레이블이 Security-Basic인 게시물을 표시합니다. 모든 게시물 표시
레이블이 Security-Basic인 게시물을 표시합니다. 모든 게시물 표시

3/12/2020

암호화 개념 과 Cipher Suite

1.  암호화 개념 

기본 암호화 구조와 대칭키/비대칭키 개념 과  Cipher Suite 과 이를 이용한 TLS/DTLS의 기본에 대해 알아보도록 하자 

SSL/TLS의 기본자료 및 지원사항 확인 

암호화를 하는 방법에서 보면 기본구조는 다음과 같이 두 개의 기본구조로 구성이 되어지는 것 같다. 
  1. 대칭키 구조:  1개의 Key를 사용하여 Encryption/Decrytion 을 진행 
    • 동일한 Key를 가지고 Encryption하고 Decrytion을 진행하며, 주로 Blocker Cipher이용되어짐 
  2. 비대칭키 구조: 2개의 Key를 사용하여  Encryption/Decrytion 을 진행 
    • Public Key 와 Private Key로 Encryption과 Decrytion 할때 각각 다르게 사용


1.1 대칭키의 기본개념

  • 대칭키(Symmetric Key) 구조
말그대로, 대칭으로 단일 Key 구성으로 Encode 와 Decode를 함께 진행 할 수 있는 암호화 방식이다. 
조금 쉽게 생각하고자하면, 자료구조에서 배운 Hash 기반으로 암호화구성도 가능하다. 
그래서 구조가 간단하고 이해하기도 쉽다.

대칭키 

  • 대칭키의 대표적인 예 
  1. Stream cipher(RC4) 
  2. Block cipher (RC5, AES)

  • Stream Cipher
Block Cipher와 큰 차이점을 잘 모르겠으나, RC4는 Stream Cipher지만 RC5는 Block Cipher되는 것으로 보아 
알고리즘사용이 점차 Block Cipher쪽으로 변해가는 것 같으며, 생각해보면, 사용처가 비슷하다.

  • Block Cipher
현재 가장 많이 사용되는 것이 AES 으로 보이며 대칭키로 암호화 하는 방식인데, 현재 알고리즘에따라 조금씩 다르지만, 주로 128/198/256기반으로 사용되어진다. 
TLS 내부에서는 주로 보내는 Message를 Encode을 하는 역할인데, 이때 Block Chain 형식처럼 순환구조로 연결하여 주로 사용하는 구조이다. 

Block Cipher의 역사 및 관련내용들이 자세히 기술되어있음 

DES(Data Encryption Standard)
현재 거의 사용하지 않는 것으로 보이며, 주로 AES 사용 
AES(Advanced Encryption Standard)
가장 많이사용되며, 이 기반으로 파생된 ARIA 이외에도 다양하다.(ARIA는 국내용으로 사용)
현재 KCMVP는 ARIA를 적극적으로 밀고 있지만, 별로

DES 와 AES 차이 
DES 와 AES의 차이를 알아두도록 하고 파생 Block Cipher들은 다양하다.



  • MAC(Message Authentication Code)/Message Authentication
Message Authentication Code로 Message 인증이라고 생각하면 될 꺼같다 
Key 즉 Hash 함수에 특정 Key 값를 이용하여 Message 가 맞는지 검증하는 방식이다. 
Openssl에서 흔히 digest라고 하며,  MD5 or SHA로 사용되어지며 Message 검증여부로 사용되어진다. 
  1. SENDER: 보낼 Message가 존재하고, Key/Hash함수에 Key 값을 넣어 MAC을 얻는다 
  2. RECEIVER: 받은 Message가 맞는지 검증을 위해서 MAC을 이용하여 검증한다  


  


  • Block/Stream Cipher 와 운영모드(ECB/CBC/CFB/OFB) 
Block Cipher는 Data를 암호화하는 방법으로 Key 값 기반으로 암호화를 한다. 
TLS에서 실제 전송할 Data를 암호화(Encrpyt) 와 복호화(Decrypt)운영하는 방식이므로 다만 운영하는 방식이 다양하다.
ECB/GCM/CBC/CFB/OFB 에 대해서는 아래링크를 보도록 하자.

Block Cipher의 운영 세부내용은 아래 참조 
그림과 같이 자세히 설명이 되어있어 아래 사이트들을 반드시 참조

TLS에서 아래와 같이 사용하는 Block Cipher 와 사용하는 Bit 운영모드로 구분해서 명시한다.
  1. AES-128-ECB :  상위 사이트 참조 (구조가 너무 간단함)
  2. AES-128-GCM : 주로 이것을 권장하지만, 아직 완벽히 이해못함  (GMAC도 이해해야함)
  3. AES-128-CBC :  우선 기본개념을 위해 이것만 설명

AES-128-CBC 동작 예 
CBC(Cipher Block Chaining)을 보면, Block Chain 기술생각이 날 것이며, 이전 IV값을 모르면 안되니, 연속적으로 Data를 암호화하여 Chaning 가능하다    
  1. IV(initialzation Vector) : 암호화 하기전에, 넣는 Vector값으로 128bit 사용 
  2. Plaintext:  암호화 되기 전의 TEXT 128bit 기반으로 사용 
  3. Ciphertext:  IV XOR Plain Text Data를 AES로 암호화 된 TEXT 


Encryption 기본개념 순서  
  1. Message 와 IV(initialzation Vector)    XOR연산 
  2. Cipher Table 통해 Encrypt 진행 
  3. 최종 Ciphered Message 

Decryption 기본개념 순서  
  1. Ciphered Message 에, Decipher Table 통해 Decript 진행
  2. 나온 Decrypted Message 와 IV(initialzation Vector)    XOR연산 
  3. 최종 Message 확인 

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


Encryption 순서 
  1. IV(initialzation Vector) 와 PlainText  128 Bit 단위로  XOR연산 진행
  2. 상위 결과 값 기반으로 AES 암호화가 진행 (Key 값은 128bit)
  3. AES-128 기반으로 Cipher Text 생성 
  4. AES-128 기반으로 new IV(initialzation Vector) 생성 
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


Decryption 순서 
  1. AES-128기반 Cipher Text를 받음  
  2.  Key를 이용하여 Decrpyt 진행 (Key 값은 128bit) 와 new IV(initialzation Vector) 생성 
  3. 상위 Decrpyt 된 Text 와 IV(initialzation Vector) 128 Bit 단위로  XOR연산 진행
  4. Plain Text 생성 

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation



MAC이 AEAD(Authenticated Encryption with Associated Data) 일 경우
openssl ciphers -v 에서 MAC이 AEAD의 경우 
상위 Block/Stream Cipher를 Data 암호화가 용도가 아닌 MAC 용도로 사용한다고 한다.  



1.2 비대칭키(Public Key) 의 기본개념

비대칭암호화(asymmetric cryptography)로라고 하며,  한번에 두 개의 Key를 각각 생성하여 Encryption 과 Decryption을  별도의 Key로 사용을 한다.

양방향으로 통신을 할 경우 서로 Public Key를 교환을 한 후 상대방이 나의 Public Key로 Encoding 하면, 
나의 경우 Encoding 된 Data를  Private Key로 Decode를 하면 이를 볼 수 있는 구조이다.

  • 비대칭키(Asymmetric Key)의 기본구조 
  1. Encryption 은 Public Key
  2. Decryption 은 Private Key

  • 양쪽 각자의 2개의 Key를 생성 
  1. Alice는 본인의 Public Key 와 Private Key를 생성
  2. Bob는 본인의 Public Key 와 Private Key를 생성

  • Bob 과 Alice가 암호화 비대칭키로 통신
  1. Bob 은 Alice 의 Public Key로 Encrypt를 하여 보내면, Alice는 Alice의 Private Key로 이를 Decrypt하여 Decoding 진행한다. 
  2. Alice와 Bob은 서로의 Public Key를 교환하고 각자 본인의 Private Key로 이를 Decoding 하여 통신하면 암호화되어 통신된다



관련내용출처
  https://en.wikipedia.org/wiki/Public-key_cryptography


  • 비대칭(Public Key) 기반의 예 (키 교환방법)
Diffie–Hellman key exchange 에서도 아래와 같이 이용이 된다고 하는데,  Combine Keys를 만들어 키 교환 알고리즘을 사용한다고 하는데, 
이부분은 좀 더 이해가 필요할 것 같다. 




  • 비대칭(Public Key) 기반의 예 (인증서 Sign/Verify)
Digital Signature에서보면, Alice의 Private Key 와 Public Key를 이용하여 Sign과 Verify를 진행을 한다. 


RootCA 와 Certificate 의 기본구조 
https://en.wikipedia.org/wiki/Root_certificate


Digital Signature 의 구조 
  https://en.wikipedia.org/wiki/Digital_signature


Public Key 기반으로 다양하게 사용이 되어지는데 아래와 같이 많은 예제들이 존재 

Public Key Certificate 의 구조
  https://en.wikipedia.org/wiki/Public_key_certificate
  https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate


1.2.1 Public-Key Cryptography Standards

Public Key는 상위에서 언급했듯이 비대칭키이며, 이 관련 표준은 아래와 같다.
이를 보통이해하기 위해서는 ITU-T 와 IETF 문서를 대충 이해할 수 있는 수준은 되어야한다.
더불어, OpenSSL을 기본적으로 어느정도 사용을 할 줄 알아야 한다.

PKCS(Public-Key Cryptography Standards)
PKCS#1~15까지 존재하며, 각각의 숫자마다 해당하는 표준이 존재하며, 이부분 역시 OpenSSL 혹은 MbedTLS에 존재한다. 

PKCS 알고있는 것들을 간략하게 소개하며 정리한다.
우선 Public Keys는 비대칭 키이므로, Private Key가 존재하며, 이 관련내용을 숙지해야한다.
그리고, 관련 표준내용확인, 그리고, Public Key 보관방법 과 통신을 할 경우의 문법필요 


RSA 관련된 내용이지만, 현재 RSA는 거의 잘 사용되지 않는 방향으로 가는 것 같다.
참고만 하고, ITU-T에서 ASN.1의 문법은 필수이다.

TLS/DTLS에서 사용하는 Key 교환 알고리즘이며, 이는 TLS를 보면된다. 

X.509v1 (Cefificate)에서 확장(Extended)되어 v3으로 사용하기 위해서 사용되어지는 것이다.
역시, 이를 이해하기 위해서는 ASN.1는 필수 이며, OpenSSL을 이용하여 분석가능하다. 

예를들면, TLS의 경우, 처음 Key 교환 후, 대칭키 AES 기반으로 Message를 주고 받는데,
AES-128-ECB/기타 사용할 경우 ZERO Padding or PKCS7 Padding 방식으로 주로 Message 기반으로 통신에서 사용되어진다.
이 부분은 추후 AES를 사용해보면 좀 자세히 알게 될 것 같다. 

PKCS#8: Public-Key Cryptography Standards/Private-Key Information Syntax Standard
Public-Key는 비대칭키 이므로, Private Key를 저장하는 표준으로 보통 Private Key는 PEM base64로 encoded 되어진다. 

CSR이라고 하며, Cerficate를 요청하는 표준이라고 생각하면 되겠다. 

PKCS#11: Cryptographic Token Interface 
주로 Certificate , 즉 인증서를 보관하는 Interface이며,  Device에서 많이 사용되어진다. 
Device는 이 PKCS11 Interface API를 통해 접근하도록하고, 철저히 암호화 한다.
즉 Device 입장에서, 외부에 별도로 보관하는 방법으로 Interface 제공한다.
이는 보안을 철저이 하고자 함이며, 이 보안을 걸쳐 TLS를 비롯하여, Secure Boot 이용한다.

PKC#13Elliptic-curve cryptography Standard
보통 ECC(Elliptic Curve Cryptography)라고 하며, RSA보다 이를 선호하는데, 
이유는 암호화 속도와 저장공간이 줄어들어서라고 한다. 
이 부분은 추후에 ECDSA를 자세히 분석하도록 하겠다. 


2. SSL/TLS의 Cipher Suite

TLS(Transport Layer Security)는 SSL(Secure Socket Layer) Protocol기반으로 TCP를 이용하여 암호화 하는 방식이며, UDP를 사용할 경우 DTLS라고 한다.
기본적으로 신뢰할 수 없는 양쪽 통신에서 키 교환부터 인증 및 주고 받는 메시지 암호화까지 전부를 관리하는 통신기술이다. 
그 중 Cipher Suite은 TLS에서 사용하는 암호화 구성을 나타내어주는 Set,즉 각 구성들을 리스트로 보여준다. 
각 Device들은 이 정보를 기반으로 지원하는 Cipher Suite로 암호화 통신이 가능한지 쉽게 파악이 가능하다. 

  • SSL/TLS Cipher Suite 분석방법  
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS: TLS Protocol 사용 (TCP) 
  1. ECDHE:  Key 교환 알고리즘 
  2. RSA: Authentication으로 (handshake 중 양쪽 인증서 인증) 
  3. AES_128_GCM: AES 기반으로 128 bit Key 기반으로 GCM방식으로 운영 Block Cipher
  4. SHA256: message authentication으로 MAC(Message Authentication Code) 

TLS 통신을 진행하게 되면, 통신하는 양쪽 서로 이 키 교환 후, 각 암호환 된 Message 주고 받고 이를 검증하는 시스템이다.  
물론 TLS의 각 설정에 따라 다르겠지만, 그정도로 보안성이 높다고 할 수 있다. 
그러므로, 여러 Protocol 접목되어 사용되어지고 있다. 

Algorithms supported in TLS 1.0–1.2 cipher suites
Key exchange/agreementAuthenticationBlock/stream ciphersMessage authentication
RSARSARC4Hash-based MD5
Diffie–HellmanDSATriple DESSHA hash function
ECDHECDSAAES
SRPIDEA
PSKDES
Camellia
ChaCha20

TLS은 아래의 순서대로 진행되기 때문에 항상 순서대로 이해하도록 하자 
  1. Key exchange/agreement: 대칭키 or 비대칭키 방식으로 TLS에서 각자의 Key를 교환알고리즘
  2. Authentication: 인증으로 Server/Client의 인증을 말한다. 
  3. Bulk encryption/Block/Stream/Ciphers: 대칭키알고리즘으로 실제 전송 DATA를 encryption
  4. MAC/Message Authentication: 전송 Data의 검증 및 인증 




https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel


  
Window의 Cipher Suite 확인 

다양한 Cipher Suite 확인 
  https://www.jscape.com/blog/cipher-suites

한글로 설명이 잘되어있어 쉽게이해 
  https://rsec.kr/?p=455
  https://run-it.tistory.com/30


2.1 OpenSSL의 Block/Stream/MAC 테스트 

주의해야 할 것은 각 Device 마다 지원되는사항이 다를 수 있으므로, 반드시 확인하도록 하자 

  • digest-command 와 cipher command  테스트 
OpenSSL digest(MAC)cipher(Block/Stream Cipher) 관련 Command 확인 
$ openssl list -help
Usage: list [options]
Valid options are:
 -help                   Display this summary
 -1                      List in one column
 -commands               List of standard commands
 -digest-commands        List of message digest commands
 -digest-algorithms      List of message digest algorithms
 -cipher-commands        List of cipher commands
 -cipher-algorithms      List of cipher algorithms
 -public-key-algorithms  List of public key algorithms
 -public-key-methods     List of public key methods
 -disabled               List of disabled features
 -missing-help           List missing detailed help strings
 -options val            List options for specified command

$ openssl list -digest-commands   // 상위에서 설명한 MAC에 해당하는 알고리즘 
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

$ openssl list -cipher-commands   // 상위에서 설명한 Block/Stream Cipher와  이 기반의 운영방식
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

$ openssl speed -help
Usage: speed [options] ciphers...
Valid options are:
 -help               Display this summary
 -evp val          Use EVP-named cipher or digest
 -decrypt            Time decryption instead of encryption (only EVP)
 -aead               Benchmark EVP-named AEAD cipher in TLS-like sequence
 -mb                 Enable (tls1>=1) multi-block mode on EVP-named cipher
 -mr                 Produce machine readable output
 -multi +int         Run benchmarks in parallel
 -async_jobs +int    Enable async mode and start specified number of jobs
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -engine val         Use engine, possibly a hardware device
 -elapsed            Use wall-clock time instead of CPU user time as divisor
 -primes +int        Specify number of primes (for RSA only)
 -seconds +int       Run benchmarks for specified amount of seconds
 -bytes +int         Run [non-PKI] benchmarks on custom-sized buffer
 -misalign +int      Use specified offset to mis-align buffers

OpenSSL 관련설명 및 함수
  https://www.openssl.org/docs/man1.0.2/man3/evp.html
  https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptInit.html

  • OpenSSL의 AES-128-CBC의 PC 처리속도 
Laptop Ubuntun 3초 동안 Block Cipher 의 성능을 측정해보면, 매번 조금씩 다르지만, 평균값으로 계산 
// 일반 Ubuntu PC 기반 테스트 - 확인사항  
$ openssl speed -evp aes-128-cbc   // 3초동안 처리가능한 각 size 별 blocks 수 확인 
Doing aes-128-cbc for 3s on 16 size blocks: 99970413 aes-128-cbc's in 3.00s   // 최종결과로 16 x 99970413 / 3s = 533,175,536 (533175.54k), 즉 bytes per second 변경 
Doing aes-128-cbc for 3s on 64 size blocks: 29734079 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 7579414 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1902764 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 238073 aes-128-cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.    // 1s동안 각 처리한 bytes 비교  
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     533175.54k   634327.02k   646776.66k   649476.78k   650098.01k

$ openssl speed -evp aes-128-cbc  // 3초동안 처리가능한 각 size 별 blocks 수 확인 (상위와 비슷함) 
Doing aes-128-cbc for 3s on 16 size blocks: 99909269 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 29840898 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 7580732 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1902763 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 238123 aes-128-cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     532849.43k   636605.82k   646889.13k   649476.44k   650234.54k

$ openssl speed aes-128-cbc  // -evp 옵션제거하면, 왜 많이 차이 나는지는 정확히 모르겠음  
Doing aes-128 cbc for 3s on 16 size blocks: 18950418 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 5106208 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1298409 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 326887 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 40944 aes-128 cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.       // 1s동안 각 처리한 bytes 비교, 상위와 차이가 많이남  
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     101068.90k   108932.44k   110797.57k   111577.43k   111804.42k

$ openssl speed aes-128-cbc  // -evp 옵션제거하면, 오차도 심함  
Doing aes-128 cbc for 3s on 16 size blocks: 16931056 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 5108214 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1298789 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 326969 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 40938 aes-128 cbc's in 3.00s
OpenSSL 1.0.2g  1 Mar 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.     // 1s동안 각 처리한 bytes 비교, 동일한 command인데 오차가 심함  
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      90298.97k   108975.23k   110829.99k   111605.42k   111788.03k

  • OpenSSL의 AES-128-CBC의 ARM 처리속도 
ARM기반의 AP에서 이를 측정하며, 상위 Laptop 기반과 비교해보면, 3초 측정이 잘 안지켜짐
// ARM기반의 AP에서 OpenSSL에서 테스트 - 확인사항  
$ openssl speed -evp aes-128-cbc    // 3초동안 처리가능한 각 size 별 blocks 수 확인(3초가 안지켜지는데, 다른 곳에서 OpenSSL를 사용 or CPU 사용문제) 
Doing aes-128-cbc for 3s on 16 size blocks: 3853682 aes-128-cbc's in 2.85s  // 최종결과로 16 x 3853682 / 2.85s = 21,634,705.96491228 (21634.71k)
Doing aes-128-cbc for 3s on 64 size blocks: 1144605 aes-128-cbc's in 2.85s
Doing aes-128-cbc for 3s on 256 size blocks: 301595 aes-128-cbc's in 2.85s
Doing aes-128-cbc for 3s on 1024 size blocks: 76442 aes-128-cbc's in 2.85s
Doing aes-128-cbc for 3s on 8192 size blocks: 9572 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 16384 size blocks: 4753 aes-128-cbc's in 2.82s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Oct 27 08:41:13 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      21634.71k    25703.41k    27090.64k    27465.48k    27610.50k    27614.59k

$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 3848965 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 64 size blocks: 1142228 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 256 size blocks: 301598 aes-128-cbc's in 2.85s
Doing aes-128-cbc for 3s on 1024 size blocks: 76500 aes-128-cbc's in 2.85s
Doing aes-128-cbc for 3s on 8192 size blocks: 9573 aes-128-cbc's in 2.84s
Doing aes-128-cbc for 3s on 16384 size blocks: 4753 aes-128-cbc's in 2.83s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Oct 27 08:41:13 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      21684.31k    25740.35k    27090.91k    27486.32k    27613.39k    27517.01k


$ openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 4524953 aes-128 cbc's in 2.85s
Doing aes-128 cbc for 3s on 64 size blocks: 1192731 aes-128 cbc's in 2.82s
Doing aes-128 cbc for 3s on 256 size blocks: 306092 aes-128 cbc's in 2.85s
Doing aes-128 cbc for 3s on 1024 size blocks: 77040 aes-128 cbc's in 2.84s
Doing aes-128 cbc for 3s on 8192 size blocks: 9592 aes-128 cbc's in 2.85s
Doing aes-128 cbc for 3s on 16384 size blocks: 4766 aes-128 cbc's in 2.81s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Oct 27 08:41:13 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      25403.24k    27069.07k    27494.58k    27777.80k    27571.11k    27788.66k

$ openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 4531171 aes-128 cbc's in 2.84s
Doing aes-128 cbc for 3s on 64 size blocks: 1191326 aes-128 cbc's in 2.81s
Doing aes-128 cbc for 3s on 256 size blocks: 305709 aes-128 cbc's in 2.83s
Doing aes-128 cbc for 3s on 1024 size blocks: 77085 aes-128 cbc's in 2.86s
Doing aes-128 cbc for 3s on 8192 size blocks: 9604 aes-128 cbc's in 2.85s
Doing aes-128 cbc for 3s on 16384 size blocks: 4746 aes-128 cbc's in 2.80s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Oct 27 08:41:13 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      25527.72k    27133.40k    27654.24k    27599.66k    27605.60k    27770.88k

$ openssl speed aes-128-cbc  //동작중인 service 중지 후 실행하면, 3초가 거의지켜짐
Doing aes-128 cbc for 3s on 16 size blocks: 4811433 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 64 size blocks: 1276776 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 256 size blocks: 326993 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 1024 size blocks: 82190 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 10266 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 16384 size blocks: 5148 aes-128 cbc's in 2.99s
OpenSSL 1.1.1b  26 Feb 2019
built on: Tue Oct 27 08:41:13 2020 UTC
options:bn(64,32) rc4(char) des(long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-poky-linux-gnueabi-gcc  -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a9 --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128 cbc      25746.80k    27328.98k    27996.73k    28054.19k    28126.78k    28208.97k

  • OpenSSL에서 두개의 처리 속도 
OpenSSL에서 두 개 넣어 각각 처리속도 비교 (3초 와 10초)
// 동시에 두개 테스트 진행하며, 뒤의 RSA의 경우는 별도의 옵션 존재 -primes , -seconds
$ openssl speed aes-128-cbc rsa  
Doing aes-128 cbc for 3s on 16 size blocks: 4738092 aes-128 cbc's in 2.94s
Doing aes-128 cbc for 3s on 64 size blocks: 1252558 aes-128 cbc's in 2.95s
Doing aes-128 cbc for 3s on 256 size blocks: 321331 aes-128 cbc's in 2.95s
Doing aes-128 cbc for 3s on 1024 size blocks: 80812 aes-128 cbc's in 2.96s
Doing aes-128 cbc for 3s on 8192 size blocks: 10086 aes-128 cbc's in 2.94s
Doing aes-128 cbc for 3s on 16384 size blocks: 5040 aes-128 cbc's in 2.95s
Doing 512 bits private rsa's for 10s: 11617 512 bits private RSA's in 9.75s
Doing 512 bits public rsa's for 10s: 150175 512 bits public RSA's in 9.84s
Doing 1024 bits private rsa's for 10s: 2323 1024 bits private RSA's in 9.75s
Doing 1024 bits public rsa's for 10s: 53326 1024 bits public RSA's in 9.83s
Doing 2048 bits private rsa's for 10s: 394 2048 bits private RSA's in 9.80s
Doing 2048 bits public rsa's for 10s: 15840 2048 bits public RSA's in 9.82s
Doing 3072 bits private rsa's for 10s: 137 3072 bits private RSA's in 9.87s
Doing 3072 bits public rsa's for 10s: 7440 3072 bits public RSA's in 9.80s
Doing 4096 bits private rsa's for 10s: 63 4096 bits private RSA's in 9.85s
Doing 4096 bits public rsa's for 10s: 4308 4096 bits public RSA's in 9.80s
Doing 7680 bits private rsa's for 10s: 11 7680 bits private RSA's in 10.04s
Doing 7680 bits public rsa's for 10s: 1272 7680 bits public RSA's in 9.77s
Doing 15360 bits private rsa's for 10s: 2 15360 bits private RSA's in 13.57s
Doing 15360 bits public rsa's for 10s: 325 15360 bits public RSA's in 9.77s
......

$ openssl speed aes-128-cbc rsa1024 // AES-128-CBC 와 RSA1024 속도 비교 
Doing aes-128 cbc for 3s on 16 size blocks: 4741717 aes-128 cbc's in 2.94s
Doing aes-128 cbc for 3s on 64 size blocks: 1251100 aes-128 cbc's in 2.94s
Doing aes-128 cbc for 3s on 256 size blocks: 321063 aes-128 cbc's in 2.95s
Doing aes-128 cbc for 3s on 1024 size blocks: 80734 aes-128 cbc's in 2.95s
Doing aes-128 cbc for 3s on 8192 size blocks: 10079 aes-128 cbc's in 2.93s
Doing aes-128 cbc for 3s on 16384 size blocks: 5030 aes-128 cbc's in 2.95s
Doing 1024 bits private rsa's for 10s: 2324 1024 bits private RSA's in 9.74s
Doing 1024 bits public rsa's for 10s: 53284 1024 bits public RSA's in 9.79s
......
OpenSSL의 speed 관련내용 
  https://www.openssl.org/docs/man1.1.0/man1/openssl-speed.html


2.2 OpenSSL의 지원되는 Cipher Suite

OpenSSL에서 지원되는 Cipher Suite 들을 알아보고 각 TLS Version 따라 달라지는 것을 확인하도록 하자 

  • OpenSSL에서 지원되는 Cipher Suite 확인 
현재 Linux PC의 OpenSSL에서의 Cihper Suite이며, 추후 ARM or PowerPC에서 비교해야할 것 같아 이를 명시 
// TLS 1.3만 TLS 표시 (e.g TLS_AES_256_GCM_SHA384 ) , TLSv1.3 이하 (e.g ECDHE-ECDSA-AES256-GCM-SHA384 )
// 확인해야 할 사항 
// A. TLSvx or SSLvx  ( TLS 와 SSL version)
// B. Kx= Key Exchange    (키 교환)
// C. Au=Authentication   (인증서)
// D. Enc=Block/stream ciphers     (e.g. 운영모드 GCM: Galois Counter Mode , CBC: Cipher Block Chaining )
// E. Mac=Message authentication  (Message 인증)
$ openssl ciphers -v  
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1 



//  SSL_CTX_set_cipher_list(ctx, "ALL:eNULL");
//" ALL:eNULL" :는 or 연산이며, 제외하고 싶다면, !MD5
$ openssl ciphers -v 'ALL:eNULL'  
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1

$ openssl ciphers -v "eNULL:!MD5"
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1


//  SSL_CTX_set_cipher_list(ctx, "ALL:NULL:eNULL:aNULL");
$  openssl ciphers -v "ALL:NULL:eNULL:aNULL"
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1



$  openssl ciphers -v "ALL:NULL:eNULL:aNULL"  //  SSL_CTX_set_cipher_list(ctx, "ALL:NULL:eNULL:aNULL");
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-AES256-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES256-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(256) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
ARIA256-GCM-SHA384      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
PSK-AES256-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(256) Mac=AEAD
PSK-AES256-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-CCM8     TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES128-CCM      TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESCCM(128) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
ARIA128-GCM-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-CCM8         TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM8(128) Mac=AEAD
PSK-AES128-CCM          TLSv1.2 Kx=PSK      Au=PSK  Enc=AESCCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256  TLSv1.2 Kx=PSK      Au=PSK  Enc=ARIAGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(256) Mac=SHA384
RSA-PSK-CAMELLIA256-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(256) Mac=SHA384
DHE-PSK-CAMELLIA256-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(256) Mac=SHA384
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
PSK-CAMELLIA256-SHA384  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(256) Mac=SHA384
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=Camellia(128) Mac=SHA256
RSA-PSK-CAMELLIA128-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-PSK-CAMELLIA128-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=Camellia(128) Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
PSK-CAMELLIA128-SHA256  TLSv1 Kx=PSK      Au=PSK  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA384   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA384
ECDHE-PSK-NULL-SHA256   TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA256
ECDHE-PSK-NULL-SHA      TLSv1 Kx=ECDHEPSK Au=PSK  Enc=None      Mac=SHA1
RSA-PSK-NULL-SHA384     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA384
RSA-PSK-NULL-SHA256     TLSv1 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA256
DHE-PSK-NULL-SHA384     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA384
DHE-PSK-NULL-SHA256     TLSv1 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA256
RSA-PSK-NULL-SHA        SSLv3 Kx=RSAPSK   Au=RSA  Enc=None      Mac=SHA1
DHE-PSK-NULL-SHA        SSLv3 Kx=DHEPSK   Au=PSK  Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
PSK-NULL-SHA384         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA384
PSK-NULL-SHA256         TLSv1 Kx=PSK      Au=PSK  Enc=None      Mac=SHA256
PSK-NULL-SHA            SSLv3 Kx=PSK      Au=PSK  Enc=None      Mac=SHA1

OpenSSL Cipher List 
  https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

댓글 없음 :
Tags: , , ,

3/10/2020

SSL/TLS 기본개념 와 OpenSSL 분석방법

1. SSL 과 TLS 기본개념

일반적으로 암호화 관련 Protocol 하면, SSL(Secure Sockets Layer)/ TLS(Transport Layer Security) or 
DTLS(Datagram Transport Layer Security)를 사용하며 각 사용용도와 기본개념만을 이해하도록 하자. 

  • 약어 및 TCP/UDP 
  1. SSL(Socket Security Layer)     TCP기반
  2. TLS(Transport Layer Security)  TCP 기반 
  3. DTLS(Datagram Transport Layer Security) UDP기반 
SSL(Secure Sockets Layer)

SSL(Secure Sockets Layer)/ TLS(Transport Layer Security)

SSL(Secure Sockets Layer)/ TLS(Transport Layer Security)는 TCP를 이용하는 보안 채널로 HTTP or FTP or 
다른 Network Protocol들을 암호화하여 통신을 해주도록 한다. 
  
SSL의 경우는 SSH에 많이 사용되었으며, 여기서 더 발전된 것이  TLS인데 보통 HTTPS에서 사용을 비롯, 다양한 곳에서 
사용되어지는 암호화되는 Protocol 이다. 
SSL의 경우는 거의 사라지는 추세이며, 주요하게 볼것은 TLS or DTLS이며 관련해서 다룬다. 

DTLS의 경우, 나의 경우는  CMVP(Cryptographic Module Validation Program) or KCMVP 장비에서 주로 사용되어지는 것만 보았다.  
DTLS의 경우는 TLS를 UDP로 사용한다고 보면 될것 같다. 

OpenSSL 관련링크

OpenSSL의 Version History를 확인


1.1 SSL/TLS 지원 Library 

Linux에서는 OpenSSL를 많이 사용하지만, Embedded에서는 Size문제로 OpenSSL이외의  Library가 아래와 같이 변경되어 사용되어 질 수 있다. 

ARM 은 주로 (MbedTLS) 사용하며 , 그 다음 유명한게 wolfSSL 인 것 같다. 
iOS는 잘모르니 넘어간다. 

  • TLS version 지원확인 
보통 OpenSSL 사용하며 다른 TLS Library와 비교하며 표에서 확인하면 될 것 같다. 
최근 ARM에서 제공하는 mbed OS에서도 TLS를 지원하므로 관련사항 아래 링크확인.
Library support for TLS/SSL
ImplementationSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3
BotanNoNo[199]YesYesYes
cryptlibNoDisabled by default at compile timeYesYesYes
GnuTLSNo[a]Disabled by default[200]YesYesYesYes[201]
Java Secure Socket ExtensionNo[a]Disabled by default[202]YesYesYesYes
LibreSSLNo[203]No[204]YesYesYesAs of version 3.2.2 [205][206]
MatrixSSLNoDisabled by default at compile time[207]YesYesYesyes
(draft version)
mbed TLS (previously PolarSSL)NoDisabled by default[208]YesYesYes
Network Security ServicesNo[b]Disabled by default[209]YesYes[210]Yes[211]Yes[212]
OpenSSLNo[213]Enabled by defaultYesYes[214]Yes[214]Yes[215]
RSA BSAFE Micro Edition SuiteNoDisabled by defaultYesYesYesNot yet
RSA BSAFE SSL-JNoDisabled by defaultYesYesYesNot yet
SChannel XP / 2003[216]Disabled by default by MSIE 7Enabled by defaultEnabled by default by MSIE 7NoNoNo
SChannel Vista[217]Disabled by defaultEnabled by defaultYesNoNoNo
SChannel 2008[217]Disabled by defaultEnabled by defaultYesDisabled by default (KB4019276)[149]Disabled by default (KB4019276)[149]No
SChannel 7 / 2008 R2[218]Disabled by defaultDisabled by default in MSIE 11YesEnabled by default by MSIE 11Enabled by default by MSIE 11No
SChannel 8 / 2012[218]Disabled by defaultEnabled by defaultYesDisabled by defaultDisabled by defaultNo
SChannel 8.1 / 2012 R2, 10 v1507 & v1511[218]Disabled by defaultDisabled by default in MSIE 11YesYesYesNo
SChannel 10 v1607 / 2016[159]NoDisabled by defaultYesYesYesNo
Secure Transport OS X 10.2–10.8 / iOS 1–4YesYesYesNoNo
Secure Transport OS X 10.9–10.10 / iOS 5–8No[c]YesYesYes[c]Yes[c]
Secure Transport OS X 10.11 / iOS 9NoNo[c]YesYesYes
Seed7 TLS/SSL LibraryNoYesYesYesYes
wolfSSL (previously CyaSSL)NoDisabled by default[219]YesYesYesyes
(draft version)[220]
ImplementationSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3

출처



1.2 HTTPS 관련 Browser 관련정보 

HTTPS는 HTTP에 TLS 통신이 추가되어진 Protocol이라고 생각하면 되겠다. 

각 인터넷 Browser들의 암호화 Protocol 지원사항이며, 각각의 사항을 비교해서 알자.
위키에서 가져온 정보이기 때문에, 최신은 아래 위키에서 확인 

아래의 그림 좌측 부터 보안이 강화 될 수록 SSL -> TLS 로 점차 변경되어지는 것을 알수 있다. 
더불어 SSL/TLS의 버전도 같이 보도록 하자. 


HTTPS 의 기반의 인증서(Certifcate) CSR/CRT
  https://namjackson.tistory.com/24
  https://soul0.tistory.com/510

TLS/SSL support history of web browsers
BrowserVersionPlatformsSSL protocolsTLS protocolsCertificate supportVulnerabilities fixed[n 1]Protocol selection by user
[n 2]
SSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV
[n 3][70]		SHA-2
[71]		ECDSA
[72]		BEAST[n 4]CRIME[n 5]POODLE (SSLv3)[n 6]RC4[n 7]FREAK[73][74]Logjam
Google Chrome
(Chrome for Android)
[n 8]
[n 9]		1–9Windows (7+)
macOS (10.10+)
Linux
Android (4.4+)
iOS (10.0+)
Chrome OS		Disabled by defaultEnabled by defaultYesNoNoNoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affected
[79]		Vulnerable
(HTTPS)		VulnerableVulnerableVulnerable
(except Windows)		VulnerableYes[n 10]
10–20No[80]Enabled by defaultYesNoNoNoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedVulnerable
(HTTPS/SPDY)		VulnerableVulnerableVulnerable
(except Windows)		VulnerableYes[n 10]
21NoEnabled by defaultYesNoNoNoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigated
[81]		VulnerableVulnerableVulnerable
(except Windows)		VulnerableYes[n 10]
22–29NoEnabled by defaultYesYes[82]No[82][83][84][85]NoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedVulnerableVulnerableVulnerable
(except Windows)		VulnerableTemporary
[n 11]
30–32NoEnabled by defaultYesYesYes​[83][84][85]NoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedVulnerableVulnerableVulnerable
(except Windows)		VulnerableTemporary
[n 11]
33–37NoEnabled by defaultYesYesYesNoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedPartly mitigated
[n 12]		Lowest priority
[88][89][90]		Vulnerable
(except Windows)		VulnerableTemporary
[n 11]
38, 39NoEnabled by defaultYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedPartly mitigatedLowest priorityVulnerable
(except Windows)		VulnerableTemporary
[n 11]
40NoDisabled by default​[87][91]YesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigated
[n 13]		Lowest priorityVulnerable
(except Windows)		VulnerableYes[n 14]
41, 42NoDisabled by defaultYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigatedLowest priorityMitigatedVulnerableYes[n 14]
43NoDisabled by defaultYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigatedOnly as fallback
[n 15][92]		MitigatedVulnerableYes[n 14]
44–47NoNo[93]YesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedNot affectedOnly as fallback
[n 15]		MitigatedMitigated​[94]Temporary
[n 11]
48, 49NoNoYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
50–53NoNoYesYesYesNoYes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
54–66NoNoYesYesYesDisabled by default
(draft version)		Yes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
67–69NoNoYesYesYesYes
(draft version)		Yes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
70–83NoNoYesYesYesYesYes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
84–8586NoNoWarn by defaultWarn by defaultYesYesYes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Microsoft Edge
(Chromium based)
OS independent		79–83Windows (7+)
macOS (10.12+)
Linux 
Android (4.4+)
iOS (11.0+)		NoNoYesYesYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by defaultMitigatedMitigatedYes[n 10]
84–8586NoNoWarn by defaultWarn by defaultYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by defaultMitigatedMitigatedYes[n 10]
88[97]NoNoNoNoYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by defaultMitigatedMitigatedYes[n 10]
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Mozilla Firefox
(Firefox for mobile)
[n 17]		1.0, 1.5Windows (7+)
macOS (10.12+)
Linux
Android (4.1+)
iOS (10.3+)
Firefox OS
Maemo

ESR only for:
Windows (7+)
macOS (10.9+)
Linux		Enabled by default
[98]		Enabled by default
[98]		Yes[98]NoNoNoNoYes[71]NoNot affected
[99]		Not affectedVulnerableVulnerableNot affectedVulnerableYes[n 10]
2Disabled by default
[98][100]		Enabled by defaultYesNoNoNoNoYesYes[72]Not affectedNot affectedVulnerableVulnerableNot affectedVulnerableYes[n 10]
3–7Disabled by defaultEnabled by defaultYesNoNoNoYesYesYesNot affectedNot affectedVulnerableVulnerableNot affectedVulnerableYes[n 10]
8–10
ESR 10		No[100]Enabled by defaultYesNoNoNoYesYesYesNot affectedNot affectedVulnerableVulnerableNot affectedVulnerableYes[n 10]
11–14NoEnabled by defaultYesNoNoNoYesYesYesNot affectedVulnerable
(SPDY)[81]		VulnerableVulnerableNot affectedVulnerableYes[n 10]
15–22
ESR 17.0–17.0.10		NoEnabled by defaultYesNoNoNoYesYesYesNot affectedMitigatedVulnerableVulnerableNot affectedVulnerableYes[n 10]
ESR 17.0.11NoEnabled by defaultYesNoNoNoYesYesYesNot affectedMitigatedVulnerableLowest priority
[101][102]		Not affectedVulnerableYes[n 10]
23NoEnabled by defaultYesDisabled by default
[103]		NoNoYesYesYesNot affectedMitigatedVulnerableVulnerableNot affectedVulnerableYes[n 18]
24, 25.0.0
ESR 24.0–24.1.0		NoEnabled by defaultYesDisabled by defaultDisabled by default
[104]		NoYesYesYesNot affectedMitigatedVulnerableVulnerableNot affectedVulnerableYes[n 18]
25.0.1, 26
ESR 24.1.1		NoEnabled by defaultYesDisabled by defaultDisabled by defaultNoYesYesYesNot affectedMitigatedVulnerableLowest priority
[101][102]		Not affectedVulnerableYes[n 18]
27–33
ESR 31.0–31.2		NoEnabled by defaultYesYes​[105][106]Yes​[107][106]NoYesYesYesNot affectedMitigatedVulnerableLowest priorityNot affectedVulnerableYes[n 18]
34, 35
ESR 31.3–31.7		NoDisabled by default
[108][109]		YesYesYesNoYesYesYesNot affectedMitigatedMitigated
[n 19]		Lowest priorityNot affectedVulnerableYes[n 18]
ESR 31.8NoDisabled by defaultYesYesYesNoYesYesYesNot affectedMitigatedMitigatedLowest priorityNot affectedMitigated​[112]Yes[n 18]
36–38
ESR 38.0		NoDisabled by defaultYesYesYesNoYesYesYesNot affectedMitigatedMitigatedOnly as fallback
[n 15][113]		Not affectedVulnerableYes[n 18]
ESR 38.1–38.8NoDisabled by defaultYesYesYesNoYesYesYesNot affectedMitigatedMitigatedOnly as fallback
[n 15]		Not affectedMitigated​[112]Yes[n 18]
39–43NoNo[114]YesYesYesNoYesYesYesNot affectedMitigatedNot affectedOnly as fallback
[n 15]		Not affectedMitigated​[112]Yes[n 18]
44–48
ESR 45		NoNoYesYesYesNoYesYesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][115][116][117][118]Not affectedMitigatedYes[n 18]
49–59
ESR 52		NoNoYesYesYesDisabled by default
(draft version)[119]		YesYesYesNot affectedMitigatedNot affectedDisabled by default​[n 16]Not affectedMitigatedYes[n 18]
60–62
ESR 60		NoNoYesYesYesYes
(draft version)		YesYesYesNot affectedMitigatedNot affectedDisabled by default​[n 16]Not affectedMitigatedYes[n 18]
63–77
ESR 68		NoNoYesYesYesYesYesYesYesNot affectedMitigatedNot affectedDisabled by default​[n 16]Not affectedMitigatedYes[n 18]
78–81
ESR 78.0–78.3		NoNoDisabled by default[120]Disabled by default[120]YesYesYesYesYesNot affectedMitigatedNot affectedDisabled by default​[n 16]Not affectedMitigatedYes[n 18]
ESR 78.482
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Opera Browser
(Opera Mobile)
(Pre-Presto and Presto)
[n 20]		1–2Windows
macOS
Linux
Android
Symbian S60
Maemo
Windows Mobile		No SSL/TLS support[122]
3Yes[123]NoNoNoNoNoNoNoNoNo SSL 3.0 or TLS supportVulnerableUnknownUnknownN/A
4YesYes[124]NoNoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableUnknownUnknownUnknown
5Enabled by defaultEnabled by defaultYes[125]NoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableUnknownUnknownYes[n 10]
6–7Enabled by defaultEnabled by defaultYes[125]NoNoNoNoYes[71]NoVulnerableNot affectedVulnerableVulnerableUnknownUnknownYes[n 10]
8Enabled by defaultEnabled by defaultYesDisabled by default
[126]		NoNoNoYesNoVulnerableNot affectedVulnerableVulnerableUnknownUnknownYes[n 10]
9Disabled by default
[127]		Enabled by defaultYesYesNoNosince v9.5
(only desktop)		YesNoVulnerableNot affectedVulnerableVulnerableUnknownUnknownYes[n 10]
10–11.52No[128]Enabled by defaultYesDisabled by defaultDisabled by default
[128]		NoYes
(only desktop)		YesNoVulnerableNot affectedVulnerableVulnerableUnknownUnknownYes[n 10]
11.60–11.64NoEnabled by defaultYesDisabled by defaultDisabled by defaultNoYes
(only desktop)		YesNoMitigated
[129]		Not affectedVulnerableVulnerableUnknownUnknownYes[n 10]
12–12.14NoDisabled by default
[n 21]		YesDisabled by defaultDisabled by defaultNoYes
(only desktop)		YesNoMitigatedNot affectedMitigated
[n 21]		VulnerableUnknownMitigated​[131]Yes[n 10]
12.15–12.17NoDisabled by defaultYesDisabled by defaultDisabled by defaultNoYes
(only desktop)		YesNoMitigatedNot affectedMitigatedPartly mitigated
[132][133]		UnknownMitigated​[131]Yes[n 10]
12.18NoDisabled by defaultYesYes[134]Yes[134]NoYes
(only desktop)		YesYes[134]MitigatedNot affectedMitigatedDisabled by default​[n 16][134]Mitigated​[134]Mitigated​[131]Yes[n 10]
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Opera Browser
(Opera Mobile)
(Webkit and Blink)
[n 22]		14–16Windows (7+)
macOS (10.11+)
Linux
Android (4.4+)		NoEnabled by defaultYesYes[137]No[137]NoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedVulnerableVulnerableVulnerable
(except Windows)		VulnerableTemporary
[n 11]
17–19NoEnabled by defaultYesYes[138]Yes[138]NoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedVulnerableVulnerableVulnerable
(except Windows)		VulnerableTemporary
[n 11]
20–24NoEnabled by defaultYesYesYesNoYes
(only desktop)		needs SHA-2 compatible OS[71]needs ECC compatible OS[72]Not affectedMitigatedPartly mitigated
[n 23]		Lowest priority
[139]		Vulnerable
(except Windows)		VulnerableTemporary
[n 11]
25, 26NoEnabled by default
[n 24]		YesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigated
[n 25]		Lowest priorityVulnerable
(except Windows)		VulnerableTemporary
[n 11]
27NoDisabled by default
[91]		YesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigated
[n 26]		Lowest priorityVulnerable
(except Windows)		VulnerableYes[n 27]
(only desktop)
28, 29NoDisabled by defaultYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigatedLowest priorityMitigatedVulnerableYes[n 27]
(only desktop)
30NoDisabled by defaultYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedMitigatedOnly as fallback
[n 15][92]		MitigatedMitigated​[131]Yes[n 27]
(only desktop)
31–34NoNo[93]YesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedNot affectedOnly as fallback
[n 15][92]		MitigatedMitigatedTemporary
[n 11]
35, 36NoNoYesYesYesNoYes
(only desktop)		Yesneeds ECC compatible OS[72]Not affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
37–40NoNoYesYesYesNoYes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
41–56NoNoYesYesYesDisabled by default
(draft version)		Yes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
57–7172NoNoYesYesYesYesYes
(only desktop)		YesYesNot affectedMitigatedNot affectedDisabled by default​[n 16][95][96]MitigatedMitigatedTemporary
[n 11]
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Microsoft Internet Explorer
(1–10)
[n 28]		1.xWindows 3.195NT,[n 29][n 30]
Mac OS 78		No SSL/TLS support
2YesNoNoNoNoNoNoNoNoNo SSL 3.0 or TLS supportVulnerableVulnerableVulnerableN/A
3YesYes[142]NoNoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableUnknown
456Windows 3.19598NT2000[n 29][n 30]
Mac OS 7.18X,
SolarisHP-UX		Enabled by defaultEnabled by defaultDisabled by default
[142]		NoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableYes[n 10]
6Windows XP[n 30]Enabled by defaultEnabled by defaultDisabled by defaultNoNoNoNoYes
[n 31][143]		NoMitigatedNot affectedVulnerableVulnerableVulnerableVulnerableYes[n 10]
78Disabled by default
[144]		Enabled by defaultYes[144]NoNoNoYesYes
[n 31][143]		NoMitigatedNot affectedVulnerableVulnerableVulnerableVulnerableYes[n 10]
6Server 2003[n 30]Enabled by defaultEnabled by defaultDisabled by defaultNoNoNoNoYes
[n 31][143]		NoMitigatedNot affectedVulnerableVulnerableMitigated
[147]		Mitigated
[148]		Yes[n 10]
78Disabled by default
[144]		Enabled by defaultYes[144]NoNoNoYesYes
[n 31][143]		NoMitigatedNot affectedVulnerableVulnerableMitigated
[147]		Mitigated
[148]		Yes[n 10]
789Windows VistaDisabled by defaultEnabled by defaultYesNoNoNoYesYesYes[72]MitigatedNot affectedVulnerableVulnerableMitigated
[147]		Mitigated
[148]		Yes[n 10]
789Server 2008Disabled by defaultEnabled by defaultYesDisabled by default​[149]
(KB4019276)		Disabled by default​[149]
(KB4019276)		NoYesYesYes[72]MitigatedNot affectedVulnerableVulnerableMitigated
[147]		Mitigated
[148]		Yes[n 10]
8910Windows 7 / 8
Server 2008 R2 / 2012		Disabled by defaultEnabled by defaultYesDisabled by default
[150]		Disabled by default
[150]		NoYesYesYesMitigatedNot affectedVulnerableLowest priority
[151][n 32]		Mitigated
[147]		Mitigated
[148]		Yes[n 10]
Internet Explorer 11
[n 28]		11Windows 7
Server 2008 R2		Disabled by defaultDisabled by default
[n 33]		YesYes[153]Yes[153]NoYesYesYesMitigatedNot affectedMitigated
[n 33]		Disabled by default​[157]Mitigated
[147]		Mitigated
[148]		Yes[n 10]
11[158]Windows 8.1Disabled by defaultDisabled by default
[n 33]		YesYes[153]Yes[153]NoYesYesYesMitigatedNot affectedMitigated
[n 33]		Disabled by default​[n 16]Mitigated
[147]		Mitigated
[148]		Yes[n 10]
Server 2012
Server 2012 R2
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Microsoft Edge
(12–18)
(EdgeHTML based)
Client only

Internet Explorer 11
[n 28]		1112–13Windows 10
1507–1511		Disabled by defaultDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
1114–18
(client only)		Windows 10
1607–1809
Windows Server (SAC)
1709–1809		No[159]Disabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
1118
(client only)		Windows 10
1903
Windows Server (SAC)
1903		NoDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
1118
(client only)		Windows 10
1909
Windows Server (SAC)
1909		NoDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
1118
(client only)		Windows 10
2004
Windows Server (SAC)
2004		NoDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
Internet Explorer 11
[n 28]		11Windows 10
20H2
Windows Server (SAC) 20H2		NoDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
11Windows 10
21Hx
Windows Server (SAC) 21Hx		NoDisabled by defaultYesYesYesEnabled by default
(experimental)
since Dev 10.0.20170[160]		YesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
Internet Explorer 11
[n 28]		11Windows 10
LTSB 2015 (1507)		Disabled by defaultDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
11Windows 10
LTSB 2016 (1607)		No[159]Disabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
11Windows Server 2016
(LTSB / 1607)		No[159]Disabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
11Windows 10
LTSC 2019 (1809)
Windows Server 2019
(LTSC / 1809)		NoDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedYes[n 10]
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Microsoft Internet Explorer Mobile
[n 28]		7, 9Windows Phone 7, 7.5, 7.8Disabled by default
[144]		Enabled by defaultYesNo
[citation needed]		No
[citation needed]		NoNo
[citation needed]		YesYes[161]UnknownNot affectedVulnerableVulnerableVulnerableVulnerableOnly with 3rd party tools[n 34]
10Windows Phone 8Disabled by defaultEnabled by defaultYesDisabled by default
[163]		Disabled by default
[163]		NoNo
[citation needed]		YesYes[164]MitigatedNot affectedVulnerableVulnerableVulnerableVulnerableOnly with 3rd party tools[n 34]
11Windows Phone 8.1Disabled by defaultEnabled by defaultYesYes[165]Yes[165]NoNo
[citation needed]		YesYesMitigatedNot affectedVulnerableOnly as fallback
[n 15][166][167]		VulnerableVulnerableOnly with 3rd party tools[n 34]
Microsoft Edge
(13–15)
(EdgeHTML based)
[n 35]		13Windows 10 Mobile
1511		Disabled by defaultDisabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedNo
14, 15Windows 10 Mobile
1607–1709		No[159]Disabled by defaultYesYesYesNoYesYesYesMitigatedNot affectedMitigatedDisabled by default​[n 16]MitigatedMitigatedNo
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Apple Safari
[n 36]		1Mac OS X 10.210.3No[172]YesYesNoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
2–5Mac OS X 10.410.5Win XPNoYesYesNoNoNosince v3.2NoNoVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
3–5VistaWin 7NoYesYesNoNoNosince v3.2NoYes[161]VulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
4–6Mac OS X 10.610.7NoYesYesNoNoNoYesYes[71]Yes[72]VulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
6OS X 10.8NoYesYesNoNoNoYesYesYes[72]Mitigated
[n 37]		Not affectedMitigated
[n 38]		Vulnerable
[n 38]		Mitigated
[178]		VulnerableNo
7, 9OS X 10.9NoYesYesYes[179]Yes[179]NoYesYesYesMitigated
[174]		Not affectedMitigated
[n 38]		Vulnerable
[n 38]		Mitigated
[178]		VulnerableNo
8–10OS X 10.10NoYesYesYesYesNoYesYesYesMitigatedNot affectedMitigated
[n 38]		Lowest priority
[180][n 38]		Mitigated
[178]		Mitigated
[181]		No
9–11OS X 10.11NoNoYesYesYesNoYesYesYesMitigatedNot affectedNot affectedLowest priorityMitigatedMitigatedNo
10–12macOS 10.12NoNoYesYesYesNoYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
11, 1213macOS 10.13NoNoYesYesYesNoYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
12, 1314macOS 10.14NoNoYesYesYesYes (since macOS 10.14.4)[182]YesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
1314macOS 10.15NoNoYesYesYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
14macOS 11.0NoNoYesYesYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Apple Safari
(mobile)
[n 39]		3iPhone OS 12No[186]YesYesNoNoNoNoNoNoVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
4, 5iPhone OS 3iOS 4NoYesYesNoNoNoYes[187]Yessince iOS 4[161]VulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
5, 6iOS 56NoYesYesYes[183]Yes[183]NoYesYesYesVulnerableNot affectedVulnerableVulnerableVulnerableVulnerableNo
7iOS 7NoYesYesYesYesNoYesYesYes[188]Mitigated
[189]		Not affectedVulnerableVulnerableVulnerableVulnerableNo
8iOS 8NoYesYesYesYesNoYesYesYesMitigatedNot affectedMitigated
[n 38]		Lowest priority
[190][n 38]		Mitigated
[191]		Mitigated
[192]		No
9iOS 9NoNoYesYesYesNoYesYesYesMitigatedNot affectedNot affectedLowest priorityMitigatedMitigatedNo
10–11iOS 1011NoNoYesYesYesNoYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
12iOS 12NoNoYesYesYesYes (since iOS 12.2)[182]YesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
13iOS 13NoNoYesYesYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
iPadOS 13
14iOS 14NoNoYesYesYesYesYesYesYesMitigatedNot affectedNot affectedDisabled by default​[n 16]MitigatedMitigatedNo
iPadOS 14
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV
[n 3]		SHA-2ECDSABEAST[n 4]CRIME[n 5]POODLE (SSLv3)[n 6]RC4[n 7]FREAK[73][74]LogjamProtocol selection by user
SSL protocolsTLS protocolsCertificate SupportVulnerabilities fixed
Google Android OS
[193]		Android 1.0–4.0.4NoEnabled by defaultYesNoNoNoUnknownYes[71]since 3.0[161][72]UnknownUnknownVulnerableVulnerableVulnerableVulnerableNo
Android 4.1–4.4.4NoEnabled by defaultYesDisabled by default​[194]Disabled by default​[194]NoUnknownYesYesUnknownUnknownVulnerableVulnerableVulnerableVulnerableNo
Android 5.0–5.0.2NoEnabled by defaultYesYes[194][195]Yes[194][195]NoUnknownYesYesUnknownUnknownVulnerableVulnerableVulnerableVulnerableNo
Android 5.1–5.1.1NoDisabled by default
[citation needed]		YesYesYesNoUnknownYesYesUnknownUnknownNot affectedOnly as fallback
[n 15]		MitigatedMitigatedNo
Android 6.07.1.2NoDisabled by default
[citation needed]		YesYesYesNoUnknownYesYesUnknownUnknownNot affectedDisabled by defaultMitigatedMitigatedNo
Android 8.09.0NoNo
[196]		YesYesYesNoUnknownYesYesUnknownUnknownNot affectedDisabled by defaultMitigatedMitigatedNo
Android 10.0NoNoYesYesYesYesUnknownYesYesUnknownUnknownNot affectedDisabled by defaultMitigatedMitigatedNo
Android 11.0NoNoYesYesYesYesUnknownYesYesUnknownUnknownNot affectedDisabled by defaultMitigatedMitigatedNo
BrowserVersionPlatformsSSL 2.0 (insecure)SSL 3.0 (insecure)TLS 1.0TLS 1.1TLS 1.2TLS 1.3EV certificateSHA-2 certificateECDSA certificateBEASTCRIMEPOODLE (SSLv3)RC4FREAKLogjamProtocol selection by user
Color or NoteSignificance
Browser versionPlatform
Browser versionOperating systemFuture release; under development
Browser versionOperating systemCurrent latest release
Browser versionOperating systemFormer release; still supported
Browser versionOperating systemFormer release; long-term support still active, but will end in less than 12 months
Browser versionOperating systemFormer release; no longer supported
n/aOperating systemMixed / Unspecified
Operating system (Version+)Minimum required operating system version (for supported versions of the browser)
Operating systemNo longer supported for this operating system

2. SSL/TLS 의 기본분석  

요즘 많이 사용도어지는 SSL/TLS 동작 방식은 주로 TCP기반으로 키를 서로 교환한 후, 
이를 암호화하여 통신하는 Protocol을 말하며, TLS Version 과 지원되는 암호화방식에 따라 달라진다. 

  • SSL/TLS 기본동작 방식
기본동작 방식은 Client/Server 암호화이며, 각각 Key 교환 후 암호화 진행 



Simple  SSL/TLS Client Source
  https://wiki.openssl.org/index.php/SSL/TLS_Client


2.1 TLS Handshake 와 Cipher Suite


TLS의 Cipher Suite설명 및 TLS 관련설명 
  • TLS v1.2 Handshake 방법 
HandShake 도중 Cipher Suite 하는 곳 과 순서확인 





  • TLSv1.2 의 전체흐름 분석 
WireShark로 직접 Capture 하여, 세부적으로 확인해보도록 하자.



  • 1st Message  Client->Server ( Client Hello)  
  1. Random:  Client에서 Time (4Byte) 와  Random Data (12Byte) 로 구성 
  2. Cipher Suites: Client 지원가능한 Cipher Suite 을 Server 에 제안 
  3. Client 지원가능한 Signature HASH Algorithm Server에게 제안 (Hash 와 Signature 제안) 


이후 생략 
나도 화면 캡쳐하기가 귀찮음 상위 구조대로 잘 동작함. 


2.2 TLS/DTLS Key 및 Certificate 준비

TLS를 테스트 하기전에 Cetificate를 준비 
DTLS or TLS 를 TEST를 진행을 위해서 Key 와 Certificate 아래와 같이 발급진행  


  • Client Key 와 Client Certificate 발급 
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes  -keyout client-key.pem -out client-cert.pem 
.....
//각 본인 정보 입력  
Country Name (2 letter code) [AU]:                
State or Province Name (full name) [Some-State]:  
Locality Name (eg, city) []:                      
Organization Name (eg, company) [Internet Widgits Pty Ltd]:  
Organizational Unit Name (eg, section) []:   
Common Name (e.g. server FQDN or YOUR name) []: 
Email Address []:    

//10 (3650) 년 RSA Private Key 발급 및 이 기반으로 Certificate 발급

  • Server Key 와 Server Certificate 발급 
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes  -keyout server-key.pem -out server-cert.pem 
//각 본인 정보 입력  
....
//10 (3650) 년 RSA Private Key 발급 및 이 기반으로 Certificate 발급 



$ cat client-key.pem 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY7C6QOrmTrVcw
FbSTs8A7rXd/hXAelFb8YYhAglOKCkfhVzJyS1M7OAk052QXOfVzTMxCoYiIIGI/
Vo2GGoE2KbGrOrQi8GHYNxFVuaY9Pwd5WiV708hIBbq9zENQgbwiDrg5TOYXahnd
5DviuWMMsK/dgakbnJ58Z+UuhBE1fHLrYwBZIHq6npy0oTEiBaBPJXYTxmQdp6X5
E7O883PWUOdLNFx9K7FDaZFHhVbA0ObOpbTtLzrWNvZWwGdr/wZ3z3NKbaimkjZq
rHqs0T8ffixP4MaUJDRtwXZ1pkOIIsS30eqkV/6Z4/JqVRKu3YdTHvbveCuuogLP
/w0SM/TJAgMBAAECggEAYqHpfi0lim9r0HJeHDbENp5mUnZzB4R9lN4oHOTlZUPN
cTm7t1pmquuMzCBWU3VIFLgbvEREl1jaM2CAkzRkAiOtJGVZ2PUiGDTZzffPDdQl
6tjBaG9ghtcMFRbWmLmUuIum2m8LxCO7RThsvmd7ER8ZqAc3xFVPftOi0qa8SGvK
YzoKY630xImH6KwLCu6mKH0cfxyrxw0sVuTafDt+ufZX8YYjf7F/S5h1ZQ3NvnOf
z7yZd+uTzYHB08cF5hWYEV0Ly1wS6PvW9NlqAO7fcAteiHQnDVDECdQcmhK/xsP5
c2Q9uMc6sGVwAeoSmRsLKn8u6txp0S1+9N7nBvoZ3QKBgQDv62DvCC3Q1yMdu9R7
nE2cqfm7bdJkCFI1TUNyoBEZlOnZMwfGkhOsMTzxDuPZQGYCAqWPmUiXvl90j83P
9VyNqbsTVZVpX0zWLh4hMxMj5T0kG2RPiBx9Yv3wbgOHoul101AGujfeFm7WrEL8
jFFbaG75lnh4qVPprQfR78YXiwKBgQDndjcPP4ovmgKyE80dg+rYhIpQoEpQYE6Q
ZZBpg9rTyXKEIDbrlpFtKE57jzmt/IbqO1f1zGesttZV8Rq7KFvae9rtGe7HXcFp
Z9wL+5PsAQ66N+qqJnLdvSkzn9iZo5vYBp/c6a3fajmUH6Uzets9Ys+Xi5IQqjr3
Eg9hgKCPewKBgQCfi8nUa338SXUiysvMv+6k5iwaxjeJKjdxFsZpraRxfKPeOp9L
H81RTxUVwS8oRDkR0SzER80MjB7yZscZKjO4SU0M2HcZsbRpIhYLQenSjxmPr1+P
vBYmE/SHNMHIK0BRiIrJToDkgcqHm9qYE7/up45VEAlhREl3NgfjRi5XbQKBgEx4
TfCHuYvIgiN7T0T1FF28TEYe7u5nIw2pwHBb06ws3dyxF/P1ps49htBjnVbSG3C/
cmwOwCHbtixmn8I9rzsbuFSlQLI1U3UTjyuWTmSmZMs5NhpI4aJIoJghs1nvJ8nT
RnWh7oPlgGhjnBzJ9iztvFABGJzQ4PJH0TURXfqJAoGABTFao05w3Uw8y3ucN9Qd
qvkcDs1+7GePncijVWkHX0lQV4BmzTPG+ZfImWwlLj3vo5iFD1FCFndNsF06AX4I
DiPQW1PjmGT31wt0QWWjoXnVtjgsRlxBZkFrPDpXv/Dbrr6la4weHHo+Rr2Z3pUb
z1Bgsu7M4Mz1pG7vlbgtUU4=
-----END PRIVATE KEY-----

$ openssl pkey -in client-key.pem -text  //상위 Private Key 분석  
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDY7C6QOrmTrVcw
FbSTs8A7rXd/hXAelFb8YYhAglOKCkfhVzJyS1M7OAk052QXOfVzTMxCoYiIIGI/
Vo2GGoE2KbGrOrQi8GHYNxFVuaY9Pwd5WiV708hIBbq9zENQgbwiDrg5TOYXahnd
5DviuWMMsK/dgakbnJ58Z+UuhBE1fHLrYwBZIHq6npy0oTEiBaBPJXYTxmQdp6X5
E7O883PWUOdLNFx9K7FDaZFHhVbA0ObOpbTtLzrWNvZWwGdr/wZ3z3NKbaimkjZq
rHqs0T8ffixP4MaUJDRtwXZ1pkOIIsS30eqkV/6Z4/JqVRKu3YdTHvbveCuuogLP
/w0SM/TJAgMBAAECggEAYqHpfi0lim9r0HJeHDbENp5mUnZzB4R9lN4oHOTlZUPN
cTm7t1pmquuMzCBWU3VIFLgbvEREl1jaM2CAkzRkAiOtJGVZ2PUiGDTZzffPDdQl
6tjBaG9ghtcMFRbWmLmUuIum2m8LxCO7RThsvmd7ER8ZqAc3xFVPftOi0qa8SGvK
YzoKY630xImH6KwLCu6mKH0cfxyrxw0sVuTafDt+ufZX8YYjf7F/S5h1ZQ3NvnOf
z7yZd+uTzYHB08cF5hWYEV0Ly1wS6PvW9NlqAO7fcAteiHQnDVDECdQcmhK/xsP5
c2Q9uMc6sGVwAeoSmRsLKn8u6txp0S1+9N7nBvoZ3QKBgQDv62DvCC3Q1yMdu9R7
nE2cqfm7bdJkCFI1TUNyoBEZlOnZMwfGkhOsMTzxDuPZQGYCAqWPmUiXvl90j83P
9VyNqbsTVZVpX0zWLh4hMxMj5T0kG2RPiBx9Yv3wbgOHoul101AGujfeFm7WrEL8
jFFbaG75lnh4qVPprQfR78YXiwKBgQDndjcPP4ovmgKyE80dg+rYhIpQoEpQYE6Q
ZZBpg9rTyXKEIDbrlpFtKE57jzmt/IbqO1f1zGesttZV8Rq7KFvae9rtGe7HXcFp
Z9wL+5PsAQ66N+qqJnLdvSkzn9iZo5vYBp/c6a3fajmUH6Uzets9Ys+Xi5IQqjr3
Eg9hgKCPewKBgQCfi8nUa338SXUiysvMv+6k5iwaxjeJKjdxFsZpraRxfKPeOp9L
H81RTxUVwS8oRDkR0SzER80MjB7yZscZKjO4SU0M2HcZsbRpIhYLQenSjxmPr1+P
vBYmE/SHNMHIK0BRiIrJToDkgcqHm9qYE7/up45VEAlhREl3NgfjRi5XbQKBgEx4
TfCHuYvIgiN7T0T1FF28TEYe7u5nIw2pwHBb06ws3dyxF/P1ps49htBjnVbSG3C/
cmwOwCHbtixmn8I9rzsbuFSlQLI1U3UTjyuWTmSmZMs5NhpI4aJIoJghs1nvJ8nT
RnWh7oPlgGhjnBzJ9iztvFABGJzQ4PJH0TURXfqJAoGABTFao05w3Uw8y3ucN9Qd
qvkcDs1+7GePncijVWkHX0lQV4BmzTPG+ZfImWwlLj3vo5iFD1FCFndNsF06AX4I
DiPQW1PjmGT31wt0QWWjoXnVtjgsRlxBZkFrPDpXv/Dbrr6la4weHHo+Rr2Z3pUb
z1Bgsu7M4Mz1pG7vlbgtUU4=
-----END PRIVATE KEY-----
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:d8:ec:2e:90:3a:b9:93:ad:57:30:15:b4:93:b3:
    c0:3b:ad:77:7f:85:70:1e:94:56:fc:61:88:40:82:
    53:8a:0a:47:e1:57:32:72:4b:53:3b:38:09:34:e7:
    64:17:39:f5:73:4c:cc:42:a1:88:88:20:62:3f:56:
    8d:86:1a:81:36:29:b1:ab:3a:b4:22:f0:61:d8:37:
    11:55:b9:a6:3d:3f:07:79:5a:25:7b:d3:c8:48:05:
    ba:bd:cc:43:50:81:bc:22:0e:b8:39:4c:e6:17:6a:
    19:dd:e4:3b:e2:b9:63:0c:b0:af:dd:81:a9:1b:9c:
    9e:7c:67:e5:2e:84:11:35:7c:72:eb:63:00:59:20:
    7a:ba:9e:9c:b4:a1:31:22:05:a0:4f:25:76:13:c6:
    64:1d:a7:a5:f9:13:b3:bc:f3:73:d6:50:e7:4b:34:
    5c:7d:2b:b1:43:69:91:47:85:56:c0:d0:e6:ce:a5:
    b4:ed:2f:3a:d6:36:f6:56:c0:67:6b:ff:06:77:cf:
    73:4a:6d:a8:a6:92:36:6a:ac:7a:ac:d1:3f:1f:7e:
    2c:4f:e0:c6:94:24:34:6d:c1:76:75:a6:43:88:22:
    c4:b7:d1:ea:a4:57:fe:99:e3:f2:6a:55:12:ae:dd:
    87:53:1e:f6:ef:78:2b:ae:a2:02:cf:ff:0d:12:33:
    f4:c9
publicExponent: 65537 (0x10001)
privateExponent:
    62:a1:e9:7e:2d:25:8a:6f:6b:d0:72:5e:1c:36:c4:
    36:9e:66:52:76:73:07:84:7d:94:de:28:1c:e4:e5:
    65:43:cd:71:39:bb:b7:5a:66:aa:eb:8c:cc:20:56:
    53:75:48:14:b8:1b:bc:44:44:97:58:da:33:60:80:
    93:34:64:02:23:ad:24:65:59:d8:f5:22:18:34:d9:
    cd:f7:cf:0d:d4:25:ea:d8:c1:68:6f:60:86:d7:0c:
    15:16:d6:98:b9:94:b8:8b:a6:da:6f:0b:c4:23:bb:
    45:38:6c:be:67:7b:11:1f:19:a8:07:37:c4:55:4f:
    7e:d3:a2:d2:a6:bc:48:6b:ca:63:3a:0a:63:ad:f4:
    c4:89:87:e8:ac:0b:0a:ee:a6:28:7d:1c:7f:1c:ab:
    c7:0d:2c:56:e4:da:7c:3b:7e:b9:f6:57:f1:86:23:
    7f:b1:7f:4b:98:75:65:0d:cd:be:73:9f:cf:bc:99:
    77:eb:93:cd:81:c1:d3:c7:05:e6:15:98:11:5d:0b:
    cb:5c:12:e8:fb:d6:f4:d9:6a:00:ee:df:70:0b:5e:
    88:74:27:0d:50:c4:09:d4:1c:9a:12:bf:c6:c3:f9:
    73:64:3d:b8:c7:3a:b0:65:70:01:ea:12:99:1b:0b:
    2a:7f:2e:ea:dc:69:d1:2d:7e:f4:de:e7:06:fa:19:
    dd
prime1:
    00:ef:eb:60:ef:08:2d:d0:d7:23:1d:bb:d4:7b:9c:
    4d:9c:a9:f9:bb:6d:d2:64:08:52:35:4d:43:72:a0:
    11:19:94:e9:d9:33:07:c6:92:13:ac:31:3c:f1:0e:
    e3:d9:40:66:02:02:a5:8f:99:48:97:be:5f:74:8f:
    cd:cf:f5:5c:8d:a9:bb:13:55:95:69:5f:4c:d6:2e:
    1e:21:33:13:23:e5:3d:24:1b:64:4f:88:1c:7d:62:
    fd:f0:6e:03:87:a2:e9:75:d3:50:06:ba:37:de:16:
    6e:d6:ac:42:fc:8c:51:5b:68:6e:f9:96:78:78:a9:
    53:e9:ad:07:d1:ef:c6:17:8b
prime2:
    00:e7:76:37:0f:3f:8a:2f:9a:02:b2:13:cd:1d:83:
    ea:d8:84:8a:50:a0:4a:50:60:4e:90:65:90:69:83:
    da:d3:c9:72:84:20:36:eb:96:91:6d:28:4e:7b:8f:
    39:ad:fc:86:ea:3b:57:f5:cc:67:ac:b6:d6:55:f1:
    1a:bb:28:5b:da:7b:da:ed:19:ee:c7:5d:c1:69:67:
    dc:0b:fb:93:ec:01:0e:ba:37:ea:aa:26:72:dd:bd:
    29:33:9f:d8:99:a3:9b:d8:06:9f:dc:e9:ad:df:6a:
    39:94:1f:a5:33:7a:db:3d:62:cf:97:8b:92:10:aa:
    3a:f7:12:0f:61:80:a0:8f:7b
exponent1:
    00:9f:8b:c9:d4:6b:7d:fc:49:75:22:ca:cb:cc:bf:
    ee:a4:e6:2c:1a:c6:37:89:2a:37:71:16:c6:69:ad:
    a4:71:7c:a3:de:3a:9f:4b:1f:cd:51:4f:15:15:c1:
    2f:28:44:39:11:d1:2c:c4:47:cd:0c:8c:1e:f2:66:
    c7:19:2a:33:b8:49:4d:0c:d8:77:19:b1:b4:69:22:
    16:0b:41:e9:d2:8f:19:8f:af:5f:8f:bc:16:26:13:
    f4:87:34:c1:c8:2b:40:51:88:8a:c9:4e:80:e4:81:
    ca:87:9b:da:98:13:bf:ee:a7:8e:55:10:09:61:44:
    49:77:36:07:e3:46:2e:57:6d
exponent2:
    4c:78:4d:f0:87:b9:8b:c8:82:23:7b:4f:44:f5:14:
    5d:bc:4c:46:1e:ee:ee:67:23:0d:a9:c0:70:5b:d3:
    ac:2c:dd:dc:b1:17:f3:f5:a6:ce:3d:86:d0:63:9d:
    56:d2:1b:70:bf:72:6c:0e:c0:21:db:b6:2c:66:9f:
    c2:3d:af:3b:1b:b8:54:a5:40:b2:35:53:75:13:8f:
    2b:96:4e:64:a6:64:cb:39:36:1a:48:e1:a2:48:a0:
    98:21:b3:59:ef:27:c9:d3:46:75:a1:ee:83:e5:80:
    68:63:9c:1c:c9:f6:2c:ed:bc:50:01:18:9c:d0:e0:
    f2:47:d1:35:11:5d:fa:89
coefficient:
    05:31:5a:a3:4e:70:dd:4c:3c:cb:7b:9c:37:d4:1d:
    aa:f9:1c:0e:cd:7e:ec:67:8f:9d:c8:a3:55:69:07:
    5f:49:50:57:80:66:cd:33:c6:f9:97:c8:99:6c:25:
    2e:3d:ef:a3:98:85:0f:51:42:16:77:4d:b0:5d:3a:
    01:7e:08:0e:23:d0:5b:53:e3:98:64:f7:d7:0b:74:
    41:65:a3:a1:79:d5:b6:38:2c:46:5c:41:66:41:6b:
    3c:3a:57:bf:f0:db:ae:be:a5:6b:8c:1e:1c:7a:3e:
    46:bd:99:de:95:1b:cf:50:60:b2:ee:cc:e0:cc:f5:
    a4:6e:ef:95:b8:2d:51:4e




$ cat client-cert.pem 
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUMZtS2tJd9h7UX4kqm0RszoVYTRkwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA2MDkwMjQ5NTNaFw0zMDA2
MDcwMjQ5NTNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDY7C6QOrmTrVcwFbSTs8A7rXd/hXAelFb8YYhAglOK
CkfhVzJyS1M7OAk052QXOfVzTMxCoYiIIGI/Vo2GGoE2KbGrOrQi8GHYNxFVuaY9
Pwd5WiV708hIBbq9zENQgbwiDrg5TOYXahnd5DviuWMMsK/dgakbnJ58Z+UuhBE1
fHLrYwBZIHq6npy0oTEiBaBPJXYTxmQdp6X5E7O883PWUOdLNFx9K7FDaZFHhVbA
0ObOpbTtLzrWNvZWwGdr/wZ3z3NKbaimkjZqrHqs0T8ffixP4MaUJDRtwXZ1pkOI
IsS30eqkV/6Z4/JqVRKu3YdTHvbveCuuogLP/w0SM/TJAgMBAAGjUzBRMB0GA1Ud
DgQWBBTEBigrdkOYiqC9WSGwPd7+gTM+VzAfBgNVHSMEGDAWgBTEBigrdkOYiqC9
WSGwPd7+gTM+VzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBn
tVibGcZrOMG3/xvMZvE31qn3x6qQS2lrGLqhaYN5q94eY5PIMOCMHnkWr1h0Qu/I
IN+H4HduuNtVtwMekxWDCMHBupjKIUY6kpNybImFauj6STaMxKp4X9XKYLByo6/L
toVVI0ibqxs/EGv6GeWA+xR49EKWbvshdAGb8CdMaSEmzfxUrneGsLkYPjcWl2tQ
59A3DLh9WbblPTWjZd6bXYwPxSPCavaEFL9aE35mUCC3JSis0vjQuMJH8Vb2TBrH
ryoqoVh/+aQPtwnwgC4/x0EvEmOm4+Cdl4qTjpuavUibcuyxRYV5dARhZjO2G4Fp
9T71PvqoAm8ZaNGdHxeq
-----END CERTIFICATE-----

$ openssl x509 -in client-cert.pem -noout -text  //상위 Certifacte 전체 분석 (상위 Privae Key 정보포함)  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:9b:52:da:d2:5d:f6:1e:d4:5f:89:2a:9b:44:6c:ce:85:58:4d:19
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Jun  9 02:49:53 2020 GMT
            Not After : Jun  7 02:49:53 2030 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d8:ec:2e:90:3a:b9:93:ad:57:30:15:b4:93:b3:
                    c0:3b:ad:77:7f:85:70:1e:94:56:fc:61:88:40:82:
                    53:8a:0a:47:e1:57:32:72:4b:53:3b:38:09:34:e7:
                    64:17:39:f5:73:4c:cc:42:a1:88:88:20:62:3f:56:
                    8d:86:1a:81:36:29:b1:ab:3a:b4:22:f0:61:d8:37:
                    11:55:b9:a6:3d:3f:07:79:5a:25:7b:d3:c8:48:05:
                    ba:bd:cc:43:50:81:bc:22:0e:b8:39:4c:e6:17:6a:
                    19:dd:e4:3b:e2:b9:63:0c:b0:af:dd:81:a9:1b:9c:
                    9e:7c:67:e5:2e:84:11:35:7c:72:eb:63:00:59:20:
                    7a:ba:9e:9c:b4:a1:31:22:05:a0:4f:25:76:13:c6:
                    64:1d:a7:a5:f9:13:b3:bc:f3:73:d6:50:e7:4b:34:
                    5c:7d:2b:b1:43:69:91:47:85:56:c0:d0:e6:ce:a5:
                    b4:ed:2f:3a:d6:36:f6:56:c0:67:6b:ff:06:77:cf:
                    73:4a:6d:a8:a6:92:36:6a:ac:7a:ac:d1:3f:1f:7e:
                    2c:4f:e0:c6:94:24:34:6d:c1:76:75:a6:43:88:22:
                    c4:b7:d1:ea:a4:57:fe:99:e3:f2:6a:55:12:ae:dd:
                    87:53:1e:f6:ef:78:2b:ae:a2:02:cf:ff:0d:12:33:
                    f4:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57
            X509v3 Authority Key Identifier:
                keyid:C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         67:b5:58:9b:19:c6:6b:38:c1:b7:ff:1b:cc:66:f1:37:d6:a9:
         f7:c7:aa:90:4b:69:6b:18:ba:a1:69:83:79:ab:de:1e:63:93:
         c8:30:e0:8c:1e:79:16:af:58:74:42:ef:c8:20:df:87:e0:77:
         6e:b8:db:55:b7:03:1e:93:15:83:08:c1:c1:ba:98:ca:21:46:
         3a:92:93:72:6c:89:85:6a:e8:fa:49:36:8c:c4:aa:78:5f:d5:
         ca:60:b0:72:a3:af:cb:b6:85:55:23:48:9b:ab:1b:3f:10:6b:
         fa:19:e5:80:fb:14:78:f4:42:96:6e:fb:21:74:01:9b:f0:27:
         4c:69:21:26:cd:fc:54:ae:77:86:b0:b9:18:3e:37:16:97:6b:
         50:e7:d0:37:0c:b8:7d:59:b6:e5:3d:35:a3:65:de:9b:5d:8c:
         0f:c5:23:c2:6a:f6:84:14:bf:5a:13:7e:66:50:20:b7:25:28:
         ac:d2:f8:d0:b8:c2:47:f1:56:f6:4c:1a:c7:af:2a:2a:a1:58:
         7f:f9:a4:0f:b7:09:f0:80:2e:3f:c7:41:2f:12:63:a6:e3:e0:
         9d:97:8a:93:8e:9b:9a:bd:48:9b:72:ec:b1:45:85:79:74:04:
         61:66:33:b6:1b:81:69:f5:3e:f5:3e:fa:a8:02:6f:19:68:d1:
         9d:1f:17:aa

2.3 TLS/DTLS 기본테스트 소스 


세부내용은 상위 링크 참조 

LIBS += -lssl -lcrypto


#include <openssl/bio.h> 
#include <openssl/ssl.h> 
#include <openssl/err.h>

    SSL_CTX *ctx;
    SSL *ssl;
    BIO *bio;

   OpenSSL_add_ssl_algorithms();
   SSL_load_error_strings();

   ctx = SSL_CTX_new(DTLS_client_method());

 if (!SSL_CTX_use_certificate_file(ctx, "certs/client-cert.pem", SSL_FILETYPE_PEM))
  SSLMSG("ERROR: no certificate found!\n");

 if (!SSL_CTX_use_PrivateKey_file(ctx, "certs/client-key.pem", SSL_FILETYPE_PEM))
  SSLMSG("ERROR: no private key found!\n");

 if (!SSL_CTX_check_private_key (ctx))
  SSLMSG("ERROR: invalid private key!\n");
   
//Cipher Suite List 설정가능 
  SSL_CTX_set_cipher_list(ctx, ":AES");

3. OpenSSL 설치 및 테스트


RootCA / SubCA / Digital Signature Sign
  https://en.wikipedia.org/wiki/Root_certificate
  https://en.wikipedia.org/wiki/Certificate_authority
  https://en.wikipedia.org/wiki/Public_key_certificate

OpenSSL 로 ROOT CA 발급
  https://www.lesstif.com/pages/viewpage.action?pageId=6979614
  https://www.lesstif.com/pages/viewpage.action?pageId=7635159

OpenSSL Command 사용법
  https://wiki.openssl.org/index.php/Command_Line_Utilities
  https://en.wikipedia.org/wiki/OpenSSL

openssl s_client -connect
  https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
  https://www.poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/
  http://coffeenix.net/board_view.php?bd_code=1661
  https://xbloger.tistory.com/18
  https://spin.atomicobject.com/2018/07/30/openssl-s-client/
  https://www.freebsd.org/cgi/man.cgi?query=s_client&manpath=FreeBSD+11-current
  https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html

openssl s_server
  https://www.openssl.org/docs/man1.0.2/man1/s_server.html
  https://github.com/openssl/openssl/blob/master/apps/server.pem
  https://theswlee.tistory.com/48
  https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
  https://www.rabbitmq.com/troubleshooting-ssl.html
  https://www.rabbitmq.com/troubleshooting-networking.html
  https://www.rabbitmq.com/ssl.html#certificates-and-keys


  • openssl 기본 테스트
설치 후 기본동작 확인 

$ openssl version
OpenSSL 1.1.1b  26 Feb 2019

$ openssl
OpenSSL> help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

OpenSSL> quit




  • DER 인증서 및 KEY 변환

일반적으로 pem or crt는 base64로 encoding하여 쉽게 cat으로 확인가능하지만, der은 binary로 구성이 된 것 같아 아래와 같이 변경해주자.

$ openssl x509 -inform DER -outform PEM -text -in test.der -out test.pem

  https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
  https://wiki.openssl.org/index.php/DER


3.1 HTTPS Google Server 연결 테스트 

  • HTTPS 443 Port TEST 진행 
기본으로 Server가 TLSv1.3을 지원하면, 자동으로 이를 지원하지만, 아래와 같이 밑에 부분에서 에러발생

$ openssl s_client -connect google.com:443      //HTTPS 443 Port TLSv 1.3 Fail
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJRDCCCCygAwIBAgIRAO7eZWDNNcCvAgAAAABZcbcwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDAyMTIxMTQ3MTFaFw0yMDA1MDYxMTQ3
MTFaMGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRUwEwYDVQQDDAwq
Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATKjE9IuwUMNbIb
CmiOS1XWI2yPFLanStLIADumajnPmHrED+4/bPKa3HXecM4hPVHL8OgqwVYWveZs
S6OdF9Pqo4IG2jCCBtYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCRtN1AKArkz3KlGMpfhLYkaPFkY
MB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGQGCCsGAQUFBwEBBFgw
VjAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMW8xMCsGCCsG
AQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFMxTzEuY3J0MIIEnQYDVR0R
BIIElDCCBJCCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5hcHBlbmdp
bmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29tghgqLmNyb3dkc291cmNl
Lmdvb2dsZS5jb22CBiouZy5jb4IOKi5nY3AuZ3Z0Mi5jb22CESouZ2NwY2RuLmd2
dDEuY29tggoqLmdncGh0LmNugg4qLmdrZWNuYXBwcy5jboIWKi5nb29nbGUtYW5h
bHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2dsZS5j
by5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2dsZS5j
b20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdvb2ds
ZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8qLmdv
b2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29nbGUu
ZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyouZ29v
Z2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdvb2ds
ZWFwaXMuY26CESouZ29vZ2xlY25hcHBzLmNughQqLmdvb2dsZWNvbW1lcmNlLmNv
bYIRKi5nb29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboINKi5nc3RhdGljLmNv
bYISKi5nc3RhdGljY25hcHBzLmNuggoqLmd2dDEuY29tggoqLmd2dDIuY29tghQq
Lm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUu
Y29tghMqLndlYXIuZ2tlY25hcHBzLmNughYqLnlvdXR1YmUtbm9jb29raWUuY29t
gg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tghEqLnlvdXR1
YmVraWRzLmNvbYIHKi55dC5iZYILKi55dGltZy5jb22CGmFuZHJvaWQuY2xpZW50
cy5nb29nbGUuY29tggthbmRyb2lkLmNvbYIbZGV2ZWxvcGVyLmFuZHJvaWQuZ29v
Z2xlLmNughxkZXZlbG9wZXJzLmFuZHJvaWQuZ29vZ2xlLmNuggRnLmNvgghnZ3Bo
dC5jboIMZ2tlY25hcHBzLmNuggZnb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29t
ggpnb29nbGUuY29tgg9nb29nbGVjbmFwcHMuY26CEmdvb2dsZWNvbW1lcmNlLmNv
bYIYc291cmNlLmFuZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29v
Lmdsggh5b3V0dS5iZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29t
gg95b3V0dWJla2lkcy5jb22CBXl0LmJlMCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwG
CisGAQQB1nkCBQMwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL2NybC5wa2kuZ29v
Zy9HVFMxTzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAsh4FzIuizYog
Todm+Su5iiUgZ2va+nDnsklTLe+LkF4AAAFwOXBpZwAABAMARjBEAiA+QN+Y1BC1
iTg87rmcpsUM/Gu24qPQtScwEkDt1exEhAIgQZ65pwiFU6WtL7WIBUDRTSLLJtQz
SUb9E8H/e+H3kv8AdwBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AXA5cGl4AAAEAwBIMEYCIQD9qpknf9RA9NTnDbJ1R740ilIoZ5axO70RNKA2ozIp
DQIhAI1NyadJ74gUNJMOwgVolIAXXkoTlllaI+RlhpKJXQelMA0GCSqGSIb3DQEB
CwUAA4IBAQB/1D1o4bHjhENzzSVqw/WiW7R1Yg4kZjli4Jx+LL27l0iKIq5Je3M7
N9seKeytHKln9LJWcZKJU0ZbTMAspum0myuT9TCRUzlQySsFdd3w5wh0ORzaaMxf
dFZXbP5bVcGkuC/FdoNgnFFjfdJlif8ZWazQdGNT68dXSNYBrSWcZvTi6UHviVzy
KRNF8NXQPkmfEGnd4JAhXr/bNfKhYp/n8vsemQpmKWuA2eO+1W3C8iCVQ2JaQUSE
kOquDseMqEKLRl+Rqg9HWNZpZ7CJfxVEk9f8L9nc9fqQrRM3CB6E4nNwbo7jkwdk
w9vcyse48vXjWRg69iSIEEw4VHtES7QN
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3787 bytes and written 392 bytes
Verification error: unable to get local issuer certificate  // openssl verify (검증에러)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported  // TLSv1.3 협상실패 
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent       //문제 사항 확인                      
Verify return code: 20 (unable to get local issuer certificate)
---
Ctrl+c


  • HTTPS 443 Port TEST 진행 (TLSv1.2)
TLSv1.2로 진행을 하면 기존의 TLSv1.3과 다르게 Session까지 성공하며 동작

 $ openssl s_client -connect google.com:443 -tls1_2       //HTTPS 443 Port TLS1.2 
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJRDCCCCygAwIBAgIRAO7eZWDNNcCvAgAAAABZcbcwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDAyMTIxMTQ3MTFaFw0yMDA1MDYxMTQ3
MTFaMGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRUwEwYDVQQDDAwq
Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATKjE9IuwUMNbIb
CmiOS1XWI2yPFLanStLIADumajnPmHrED+4/bPKa3HXecM4hPVHL8OgqwVYWveZs
S6OdF9Pqo4IG2jCCBtYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCRtN1AKArkz3KlGMpfhLYkaPFkY
MB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGQGCCsGAQUFBwEBBFgw
VjAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMW8xMCsGCCsG
AQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFMxTzEuY3J0MIIEnQYDVR0R
BIIElDCCBJCCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5hcHBlbmdp
bmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29tghgqLmNyb3dkc291cmNl
Lmdvb2dsZS5jb22CBiouZy5jb4IOKi5nY3AuZ3Z0Mi5jb22CESouZ2NwY2RuLmd2
dDEuY29tggoqLmdncGh0LmNugg4qLmdrZWNuYXBwcy5jboIWKi5nb29nbGUtYW5h
bHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2dsZS5j
by5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2dsZS5j
b20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdvb2ds
ZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8qLmdv
b2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29nbGUu
ZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyouZ29v
Z2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdvb2ds
ZWFwaXMuY26CESouZ29vZ2xlY25hcHBzLmNughQqLmdvb2dsZWNvbW1lcmNlLmNv
bYIRKi5nb29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboINKi5nc3RhdGljLmNv
bYISKi5nc3RhdGljY25hcHBzLmNuggoqLmd2dDEuY29tggoqLmd2dDIuY29tghQq
Lm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUu
Y29tghMqLndlYXIuZ2tlY25hcHBzLmNughYqLnlvdXR1YmUtbm9jb29raWUuY29t
gg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tghEqLnlvdXR1
YmVraWRzLmNvbYIHKi55dC5iZYILKi55dGltZy5jb22CGmFuZHJvaWQuY2xpZW50
cy5nb29nbGUuY29tggthbmRyb2lkLmNvbYIbZGV2ZWxvcGVyLmFuZHJvaWQuZ29v
Z2xlLmNughxkZXZlbG9wZXJzLmFuZHJvaWQuZ29vZ2xlLmNuggRnLmNvgghnZ3Bo
dC5jboIMZ2tlY25hcHBzLmNuggZnb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29t
ggpnb29nbGUuY29tgg9nb29nbGVjbmFwcHMuY26CEmdvb2dsZWNvbW1lcmNlLmNv
bYIYc291cmNlLmFuZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29v
Lmdsggh5b3V0dS5iZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29t
gg95b3V0dWJla2lkcy5jb22CBXl0LmJlMCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwG
CisGAQQB1nkCBQMwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL2NybC5wa2kuZ29v
Zy9HVFMxTzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAsh4FzIuizYog
Todm+Su5iiUgZ2va+nDnsklTLe+LkF4AAAFwOXBpZwAABAMARjBEAiA+QN+Y1BC1
iTg87rmcpsUM/Gu24qPQtScwEkDt1exEhAIgQZ65pwiFU6WtL7WIBUDRTSLLJtQz
SUb9E8H/e+H3kv8AdwBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AXA5cGl4AAAEAwBIMEYCIQD9qpknf9RA9NTnDbJ1R740ilIoZ5axO70RNKA2ozIp
DQIhAI1NyadJ74gUNJMOwgVolIAXXkoTlllaI+RlhpKJXQelMA0GCSqGSIb3DQEB
CwUAA4IBAQB/1D1o4bHjhENzzSVqw/WiW7R1Yg4kZjli4Jx+LL27l0iKIq5Je3M7
N9seKeytHKln9LJWcZKJU0ZbTMAspum0myuT9TCRUzlQySsFdd3w5wh0ORzaaMxf
dFZXbP5bVcGkuC/FdoNgnFFjfdJlif8ZWazQdGNT68dXSNYBrSWcZvTi6UHviVzy
KRNF8NXQPkmfEGnd4JAhXr/bNfKhYp/n8vsemQpmKWuA2eO+1W3C8iCVQ2JaQUSE
kOquDseMqEKLRl+Rqg9HWNZpZ7CJfxVEk9f8L9nc9fqQrRM3CB6E4nNwbo7jkwdk
w9vcyse48vXjWRg69iSIEEw4VHtES7QN
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3978 bytes and written 298 bytes
Verification error: unable to get local issuer certificate  // 동일하게 검증에러 
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported       //TLSv1.2 로 협상
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 1C072CAEAD8AC810F33CC68F2C687F8841ED13FFB9B9668FF4E6CA770CCABCC4
    Session-ID-ctx:
    Master-Key: 098E8AC1E0DEEA97F12895234B1B2DD332953D5AE4D2D1EF6679DA3CD80558AF36821E68EFED9EDF1A41DB355B7F63BE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 4e 19 86 f8 af c8 74-f0 4a 2d bc b3 bd 49 07   .N.....t.J-...I.
    0010 - d4 bc b5 dd 95 fa 34 fb-f8 95 20 cb e6 91 19 6e   ......4... ....n
    0020 - 98 8c 87 54 82 76 16 72-49 41 a6 36 a9 bb 18 00   ...T.v.rIA.6....
    0030 - dd 77 aa 6f cb e9 1b e2-de 38 4e a2 54 c6 21 89   .w.o.....8N.T.!.
    0040 - 5f a1 28 e2 0a f1 1d eb-c1 ed 3f 6d 85 7d ba f7   _.(.......?m.}..
    0050 - 9d 4b 1f 8e 66 9c c4 19-bd 99 dd b5 31 6b 5e 49   .K..f.......1k^I
    0060 - 95 39 70 c1 11 26 00 ba-04 4c 18 05 82 20 72 7d   .9p..&...L... r}
    0070 - 5d 2c 31 21 c5 76 da 1a-b7 91 e4 b3 ff 93 d3 9a   ],1!.v..........
    0080 - b0 06 6d 0d 04 f7 fc 21-8d 0c 37 29 dd fc 17 a5   ..m....!..7)....
    0090 - b4 5e a3 50 e9 b2 0c 91-8c 2c 22 4b 13 52 e2 13   .^.P.....,"K.R..
    00a0 - f4 9f 99 76 43 8a 4c fc-28 22 94 de d4 0a a0 58   ...vC.L.(".....X
    00b0 - 91 1c 14 b1 c1 87 03 fa-a0 87 a6 36 81 b4 55 bf   ...........6..U.
    00c0 - 0d 69 a3 93 66 bd 68 72-b3 25 ce d1 63 6b 19 15   .i..f.hr.%..ck..
    00d0 - 5b 30 0d c3 9a de 82 85-d2 de f4 6d ae 40 e4 8a   [0.........m.@..
    00e0 - 51 66                                             Qf

    Start Time: 1583817303
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)  // 검증에러 
    Extended master secret: yes
---

Ctrl+c


3.2 Google Server의 Certificate 분석 

  • Google Server의 Certificate를 저장
Google에 접속하여 Server의 Certificate를 별도로 저장

$ openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
 
$ cat public.crt
-----BEGIN CERTIFICATE-----
MIIJRDCCCCygAwIBAgIRAO7eZWDNNcCvAgAAAABZcbcwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDAyMTIxMTQ3MTFaFw0yMDA1MDYxMTQ3
MTFaMGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRUwEwYDVQQDDAwq
Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATKjE9IuwUMNbIb
CmiOS1XWI2yPFLanStLIADumajnPmHrED+4/bPKa3HXecM4hPVHL8OgqwVYWveZs
S6OdF9Pqo4IG2jCCBtYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCRtN1AKArkz3KlGMpfhLYkaPFkY
MB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGQGCCsGAQUFBwEBBFgw
VjAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMW8xMCsGCCsG
AQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFMxTzEuY3J0MIIEnQYDVR0R
BIIElDCCBJCCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5hcHBlbmdp
bmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29tghgqLmNyb3dkc291cmNl
Lmdvb2dsZS5jb22CBiouZy5jb4IOKi5nY3AuZ3Z0Mi5jb22CESouZ2NwY2RuLmd2
dDEuY29tggoqLmdncGh0LmNugg4qLmdrZWNuYXBwcy5jboIWKi5nb29nbGUtYW5h
bHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2dsZS5j
by5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2dsZS5j
b20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdvb2ds
ZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8qLmdv
b2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29nbGUu
ZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyouZ29v
Z2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdvb2ds
ZWFwaXMuY26CESouZ29vZ2xlY25hcHBzLmNughQqLmdvb2dsZWNvbW1lcmNlLmNv
bYIRKi5nb29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboINKi5nc3RhdGljLmNv
bYISKi5nc3RhdGljY25hcHBzLmNuggoqLmd2dDEuY29tggoqLmd2dDIuY29tghQq
Lm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUu
Y29tghMqLndlYXIuZ2tlY25hcHBzLmNughYqLnlvdXR1YmUtbm9jb29raWUuY29t
gg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tghEqLnlvdXR1
YmVraWRzLmNvbYIHKi55dC5iZYILKi55dGltZy5jb22CGmFuZHJvaWQuY2xpZW50
cy5nb29nbGUuY29tggthbmRyb2lkLmNvbYIbZGV2ZWxvcGVyLmFuZHJvaWQuZ29v
Z2xlLmNughxkZXZlbG9wZXJzLmFuZHJvaWQuZ29vZ2xlLmNuggRnLmNvgghnZ3Bo
dC5jboIMZ2tlY25hcHBzLmNuggZnb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29t
ggpnb29nbGUuY29tgg9nb29nbGVjbmFwcHMuY26CEmdvb2dsZWNvbW1lcmNlLmNv
bYIYc291cmNlLmFuZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29v
Lmdsggh5b3V0dS5iZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29t
gg95b3V0dWJla2lkcy5jb22CBXl0LmJlMCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwG
CisGAQQB1nkCBQMwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL2NybC5wa2kuZ29v
Zy9HVFMxTzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAsh4FzIuizYog
Todm+Su5iiUgZ2va+nDnsklTLe+LkF4AAAFwOXBpZwAABAMARjBEAiA+QN+Y1BC1
iTg87rmcpsUM/Gu24qPQtScwEkDt1exEhAIgQZ65pwiFU6WtL7WIBUDRTSLLJtQz
SUb9E8H/e+H3kv8AdwBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AXA5cGl4AAAEAwBIMEYCIQD9qpknf9RA9NTnDbJ1R740ilIoZ5axO70RNKA2ozIp
DQIhAI1NyadJ74gUNJMOwgVolIAXXkoTlllaI+RlhpKJXQelMA0GCSqGSIb3DQEB
CwUAA4IBAQB/1D1o4bHjhENzzSVqw/WiW7R1Yg4kZjli4Jx+LL27l0iKIq5Je3M7
N9seKeytHKln9LJWcZKJU0ZbTMAspum0myuT9TCRUzlQySsFdd3w5wh0ORzaaMxf
dFZXbP5bVcGkuC/FdoNgnFFjfdJlif8ZWazQdGNT68dXSNYBrSWcZvTi6UHviVzy
KRNF8NXQPkmfEGnd4JAhXr/bNfKhYp/n8vsemQpmKWuA2eO+1W3C8iCVQ2JaQUSE
kOquDseMqEKLRl+Rqg9HWNZpZ7CJfxVEk9f8L9nc9fqQrRM3CB6E4nNwbo7jkwdk
w9vcyse48vXjWRg69iSIEEw4VHtES7QN
-----END CERTIFICATE-----

  • Google Server의 Certificate 분석
상위에서 저장된 Certificate 기반으로 분석

$ openssl x509 -in public.crt -noout -text  // 상위 Certifacte 전체 분석 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:de:65:60:cd:35:c0:af:02:00:00:00:00:59:71:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
        Validity
            Not Before: Feb 12 11:47:11 2020 GMT
            Not After : May  6 11:47:11 2020 GMT
        Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ca:8c:4f:48:bb:05:0c:35:b2:1b:0a:68:8e:4b:
                    55:d6:23:6c:8f:14:b6:a7:4a:d2:c8:00:3b:a6:6a:
                    39:cf:98:7a:c4:0f:ee:3f:6c:f2:9a:dc:75:de:70:
                    ce:21:3d:51:cb:f0:e8:2a:c1:56:16:bd:e6:6c:4b:
                    a3:9d:17:d3:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                24:6D:37:50:0A:02:B9:33:DC:A9:46:32:97:E1:2D:89:1A:3C:59:18
            X509v3 Authority Key Identifier:
                keyid:98:D1:F8:6E:10:EB:CF:9B:EC:60:9F:18:90:1B:A0:EB:7D:09:FD:2B

            Authority Information Access:
                OCSP - URI:http://ocsp.pki.goog/gts1o1
                CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt

            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.gcpcdn.gvt1.com, DNS:*.ggpht.cn, DNS:*.gkecnapps.cn, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecnapps.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.wear.gkecnapps.cn, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.youtubekids.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:ggpht.cn, DNS:gkecnapps.cn, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecnapps.cn, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:youtubekids.com, DNS:yt.be
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.11129.2.5.3

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.pki.goog/GTS1O1.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:
                                25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E
                    Timestamp : Feb 12 12:47:13.255 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3E:40:DF:98:D4:10:B5:89:38:3C:EE:B9:
                                9C:A6:C5:0C:FC:6B:B6:E2:A3:D0:B5:27:30:12:40:ED:
                                D5:EC:44:84:02:20:41:9E:B9:A7:08:85:53:A5:AD:2F:
                                B5:88:05:40:D1:4D:22:CB:26:D4:33:49:46:FD:13:C1:
                                FF:7B:E1:F7:92:FF
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Feb 12 12:47:13.272 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:FD:AA:99:27:7F:D4:40:F4:D4:E7:0D:
                                B2:75:47:BE:34:8A:52:28:67:96:B1:3B:BD:11:34:A0:
                                36:A3:32:29:0D:02:21:00:8D:4D:C9:A7:49:EF:88:14:
                                34:93:0E:C2:05:68:94:80:17:5E:4A:13:96:59:5A:23:
                                E4:65:86:92:89:5D:07:A5
    Signature Algorithm: sha256WithRSAEncryption
         7f:d4:3d:68:e1:b1:e3:84:43:73:cd:25:6a:c3:f5:a2:5b:b4:
         75:62:0e:24:66:39:62:e0:9c:7e:2c:bd:bb:97:48:8a:22:ae:
         49:7b:73:3b:37:db:1e:29:ec:ad:1c:a9:67:f4:b2:56:71:92:
         89:53:46:5b:4c:c0:2c:a6:e9:b4:9b:2b:93:f5:30:91:53:39:
         50:c9:2b:05:75:dd:f0:e7:08:74:39:1c:da:68:cc:5f:74:56:
         57:6c:fe:5b:55:c1:a4:b8:2f:c5:76:83:60:9c:51:63:7d:d2:
         65:89:ff:19:59:ac:d0:74:63:53:eb:c7:57:48:d6:01:ad:25:
         9c:66:f4:e2:e9:41:ef:89:5c:f2:29:13:45:f0:d5:d0:3e:49:
         9f:10:69:dd:e0:90:21:5e:bf:db:35:f2:a1:62:9f:e7:f2:fb:
         1e:99:0a:66:29:6b:80:d9:e3:be:d5:6d:c2:f2:20:95:43:62:
         5a:41:44:84:90:ea:ae:0e:c7:8c:a8:42:8b:46:5f:91:aa:0f:
         47:58:d6:69:67:b0:89:7f:15:44:93:d7:fc:2f:d9:dc:f5:fa:
         90:ad:13:37:08:1e:84:e2:73:70:6e:8e:e3:93:07:64:c3:db:
         dc:ca:c7:b8:f2:f5:e3:59:18:3a:f6:24:88:10:4c:38:54:7b:
         44:4b:b4:0d

$ openssl x509 -in public.crt -noout -dates  // 날짜 분석 
notBefore=Feb 12 11:47:11 2020 GMT
notAfter=May  6 11:47:11 2020 GMT



  • Google Certificate Verification
TLSv1.3 or TLSv1.2 으로 연결이 되어도 보면 항상 verification에서 문제가 있는 것을 알 수가 있어서 이부분을 점검
현재의 Certificate가 검증이 안된것이라고 생각되어짐

$ openssl verify public.crt  // 상위 검증에러 부분 다시 점검 (동일하게 에러발생)
C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error public.crt: verification failed

//openssl certs 저장장소 (현재 아무것도 없음, 검증된 certificate가 있다면 그것으로 TEST) 
$ ls -lah /etc/ssl/certs   
...


$ echo -n | openssl s_client -connect google.com:443 -CAfile ./public.crt  -tls1_2  | grep Verify  //verfication 때문에 다시 테스트진행  
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
    Verify return code: 20 (unable to get local issuer certificate)   // 상위와 같이 검증부분에러 
DONE


// 직접 발급 Certificate 
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes 

$ echo -n | openssl s_client -connect google.com:443 -CAfile ./cert.pem  -tls1_2 | grep Verify  //verfication 때문에 다시 테스트진행  
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
    Verify return code: 20 (unable to get local issuer certificate)   // 상위와 같이 검증부분에러
DONE

아래사이트에서 이부분을 해결함
  https://github.com/nghttp2/nghttp2/issues/928


3.3  다른 HTTPS Server 직접분석방법

BASE64를 ASCII로 Encode
  https://www.base64encode.org/
  https://base64.guru/converter/encode/hex

  • HTTPS Server 직접 분석 
Google에서 Certificate를 저장하여 분석했지만, 아래와 같이 직접 분석

$ echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -dates  // 상위에서 File 저장할 필요없이 직접 분석 

$ echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -text   // 상위에서 File 저장할 필요없이 직접 분석


  • feistyduck Server 분석 
Google에서 Certificate를 저장하여 분석했지만, 아래와 같이 직접 분석

$ openssl s_client -connect www.feistyduck.com:443  //기본 TLS v1.2 연결됨 확인 
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIRAPR/CbWZEksfCIRqxNcesPIwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTgwMjEyMDAwMDAwWhcNMjEwMjE3MjM1OTU5WjBWMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMRsw
GQYDVQQDExJ3d3cuZmVpc3R5ZHVjay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7qdk9MwGLohNIs+Yjfcie2RZQtbnvaykbeHB0gVi4UhLW7Z1Q
zkrgxHQdtFRdycHs2s/mr2y2on7d5/ZcorvioSwJw+uRmpANlw+bw6plwYaDgLRU
SOCB/XYmyhygm8SfxyK3j9vo2t5lgGgUB+WFHhSEWbGZc2iTcvWmSSxXqkl01CHP
lagHQ6cXiWDx6Nq65p7J/dhD+dI6N97mYU54r1TZXxIw86cIJxYXmIT1byHxgY2p
U/NiTAhnkZpLJIWBeZt224Ap3StzSMgeWKIAiNlK5gpP68Vn3UexQVbt4iNRnZZI
hht7GkGvnMFNtocJMzyaFv90TCNFHu7EDwmDAgMBAAGjggHfMIIB2zAfBgNVHSME
GDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUqXM3+6Zd7KD6Dgtf
7SJOOG8ermgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcw
KzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYG
Z4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUG
CCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMC0GA1UdEQQmMCSC
End3dy5mZWlzdHlkdWNrLmNvbYIOZmVpc3R5ZHVjay5jb20wDQYJKoZIhvcNAQEL
BQADggEBADYaCw8RhIrvN/fgZ8gQWpMXeCwnVDM4HqjgweMAdSISBGw9vry6q9w6
jTNAeGRhDYplk7prJjI8HWH8W3eT0K/LafuQdblpohm/rdtXqOyoi8pQqDN1bqwr
8TKHT6o1MUOAkK0ptkiUSLuc3lh2J1Ivyh8NTkeI+3ntxjJvE4z89ib7mQj/LPBy
L1MPjFiB5pyvf9jDBxv8TmG4Q6TnDDhw2t2Qil6lhsPAMZ9odP22W3uaLE1y7aB6
zbQXjVsc3E1THfFZWRzDPsU4fN/1iGlbrcAWa2sFfhJXrCDfAowFJ8A1n9jMiNEG
WfQfGgA2ar2xUtsqA7Re6XlXOlwBPuQ=
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5027 bytes and written 446 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6B6C93F4B46A273D51F2EEBF1FCA910218EC34521BA4D9FAE45BFB839B3F8356
    Session-ID-ctx:
    Master-Key: 0A865001506F6133227E5C02290D48804041D50B7DDF8A23AE87B87BF61F287BE8C8D08CA7EE648A3E7BD004EF97D1E3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2b e5 ee 02 ca 6b 71 e2-af 6c c3 04 5b 40 07 60   +....kq..l..[@.`
    0010 - 71 15 fd 86 9e 56 ce bc-17 b4 1c 8c 3a 90 87 2f   q....V......:../
    0020 - bc aa 2b e6 dc 86 e4 b0-1b 2a 94 a7 96 c1 4e 2b   ..+......*....N+
    0030 - 94 33 fb 37 cb 98 ac 27-5b d5 6a f6 8c 72 c8 61   .3.7...'[.j..r.a
    0040 - 61 a5 bc e8 0d 00 3a c7-a2 4d fb 75 3e 06 3a 6b   a.....:..M.u>.:k
    0050 - 0d 86 3c cb 4a 53 1e 3f-fc ec 22 92 8e f3 e2 1c   ..<.JS.?..".....
    0060 - 67 d2 95 aa 2b c8 80 cb-5f 76 95 33 ec 32 b3 c7   g...+..._v.3.2..
    0070 - fd e5 db 1d 7c 0b ac 7c-cd 2d 49 62 f2 ed a5 71   ....|..|.-Ib...q
    0080 - dd 2e f3 63 8d 1a 5a 90-58 85 93 3a 1b 3b ec af   ...c..Z.X..:.;..
    0090 - a7 35 0f 30 1c 08 c6 98-5b 99 d0 ae 7d 20 a7 06   .5.0....[...} ..
    00a0 - 0f b1 5f bd 82 31 29 f4-12 b9 52 7b ea 35 25 0a   .._..1)...R{.5%.
    00b0 - 53 2f ad 16 13 21 10 5b-6f 79 ee 67 06 3d 14 e8   S/...!.[oy.g.=..
    00c0 - 1f 2f 41 55 c5 e1 cf 5a-ad de 57 c7 d1 d0 a4 a3   ./AU...Z..W.....

    Start Time: 1591687396
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---


$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -text
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f4:7f:09:b5:99:12:4b:1f:08:84:6a:c4:d7:1e:b0:f2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Feb 12 00:00:00 2018 GMT
            Not After : Feb 17 23:59:59 2021 GMT
        Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:a9:d9:3d:33:01:8b:a2:13:48:b3:e6:23:7d:
                    c8:9e:d9:16:50:b5:b9:ef:6b:29:1b:78:70:74:81:
                    58:b8:52:12:d6:ed:9d:50:ce:4a:e0:c4:74:1d:b4:
                    54:5d:c9:c1:ec:da:cf:e6:af:6c:b6:a2:7e:dd:e7:
                    f6:5c:a2:bb:e2:a1:2c:09:c3:eb:91:9a:90:0d:97:
                    0f:9b:c3:aa:65:c1:86:83:80:b4:54:48:e0:81:fd:
                    76:26:ca:1c:a0:9b:c4:9f:c7:22:b7:8f:db:e8:da:
                    de:65:80:68:14:07:e5:85:1e:14:84:59:b1:99:73:
                    68:93:72:f5:a6:49:2c:57:aa:49:74:d4:21:cf:95:
                    a8:07:43:a7:17:89:60:f1:e8:da:ba:e6:9e:c9:fd:
                    d8:43:f9:d2:3a:37:de:e6:61:4e:78:af:54:d9:5f:
                    12:30:f3:a7:08:27:16:17:98:84:f5:6f:21:f1:81:
                    8d:a9:53:f3:62:4c:08:67:91:9a:4b:24:85:81:79:
                    9b:76:db:80:29:dd:2b:73:48:c8:1e:58:a2:00:88:
                    d9:4a:e6:0a:4f:eb:c5:67:dd:47:b1:41:56:ed:e2:
                    23:51:9d:96:48:86:1b:7b:1a:41:af:9c:c1:4d:b6:
                    87:09:33:3c:9a:16:ff:74:4c:23:45:1e:ee:c4:0f:
                    09:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier:
                A9:73:37:FB:A6:5D:EC:A0:FA:0E:0B:5F:ED:22:4E:38:6F:1E:AE:68
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:www.feistyduck.com, DNS:feistyduck.com
    Signature Algorithm: sha256WithRSAEncryption
         36:1a:0b:0f:11:84:8a:ef:37:f7:e0:67:c8:10:5a:93:17:78:
         2c:27:54:33:38:1e:a8:e0:c1:e3:00:75:22:12:04:6c:3d:be:
         bc:ba:ab:dc:3a:8d:33:40:78:64:61:0d:8a:65:93:ba:6b:26:
         32:3c:1d:61:fc:5b:77:93:d0:af:cb:69:fb:90:75:b9:69:a2:
         19:bf:ad:db:57:a8:ec:a8:8b:ca:50:a8:33:75:6e:ac:2b:f1:
         32:87:4f:aa:35:31:43:80:90:ad:29:b6:48:94:48:bb:9c:de:
         58:76:27:52:2f:ca:1f:0d:4e:47:88:fb:79:ed:c6:32:6f:13:
         8c:fc:f6:26:fb:99:08:ff:2c:f0:72:2f:53:0f:8c:58:81:e6:
         9c:af:7f:d8:c3:07:1b:fc:4e:61:b8:43:a4:e7:0c:38:70:da:
         dd:90:8a:5e:a5:86:c3:c0:31:9f:68:74:fd:b6:5b:7b:9a:2c:
         4d:72:ed:a0:7a:cd:b4:17:8d:5b:1c:dc:4d:53:1d:f1:59:59:
         1c:c3:3e:c5:38:7c:df:f5:88:69:5b:ad:c0:16:6b:6b:05:7e:
         12:57:ac:20:df:02:8c:05:27:c0:35:9f:d8:cc:88:d1:06:59:
         f4:1f:1a:00:36:6a:bd:b1:52:db:2a:03:b4:5e:e9:79:57:3a:
         5c:01:3e:e4

$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -dates
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
notBefore=Feb 12 00:00:00 2018 GMT
notAfter=Feb 17 23:59:59 2021 GMT

3.4 HTTPS 의 Local TEST 진행 

OpenSSL 기반으로 Ceritifacte와 Private Key를 발급 후 Server를 동작 후 이를 테스트 진행

RSA 기반으로 Key 발급
  • Local HTTPS Server의 Certififace 와 Private Key 발급
//RSA 기반 
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes 
//cert.pem  Certificate Clinet가 접속시 확인가능 
//key.pem   Private Key

  https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html


$ openssl req -new -key key.pem -out cert.pem 
//cert.pem  Certificate Clinet가 접속시 확인가능 
//key.pem   Private Key


  • Local HTTPS Server 동작 (Server)
백그라운드로 Server 동작
$ openssl s_server -key key.pem -cert cert.pem -accept 443 -www  &  
Using default temp DH parameters
ACCEPT

  • Local HTTPS Client 연결
Server 연결 후 상위 cert.pem 과 동일 확인
$ openssl s_client -connect 127.0.0.1:443  // 상위 cert.pem 와 동일 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
   i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIURnorX3QpJ93WAOOr7qar5EaAgI0wDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA2MDkwNjE3NTdaFw0yMTA2
MDkwNjE3NTdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCdT9nzl+IwWYLdWFCsNWRTBHgMVaQmQgQVWrrtU/HE
5xrRzxRlHMocuVO93dTBN9swAucNKa9zOYAmrBuqETnAMun3duWfqpO8OR3uFmOl
l2j2dmPl7NiFnRgWtUinOKoDcyAIyZ+fptqK4m/5+DaR2VSq9QkMJDCam34DwGaP
vWTWikHPXejzCLV8iBf8NYLDk+hyfoazSIy5Nnv7chYrgTokPowT+KuSx5FkhO1s
CpkaoWkZhCMObzkFgAg9p8m7gJXqH9BTZZ7/+0Hix2ikQ6AvSHqlFWq1HByMgret
x8FFIxV/hiAjc7693e9IhfgJWiUBtrebMvEJX8DRHJINAgMBAAGjUzBRMB0GA1Ud
DgQWBBRO/YApwyXr9ZZ7KOajIgXKDVSiazAfBgNVHSMEGDAWgBRO/YApwyXr9ZZ7
KOajIgXKDVSiazAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA8
9HXQUU6LcpMqYdeHA+bINkRZNgwLgv5UApw0pYsmoBZzSyxEvIJZQX/kq21Vbjq0
BiRl3/2+kptxlKClTM0Zr21ZDW6T2Jkzx7cYGk2mCkxnEHO4em3bIwS/Me5LKiiw
wmiN2dXcqIeKWgjrnRqE+eAnjZCPxYdZ5HwWb6yIXmbEZa63UZ3ky28jS9nZq/Xi
rTsUboQjiGivqkLQBG6OB0sgOtTxA27StHr9Xo5n2Hz0+WEigbdofM8AdJhMIjn9
tAUteoj4JUxvLJTtZuVVxdKxpmI+gDydsx1osTbrCzOJ+VkJjijJ6/Yk2/0NS2VH
CTWLAqrOcsyrtdlgXRbs
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1435 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ECCF57A71FE4DA0AD66DE23685BD58CD3F5BC88756033845BB3460472A40389E
    Session-ID-ctx:
    Resumption PSK: 651BA37791F1ABF1C1A7319B6386484ADE95960E666B5F14B3759AEA2DCFDB47D021A0C64F69AC383C2909E9D99127D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 62 86 65 f9 7d 97 af-32 99 0d 13 71 8b 96 fc   6b.e.}..2...q...
    0010 - af 37 d6 56 1e 5a bd 46-d2 a6 6b cc e1 9a 5a 91   .7.V.Z.F..k...Z.
    0020 - 5d b7 fa 5a e0 d1 c7 e0-c2 13 37 fe 47 f1 df da   ]..Z......7.G...
    0030 - 4e e3 5a 94 95 b5 ea 26-99 ef af 2e 91 60 64 98   N.Z....&.....`d.
    0040 - f4 18 5e 4e 91 41 07 b1-cf 45 c0 0a d4 da 9a 72   ..^N.A...E.....r
    0050 - 5b 8d d1 78 9d 51 01 73-e4 1b d5 53 2c 4c d5 28   [..x.Q.s...S,L.(
    0060 - eb e6 f1 21 be 78 87 d5-24 8a 33 10 c0 ae 32 cf   ...!.x..$.3...2.
    0070 - a3 15 d1 a0 21 d5 57 35-20 59 d3 d4 90 b4 cc 42   ....!.W5 Y.....B
    0080 - 5e 3d 90 67 be 93 25 e9-25 74 39 2b 08 04 99 a0   ^=.g..%.%t9+....
    0090 - 28 8b 4d ef a5 08 8c 36-8c f3 1e ce 6e 3f 40 59   (.M....6....n?@Y
    00a0 - 58 7f 20 f4 f4 ac 5f 1c-28 be 01 f1 3a d0 00 00   X. ..._.(...:...
    00b0 - 38 ed e3 74 4c ca a9 3e-02 ff 35 8f 41 b0 ba e1   8..tL..>..5.A...

    Start Time: 1591683618
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 08C9BB5B706488A4657B05D86629EA0518E72E0C73498DA59BF3337E7C7CB346
    Session-ID-ctx:
    Resumption PSK: 8D7303226BB700F521767764C32383FDC598B4E99185E8502A0787159DDA50DDBE2570A7D659AB4CCA85E5BF3B9F59E1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 62 86 65 f9 7d 97 af-32 99 0d 13 71 8b 96 fc   6b.e.}..2...q...
    0010 - f7 4c 20 42 14 1b 61 c0-8b d2 2b b4 c9 f8 20 d1   .L B..a...+... .
    0020 - 29 6c 8c e0 8b 40 c9 f2-29 93 5d b2 e3 7a df 41   )l...@..).]..z.A
    0030 - 96 7b a6 d3 73 4d c4 31-9e ca 74 88 49 53 0f 71   .{..sM.1..t.IS.q
    0040 - bb 1f f6 0a ba 77 76 09-d3 d6 13 1e 96 21 60 91   .....wv......!`.
    0050 - c4 46 ff a6 c2 60 c8 99-a2 fd 94 8d 3a 26 ea 99   .F...`......:&..
    0060 - 7c c9 77 b1 2f 88 b8 09-35 9b d1 2d 21 43 ce 3a   |.w./...5..-!C.:
    0070 - 17 e3 78 37 a3 4b 61 32-ed 60 09 ac 92 dd 11 00   ..x7.Ka2.`......
    0080 - bb 13 6e d6 90 24 bf 39-c8 4a 9a ba ff 83 dd 2f   ..n..$.9.J...../
    0090 - 21 eb 18 23 49 bb d7 3d-71 61 0a 3f ae a2 8f 10   !..#I..=qa.?....
    00a0 - 04 06 62 f3 0c c0 99 77-c0 0e f7 81 6c cf b9 ab   ..b....w....l...
    00b0 - b1 bf fe 4a d1 7b 66 b3-56 02 fd ef ba aa 3d d1   ...J.{f.V.....=.
    00c0 - f9 a8 f4 c1 6d 40 cb fc-36 21 67 5e 2f 6c e1 c2   ....m@..6!g^/l..

    Start Time: 1591683618
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK



  • Encode 와 Decode TEST 진행
$ echo 'hello world!' | openssl aes-256-cbc -a -k "passwordkey"    //enc를 사용 -a base64 enc  
U2FsdGVkX1+fe5EdA+UkQOAxj2rYLb6ZDgNcGcd0A4Y=

$ echo 'U2FsdGVkX19LEynrqiD3WZHqvOAU5R/hUpeKLR4IYO4=' | openssl aes-256-cbc -a -d  -k "passwordkey"  // dec 사용시 동작 
hello world!

$ cat > test.txt // TEXT File 생성 
hellow world

$ openssl enc -e -aes-128-cbc -in test.txt -out test.enc -k "password1234"  // enc 사용 

$ openssl enc -d -aes-128-cbc -in test.enc -out test.dec -k "password1234"  // dec 사용 

$ cat test.dec  // dec 확인 
hello world

$ openssl enc -e -aria-128-cbc -in test.txt -out test.enc -k "password1234" // enc 사용 

$ openssl enc -d -aria-128-cbc -in test.enc -out test.dec -k "password1234" // dec 사용 

$ cat test.dec  // dec 확인 
hello world

ARIA
  https://en.wikipedia.org/wiki/ARIA_(cipher)
  https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher
  https://getrfc.com/rfc6209

openssl suites
  https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
  https://sarc.io/index.php/httpd/581-openssl-suites
  https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings/
  https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce
  https://m.blog.naver.com/PostView.nhn?blogId=seri0528&logNo=20188280116&proxyReferer=https%3A%2F%2Fwww.google.com%2F
  https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-Usingopenssl


CBC 관련 Encrytipn and Decrytion Example
  https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption

GCM/CCM 관련 Encrytion and Decrytion Example
  https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
  https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope

ECB/CBC/CFB/CTR
  https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

댓글 없음 :
Tags: , , ,
피드 구독하기: 글 ( Atom )