When it comes to encryption protocols, SSL (Secure Sockets Layer) / TLS (Transport Layer Security) or
DTLS (Datagram Transport Layer Security) are generally used; here we aim to understand only what each is used for and the basic concepts.
https://ko.wikipedia.org/wiki/TLS_%EA%B5%AC%ED%98%84%EC%9D%98_%EB%B9%84%EA%B5%90
https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html
TLSv1.2
https://www.ietf.org/rfc/rfc5246.txt
https://chipmaker.tistory.com/entry/%E3%85%87
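(The rest is omitted.)
Capturing screenshots is too tedious for me as well; it works fine according to the structure above.
2.2 Preparing the TLS/DTLS Key and Certificate
2.3 TLS/DTLS Basic Test Source
3. Installing and Testing OpenSSL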
RootCA / SubCA / Digital Signature Sign
https://en.wikipedia.org/wiki/Root_certificate
https://en.wikipedia.org/wiki/Certificate_authority
https://en.wikipedia.org/wiki/Public_key_certificate
Issuing a Root CA with OpenSSL
https://www.lesstif.com/pages/viewpage.action?pageId=6979614
https://www.lesstif.com/pages/viewpage.action?pageId=7635159
How to Use OpenSSL Commands
https://wiki.openssl.org/index.php/Command_Line_Utilities
https://en.wikipedia.org/wiki/OpenSSL
openssl s_client -connect
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
https://www.poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/
http://coffeenix.net/board_view.php?bd_code=1661
https://xbloger.tistory.com/18
https://spin.atomicobject.com/2018/07/30/openssl-s-client/
https://www.freebsd.org/cgi/man.cgi?query=s_client&manpath=FreeBSD+11-current
https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html
openssl s_server
https://www.openssl.org/docs/man1.0.2/man1/s_server.html
https://github.com/openssl/openssl/blob/master/apps/server.pem
https://theswlee.tistory.com/48
https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
https://www.rabbitmq.com/troubleshooting-ssl.html
https://www.rabbitmq.com/troubleshooting-networking.html
https://www.rabbitmq.com/ssl.html#certificates-and-keys
In general, pem or crt files are base64-encoded and can easily be inspected with cat, but der appears to be a binary format, so convert it as shown below.
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
https://wiki.openssl.org/index.php/DER
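The PEM/DER relationship described above, as an added example that is not part of the original post: it creates a throw-away certificate, converts it in both directions, and checks that the PEM body is exactly base64 of the DER bytes. The subject name `/CN=localhost` and all file names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the original post): PEM vs DER with the openssl CLI.
# The subject name and all file names are constructed for this sketch.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away RSA key and self-signed certificate; PEM is openssl's default output.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Same certificate, two encodings.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# First two bytes as hex. DER starts with an ASN.1 SEQUENCE tag (0x30); 0x82 means
# "length follows in two bytes", which holds for any certificate of 256..65535 bytes.
leading_bytes() { od -An -tx1 -N2 "$1" | tr -d ' \n'; }

# The PEM body is just base64(DER) between the BEGIN/END armor lines.
pem_body_matches_der() {
  grep -v -- '-----' "$1" | openssl base64 -d | cmp -s - "$2"
}

# The fingerprint is a hash of the DER bytes, so it does not depend on the file encoding.
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

demo() {
  make_cert
  pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
  der_to_pem "$WORK/cert.der" "$WORK/roundtrip.pem"
  echo "PEM first line : $(head -n 1 "$WORK/cert.pem")"
  echo "DER first bytes: $(leading_bytes "$WORK/cert.der")"
  pem_body_matches_der "$WORK/cert.pem" "$WORK/cert.der" && echo "PEM body == base64(DER)"
  fingerprint "$WORK/cert.pem" PEM
  fingerprint "$WORK/roundtrip.pem" PEM
  # Human-readable view of the binary file without converting it first.
  openssl x509 -in "$WORK/cert.der" -inform DER -noout -subject -dates
}

demo
```

A `.crt` or `.cer` file can hold either encoding, so `leading_bytes` (or the first line of the file) is a quicker check than the file extension.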
3.1 HTTPS Google Server Connection Test
3.2 Analyzing the Google Server's Certificate
It appears that the current certificate was not verified.
This was resolved using the site below.
https://github.com/nghttp2/nghttp2/issues/928
3.3 How to Analyze Another HTTPS Server Directly
Encode BASE64 to ASCII
https://www.base64encode.org/
https://base64.guru/converter/encode/hex
3.4 Running a Local HTTPS Test
Issue a certificate and private key with OpenSSL, start the server, and then test it.
Issue an RSA-based key
https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
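The local test outlined in 3.4, as an added example that is not part of the original post: it issues an RSA key and self-signed certificate, runs `openssl s_server` on loopback, and shows with `openssl s_client` how the verify result changes once the certificate is supplied as a trust anchor (the same kind of unverified-certificate result noted in 3.2). Port 44330, the subject `/CN=localhost` and the file names are assumptions made for this sketch; the `host:port` form of `-accept` needs OpenSSL 1.1.0 or later.

```sh
#!/bin/sh
# Added example (not from the original post): local TLS test with s_server / s_client.
# PORT, the subject name and the file names are constructed for this sketch.
set -eu

PORT="${PORT:-44330}"
WORK="$(mktemp -d)"
SERVER_PID=""
cleanup() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
  rm -rf "$WORK"
}
trap cleanup EXIT

# RSA private key plus a self-signed certificate for the test server.
issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Handshake summary from s_client; extra arguments are passed through.
handshake() {
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null
}

# Start s_server on loopback only; -www makes it answer an HTTP GET with a status page.
start_server() {
  openssl s_server -accept "127.0.0.1:$PORT" -www \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    </dev/null >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
  tries=0
  while [ "$tries" -lt 10 ]; do
    # A printed verify line means the TCP connect and TLS handshake both happened.
    if handshake | grep -q 'Verify return code'; then
      return 0
    fi
    tries=$((tries + 1))
    sleep 1
  done
  return 1
}

verify_line() { handshake "$@" | grep 'Verify return code' | head -n 1; }
protocol_line() { handshake "$@" | grep 'Protocol  *:' | head -n 1; }
is_verified() { verify_line "$@" | grep -q 'code: 0 (ok)'; }

demo() {
  issue_cert
  start_server
  # Without a trust anchor the self-signed certificate is reported as error 18.
  echo "no trust anchor : $(verify_line)"
  # Supplying the certificate itself as the CA file makes the chain verify.
  echo "with -CAfile    : $(verify_line -CAfile "$WORK/cert.pem")"
  # Pin the protocol version to confirm the server accepts TLS 1.2.
  echo "forced TLS 1.2  : $(protocol_line -CAfile "$WORK/cert.pem" -tls1_2)"
}

demo
```

By default `s_client` completes the handshake even when verification fails, so read the `Verify return code` line rather than the exit status; adding `-verify_return_error` makes a failed verification abort the handshake.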
ARIA
https://en.wikipedia.org/wiki/ARIA_(cipher)
https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher
https://getrfc.com/rfc6209
openssl suites
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
https://sarc.io/index.php/httpd/581-openssl-suites
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings/
https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce
https://m.blog.naver.com/PostView.nhn?blogId=seri0528&logNo=20188280116&proxyReferer=https%3A%2F%2Fwww.google.com%2F
https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-Usingopenssl
CBC Encryption and Decryption Example
https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption
GCM/CCM Encryption and Decryption Example
https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope
ECB/CBC/CFB/CTR
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
- Abbreviations and TCP/UDP
- SSL (Secure Sockets Layer): TCP-based
- TLS (Transport Layer Security): TCP-based
- DTLS (Datagram Transport Layer Security): UDP-based
SSL(Secure Sockets Layer)
SSL(Secure Sockets Layer)/ TLS(Transport Layer Security)
SSL (Secure Sockets Layer) / TLS (Transport Layer Security) is a secure channel over TCP that encrypts HTTP, FTP, or
other network protocols for communication.
SSL was widely used in SSH, and TLS is its further development; it is an encryption protocol used in many places,
most commonly HTTPS.
SSL is all but disappearing; the ones that matter are TLS and DTLS, and those are what is covered here.
As for DTLS, I have only seen it used mainly in CMVP (Cryptographic Module Validation Program) or KCMVP equipment.
DTLS can be thought of as TLS run over UDP.
OpenSSL-related links
Check the OpenSSL version history
1.1 Libraries Supporting SSL/TLS
OpenSSL is widely used on Linux, but on embedded systems, because of size constraints, a library other than OpenSSL may be substituted, as listed below.
On ARM, MbedTLS is mainly used, and the next best known seems to be wolfSSL.
I don't know iOS well, so I'll skip it.
- Checking TLS version support
OpenSSL is what is usually used; compare it with the other TLS libraries in the table.
mbed OS, recently provided by ARM, also supports TLS; see the link below for details.
Implementation | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
---|---|---|---|---|---|---|
Botan | No | No[199] | Yes | Yes | Yes | |
cryptlib | No | Disabled by default at compile time | Yes | Yes | Yes | |
GnuTLS | No[a] | Disabled by default[200] | Yes | Yes | Yes | Yes[201] |
Java Secure Socket Extension | No[a] | Disabled by default[202] | Yes | Yes | Yes | Yes |
LibreSSL | No[203] | No[204] | Yes | Yes | Yes | As of version 3.2.2 [205][206] |
MatrixSSL | No | Disabled by default at compile time[207] | Yes | Yes | Yes | yes (draft version) |
mbed TLS (previously PolarSSL) | No | Disabled by default[208] | Yes | Yes | Yes | |
Network Security Services | No[b] | Disabled by default[209] | Yes | Yes[210] | Yes[211] | Yes[212] |
OpenSSL | No[213] | Enabled by default | Yes | Yes[214] | Yes[214] | Yes[215] |
RSA BSAFE Micro Edition Suite | No | Disabled by default | Yes | Yes | Yes | Not yet |
RSA BSAFE SSL-J | No | Disabled by default | Yes | Yes | Yes | Not yet |
SChannel XP / 2003[216] | Disabled by default by MSIE 7 | Enabled by default | Enabled by default by MSIE 7 | No | No | No |
SChannel Vista[217] | Disabled by default | Enabled by default | Yes | No | No | No |
SChannel 2008[217] | Disabled by default | Enabled by default | Yes | Disabled by default (KB4019276)[149] | Disabled by default (KB4019276)[149] | No |
SChannel 7 / 2008 R2[218] | Disabled by default | Disabled by default in MSIE 11 | Yes | Enabled by default by MSIE 11 | Enabled by default by MSIE 11 | No |
SChannel 8 / 2012[218] | Disabled by default | Enabled by default | Yes | Disabled by default | Disabled by default | No |
SChannel 8.1 / 2012 R2, 10 v1507 & v1511[218] | Disabled by default | Disabled by default in MSIE 11 | Yes | Yes | Yes | No |
SChannel 10 v1607 / 2016[159] | No | Disabled by default | Yes | Yes | Yes | No |
Secure Transport OS X 10.2–10.8 / iOS 1–4 | Yes | Yes | Yes | No | No | |
Secure Transport OS X 10.9–10.10 / iOS 5–8 | No[c] | Yes | Yes | Yes[c] | Yes[c] | |
Secure Transport OS X 10.11 / iOS 9 | No | No[c] | Yes | Yes | Yes | |
Seed7 TLS/SSL Library | No | Yes | Yes | Yes | Yes | |
wolfSSL (previously CyaSSL) | No | Disabled by default[219] | Yes | Yes | Yes | yes (draft version)[220] |
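Source
1.2 Browser Information Related to HTTPS
HTTPS can be thought of as HTTP with TLS added.
The following shows each web browser's support for encryption protocols; compare them to understand the differences.
This information was taken from Wikipedia, so check the wiki below for the latest version.
In the figure below, reading from the left, you can see the gradual shift from SSL to TLS as security is strengthened.
Also look at the SSL/TLS versions alongside.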
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Google Chrome (Chrome for Android) [n 8] [n 9] | 1–9 | Windows (7+) macOS (10.10+) Linux Android (4.4+) iOS (10.0+) Chrome OS | Disabled by default | Enabled by default | Yes | No | No | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected [79] | Vulnerable (HTTPS) | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Yes[n 10] | |
10–20 | No[80] | Enabled by default | Yes | No | No | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Vulnerable (HTTPS/SPDY) | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Yes[n 10] | |||
21 | No | Enabled by default | Yes | No | No | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated [81] | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Yes[n 10] | |||
22–29 | No | Enabled by default | Yes | Yes[82] | No[82][83][84][85] | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
30–32 | No | Enabled by default | Yes | Yes | Yes[83][84][85] | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
33–37 | No | Enabled by default | Yes | Yes | Yes | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Partly mitigated [n 12] | Lowest priority [88][89][90] | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
38, 39 | No | Enabled by default | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Partly mitigated | Lowest priority | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
40 | No | Disabled by default[87][91] | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated [n 13] | Lowest priority | Vulnerable (except Windows) | Vulnerable | Yes[n 14] | |||
41, 42 | No | Disabled by default | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated | Lowest priority | Mitigated | Vulnerable | Yes[n 14] | |||
43 | No | Disabled by default | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated | Only as fallback [n 15][92] | Mitigated | Vulnerable | Yes[n 14] | |||
44–47 | No | No[93] | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Not affected | Only as fallback [n 15] | Mitigated | Mitigated[94] | Temporary [n 11] | |||
48, 49 | No | No | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
50–53 | No | No | Yes | Yes | Yes | No | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
54–66 | No | No | Yes | Yes | Yes | Disabled by default (draft version) | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
67–69 | No | No | Yes | Yes | Yes | Yes (draft version) | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
70–83 | No | No | Yes | Yes | Yes | Yes | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
84–85 | 86 | No | No | Warn by default | Warn by default | Yes | Yes | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | ||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Microsoft Edge (Chromium based) OS independent | 79–83 | Windows (7+) macOS (10.12+) Linux Android (4.4+) iOS (11.0+) | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default | Mitigated | Mitigated | Yes[n 10] | |
84–85 | 86 | No | No | Warn by default | Warn by default | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default | Mitigated | Mitigated | Yes[n 10] | ||
88[97] | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default | Mitigated | Mitigated | Yes[n 10] | |||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Mozilla Firefox (Firefox for mobile) [n 17] | 1.0, 1.5 | Windows (7+) macOS (10.12+) Linux Android (4.1+) iOS (10.3+) ESR only for: Windows (7+) macOS (10.9+) Linux | Enabled by default [98] | Enabled by default [98] | Yes[98] | No | No | No | No | Yes[71] | No | Not affected [99] | Not affected | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |
2 | Disabled by default [98][100] | Enabled by default | Yes | No | No | No | No | Yes | Yes[72] | Not affected | Not affected | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |||
3–7 | Disabled by default | Enabled by default | Yes | No | No | No | Yes | Yes | Yes | Not affected | Not affected | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |||
8–10 ESR 10 | No[100] | Enabled by default | Yes | No | No | No | Yes | Yes | Yes | Not affected | Not affected | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |||
11–14 | No | Enabled by default | Yes | No | No | No | Yes | Yes | Yes | Not affected | Vulnerable (SPDY)[81] | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |||
15–22 ESR 17.0–17.0.10 | No | Enabled by default | Yes | No | No | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 10] | |||
ESR 17.0.11 | No | Enabled by default | Yes | No | No | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Lowest priority [101][102] | Not affected | Vulnerable | Yes[n 10] | |||
23 | No | Enabled by default | Yes | Disabled by default [103] | No | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 18] | |||
24, 25.0.0 ESR 24.0–24.1.0 | No | Enabled by default | Yes | Disabled by default | Disabled by default [104] | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Vulnerable | Not affected | Vulnerable | Yes[n 18] | |||
25.0.1, 26 ESR 24.1.1 | No | Enabled by default | Yes | Disabled by default | Disabled by default | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Lowest priority [101][102] | Not affected | Vulnerable | Yes[n 18] | |||
27–33 ESR 31.0–31.2 | No | Enabled by default | Yes | Yes[105][106] | Yes[107][106] | No | Yes | Yes | Yes | Not affected | Mitigated | Vulnerable | Lowest priority | Not affected | Vulnerable | Yes[n 18] | |||
34, 35 ESR 31.3–31.7 | No | Disabled by default [108][109] | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Mitigated [n 19] | Lowest priority | Not affected | Vulnerable | Yes[n 18] | |||
ESR 31.8 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Mitigated | Lowest priority | Not affected | Mitigated[112] | Yes[n 18] | |||
36–38 ESR 38.0 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Mitigated | Only as fallback [n 15][113] | Not affected | Vulnerable | Yes[n 18] | |||
ESR 38.1–38.8 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Mitigated | Only as fallback [n 15] | Not affected | Mitigated[112] | Yes[n 18] | |||
39–43 | No | No[114] | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Only as fallback [n 15] | Not affected | Mitigated[112] | Yes[n 18] | |||
44–48 ESR 45 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][115][116][117][118] | Not affected | Mitigated | Yes[n 18] | |||
49–59 ESR 52 | No | No | Yes | Yes | Yes | Disabled by default (draft version)[119] | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16] | Not affected | Mitigated | Yes[n 18] | |||
60–62 ESR 60 | No | No | Yes | Yes | Yes | Yes (draft version) | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16] | Not affected | Mitigated | Yes[n 18] | |||
63–77 ESR 68 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16] | Not affected | Mitigated | Yes[n 18] | |||
78–81 ESR 78.0–78.3 | No | No | Disabled by default[120] | Disabled by default[120] | Yes | Yes | Yes | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16] | Not affected | Mitigated | Yes[n 18] | |||
ESR 78.4 | 82 | ||||||||||||||||||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Opera Browser (Opera Mobile) (Pre-Presto and Presto) [n 20] | 1–2 | No SSL/TLS support[122] | |||||||||||||||||
3 | Yes[123] | No | No | No | No | No | No | No | No | No SSL 3.0 or TLS support | Vulnerable | Unknown | Unknown | N/A | |||||
4 | Yes | Yes[124] | No | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Unknown | |||
5 | Enabled by default | Enabled by default | Yes[125] | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
6–7 | Enabled by default | Enabled by default | Yes[125] | No | No | No | No | Yes[71] | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
8 | Enabled by default | Enabled by default | Yes | Disabled by default [126] | No | No | No | Yes | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
9 | Disabled by default [127] | Enabled by default | Yes | Yes | No | No | since v9.5 (only desktop) | Yes | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
10–11.52 | No[128] | Enabled by default | Yes | Disabled by default | Disabled by default [128] | No | Yes (only desktop) | Yes | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
11.60–11.64 | No | Enabled by default | Yes | Disabled by default | Disabled by default | No | Yes (only desktop) | Yes | No | Mitigated [129] | Not affected | Vulnerable | Vulnerable | Unknown | Unknown | Yes[n 10] | |||
12–12.14 | No | Disabled by default [n 21] | Yes | Disabled by default | Disabled by default | No | Yes (only desktop) | Yes | No | Mitigated | Not affected | Mitigated [n 21] | Vulnerable | Unknown | Mitigated[131] | Yes[n 10] | |||
12.15–12.17 | No | Disabled by default | Yes | Disabled by default | Disabled by default | No | Yes (only desktop) | Yes | No | Mitigated | Not affected | Mitigated | Partly mitigated [132][133] | Unknown | Mitigated[131] | Yes[n 10] | |||
12.18 | No | Disabled by default | Yes | Yes[134] | Yes[134] | No | Yes (only desktop) | Yes | Yes[134] | Mitigated | Not affected | Mitigated | Disabled by default[n 16][134] | Mitigated[134] | Mitigated[131] | Yes[n 10] | |||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Opera Browser (Opera Mobile) (Webkit and Blink) [n 22] | 14–16 | Windows (7+) macOS (10.11+) Linux Android (4.4+) | No | Enabled by default | Yes | Yes[137] | No[137] | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |
17–19 | No | Enabled by default | Yes | Yes[138] | Yes[138] | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Vulnerable | Vulnerable | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
20–24 | No | Enabled by default | Yes | Yes | Yes | No | Yes (only desktop) | needs SHA-2 compatible OS[71] | needs ECC compatible OS[72] | Not affected | Mitigated | Partly mitigated [n 23] | Lowest priority [139] | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
25, 26 | No | Enabled by default [n 24] | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated [n 25] | Lowest priority | Vulnerable (except Windows) | Vulnerable | Temporary [n 11] | |||
27 | No | Disabled by default [91] | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated [n 26] | Lowest priority | Vulnerable (except Windows) | Vulnerable | Yes[n 27] (only desktop) | |||
28, 29 | No | Disabled by default | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated | Lowest priority | Mitigated | Vulnerable | Yes[n 27] (only desktop) | |||
30 | No | Disabled by default | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Mitigated | Only as fallback [n 15][92] | Mitigated | Mitigated[131] | Yes[n 27] (only desktop) | |||
31–34 | No | No[93] | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Not affected | Only as fallback [n 15][92] | Mitigated | Mitigated | Temporary [n 11] | |||
35, 36 | No | No | Yes | Yes | Yes | No | Yes (only desktop) | Yes | needs ECC compatible OS[72] | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
37–40 | No | No | Yes | Yes | Yes | No | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
41–56 | No | No | Yes | Yes | Yes | Disabled by default (draft version) | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | |||
57–71 | 72 | No | No | Yes | Yes | Yes | Yes | Yes (only desktop) | Yes | Yes | Not affected | Mitigated | Not affected | Disabled by default[n 16][95][96] | Mitigated | Mitigated | Temporary [n 11] | ||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Microsoft Internet Explorer (1–10) [n 28] | 1.x | Windows 3.1, 95, NT,[n 29][n 30] Mac OS 7, 8 | No SSL/TLS support | ||||||||||||||||
2 | Yes | No | No | No | No | No | No | No | No | No SSL 3.0 or TLS support | Vulnerable | Vulnerable | Vulnerable | N/A | |||||
3 | Yes | Yes[142] | No | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Unknown | |||
4, 5, 6 | Windows 3.1, 95, 98, NT, 2000[n 29][n 30] Mac OS 7.1, 8, X, Solaris, HP-UX | Enabled by default | Enabled by default | Disabled by default [142] | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Yes[n 10] | ||
6 | Windows XP[n 30] | Enabled by default | Enabled by default | Disabled by default | No | No | No | No | Yes [n 31][143] | No | Mitigated | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Yes[n 10] | ||
7, 8 | Disabled by default [144] | Enabled by default | Yes[144] | No | No | No | Yes | Yes [n 31][143] | No | Mitigated | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Yes[n 10] | |||
6 | Server 2003[n 30] | Enabled by default | Enabled by default | Disabled by default | No | No | No | No | Yes [n 31][143] | No | Mitigated | Not affected | Vulnerable | Vulnerable | Mitigated [147] | Mitigated [148] | Yes[n 10] | ||
7, 8 | Disabled by default [144] | Enabled by default | Yes[144] | No | No | No | Yes | Yes [n 31][143] | No | Mitigated | Not affected | Vulnerable | Vulnerable | Mitigated [147] | Mitigated [148] | Yes[n 10] | |||
7, 8, 9 | Windows Vista | Disabled by default | Enabled by default | Yes | No | No | No | Yes | Yes | Yes[72] | Mitigated | Not affected | Vulnerable | Vulnerable | Mitigated [147] | Mitigated [148] | Yes[n 10] | ||
7, 8, 9 | Server 2008 | Disabled by default | Enabled by default | Yes | Disabled by default[149] (KB4019276) | Disabled by default[149] (KB4019276) | No | Yes | Yes | Yes[72] | Mitigated | Not affected | Vulnerable | Vulnerable | Mitigated [147] | Mitigated [148] | Yes[n 10] | ||
8, 9, 10 | Windows 7 / 8 Server 2008 R2 / 2012 | Disabled by default | Enabled by default | Yes | Disabled by default [150] | Disabled by default [150] | No | Yes | Yes | Yes | Mitigated | Not affected | Vulnerable | Lowest priority [151][n 32] | Mitigated [147] | Mitigated [148] | Yes[n 10] | ||
Internet Explorer 11 [n 28] | 11 | Windows 7 Server 2008 R2 | Disabled by default | Disabled by default [n 33] | Yes | Yes[153] | Yes[153] | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated [n 33] | Disabled by default[157] | Mitigated [147] | Mitigated [148] | Yes[n 10] | |
11[158] | Windows 8.1 | Disabled by default | Disabled by default [n 33] | Yes | Yes[153] | Yes[153] | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated [n 33] | Disabled by default[n 16] | Mitigated [147] | Mitigated [148] | Yes[n 10] | ||
Server 2012 Server 2012 R2 | |||||||||||||||||||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Microsoft Edge (12–18) (EdgeHTML based) Client only Internet Explorer 11 [n 28] | 11 | 12–13 | Windows 10 1507–1511 | Disabled by default | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] |
11 | 14–18 (client only) | Windows 10 1607–1809 Windows Server (SAC) 1709–1809 | No[159] | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
11 | 18 (client only) | Windows 10 1903 Windows Server (SAC) 1903 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
11 | 18 (client only) | Windows 10 1909 Windows Server (SAC) 1909 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
11 | 18 (client only) | Windows 10 2004 Windows Server (SAC) 2004 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
Internet Explorer 11 [n 28] | 11 | Windows 10 20H2 Windows Server (SAC) 20H2 | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
11 | Windows 10 21Hx Windows Server (SAC) 21Hx | No | Disabled by default | Yes | Yes | Yes | Enabled by default (experimental) since Dev 10.0.20170[160] | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | ||
Internet Explorer 11 [n 28] | 11 | Windows 10 LTSB 2015 (1507) | Disabled by default | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | |
11 | Windows 10 LTSB 2016 (1607) | No[159] | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | ||
11 | Windows Server 2016 (LTSB / 1607) | No[159] | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | ||
11 | Windows 10 LTSC 2019 (1809) Windows Server 2019 (LTSC / 1809) | No | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | Yes[n 10] | ||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Microsoft Internet Explorer Mobile [n 28] | 7, 9 | Windows Phone 7, 7.5, 7.8 | Disabled by default [144] | Enabled by default | Yes | No [citation needed] | No [citation needed] | No | No [citation needed] | Yes | Yes[161] | Unknown | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Only with 3rd party tools[n 34] | |
10 | Windows Phone 8 | Disabled by default | Enabled by default | Yes | Disabled by default [163] | Disabled by default [163] | No | No [citation needed] | Yes | Yes[164] | Mitigated | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Only with 3rd party tools[n 34] | ||
11 | Windows Phone 8.1 | Disabled by default | Enabled by default | Yes | Yes[165] | Yes[165] | No | No [citation needed] | Yes | Yes | Mitigated | Not affected | Vulnerable | Only as fallback [n 15][166][167] | Vulnerable | Vulnerable | Only with 3rd party tools[n 34] | ||
Microsoft Edge (13–15) (EdgeHTML based) [n 35] | 13 | Windows 10 Mobile 1511 | Disabled by default | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | No | |
14, 15 | Windows 10 Mobile 1607–1709 | No[159] | Disabled by default | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Apple Safari [n 36] | 1 | Mac OS X 10.2, 10.3 | No[172] | Yes | Yes | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | |
2–5 | Mac OS X 10.4, 10.5, Win XP | No | Yes | Yes | No | No | No | since v3.2 | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
3–5 | Vista, Win 7 | No | Yes | Yes | No | No | No | since v3.2 | No | Yes[161] | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
4–6 | Mac OS X 10.6, 10.7 | No | Yes | Yes | No | No | No | Yes | Yes[71] | Yes[72] | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
6 | OS X 10.8 | No | Yes | Yes | No | No | No | Yes | Yes | Yes[72] | Mitigated [n 37] | Not affected | Mitigated [n 38] | Vulnerable [n 38] | Mitigated [178] | Vulnerable | No | ||
7, 9 | OS X 10.9 | No | Yes | Yes | Yes[179] | Yes[179] | No | Yes | Yes | Yes | Mitigated [174] | Not affected | Mitigated [n 38] | Vulnerable [n 38] | Mitigated [178] | Vulnerable | No | ||
8–10 | OS X 10.10 | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated [n 38] | Lowest priority [180][n 38] | Mitigated [178] | Mitigated [181] | No | ||
9–11 | OS X 10.11 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Lowest priority | Mitigated | Mitigated | No | ||
10–12 | macOS 10.12 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
11, 12 | 13 | macOS 10.13 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | |
12, 13 | 14 | macOS 10.14 | No | No | Yes | Yes | Yes | Yes (since macOS 10.14.4)[182] | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | |
13 | 14 | macOS 10.15 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | |
14 | macOS 11.0 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user | |
Apple Safari (mobile) [n 39] | 3 | iPhone OS 1, 2 | No[186] | Yes | Yes | No | No | No | No | No | No | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | |
4, 5 | iPhone OS 3, iOS 4 | No | Yes | Yes | No | No | No | Yes[187] | Yes | since iOS 4[161] | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
5, 6 | iOS 5, 6 | No | Yes | Yes | Yes[183] | Yes[183] | No | Yes | Yes | Yes | Vulnerable | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
7 | iOS 7 | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes[188] | Mitigated [189] | Not affected | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
8 | iOS 8 | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Mitigated [n 38] | Lowest priority [190][n 38] | Mitigated [191] | Mitigated [192] | No | ||
9 | iOS 9 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Lowest priority | Mitigated | Mitigated | No | ||
10–11 | iOS 10, 11 | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
12 | iOS 12 | No | No | Yes | Yes | Yes | Yes (since iOS 12.2)[182] | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
13 | iOS 13 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
iPadOS 13 | |||||||||||||||||||
14 | iOS 14 | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Mitigated | Not affected | Not affected | Disabled by default[n 16] | Mitigated | Mitigated | No | ||
iPadOS 14 | |||||||||||||||||||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV [n 3] | SHA-2 | ECDSA | BEAST[n 4] | CRIME[n 5] | POODLE (SSLv3)[n 6] | RC4[n 7] | FREAK[73][74] | Logjam | Protocol selection by user | |
SSL protocols | TLS protocols | Certificate Support | Vulnerabilities fixed | ||||||||||||||||
Google Android OS [193] | Android 1.0–4.0.4 | No | Enabled by default | Yes | No | No | No | Unknown | Yes[71] | since 3.0[161][72] | Unknown | Unknown | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | ||
Android 4.1–4.4.4 | No | Enabled by default | Yes | Disabled by default[194] | Disabled by default[194] | No | Unknown | Yes | Yes | Unknown | Unknown | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | |||
Android 5.0–5.0.2 | No | Enabled by default | Yes | Yes[194][195] | Yes[194][195] | No | Unknown | Yes | Yes | Unknown | Unknown | Vulnerable | Vulnerable | Vulnerable | Vulnerable | No | |||
Android 5.1–5.1.1 | No | Disabled by default [citation needed] | Yes | Yes | Yes | No | Unknown | Yes | Yes | Unknown | Unknown | Not affected | Only as fallback [n 15] | Mitigated | Mitigated | No | |||
Android 6.0–7.1.2 | No | Disabled by default [citation needed] | Yes | Yes | Yes | No | Unknown | Yes | Yes | Unknown | Unknown | Not affected | Disabled by default | Mitigated | Mitigated | No | |||
Android 8.0–9.0 | No | No [196] | Yes | Yes | Yes | No | Unknown | Yes | Yes | Unknown | Unknown | Not affected | Disabled by default | Mitigated | Mitigated | No | |||
Android 10.0 | No | No | Yes | Yes | Yes | Yes | Unknown | Yes | Yes | Unknown | Unknown | Not affected | Disabled by default | Mitigated | Mitigated | No | |||
Android 11.0 | No | No | Yes | Yes | Yes | Yes | Unknown | Yes | Yes | Unknown | Unknown | Not affected | Disabled by default | Mitigated | Mitigated | No | |||
Browser | Version | Platforms | SSL 2.0 (insecure) | SSL 3.0 (insecure) | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | EV certificate | SHA-2 certificate | ECDSA certificate | BEAST | CRIME | POODLE (SSLv3) | RC4 | FREAK | Logjam | Protocol selection by user |
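2. Basic analysis of SSL/TLS
SSL/TLS, which is widely used today, is a protocol that mainly runs over TCP: the two sides exchange keys and then communicate with encryption.
The details depend on the TLS version and on the encryption methods that are supported.
- Basic SSL/TLS operation
The basic operation is client/server encryption: each side exchanges keys and then encrypts.
- TLS references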
https://ko.wikipedia.org/wiki/TLS_%EA%B5%AC%ED%98%84%EC%9D%98_%EB%B9%84%EA%B5%90
https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html
Simple TLS Server Source
https://wiki.openssl.org/index.php/Simple_TLS_Server
Simple SSL/TLS Client Source
https://wiki.openssl.org/index.php/SSL/TLS_Client
2.1 TLS Handshake and Cipher Suite
Explanation of TLS cipher suites and related TLS material
When a TLS connection is first set up, the Cipher Suite specifies the key-exchange method used during the handshake.
The sites below explain this well, so the details are omitted here.
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
https://www.mobiinside.co.kr/2019/02/13/buzzvil-tls/
https://tools.ietf.org/html/rfc8446
- TLS v1.2 handshake
https://en.wikipedia.org/wiki/Cipher_suite
Checking the cipher suite procedure
TLSv1.2
https://www.ietf.org/rfc/rfc5246.txt
https://chipmaker.tistory.com/entry/%E3%85%87
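- TLS v1.3 handshake
https://en.wikipedia.org/wiki/Cipher_suite
- Analysis of the overall TLSv1.2 flow
- 1st message, Client -> Server (Client Hello)
- Random: built by the client from Time (4 bytes) and Random Data (12 bytes)
- Cipher Suites: the client proposes the cipher suites it supports to the server
- Signature/hash algorithms: the client proposes the signature and hash algorithms it supports to the server (hash and signature proposal)
The rest is omitted.
Taking screenshots is too much bother for me; it works as the structure above describes.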
2.2 Preparing the TLS/DTLS key and certificate
Prepare a certificate before testing TLS.
To test DTLS or TLS, issue a key and a certificate as follows.
- Issuing the client key and client certificate
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-cert.pem
.....
// Enter your own information at each prompt
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
// Issues an RSA private key and, based on it, a certificate valid for 10 years (3650 days)
- Issuing the server key and server certificate
$ openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-cert.pem
// Enter your own information at each prompt
....
// Issues an RSA private key and, based on it, a certificate valid for 10 years (3650 days)
$ cat client-key.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
$ openssl pkey -in client-key.pem -text   # parse the private key above
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
RSA Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
$ cat client-cert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$ openssl x509 -in client-cert.pem -noout -text   # full dump of the certificate above (includes the public-key information of the private key above)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:9b:52:da:d2:5d:f6:1e:d4:5f:89:2a:9b:44:6c:ce:85:58:4d:19
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Jun 9 02:49:53 2020 GMT
            Not After : Jun 7 02:49:53 2030 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57
            X509v3 Authority Key Identifier:
                keyid:C4:06:28:2B:76:43:98:8A:A0:BD:59:21:B0:3D:DE:FE:81:33:3E:57
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
You can test with the source below.
https://github.com/JeonghunLee/DTLS-Examples/blob/master/src/dtls_udp_echo.c
DTLS Programming Example and API
https://github.com/nplab/DTLS-Examples
https://chris-wood.github.io/2016/05/06/OpenSSL-DTLS.html
https://gist.github.com/Jxck/b211a12423622fe304d2370b1f1d30d5
OpenSSL Programming
https://developer.ibm.com/technologies/security/tutorials/l-openssl/
https://www.linuxjournal.com/article/4822
DTLS Manual
https://www.openssl.org/docs/man1.1.0/man3/DTLS_client_method.html
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_use_PrivateKey_file.html
See the links above for details.
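LIBS += -lssl -lcrypto

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* SSLMSG is not defined in this excerpt; a minimal stand-in so that it compiles */
#define SSLMSG(msg) fputs((msg), stderr)

SSL_CTX *ctx;
SSL *ssl;
BIO *bio;

/* Create the DTLS client context and load the client certificate and key from 2.2 */
int dtls_client_ctx_init(void)
{
    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();
    ctx = SSL_CTX_new(DTLS_client_method());
    if (ctx == NULL) {
        SSLMSG("ERROR: SSL_CTX_new failed!\n");
        return -1;
    }
    if (!SSL_CTX_use_certificate_file(ctx, "certs/client-cert.pem", SSL_FILETYPE_PEM))
        SSLMSG("ERROR: no certificate found!\n");
    if (!SSL_CTX_use_PrivateKey_file(ctx, "certs/client-key.pem", SSL_FILETYPE_PEM))
        SSLMSG("ERROR: no private key found!\n");
    /* Check that the private key matches the loaded certificate */
    if (!SSL_CTX_check_private_key(ctx))
        SSLMSG("ERROR: invalid private key!\n");
    /* The cipher suite list can be configured */
    SSL_CTX_set_cipher_list(ctx, ":AES");
    return 0;
}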
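The same key/certificate consistency check that SSL_CTX_check_private_key() performs can be done on the command line before the files from section 2.2 are handed to a program. This is an added example, not code from the original post; the function names issue_pair and key_matches_cert and the subject values passed to them are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): command-line counterpart of
# SSL_CTX_check_private_key(), run before the files are given to a program.

# Issue a self-signed key/certificate pair without prompts, as in section 2.2.
# $1 = output prefix, $2 = subject (sample value chosen by the caller)
issue_pair() {
    (
        umask 077    # -nodes writes the key unencrypted, so keep it owner-only
        openssl req -x509 -newkey rsa:2048 -days 3650 -nodes \
            -keyout "$1-key.pem" -out "$1-cert.pem" -subj "$2" 2>/dev/null
    )
}

# Return 0 when key file $1 and certificate $2 hold the same public key,
# 1 when they differ, 2 when either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Check the files from section 2.2 when they are in the current directory.
if [ -f client-key.pem ] && [ -f client-cert.pem ]; then
    if key_matches_cert client-key.pem client-cert.pem; then
        echo "client-key.pem matches client-cert.pem"
    else
        echo "client-key.pem does NOT match client-cert.pem" >&2
    fi
fi
```

Comparing the extracted public keys works for RSA and EC keys alike, which comparing only the RSA modulus does not.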
3. Installing and testing OpenSSL
RootCA / SubCA / Digital Signature Sign
https://en.wikipedia.org/wiki/Root_certificate
https://en.wikipedia.org/wiki/Certificate_authority
https://en.wikipedia.org/wiki/Public_key_certificate
Issuing a root CA with OpenSSL
https://www.lesstif.com/pages/viewpage.action?pageId=6979614
https://www.lesstif.com/pages/viewpage.action?pageId=7635159
OpenSSL command usage
https://wiki.openssl.org/index.php/Command_Line_Utilities
https://en.wikipedia.org/wiki/OpenSSL
openssl s_client -connect
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
https://www.poftut.com/use-openssl-s_client-check-verify-ssltls-https-webserver/
http://coffeenix.net/board_view.php?bd_code=1661
https://xbloger.tistory.com/18
https://spin.atomicobject.com/2018/07/30/openssl-s-client/
https://www.freebsd.org/cgi/man.cgi?query=s_client&manpath=FreeBSD+11-current
https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html
openssl s_server
https://www.openssl.org/docs/man1.0.2/man1/s_server.html
https://github.com/openssl/openssl/blob/master/apps/server.pem
https://theswlee.tistory.com/48
https://superhero.ninja/2015/07/22/create-a-simple-https-server-with-openssl-s_server/
https://www.rabbitmq.com/troubleshooting-ssl.html
https://www.rabbitmq.com/troubleshooting-networking.html
https://www.rabbitmq.com/ssl.html#certificates-and-keys
- Basic openssl test
$ openssl version
OpenSSL 1.1.1b 26 Feb 2019
$ openssl
OpenSSL> help
Standard commands
asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam enc engine errstr gendsa
genpkey genrsa help list nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash
req rsa rsautl s_client s_server s_time sess_id smime
speed spkac srp storeutl ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4 md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb
aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb
aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb
base64 bf bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb
cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb seed-ofb
sm4-cbc sm4-cfb sm4-ctr sm4-ecb sm4-ofb
OpenSSL> quit
- Converting DER certificates and keys
PEM or CRT files are generally base64-encoded, so they can easily be inspected with cat, but DER is a binary encoding, so convert it as follows.
$ openssl x509 -inform DER -outform PEM -text -in test.der -out test.pem
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
https://wiki.openssl.org/index.php/DER
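A file extension (.crt, .cer, .pem, .der) does not reliably say which encoding a certificate file uses, so the value for -inform is better taken from the content. The following added example (not from the original post) detects the encoding and shows that a PEM block is the base64 text of the DER bytes; the function names are assumptions, and the sample input is a constructed 5-byte DER SEQUENCE rather than a real certificate.

```shell
#!/bin/sh
# Added example: decide the encoding from the file content, not its extension.

# Print PEM, DER or unknown for file $1.
cert_encoding() {
    # The marker may follow other text: "openssl x509 -text -out f.pem"
    # writes the human-readable dump first and the PEM block after it.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM            # base64 text between BEGIN/END markers
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER            # raw ASN.1: starts with the SEQUENCE tag 0x30
    else
        echo unknown
    fi
}

# Write the DER bytes of the first PEM certificate block in $1 to stdout.
pem_to_der() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on' "$1" | base64 -d
}

# Wrap DER file $1 in PEM armor (base64 text, 64 characters per line).
der_to_pem() {
    echo "-----BEGIN CERTIFICATE-----"
    base64 < "$1" | tr -d '\n' | fold -w 64
    echo
    echo "-----END CERTIFICATE-----"
}

# Round trip on a constructed DER SEQUENCE (30 03 02 01 05), not a real certificate.
demo_roundtrip() {
    tmp=$(mktemp -d) || return 1
    printf '\060\003\002\001\005' > "$tmp/sample.cer"
    der_to_pem "$tmp/sample.cer" > "$tmp/sample.crt"
    echo "$(cert_encoding "$tmp/sample.cer") $(cert_encoding "$tmp/sample.crt")"
    if pem_to_der "$tmp/sample.crt" | cmp -s - "$tmp/sample.cer"; then
        same=0
    else
        same=1
    fi
    rm -rf "$tmp"
    return "$same"
}

demo_roundtrip
```

With a real file the result feeds the conversion directly, for example `openssl x509 -inform "$(cert_encoding test.der)" -in test.der -noout -text`.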
3.1 HTTPS connection test against a Google server
- Running the HTTPS port 443 test
$ openssl s_client -connect google.com:443   # HTTPS port 443, TLSv1.3 fail
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3787 bytes and written 392 bytes
Verification error: unable to get local issuer certificate   // openssl verify (verification error)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported   // TLSv1.3 negotiation failed
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
// check the problem
Verify return code: 20 (unable to get local issuer certificate)
---
Ctrl+c
- Running the HTTPS port 443 test (TLSv1.2)
$ openssl s_client -connect google.com:443 -tls1_2   # HTTPS port 443, TLS1.2
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3978 bytes and written 298 bytes
Verification error: unable to get local issuer certificate   // same verification error
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported   // negotiated as TLSv1.2
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 1C072CAEAD8AC810F33CC68F2C687F8841ED13FFB9B9668FF4E6CA770CCABCC4
    Session-ID-ctx:
    Master-Key: 098E8AC1E0DEEA97F12895234B1B2DD332953D5AE4D2D1EF6679DA3CD80558AF36821E68EFED9EDF1A41DB355B7F63BE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    ...
    Start Time: 1583817303
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)   // verification error
    Extended master secret: yes
---
Ctrl+c
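The lines that matter in the two transcripts above are "New, <protocol>, Cipher is <cipher>" and "Verify return code". The following added example (not from the original post) reduces an s_client transcript to a one-line verdict; the function name s_client_check, the policy of accepting only TLSv1.2 or TLSv1.3, and the three sample transcripts (constructed from the key lines above plus two made-up cases) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): turn an `openssl s_client`
# transcript on stdin into a one-line verdict.
# Exit status: 0 = TLSv1.2/1.3 negotiated and chain verified,
#              1 = session established but a check failed,
#              2 = no handshake at all.
s_client_check() {
    awk '
        /^New, / {                  # "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
            split($0, part, ", ")
            proto = part[2]
            cipher = part[3]
            sub(/^Cipher is /, "", cipher)
        }
        /Verify return code: / {    # "Verify return code: 20 (unable to get ...)"
            code = $0
            sub(/.*Verify return code: /, "", code)
            reason = code
            sub(/ .*/, "", code)
            sub(/^[0-9]+ \(/, "", reason)
            sub(/\).*/, "", reason)
        }
        END {
            if (proto == "" || proto == "(NONE)") {
                print "FAIL handshake did not complete"
                exit 2
            }
            ok = (proto == "TLSv1.2" || proto == "TLSv1.3") && code == "0"
            printf "%s protocol=%s cipher=%s verify=%s (%s)\n", (ok ? "OK" : "FAIL"), proto, cipher, code, reason
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: key lines of the first (TLSv1.3) transcript above.
sample_tls13() {
    cat <<'EOF'
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Constructed sample: a TLSv1.2 session whose chain verified (code 0).
sample_tls12_verified() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
EOF
}

# Constructed sample: what s_client prints when no session was established.
sample_no_handshake() {
    cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
EOF
}

for s in sample_tls13 sample_tls12_verified sample_no_handshake; do
    "$s" | s_client_check || true
done
```

Against a live server, pipe `openssl s_client -connect HOST:443 < /dev/null` into the function. Return code 20 means the issuer certificate was not found in the trust store OpenSSL searched, which the `-CAfile` or `-CApath` options of s_client can supply.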
3.2 Analyzing the Google server's certificate
- Saving the Google server's certificate
$ openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
$ cat public.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- Analyze the Google server's certificate
$ openssl x509 -in public.crt -noout -text // full analysis of the certificate saved above
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:de:65:60:cd:35:c0:af:02:00:00:00:00:59:71:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
Validity
Not Before: Feb 12 11:47:11 2020 GMT
Not After : May 6 11:47:11 2020 GMT
Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
...
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
24:6D:37:50:0A:02:B9:33:DC:A9:46:32:97:E1:2D:89:1A:3C:59:18
X509v3 Authority Key Identifier:
keyid:98:D1:F8:6E:10:EB:CF:9B:EC:60:9F:18:90:1B:A0:EB:7D:09:FD:2B
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/gts1o1
CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt
X509v3 Subject Alternative Name:
...
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
Policy: 1.3.6.1.4.1.11129.2.5.3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.pki.goog/GTS1O1.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:
25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E
Timestamp : Feb 12 12:47:13.255 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
...
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
Timestamp : Feb 12 12:47:13.272 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
...
Signature Algorithm: sha256WithRSAEncryption
...
$ openssl x509 -in public.crt -noout -dates // date analysis
notBefore=Feb 12 11:47:11 2020 GMT
notAfter=May 6 11:47:11 2020 GMT
- Google Certificate Verification
The current certificate appears not to be verified.
$ openssl verify public.crt // re-check the verification error above (the same error occurs)
C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error public.crt: verification failed
// openssl certs directory (currently empty; if a verified certificate were available, test with that)
$ ls -lah /etc/ssl/certs
...
$ echo -n | openssl s_client -connect google.com:443 -CAfile ./public.crt -tls1_2 | grep Verify // test again because of the verification error
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
Verify return code: 20 (unable to get local issuer certificate) // verification error, same as above
DONE
// self-issued certificate
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
$ echo -n | openssl s_client -connect google.com:443 -CAfile ./cert.pem -tls1_2 | grep Verify // test again because of the verification error
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
Verify return code: 20 (unable to get local issuer certificate) // verification error, same as above
DONE
I resolved this using the site below.
https://github.com/nghttp2/nghttp2/issues/928
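The error 20 results above can be reproduced offline. The script below is an added example, not part of the original post: it builds a throwaway root, intermediate and leaf chain (all subject names, file names and function names are constructed) and shows that `-CAfile` only helps when it contains the root that issued the chain. Passing the server's own certificate or an unrelated self-signed certificate, as in the two attempts above, still fails.

```shell
#!/bin/sh
# Added example: reproduce "error 20" offline with a throwaway three-level PKI.
# All subject names and file names below are constructed for this demo.

# Create root -> intermediate -> leaf, plus an unrelated self-signed cert, in $1.
make_demo_pki() {
    d="$1"
    # Minimal config so the demo does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:demo.example.test
EOF
    # Self-signed root CA: the trust anchor a client must already hold.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" -days 30 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Unrelated self-signed certificate (like the page's freshly made cert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Unrelated Self-Signed" -days 30 \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
    # Intermediate CA signed by the root; leaf signed by the intermediate.
    issue "$d" inter "Demo Intermediate CA" root v3_ca || return 1
    issue "$d" leaf "demo.example.test" inter v3_leaf
}

# issue DIR NAME CN ISSUER EXT_SECTION: make key + CSR, then sign with ISSUER's key.
issue() {
    openssl req -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/demo.cnf" -extensions "$5" -days 30 \
        -out "$1/$2.crt" 2>/dev/null
}

# Print "OK", or the numeric error code that "openssl verify ARGS" reports.
verify_code() {
    out=$(openssl verify "$@" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

run_demo() {
    t=$(mktemp -d) || return 1
    make_demo_pki "$t" || { rm -rf "$t"; return 1; }
    # The server sends leaf + intermediate; the client supplies the trust anchor.
    echo "no trust anchor:   $(verify_code -untrusted "$t/inter.crt" "$t/leaf.crt")"
    echo "-CAfile leaf.crt:  $(verify_code -CAfile "$t/leaf.crt" -untrusted "$t/inter.crt" "$t/leaf.crt")"
    echo "-CAfile other.crt: $(verify_code -CAfile "$t/other.crt" -untrusted "$t/inter.crt" "$t/leaf.crt")"
    echo "-CAfile root.crt:  $(verify_code -CAfile "$t/root.crt" -untrusted "$t/inter.crt" "$t/leaf.crt")"
    rm -rf "$t"
}

run_demo
```

To verify a live server the same way, point `-CAfile` or `-CApath` at the root CA bundle installed by the OS (the `ca-certificates` package on Debian-based systems) rather than at the certificate the server itself presents.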
3.3 Analyzing Other HTTPS Servers Directly
Encode BASE64 to ASCII
https://www.base64encode.org/
https://base64.guru/converter/encode/hex
- Analyze an HTTPS server directly (replace 서버 with the server's hostname)
$ echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -dates // analyze directly, without saving to a file as above
$ echo "" | openssl s_client -connect 서버:443 | openssl x509 -noout -text // analyze directly, without saving to a file as above
- Analyze the feistyduck server
$ openssl s_client -connect www.feistyduck.com:443 // confirms that it connects with TLS v1.2 by default
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
---
Certificate chain
0 s:OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5027 bytes and written 446 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6B6C93F4B46A273D51F2EEBF1FCA910218EC34521BA4D9FAE45BFB839B3F8356
Session-ID-ctx:
Master-Key: 0A865001506F6133227E5C02290D48804041D50B7DDF8A23AE87B87BF61F287BE8C8D08CA7EE648A3E7BD004EF97D1E3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...
Start Time: 1591687396
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -text
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f4:7f:09:b5:99:12:4b:1f:08:84:6a:c4:d7:1e:b0:f2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Feb 12 00:00:00 2018 GMT
Not After : Feb 17 23:59:59 2021 GMT
Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
A9:73:37:FB:A6:5D:EC:A0:FA:0E:0B:5F:ED:22:4E:38:6F:1E:AE:68
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:www.feistyduck.com, DNS:feistyduck.com
Signature Algorithm: sha256WithRSAEncryption
...
$ echo "" | openssl s_client -connect www.feistyduck.com:443 | openssl x509 -noout -dates
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.feistyduck.com
verify return:1
DONE
notBefore=Feb 12 00:00:00 2018 GMT
notAfter=Feb 17 23:59:59 2021 GMT
3.4 Local HTTPS Test
Using OpenSSL, issue a certificate and private key, start a server with them, and then test against it.
Issue an RSA-based key
- Issue the certificate and private key for the local HTTPS server
// RSA-based
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
// cert.pem: certificate, visible to the client when it connects
// key.pem: private key
https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
$ openssl req -new -x509 -key key.pem -out cert.pem // -x509 makes req write a self-signed certificate; without it the output is a CSR
// cert.pem: certificate, visible to the client when it connects
// key.pem: private key
- Run the local HTTPS server (Server)
$ openssl s_server -key key.pem -cert cert.pem -accept 443 -www &
Using default temp DH parameters
ACCEPT
- Connect the local HTTPS client
$ openssl s_client -connect 127.0.0.1:443 // same as cert.pem above
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1435 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: ECCF57A71FE4DA0AD66DE23685BD58CD3F5BC88756033845BB3460472A40389E
Session-ID-ctx:
Resumption PSK: 651BA37791F1ABF1C1A7319B6386484ADE95960E666B5F14B3759AEA2DCFDB47D021A0C64F69AC383C2909E9D99127D8
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
...
Start Time: 1591683618
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 08C9BB5B706488A4657B05D86629EA0518E72E0C73498DA59BF3337E7C7CB346
Session-ID-ctx:
Resumption PSK: 8D7303226BB700F521767764C32383FDC598B4E99185E8502A0787159DDA50DDBE2570A7D659AB4CCA85E5BF3B9F59E1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
...
Start Time: 1591683618
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
- Encode and decode test
$ echo 'hello world!' | openssl aes-256-cbc -a -k "passwordkey" // encrypt; -a base64-encodes the output
U2FsdGVkX1+fe5EdA+UkQOAxj2rYLb6ZDgNcGcd0A4Y=
$ echo 'U2FsdGVkX19LEynrqiD3WZHqvOAU5R/hUpeKLR4IYO4=' | openssl aes-256-cbc -a -d -k "passwordkey" // decrypt works
hello world!
$ cat > test.txt // create a text file
hello world
$ openssl enc -e -aes-128-cbc -in test.txt -out test.enc -k "password1234" // encrypt
$ openssl enc -d -aes-128-cbc -in test.enc -out test.dec -k "password1234" // decrypt
$ cat test.dec // check the decrypted result
hello world
$ openssl enc -e -aria-128-cbc -in test.txt -out test.enc -k "password1234" // encrypt
$ openssl enc -d -aria-128-cbc -in test.enc -out test.dec -k "password1234" // decrypt
$ cat test.dec // check the decrypted result
hello world
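The two base64 strings in the first test differ even though the plaintext and password are the same, because `openssl enc` prepends a `Salted__` header with a fresh random salt on every run. The script below is an added example, not part of the original post: it extracts that salt from the two strings shown above and repeats the round trip with PBKDF2 key derivation (`-pbkdf2 -iter`, OpenSSL 1.1.1 or later) instead of the legacy derivation that plain `-k` uses. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example: inspect the "Salted__" header of "openssl enc -a" output and
# run the same password-based round trip with PBKDF2 key derivation.
# The two sample strings are the base64 values printed on this page.

# Print the 8-byte salt (as hex) from base64 "openssl enc -a" output.
# Returns 1 if the decoded data does not start with the "Salted__" magic.
salt_of() {
    hex=$(printf '%s\n' "$1" | openssl base64 -d | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        # 53616c7465645f5f is "Salted__"; the next 16 hex digits are the salt.
        53616c7465645f5f*) printf '%s\n' "$hex" | cut -c17-32 ;;
        *) return 1 ;;
    esac
}

# Password-based AES-256-CBC with PBKDF2 (needs OpenSSL 1.1.1 or later).
# $1 is the password; plaintext or ciphertext is read from stdin.
enc_pbkdf2() {
    openssl enc -e -aes-256-cbc -a -salt -pbkdf2 -iter 100000 -pass "pass:$1"
}
dec_pbkdf2() {
    openssl enc -d -aes-256-cbc -a -pbkdf2 -iter 100000 -pass "pass:$1"
}

run_enc_demo() {
    echo "salt in encrypt output: $(salt_of 'U2FsdGVkX1+fe5EdA+UkQOAxj2rYLb6ZDgNcGcd0A4Y=')"
    echo "salt in decrypt input:  $(salt_of 'U2FsdGVkX19LEynrqiD3WZHqvOAU5R/hUpeKLR4IYO4=')"
    ct=$(printf 'hello world!\n' | enc_pbkdf2 passwordkey) || return 1
    echo "pbkdf2 ciphertext:      $ct"
    echo "pbkdf2 round trip:      $(printf '%s\n' "$ct" | dec_pbkdf2 passwordkey)"
}

run_enc_demo
```

The decrypt side must use the same `-pbkdf2 -iter` settings as the encrypt side. `openssl enc` does not support AEAD modes such as GCM, so CBC output from these commands carries no integrity check.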
ARIA
https://en.wikipedia.org/wiki/ARIA_(cipher)
https://wiki.openssl.org/index.php/How_to_Integrate_a_Symmetric_Cipher
https://getrfc.com/rfc6209
openssl suites
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
https://sarc.io/index.php/httpd/581-openssl-suites
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings/
https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce
https://m.blog.naver.com/PostView.nhn?blogId=seri0528&logNo=20188280116&proxyReferer=https%3A%2F%2Fwww.google.com%2F
https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-Usingopenssl
CBC Encryption and Decryption Example
https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption
GCM/CCM Encryption and Decryption Example
https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
https://wiki.openssl.org/index.php/EVP_Asymmetric_Encryption_and_Decryption_of_an_Envelope
ECB/CBC/CFB/CTR
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
GCM
https://en.wikipedia.org/wiki/Galois/Counter_Mode
OpenSSL File Encryption/Decryption
https://m.blog.naver.com/PostView.nhn?blogId=seongjeongki7&logNo=220815806184&proxyReferer=https%3A%2F%2Fwww.google.com%2F
https://johngrib.github.io/wiki/openssl/
https://www.openssl.org/docs/man1.0.2/man1/openssl-enc.html