 IV(initialzation Vector)    XOR연산 
    2. Cipher Table 통해 Encrypt 진행 
    3. 최종 Ciphered Message 

    Decryption 기본개념 순서  
    1. Ciphered Message 에, Decipher Table 통해 Decript 진행
    2. 나온 Decrypted Message 와 IV(initialzation Vector)    XOR연산 
    3. 최종 Message 확인 

    https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


    Encryption 순서 
    1. IV(initialzation Vector) 와 PlainText  128 Bit 단위로  XOR연산 진행
    2. 상위 결과 값 기반으로 AES 암호화가 진행 (Key 값은 128bit)
    3. AES-128 기반으로 Cipher Text 생성 
    4. AES-128 기반으로 new IV(initialzation Vector) 생성 
    https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


    Decryption 순서 
    1. AES-128기반 Cipher Text를 받음  
    2.  Key를 이용하여 Decrpyt 진행 (Key 값은 128bit) 와 new IV(initialzation Vector) 생성 
    3. 상위 Decrpyt 된 Text 와 IV(initialzation Vector) 128 Bit 단위로  XOR연산 진행
    4. Plain Text 생성 

    https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation



    MAC이 AEAD(Authenticated Encryption with Associated Data) 일 경우
    openssl ciphers -v 에서 MAC이 AEAD의 경우 
    상위 Block/Stream Cipher를 Data 암호화가 용도가 아닌 MAC 용도로 사용한다고 한다.  



    1.2 비대칭키(Public Key) 의 기본개념

    비대칭암호화(asymmetric cryptography)로라고 하며,  한번에 두 개의 Key를 각각 생성하여 Encryption 과 Decryption을  별도의 Key로 사용을 한다.

    양방향으로 통신을 할 경우 서로 Public Key를 교환을 한 후 상대방이 나의 Public Key로 Encoding 하면, 
    나의 경우 Encoding 된 Data를  Private Key로 Decode를 하면 이를 볼 수 있는 구조이다.

    • 비대칭키(Asymmetric Key)의 기본구조 
    1. Encryption 은 Public Key
    2. Decryption 은 Private Key

    • 양쪽 각자의 2개의 Key를 생성 
    1. Alice는 본인의 Public Key 와 Private Key를 생성
    2. Bob는 본인의 Public Key 와 Private Key를 생성

    • Bob 과 Alice가 암호화 비대칭키로 통신
    1. Bob 은 Alice 의 Public Key로 Encrypt를 하여 보내면, Alice는 Alice의 Private Key로 이를 Decrypt하여 Decoding 진행한다. 
    2. Alice와 Bob은 서로의 Public Key를 교환하고 각자 본인의 Private Key로 이를 Decoding 하여 통신하면 암호화되어 통신된다



    관련내용출처
      https://en.wikipedia.org/wiki/Public-key_cryptography


    • 비대칭(Public Key) 기반의 예 (키 교환방법)
    Diffie–Hellman key exchange 에서도 아래와 같이 이용이 된다고 하는데,  Combine Keys를 만들어 키 교환 알고리즘을 사용한다고 하는데, 
    이부분은 좀 더 이해가 필요할 것 같다. 




    • 비대칭(Public Key) 기반의 예 (인증서 Sign/Verify)
    Digital Signature에서보면, Alice의 Private Key 와 Public Key를 이용하여 Sign과 Verify를 진행을 한다. 


    RootCA 와 Certificate 의 기본구조 
    https://en.wikipedia.org/wiki/Root_certificate


    Digital Signature 의 구조 
      https://en.wikipedia.org/wiki/Digital_signature


    Public Key 기반으로 다양하게 사용이 되어지는데 아래와 같이 많은 예제들이 존재 

    Public Key Certificate 의 구조
      https://en.wikipedia.org/wiki/Public_key_certificate
      https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate


    1.2.1 Public-Key Cryptography Standards

    Public Key는 상위에서 언급했듯이 비대칭키이며, 이 관련 표준은 아래와 같다.
    이를 보통이해하기 위해서는 ITU-T 와 IETF 문서를 대충 이해할 수 있는 수준은 되어야한다.
    더불어, OpenSSL을 기본적으로 어느정도 사용을 할 줄 알아야 한다.

    PKCS(Public-Key Cryptography Standards)
    PKCS#1~15까지 존재하며, 각각의 숫자마다 해당하는 표준이 존재하며, 이부분 역시 OpenSSL 혹은 MbedTLS에 존재한다. 

    PKCS 알고있는 것들을 간략하게 소개하며 정리한다.
    우선 Public Keys는 비대칭 키이므로, Private Key가 존재하며, 이 관련내용을 숙지해야한다.
    그리고, 관련 표준내용확인, 그리고, Public Key 보관방법 과 통신을 할 경우의 문법필요 


    RSA 관련된 내용이지만, 현재 RSA는 거의 잘 사용되지 않는 방향으로 가는 것 같다.
    참고만 하고, ITU-T에서 ASN.1의 문법은 필수이다.

    TLS/DTLS에서 사용하는 Key 교환 알고리즘이며, 이는 TLS를 보면된다. 

    X.509v1 (Cefificate)에서 확장(Extended)되어 v3으로 사용하기 위해서 사용되어지는 것이다.
    역시, 이를 이해하기 위해서는 ASN.1는 필수 이며, OpenSSL을 이용하여 분석가능하다. 

    예를들면, TLS의 경우, 처음 Key 교환 후, 대칭키 AES 기반으로 Message를 주고 받는데,
    AES-128-ECB/기타 사용할 경우 ZERO Padding or PKCS7 Padding 방식으로 주로 Message 기반으로 통신에서 사용되어진다.
    이 부분은 추후 AES를 사용해보면 좀 자세히 알게 될 것 같다. 

    PKCS#8: Public-Key Cryptography Standards/Private-Key Information Syntax Standard
    Public-Key는 비대칭키 이므로, Private Key를 저장하는 표준으로 보통 Private Key는 PEM base64로 encoded 되어진다. 

    CSR이라고 하며, Cerficate를 요청하는 표준이라고 생각하면 되겠다. 

    PKCS#11: Cryptographic Token Interface 
    주로 Certificate , 즉 인증서를 보관하는 Interface이며,  Device에서 많이 사용되어진다. 
    Device는 이 PKCS11 Interface API를 통해 접근하도록하고, 철저히 암호화 한다.
    즉 Device 입장에서, 외부에 별도로 보관하는 방법으로 Interface 제공한다.
    이는 보안을 철저이 하고자 함이며, 이 보안을 걸쳐 TLS를 비롯하여, Secure Boot 이용한다.

    PKC#13Elliptic-curve cryptography Standard
    보통 ECC(Elliptic Curve Cryptography)라고 하며, RSA보다 이를 선호하는데, 
    이유는 암호화 속도와 저장공간이 줄어들어서라고 한다. 
    이 부분은 추후에 ECDSA를 자세히 분석하도록 하겠다. 


    2. SSL/TLS의 Cipher Suite

    TLS(Transport Layer Security)는 SSL(Secure Socket Layer) Protocol기반으로 TCP를 이용하여 암호화 하는 방식이며, UDP를 사용할 경우 DTLS라고 한다.
    기본적으로 신뢰할 수 없는 양쪽 통신에서 키 교환부터 인증 및 주고 받는 메시지 암호화까지 전부를 관리하는 통신기술이다. 
    그 중 Cipher Suite은 TLS에서 사용하는 암호화 구성을 나타내어주는 Set,즉 각 구성들을 리스트로 보여준다. 
    각 Device들은 이 정보를 기반으로 지원하는 Cipher Suite로 암호화 통신이 가능한지 쉽게 파악이 가능하다. 

    • SSL/TLS Cipher Suite 분석방법  
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS: TLS Protocol 사용 (TCP) 
    1. ECDHE:  Key 교환 알고리즘 
    2. RSA: Authentication으로 (handshake 중 양쪽 인증서 인증) 
    3. AES_128_GCM: AES 기반으로 128 bit Key 기반으로 GCM방식으로 운영 Block Cipher
    4. SHA256: message authentication으로 MAC(Message Authentication Code) 

    TLS 통신을 진행하게 되면, 통신하는 양쪽 서로 이 키 교환 후, 각 암호환 된 Message 주고 받고 이를 검증하는 시스템이다.  
    물론 TLS의 각 설정에 따라 다르겠지만, 그정도로 보안성이 높다고 할 수 있다. 
    그러므로, 여러 Protocol 접목되어 사용되어지고 있다. 

    Algorithms supported in TLS 1.0–1.2 cipher suites
    Key exchange/agreementAuthenticationBlock/stream ciphersMessage authentication
    RSARSARC4Hash-based MD5
    Diffie–HellmanDSATriple DESSHA hash function
    ECDHECDSAAES
    SRPIDEA
    PSKDES
    Camellia
    ChaCha20

    TLS은 아래의 순서대로 진행되기 때문에 항상 순서대로 이해하도록 하자 
    1. Key exchange/agreement: 대칭키 or 비대칭키 방식으로 TLS에서 각자의 Key를 교환알고리즘
    2. Authentication: 인증으로 Server/Client의 인증을 말한다. 
    3. Bulk encryption/Block/Stream/Ciphers: 대칭키알고리즘으로 실제 전송 DATA를 encryption
    4. MAC/Message Authentication: 전송 Data의 검증 및 인증 




    https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel


      
    Window의 Cipher Suite 확인 

    다양한 Cipher Suite 확인 
      https://www.jscape.com/blog/cipher-suites

    한글로 설명이 잘되어있어 쉽게이해 
      https://rsec.kr/?p=455
      https://run-it.tistory.com/30


    2.1 OpenSSL의 Block/Stream/MAC 테스트 

    주의해야 할 것은 각 Device 마다 지원되는사항이 다를 수 있으므로, 반드시 확인하도록 하자 

    • digest-command 와 cipher command  테스트 
    OpenSSL digest(MAC)cipher(Block/Stream Cipher) 관련 Command 확인 
    $ openssl list -help
    Usage: list [options]
    Valid options are:
     -help                   Display this summary
     -1                      List in one column
     -commands               List of standard commands
     -digest-commands        List of message digest commands
     -digest-algorithms      List of message digest algorithms
     -cipher-commands        List of cipher commands
     -cipher-algorithms      List of cipher algorithms
     -public-key-algorithms  List of public key algorithms
     -public-key-methods     List of public key methods
     -disabled               List of disabled features
     -missing-help           List missing detailed help strings
     -options val            List options for specified command
    
    $ openssl list -digest-commands   // 상위에서 설명한 MAC에 해당하는 알고리즘 
    blake2b512        blake2s256        gost              md4
    md5               mdc2              rmd160            sha1
    sha224            sha256            sha3-224          sha3-256
    sha3-384          sha3-512          sha384            sha512
    sha512-224        sha512-256        shake128          shake256
    sm3
    
    $ openssl list -cipher-commands   // 상위에서 설명한 Block/Stream Cipher와  이 기반의 운영방식
    aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
    aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
    aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
    aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
    aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
    aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
    aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
    bf                bf-cbc            bf-cfb            bf-ecb
    bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
    camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
    cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
    cast5-ofb         des               des-cbc           des-cfb
    des-ecb           des-ede           des-ede-cbc       des-ede-cfb
    des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
    des-ede3-ofb      des-ofb           des3              desx
    idea              idea-cbc          idea-cfb          idea-ecb
    idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
    rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
    rc4               rc4-40            seed              seed-cbc
    seed-cfb          seed-ecb          seed-ofb          sm4-cbc
    sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb
    
    $ openssl speed -help
    Usage: speed [options] ciphers...
    Valid options are:
     -help               Display this summary
     -evp val          Use EVP-named cipher or digest
     -decrypt            Time decryption instead of encryption (only EVP)
     -aead               Benchmark EVP-named AEAD cipher in TLS-like sequence
     -mb                 Enable (tls1>=1) multi-block mode on EVP-named cipher
     -mr                 Produce machine readable output
     -multi +int         Run benchmarks in parallel
     -async_jobs +int    Enable async mode and start specified number of jobs
     -rand val           Load the file(s) into the random number generator
     -writerand outfile  Write random data to the specified file
     -engine val         Use engine, possibly a hardware device
     -elapsed            Use wall-clock time instead of CPU user time as divisor
     -primes +int        Specify number of primes (for RSA only)
     -seconds +int       Run benchmarks for specified amount of seconds
     -bytes +int         Run [non-PKI] benchmarks on custom-sized buffer
     -misalign +int      Use specified offset to mis-align buffers
    

    OpenSSL 관련설명 및 함수
      https://www.openssl.org/docs/man1.0.2/man3/evp.html
      https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptInit.html

    • OpenSSL의 AES-128-CBC의 PC 처리속도 
    Laptop Ubuntun 3초 동안 Block Cipher 의 성능을 측정해보면, 매번 조금씩 다르지만, 평균값으로 계산 
    // 일반 Ubuntu PC 기반 테스트 - 확인사항  
    $ openssl speed -evp aes-128-cbc   // 3초동안 처리가능한 각 size 별 blocks 수 확인 
    Doing aes-128-cbc for 3s on 16 size blocks: 99970413 aes-128-cbc's in 3.00s   // 최종결과로 16 x 99970413 / 3s = 533,175,536 (533175.54k), 즉 bytes per second 변경 
    Doing aes-128-cbc for 3s on 64 size blocks: 29734079 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 7579414 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 1902764 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 238073 aes-128-cbc's in 3.00s
    OpenSSL 1.0.2g  1 Mar 2016
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    The 'numbers' are in 1000s of bytes per second processed.    // 1s동안 각 처리한 bytes 비교  
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     533175.54k   634327.02k   646776.66k   649476.78k   650098.01k
    
    $ openssl speed -evp aes-128-cbc  // 3초동안 처리가능한 각 size 별 blocks 수 확인 (상위와 비슷함) 
    Doing aes-128-cbc for 3s on 16 size blocks: 99909269 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 64 size blocks: 29840898 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 256 size blocks: 7580732 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 1024 size blocks: 1902763 aes-128-cbc's in 3.00s
    Doing aes-128-cbc for 3s on 8192 size blocks: 238123 aes-128-cbc's in 3.00s
    OpenSSL 1.0.2g  1 Mar 2016
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     532849.43k   636605.82k   646889.13k   649476.44k   650234.54k
    
    $ openssl speed aes-128-cbc  // -evp 옵션제거하면, 왜 많이 차이 나는지는 정확히 모르겠음  
    Doing aes-128 cbc for 3s on 16 size blocks: 18950418 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 5106208 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 256 size blocks: 1298409 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 1024 size blocks: 326887 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 40944 aes-128 cbc's in 3.00s
    OpenSSL 1.0.2g  1 Mar 2016
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    The 'numbers' are in 1000s of bytes per second processed.       // 1s동안 각 처리한 bytes 비교, 상위와 차이가 많이남  
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128 cbc     101068.90k   108932.44k   110797.57k   111577.43k   111804.42k
    
    $ openssl speed aes-128-cbc  // -evp 옵션제거하면, 오차도 심함  
    Doing aes-128 cbc for 3s on 16 size blocks: 16931056 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 5108214 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 256 size blocks: 1298789 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 1024 size blocks: 326969 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 40938 aes-128 cbc's in 3.00s
    OpenSSL 1.0.2g  1 Mar 2016
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
    compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    The 'numbers' are in 1000s of bytes per second processed.     // 1s동안 각 처리한 bytes 비교, 동일한 command인데 오차가 심함  
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128 cbc      90298.97k   108975.23k   110829.99k   111605.42k   111788.03k
    

    • OpenSSL의 AES-128-CBC의 ARM 처리속도 
    ARM기반의 AP에서 이를 측정하며, 상위 Laptop 기반과 비교해보면, 3초 측정이 잘 안지켜짐
    // ARM기반의 AP에서 OpenSSL에서 테스트 - 확인사항  
    $ openssl speed -evp aes-128-cbc    // 3초동안 처리가능한 각 size 별 blocks 수 확인(3초가 안지켜지는데, 다른 곳에서 OpenSSL를 사용 or CPU 사용문제) 
    Doing aes-128-cbc for 3s on 16 size blocks: 3853682 aes-128-cbc's in 2.85s  // 최종결과로 16 x 3853682 / 2.85s = 21,634,705.96491228 (21634.71k)
    Doing aes-128-cbc for 3s on 64 size blocks: 1144605 aes-128-cbc's in 2.85s
    Doing aes-128-cbc for 3s on 256 size blocks: 301595 aes-128-cbc's in 2.85s
    Doing aes-128-cbc for 3s on 1024 size blocks: 76442 aes-128-cbc's in 2.85s
    Doing aes-128-cbc for 3s on 8192 size blocks: 9572 aes-128-cbc's in 2.84s
    Doing aes-128-cbc for 3s on 16384 size blocks: 4753 aes-128-cbc's in 2.82s
    OpenSSL 1.1.1b  26 Feb 2019
    built on: Tue Oct 27 08:41:13 2020 UTC
    options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
    compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-cbc      21634.71k    25703.41k    27090.64k    27465.48k    27610.50k    27614.59k
    
    $ openssl speed -evp aes-128-cbc
    Doing aes-128-cbc for 3s on 16 size blocks: 3848965 aes-128-cbc's in 2.84s
    Doing aes-128-cbc for 3s on 64 size blocks: 1142228 aes-128-cbc's in 2.84s
    Doing aes-128-cbc for 3s on 256 size blocks: 301598 aes-128-cbc's in 2.85s
    Doing aes-128-cbc for 3s on 1024 size blocks: 76500 aes-128-cbc's in 2.85s
    Doing aes-128-cbc for 3s on 8192 size blocks: 9573 aes-128-cbc's in 2.84s
    Doing aes-128-cbc for 3s on 16384 size blocks: 4753 aes-128-cbc's in 2.83s
    OpenSSL 1.1.1b  26 Feb 2019
    built on: Tue Oct 27 08:41:13 2020 UTC
    options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
    compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128-cbc      21684.31k    25740.35k    27090.91k    27486.32k    27613.39k    27517.01k
    
    
    $ openssl speed aes-128-cbc
    Doing aes-128 cbc for 3s on 16 size blocks: 4524953 aes-128 cbc's in 2.85s
    Doing aes-128 cbc for 3s on 64 size blocks: 1192731 aes-128 cbc's in 2.82s
    Doing aes-128 cbc for 3s on 256 size blocks: 306092 aes-128 cbc's in 2.85s
    Doing aes-128 cbc for 3s on 1024 size blocks: 77040 aes-128 cbc's in 2.84s
    Doing aes-128 cbc for 3s on 8192 size blocks: 9592 aes-128 cbc's in 2.85s
    Doing aes-128 cbc for 3s on 16384 size blocks: 4766 aes-128 cbc's in 2.81s
    OpenSSL 1.1.1b  26 Feb 2019
    built on: Tue Oct 27 08:41:13 2020 UTC
    options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
    compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc      25403.24k    27069.07k    27494.58k    27777.80k    27571.11k    27788.66k
    
    $ openssl speed aes-128-cbc
    Doing aes-128 cbc for 3s on 16 size blocks: 4531171 aes-128 cbc's in 2.84s
    Doing aes-128 cbc for 3s on 64 size blocks: 1191326 aes-128 cbc's in 2.81s
    Doing aes-128 cbc for 3s on 256 size blocks: 305709 aes-128 cbc's in 2.83s
    Doing aes-128 cbc for 3s on 1024 size blocks: 77085 aes-128 cbc's in 2.86s
    Doing aes-128 cbc for 3s on 8192 size blocks: 9604 aes-128 cbc's in 2.85s
    Doing aes-128 cbc for 3s on 16384 size blocks: 4746 aes-128 cbc's in 2.80s
    OpenSSL 1.1.1b  26 Feb 2019
    built on: Tue Oct 27 08:41:13 2020 UTC
    options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
    compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc      25527.72k    27133.40k    27654.24k    27599.66k    27605.60k    27770.88k
    
    $ openssl speed aes-128-cbc  //동작중인 service 중지 후 실행하면, 3초가 거의지켜짐
    Doing aes-128 cbc for 3s on 16 size blocks: 4811433 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 64 size blocks: 1276776 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 256 size blocks: 326993 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 1024 size blocks: 82190 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 10266 aes-128 cbc's in 2.99s
    Doing aes-128 cbc for 3s on 16384 size blocks: 5148 aes-128 cbc's in 2.99s
    OpenSSL 1.1.1b  26 Feb 2019
    built on: Tue Oct 27 08:41:13 2020 UTC
    options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
    compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc      25746.80k    27328.98k    27996.73k    28054.19k    28126.78k    28208.97k
    
    

    • OpenSSL에서 두개의 처리 속도 
    OpenSSL에서 두 개 넣어 각각 처리속도 비교 (3초 와 10초)
    // 동시에 두개 테스트 진행하며, 뒤의 RSA의 경우는 별도의 옵션 존재 -primes , -seconds
    $ openssl speed aes-128-cbc rsa  
    Doing aes-128 cbc for 3s on 16 size blocks: 4738092 aes-128 cbc's in 2.94s
    Doing aes-128 cbc for 3s on 64 size blocks: 1252558 aes-128 cbc's in 2.95s
    Doing aes-128 cbc for 3s on 256 size blocks: 321331 aes-128 cbc's in 2.95s
    Doing aes-128 cbc for 3s on 1024 size blocks: 80812 aes-128 cbc's in 2.96s
    Doing aes-128 cbc for 3s on 8192 size blocks: 10086 aes-128 cbc's in 2.94s
    Doing aes-128 cbc for 3s on 16384 size blocks: 5040 aes-128 cbc's in 2.95s
    Doing 512 bits private rsa's for 10s: 11617 512 bits private RSA's in 9.75s
    Doing 512 bits public rsa's for 10s: 150175 512 bits public RSA's in 9.84s
    Doing 1024 bits private rsa's for 10s: 2323 1024 bits private RSA's in 9.75s
    Doing 1024 bits public rsa's for 10s: 53326 1024 bits public RSA's in 9.83s
    Doing 2048 bits private rsa's for 10s: 394 2048 bits private RSA's in 9.80s
    Doing 2048 bits public rsa's for 10s: 15840 2048 bits public RSA's in 9.82s
    Doing 3072 bits private rsa's for 10s: 137 3072 bits private RSA's in 9.87s
    Doing 3072 bits public rsa's for 10s: 7440 3072 bits public RSA's in 9.80s
    Doing 4096 bits private rsa's for 10s: 63 4096 bits private RSA's in 9.85s
    Doing 4096 bits public rsa's for 10s: 4308 4096 bits public RSA's in 9.80s
    Doing 7680 bits private rsa's for 10s: 11 7680 bits private RSA's in 10.04s
    Doing 7680 bits public rsa's for 10s: 1272 7680 bits public RSA's in 9.77s
    Doing 15360 bits private rsa's for 10s: 2 15360 bits private RSA's in 13.57s
    Doing 15360 bits public rsa's for 10s: 325 15360 bits public RSA's in 9.77s
    ......
    
    $ openssl speed aes-128-cbc rsa1024 // AES-128-CBC 와 RSA1024 속도 비교 
    Doing aes-128 cbc for 3s on 16 size blocks: 4741717 aes-128 cbc's in 2.94s
    Doing aes-128 cbc for 3s on 64 size blocks: 1251100 aes-128 cbc's in 2.94s
    Doing aes-128 cbc for 3s on 256 size blocks: 321063 aes-128 cbc's in 2.95s
    Doing aes-128 cbc for 3s on 1024 size blocks: 80734 aes-128 cbc's in 2.95s
    Doing aes-128 cbc for 3s on 8192 size blocks: 10079 aes-128 cbc's in 2.93s
    Doing aes-128 cbc for 3s on 16384 size blocks: 5030 aes-128 cbc's in 2.95s
    Doing 1024 bits private rsa's for 10s: 2324 1024 bits private RSA's in 9.74s
    Doing 1024 bits public rsa's for 10s: 53284 1024 bits public RSA's in 9.79s
    ......
    
    
    OpenSSL의 speed 관련내용 
      https://www.openssl.org/docs/man1.1.0/man1/openssl-speed.html


    2.2 OpenSSL의 지원되는 Cipher Suite

    OpenSSL에서 지원되는 Cipher Suite 들을 알아보고 각 TLS Version 따라 달라지는 것을 확인하도록 하자 

    • OpenSSL에서 지원되는 Cipher Suite 확인 
    현재 Linux PC의 OpenSSL에서의 Cihper Suite이며, 추후 ARM or PowerPC에서 비교해야할 것 같아 이를 명시 
    // TLS 1.3만 TLS 표시 (e.g TLS_AES_256_GCM_SHA384 ) , TLSv1.3 이하 (e.g ECDHE-ECDSA-AES256-GCM-SHA384 )
    // 확인해야 할 사항 
    // A. TLSvx or SSLvx  ( TLS 와 SSL version)
    // B. Kx= Key Exchange    (키 교환)
    // C. Au=Authentication   (인증서)
    // D. Enc=Block/stream ciphers     (e.g. 운영모드 GCM: Galois Counter Mode , CBC: Cipher Block Chaining )
    // E. Mac=Message authentication  (Message 인증)
    $ openssl ciphers -v  
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
    PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
    PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
    AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
    PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
    SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
    RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
    SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
    RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1 
    


    //  SSL_CTX_set_cipher_list(ctx, "ALL:eNULL");
    //" ALL:eNULL" :는 or 연산이며, 제외하고 싶다면, !MD5
    $ openssl ciphers -v 'ALL:eNULL'  
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
    DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
    ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
    DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
    DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
    ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
    DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
    DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
    ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
    ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
    ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
    ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
    DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
    AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
    DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
    AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
    RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
    AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
    PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
    PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
    RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
    AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
    PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
    PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
    SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
    SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
    RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
    ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
    RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
    PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
    ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
    SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
    SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
    RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
    ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
    RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
    ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
    RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
    RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
    DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
    DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
    RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
    DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
    PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
    PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
    PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1
    
    $ openssl ciphers -v "eNULL:!MD5"
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
    ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
    RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
    RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
    DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
    DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
    RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
    DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
    PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
    PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1
    

    //  SSL_CTX_set_cipher_list(ctx, "ALL:NULL:eNULL:aNULL");
    $  openssl ciphers -v "ALL:NULL:eNULL:aNULL"
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
    DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
    ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
    DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
    DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
    ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
    DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
    DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
    ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
    ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
    ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
    ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
    DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
    AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
    DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
    AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
    RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
    AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
    PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
    PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
    RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
    AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
    PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
    PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
    SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
    SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
    RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
    ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
    RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
    PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
    ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
    SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
    SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
    RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
    ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
    RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
    ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
    RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
    RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
    DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
    DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
    RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
    DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
    PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
    PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
    PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1
    


    $  openssl ciphers -v "ALL:NULL:eNULL:aNULL"  //  SSL_CTX_set_cipher_list(ctx, "ALL:NULL:eNULL:aNULL");
    TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
    DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
    ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
    DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
    DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
    ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
    DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
    DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
    ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
    ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
    ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
    ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
    DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
    AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
    DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
    AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
    RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
    AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
    AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
    ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
    PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
    PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
    PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
    PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
    RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
    AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
    AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
    ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
    PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
    PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
    PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
    PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
    SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
    SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
    RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
    ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
    RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
    DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
    PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
    ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
    SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
    SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
    RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
    ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
    RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
    ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
    ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
    RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
    RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
    DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
    DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
    RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
    DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
    PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
    PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
    PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1
    

    OpenSSL Cipher List 
      https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html