openssl 的 tls 命令和相关使用心得

声明：本文基于 openssl 1.1.1f 版本

服务端：

Usage: s_server [options]
Valid options are:-help                      Display this summary-port +int                 TCP/IP port to listen on for connections (default is 4433)-accept val                TCP/IP optional host and port to listen on for connections (default is *:4433)-unix val                  Unix domain socket to accept on-4                         Use IPv4 only-6                         Use IPv6 only-unlink                    For -unix, unlink existing socket first-context val               Set session ID context-verify int                Turn on peer certificate verification-Verify int                Turn on peer certificate verification, must have a cert-cert infile               Certificate file to use; default is server.pem-nameopt val               Various certificate name options-naccept +int              Terminate after #num connections-serverinfo val            PEM serverinfo file for certificate-certform PEM|DER          Certificate format (PEM or DER) PEM default-key val                   Private Key if not in -cert; default is server.pem-keyform format            Key format (PEM, DER or ENGINE) PEM default-pass val                  Private key file pass phrase source-dcert infile              Second certificate file to use (usually for DSA)-dhparam infile            DH parameters file to use-dcertform PEM|DER         Second certificate format (PEM or DER) PEM default-dkey infile               Second private key file to use (usually for DSA)-dkeyform PEM|DER          Second key format (PEM, DER or ENGINE) PEM default-dpass val                 Second private key file pass phrase source-nbio_test                 Test with the non-blocking test bio-crlf                      Convert LF from terminal into CRLF-debug                     Print more output-msg                       Show protocol messages-msgfile outfile           File to send output of -msg or -trace, instead of stdout-state                     Print the SSL states-CAfile infile             PEM format file of CA's-CApath dir                PEM format directory of CA's-no-CAfile                 Do not load the default certificates file-no-CApath                 Do not load certificates from the default certificates directory-nocert                    Don't use any certificates (Anon-DH)-quiet                     No server output-no_resume_ephemeral       Disable caching and tickets if ephemeral (EC)DH is used-www                       Respond to a 'GET /' with a status page-WWW                       Respond to a 'GET with the file ./path-servername val            Servername for HostName TLS extension-servername_fatal          mismatch send fatal alert (default warning alert)-cert2 infile              Certificate file to use for servername; default isserver2.pem-key2 infile               -Private Key file to use for servername if not in -cert2-tlsextdebug               Hex dump of all TLS extensions received-HTTP                      Like -WWW but ./path includes HTTP headers-id_prefix val             Generate SSL/TLS session IDs prefixed by arg-rand val                  Load the file(s) into the random number generator-writerand outfile         Write random data to the specified file-keymatexport val          Export keying material using label-keymatexportlen +int      Export len bytes of keying material (default 20)-CRL infile                CRL file to use-crl_download              Download CRL from distribution points-cert_chain infile         certificate chain file in PEM format-dcert_chain infile        second certificate chain file in PEM format-chainCApath dir           use dir as certificate store path to build CA certificate chain-verifyCApath dir          use dir as certificate store path to verify CA certificate-no_cache                  Disable session cache-ext_cache                 Disable internal cache, setup and use external cache-CRLform PEM|DER           CRL format (PEM or DER) PEM is default-verify_return_error       Close connection on verification error-verify_quiet              No verify output except verify errors-build_chain               Build certificate chain-chainCAfile infile        CA file for certificate chain (PEM format)-verifyCAfile infile       CA file for certificate verification (PEM format)-ign_eof                   ignore input eof (default when -quiet)-no_ign_eof                Do not ignore input eof-status                    Request certificate status from server-status_verbose            Print more output in certificate status callback-status_timeout int        Status request responder timeout-status_url val            Status request fallback URL-status_file infile        File containing DER encoded OCSP Response-security_debug            Print output from SSL/TLS security framework-security_debug_verbose    Print more output from SSL/TLS security framework-brief                     Restrict output to brief summary of connection parameters-rev                       act as a simple test server which just sends back with the received text reversed-async                     Operate in asynchronous mode-ssl_config val            Configure SSL_CTX using the configuration 'val'-max_send_frag +int        Maximum Size of send frames -split_send_frag +int      Size used to split data for encrypt pipelines-max_pipelines +int        Maximum number of encrypt/decrypt pipelines to be used-read_buf +int             Default read buffer size to be used for connections-no_ssl3                   Just disable SSLv3-no_tls1                   Just disable TLSv1-no_tls1_1                 Just disable TLSv1.1-no_tls1_2                 Just disable TLSv1.2-no_tls1_3                 Just disable TLSv1.3-bugs                      Turn on SSL bug compatibility-no_comp                   Disable SSL/TLS compression (default)-comp                      Use SSL/TLS-level compression-no_ticket                 Disable use of TLS session tickets-serverpref                Use server's cipher preferences-legacy_renegotiation      Enable use of legacy renegotiation (dangerous)-no_renegotiation          Disable all renegotiation.-legacy_server_connect     Allow initial connection to servers that don't support RI-no_resumption_on_reneg    Disallow session resumption on renegotiation-no_legacy_server_connect  Disallow initial connection to servers that don't support RI-allow_no_dhe_kex          In TLSv1.3 allow non-(ec)dhe based key exchange on resumption-prioritize_chacha         Prioritize ChaCha ciphers when preferred by clients-strict                    Enforce strict certificate checks as per TLS standard-sigalgs val               Signature algorithms to support (colon-separated list)-client_sigalgs val        Signature algorithms to support for client certificate authentication (colon-separated list)-groups val                Groups to advertise (colon-separated list)-curves val                Groups to advertise (colon-separated list)-named_curve val           Elliptic curve used for ECDHE (server-side only)-cipher val                Specify TLSv1.2 and below cipher list to be used-ciphersuites val          Specify TLSv1.3 ciphersuites to be used-min_protocol val          Specify the minimum protocol version to be used-max_protocol val          Specify the maximum protocol version to be used-record_padding val        Block size to pad TLS 1.3 records to.-debug_broken_protocol     Perform all sorts of protocol violations for testing purposes-no_middlebox              Disable TLSv1.3 middlebox compat mode-policy val                adds policy to the acceptable policy set-purpose val               certificate chain purpose-verify_name val           verification policy name-verify_depth int          chain depth limit-auth_level int            chain authentication security level-attime intmax             verification epoch time-verify_hostname val       expected peer hostname-verify_email val          expected peer email-verify_ip val             expected peer IP address-ignore_critical           permit unhandled critical extensions-issuer_checks             (deprecated)-crl_check                 check leaf certificate revocation-crl_check_all             check full chain revocation-policy_check              perform rfc5280 policy checks-explicit_policy           set policy variable require-explicit-policy-inhibit_any               set policy variable inhibit-any-policy-inhibit_map               set policy variable inhibit-policy-mapping-x509_strict               disable certificate compatibility work-arounds-extended_crl              enable extended CRL features-use_deltas                use delta CRLs-policy_print              print policy processing diagnostics-check_ss_sig              check root CA self-signatures-trusted_first             search trust store first (default)-suiteB_128_only           Suite B 128-bit-only mode-suiteB_128                Suite B 128-bit mode allowing 192-bit algorithms-suiteB_192                Suite B 192-bit-only mode-partial_chain             accept chains anchored by intermediate trust-store CAs-no_alt_chains             (deprecated)-no_check_time             ignore certificate validity time-allow_proxy_certs         allow the use of proxy certificates-xkey infile               key for Extended certificates-xcert infile              cert for Extended certificates-xchain infile             chain for Extended certificates-xchain_build              build certificate chain for the extended certificates-xcertform PEM|DER         format of Extended certificate (PEM or DER) PEM default -xkeyform PEM|DER          format of Extended certificate's key (PEM or DER) PEM default-nbio                      Use non-blocking IO-psk_identity val          PSK identity to expect-psk_hint val              PSK identity hint to use-psk val                   PSK in hex (without 0x)-psk_session infile        File to read PSK SSL session from-srpvfile infile           The verifier file for SRP-srpuserseed val           A seed string for a default user salt-ssl3                      Just talk SSLv3-tls1                      Just talk TLSv1-tls1_1                    Just talk TLSv1.1-tls1_2                    just talk TLSv1.2-tls1_3                    just talk TLSv1.3-dtls                      Use any DTLS version-timeout                   Enable timeouts-mtu +int                  Set link layer MTU-listen                    Listen for a DTLS ClientHello with a cookie and then connect-stateless                 Require TLSv1.3 cookies-dtls1                     Just talk DTLSv1-dtls1_2                   Just talk DTLSv1.2-sctp                      Use SCTP-sctp_label_bug            Enable SCTP label length bug-no_dhe                    Disable ephemeral DH-nextprotoneg val          Set the advertised protocols for the NPN extension (comma-separated list)-use_srtp val              Offer SRTP key management with a colon-separated profile list-alpn val                  Set the advertised protocols for the ALPN extension (comma-separated list)-engine val                Use engine, possibly a hardware device-keylogfile outfile        Write TLS secrets to file-max_early_data int        The maximum number of bytes of early data as advertised in tickets-recv_max_early_data int   The maximum number of bytes of early data (hard limit)-early_data                Attempt to read early data-num_tickets int           The number of TLSv1.3 session tickets that a server will automatically  issue-anti_replay               Switch on anti-replay protection (default)-no_anti_replay            Switch off anti-replay protection

客户端：

Usage: s_client [options]
Valid options are:-help                      Display this summary-host val                  Use -connect instead-port +int                 Use -connect instead-connect val               TCP/IP where to connect (default is :4433)-bind val                  bind local address for connection-proxy val                 Connect to via specified proxy to the real server-unix val                  Connect over the specified Unix-domain socket-4                         Use IPv4 only-6                         Use IPv6 only-verify +int               Turn on peer certificate verification-cert infile               Certificate file to use, PEM format assumed-certform PEM|DER          Certificate format (PEM or DER) PEM default-nameopt val               Various certificate name options-key val                   Private key file to use, if not in -cert file-keyform PEM|DER|ENGINE    Key format (PEM, DER or engine) PEM default-pass val                  Private key file pass phrase source-CApath dir                PEM format directory of CA's-CAfile infile             PEM format file of CA's-no-CAfile                 Do not load the default certificates file-no-CApath                 Do not load certificates from the default certificates directory-requestCAfile infile      PEM format file of CA names to send to the server-dane_tlsa_domain val      DANE TLSA base domain-dane_tlsa_rrdata val      DANE TLSA rrdata presentation form-dane_ee_no_namechecks     Disable name checks when matching DANE-EE(3) TLSA records-reconnect                 Drop and re-make the connection with the same Session-ID-showcerts                 Show all certificates sent by the server-debug                     Extra output-msg                       Show protocol messages-msgfile outfile           File to send output of -msg or -trace, instead of stdout-nbio_test                 More ssl protocol testing-state                     Print the ssl states-crlf                      Convert LF from terminal into CRLF-quiet                     No s_client output-ign_eof                   Ignore input eof (default when -quiet)-no_ign_eof                Don't ignore input eof-starttls val              Use the appropriate STARTTLS command before starting TLS-xmpphost val              Alias of -name option for "-starttls xmpp[-server]"-rand val                  Load the file(s) into the random number generator-writerand outfile         Write random data to the specified file-sess_out outfile          File to write SSL session to-sess_in infile            File to read SSL session from-use_srtp val              Offer SRTP key management with a colon-separated profile list-keymatexport val          Export keying material using label-keymatexportlen +int      Export len bytes of keying material (default 20)-maxfraglen +int           Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)-fallback_scsv             Send the fallback SCSV-name val                  Hostname to use for "-starttls lmtp", "-starttls smtp" or "-starttls xmpp[-server]"-CRL infile                CRL file to use-crl_download              Download CRL from distribution points-CRLform PEM|DER           CRL format (PEM or DER) PEM is default-verify_return_error       Close connection on verification error-verify_quiet              Restrict verify output to errors-brief                     Restrict output to brief summary of connection parameters-prexit                    Print session information when the program exits-security_debug            Enable security debug messages-security_debug_verbose    Output more security debug output-cert_chain infile         Certificate chain file (in PEM format)-chainCApath dir           Use dir as certificate store path to build CA certificate chain-verifyCApath dir          Use dir as certificate store path to verify CA certificate-build_chain               Build certificate chain-chainCAfile infile        CA file for certificate chain (PEM format)-verifyCAfile infile       CA file for certificate verification (PEM format)-nocommands                Do not use interactive command letters-servername val            Set TLS extension servername (SNI) in ClientHello (default)-noservername              Do not send the server name (SNI) extension in the ClientHello-tlsextdebug               Hex dump of all TLS extensions received-status                    Request certificate status from server-serverinfo val            types  Send empty ClientHello extensions (comma-separated numbers)-alpn val                  Enable ALPN extension, considering named protocols supported (comma-separated list)-async                     Support asynchronous operation-ssl_config val            Use specified configuration file-max_send_frag +int        Maximum Size of send frames -split_send_frag +int      Size used to split data for encrypt pipelines-max_pipelines +int        Maximum number of encrypt/decrypt pipelines to be used-read_buf +int             Default read buffer size to be used for connections-no_ssl3                   Just disable SSLv3-no_tls1                   Just disable TLSv1-no_tls1_1                 Just disable TLSv1.1-no_tls1_2                 Just disable TLSv1.2-no_tls1_3                 Just disable TLSv1.3-bugs                      Turn on SSL bug compatibility-no_comp                   Disable SSL/TLS compression (default)-comp                      Use SSL/TLS-level compression-no_ticket                 Disable use of TLS session tickets-serverpref                Use server's cipher preferences-legacy_renegotiation      Enable use of legacy renegotiation (dangerous)-no_renegotiation          Disable all renegotiation.-legacy_server_connect     Allow initial connection to servers that don't support RI-no_resumption_on_reneg    Disallow session resumption on renegotiation-no_legacy_server_connect  Disallow initial connection to servers that don't support RI-allow_no_dhe_kex          In TLSv1.3 allow non-(ec)dhe based key exchange on resumption-prioritize_chacha         Prioritize ChaCha ciphers when preferred by clients-strict                    Enforce strict certificate checks as per TLS standard-sigalgs val               Signature algorithms to support (colon-separated list)-client_sigalgs val        Signature algorithms to support for client certificate authentication (colon-separated list)-groups val                Groups to advertise (colon-separated list)-curves val                Groups to advertise (colon-separated list)-named_curve val           Elliptic curve used for ECDHE (server-side only)-cipher val                Specify TLSv1.2 and below cipher list to be used-ciphersuites val          Specify TLSv1.3 ciphersuites to be used-min_protocol val          Specify the minimum protocol version to be used-max_protocol val          Specify the maximum protocol version to be used-record_padding val        Block size to pad TLS 1.3 records to.-debug_broken_protocol     Perform all sorts of protocol violations for testing purposes-no_middlebox              Disable TLSv1.3 middlebox compat mode-policy val                adds policy to the acceptable policy set-purpose val               certificate chain purpose-verify_name val           verification policy name-verify_depth int          chain depth limit-auth_level int            chain authentication security level-attime intmax             verification epoch time-verify_hostname val       expected peer hostname-verify_email val          expected peer email-verify_ip val             expected peer IP address-ignore_critical           permit unhandled critical extensions-issuer_checks             (deprecated)-crl_check                 check leaf certificate revocation-crl_check_all             check full chain revocation-policy_check              perform rfc5280 policy checks-explicit_policy           set policy variable require-explicit-policy-inhibit_any               set policy variable inhibit-any-policy-inhibit_map               set policy variable inhibit-policy-mapping-x509_strict               disable certificate compatibility work-arounds-extended_crl              enable extended CRL features-use_deltas                use delta CRLs-policy_print              print policy processing diagnostics-check_ss_sig              check root CA self-signatures-trusted_first             search trust store first (default)-suiteB_128_only           Suite B 128-bit-only mode-suiteB_128                Suite B 128-bit mode allowing 192-bit algorithms-suiteB_192                Suite B 192-bit-only mode-partial_chain             accept chains anchored by intermediate trust-store CAs-no_alt_chains             (deprecated)-no_check_time             ignore certificate validity time-allow_proxy_certs         allow the use of proxy certificates-xkey infile               key for Extended certificates-xcert infile              cert for Extended certificates-xchain infile             chain for Extended certificates-xchain_build              build certificate chain for the extended certificates-xcertform PEM|DER         format of Extended certificate (PEM or DER) PEM default -xkeyform PEM|DER          format of Extended certificate's key (PEM or DER) PEM default-ssl3                      Just use SSLv3-tls1                      Just use TLSv1-tls1_1                    Just use TLSv1.1-tls1_2                    Just use TLSv1.2-tls1_3                    Just use TLSv1.3-dtls                      Use any version of DTLS-timeout                   Enable send/receive timeout on DTLS connections-mtu +int                  Set the link layer MTU-dtls1                     Just use DTLSv1-dtls1_2                   Just use DTLSv1.2-sctp                      Use SCTP-sctp_label_bug            Enable SCTP label length bug-nbio                      Use non-blocking IO-psk_identity val          PSK identity-psk val                   PSK in hex (without 0x)-psk_session infile        File to read PSK SSL session from-srpuser val               SRP authentication for 'user'-srppass val               Password for 'user'-srp_lateuser              SRP username into second ClientHello message-srp_moregroups            Tolerate other than the known g N values.-srp_strength +int         Minimal length in bits for N-nextprotoneg val          Enable NPN extension, considering named protocols supported (comma-separated list)-engine val                Use engine, possibly a hardware device-ssl_client_engine val     Specify engine to be used for client certificate operations-ct                        Request and parse SCTs (also enables OCSP stapling)-noct                      Do not request or parse SCTs (default)-ctlogfile infile          CT log list CONF file-keylogfile outfile        Write TLS secrets to file-early_data infile         File to send as early data-enable_pha                Enable post-handshake-authentication

使用举例：

openssl s_server -www -accept 8090 -tls1_3 -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A -allow_no_dhe_kex -nocert -no_middlebox -msg -num_tickets 0

openssl s_client -connect localhost:+8090 -tls1_3 -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A -allow_no_dhe_kex -msg -curves P-256

使用心得：

1、使用 -msg 可以打印 openssl 在通信时的 log

2、ecdhe 的相关通信必须加上 -cert 和 -key

3、如果在shell脚本中使用openssl命令，需要加上 -www

4、TLS1.3中，如果需要使用 psk_ke 模式，需要加上 -allow_no_dhe_kex

5、TLS1.3中，openssl 的客户端没有单独选择 psk_ke 的选项，如果没有加上 -allow_no_dhe_kex，默认使用 psk_dhe_ke 模式

6、TLS1.3中，openssl 默认使用中间代理，会在serverHello后跟一个CCS消息，可以加上指令 -no_middlebox 不使用中间代理

7、openssl 默认使用 tickets，可以加上 -num_tickets 0 不使用 tickets

8、如果不想使用证书，可以加上 -nocert

9、使用 ecdhe 时，如果想要指定某一条曲线，可以使用 -curves P-256

10、调试TLS1.3时，如果需要抓包查看报文，可以加上-keylogfile xxx/key.log将建链的密钥保存下来，然后在wireshare-首选项-protocols-Tls中，在(Pre)-Master-Secret log filename一栏将密钥文件填入即可

11、如果需要客户单在建链完成后直接发送数据，可以使用命令：

echo 'HTTP/1.0 200 OK' | openssl s_client -connect localhost:+8090 -port 8090 -tls1_3

openssl 的 tls 命令和相关使用心得相关推荐

加密与解密、OpenSSL(SSL/TLS)、OpenSSH(ssh)、dropbear
下面介绍的是Linux的加密与解密.OpenSSL(SSL/TLS).OpenSSH(ssh).dropbear. 一.数据的加密与解密 1.进程间通信基础 (1).进程间通信方式同一主机间进程间的 ...
用户和组命令及相关配置文件
用户和组命令及相关配置文件目录一.创建用户.组和权限相关命令 1.useradd 帐号建立 2.usermod 用户属性更改 3.Passwd 4.userdel 6.chfn. 7.Chsh 8 ...
【新星计划】Linux命令行相关指令汇总
命令行相关指令汇总-补充ing linux-->terminal ---------------------------------------------------------------- ...
演讲预告：一个月的住院经历，我悟到了哪些和程序员职场发展相关的心得
时间过得很快,一转眼我出院后上班已经快两个月了. 最近有公众号的关注者给我留言,询问一些ABAP开发的细节问题.不巧的是,我八月份返回公司之后,领了新的开发电脑,SAPGUI和ABAP Develop ...
容器编排技术 -- Kubernetes kubectl create secret tls 命令详解
容器编排技术 -- Kubernetes kubectl create secret tls 命令详解 1 create secret tls 2 语法 3 示例 4 Flags create sec ...
仅需5道题轻松掌握Python命令行相关标准库 | Python技能树征题
仅需5道题轻松掌握Python命令行相关标准库 | Python技能树征题 0. 前言 1. 第 1 题:命令行日志记录 2. 第 2 题:将日志存储在磁盘上 3. 第 3 题:命令行参数解析 4. ...
Kafka命令及相关参数解释
Kafka命令及相关参数解释由于kafka是去中心化的架构,,所以需要在每台节点上启动kafka,且依赖于zookeeper,需要先启动zookeeper 启动kafka: kafka-server ...
linux命令——帮助相关命令
linux命令--帮助相关命令文章目录 linux命令--帮助相关命令 1.man命令命令概述: 使用语法: 参数用法: 参考示例: man命令帮助信息的结构以及意义 man命令中常用按键以及用途 ...
空间杜宾模型-多种权重矩阵制作、空间相关性检验、SDM、SEM、SAR模型的命令、相关检验及其结果分析
一.数据介绍数据名称:[stata代码]空间杜宾模型相关检验及结果分析数据说明:包含全面的空间计量步骤--多种权重矩阵制作.空间相关性检验.SDM.SEM.SAR模型的命令.相关检验及其结果分析. ...

openssl 的 tls 命令和相关使用心得

openssl 的 tls 命令和相关使用心得相关推荐

最新文章

热门文章