openssl 的 tls 命令和相关使用心得
声明:本文基于 openssl 1.1.1f 版本
服务端:
Usage: s_server [options]
Valid options are:-help Display this summary-port +int TCP/IP port to listen on for connections (default is 4433)-accept val TCP/IP optional host and port to listen on for connections (default is *:4433)-unix val Unix domain socket to accept on-4 Use IPv4 only-6 Use IPv6 only-unlink For -unix, unlink existing socket first-context val Set session ID context-verify int Turn on peer certificate verification-Verify int Turn on peer certificate verification, must have a cert-cert infile Certificate file to use; default is server.pem-nameopt val Various certificate name options-naccept +int Terminate after #num connections-serverinfo val PEM serverinfo file for certificate-certform PEM|DER Certificate format (PEM or DER) PEM default-key val Private Key if not in -cert; default is server.pem-keyform format Key format (PEM, DER or ENGINE) PEM default-pass val Private key file pass phrase source-dcert infile Second certificate file to use (usually for DSA)-dhparam infile DH parameters file to use-dcertform PEM|DER Second certificate format (PEM or DER) PEM default-dkey infile Second private key file to use (usually for DSA)-dkeyform PEM|DER Second key format (PEM, DER or ENGINE) PEM default-dpass val Second private key file pass phrase source-nbio_test Test with the non-blocking test bio-crlf Convert LF from terminal into CRLF-debug Print more output-msg Show protocol messages-msgfile outfile File to send output of -msg or -trace, instead of stdout-state Print the SSL states-CAfile infile PEM format file of CA's-CApath dir PEM format directory of CA's-no-CAfile Do not load the default certificates file-no-CApath Do not load certificates from the default certificates directory-nocert Don't use any certificates (Anon-DH)-quiet No server output-no_resume_ephemeral Disable caching and tickets if ephemeral (EC)DH is used-www Respond to a 'GET /' with a status page-WWW Respond to a 'GET with the file ./path-servername val Servername for HostName TLS extension-servername_fatal mismatch send fatal alert (default warning alert)-cert2 infile Certificate file to use for servername; default isserver2.pem-key2 infile -Private Key file to use for servername if not in -cert2-tlsextdebug Hex dump of all TLS extensions received-HTTP Like -WWW but ./path includes HTTP headers-id_prefix val Generate SSL/TLS session IDs prefixed by arg-rand val Load the file(s) into the random number generator-writerand outfile Write random data to the specified file-keymatexport val Export keying material using label-keymatexportlen +int Export len bytes of keying material (default 20)-CRL infile CRL file to use-crl_download Download CRL from distribution points-cert_chain infile certificate chain file in PEM format-dcert_chain infile second certificate chain file in PEM format-chainCApath dir use dir as certificate store path to build CA certificate chain-verifyCApath dir use dir as certificate store path to verify CA certificate-no_cache Disable session cache-ext_cache Disable internal cache, setup and use external cache-CRLform PEM|DER CRL format (PEM or DER) PEM is default-verify_return_error Close connection on verification error-verify_quiet No verify output except verify errors-build_chain Build certificate chain-chainCAfile infile CA file for certificate chain (PEM format)-verifyCAfile infile CA file for certificate verification (PEM format)-ign_eof ignore input eof (default when -quiet)-no_ign_eof Do not ignore input eof-status Request certificate status from server-status_verbose Print more output in certificate status callback-status_timeout int Status request responder timeout-status_url val Status request fallback URL-status_file infile File containing DER encoded OCSP Response-security_debug Print output from SSL/TLS security framework-security_debug_verbose Print more output from SSL/TLS security framework-brief Restrict output to brief summary of connection parameters-rev act as a simple test server which just sends back with the received text reversed-async Operate in asynchronous mode-ssl_config val Configure SSL_CTX using the configuration 'val'-max_send_frag +int Maximum Size of send frames -split_send_frag +int Size used to split data for encrypt pipelines-max_pipelines +int Maximum number of encrypt/decrypt pipelines to be used-read_buf +int Default read buffer size to be used for connections-no_ssl3 Just disable SSLv3-no_tls1 Just disable TLSv1-no_tls1_1 Just disable TLSv1.1-no_tls1_2 Just disable TLSv1.2-no_tls1_3 Just disable TLSv1.3-bugs Turn on SSL bug compatibility-no_comp Disable SSL/TLS compression (default)-comp Use SSL/TLS-level compression-no_ticket Disable use of TLS session tickets-serverpref Use server's cipher preferences-legacy_renegotiation Enable use of legacy renegotiation (dangerous)-no_renegotiation Disable all renegotiation.-legacy_server_connect Allow initial connection to servers that don't support RI-no_resumption_on_reneg Disallow session resumption on renegotiation-no_legacy_server_connect Disallow initial connection to servers that don't support RI-allow_no_dhe_kex In TLSv1.3 allow non-(ec)dhe based key exchange on resumption-prioritize_chacha Prioritize ChaCha ciphers when preferred by clients-strict Enforce strict certificate checks as per TLS standard-sigalgs val Signature algorithms to support (colon-separated list)-client_sigalgs val Signature algorithms to support for client certificate authentication (colon-separated list)-groups val Groups to advertise (colon-separated list)-curves val Groups to advertise (colon-separated list)-named_curve val Elliptic curve used for ECDHE (server-side only)-cipher val Specify TLSv1.2 and below cipher list to be used-ciphersuites val Specify TLSv1.3 ciphersuites to be used-min_protocol val Specify the minimum protocol version to be used-max_protocol val Specify the maximum protocol version to be used-record_padding val Block size to pad TLS 1.3 records to.-debug_broken_protocol Perform all sorts of protocol violations for testing purposes-no_middlebox Disable TLSv1.3 middlebox compat mode-policy val adds policy to the acceptable policy set-purpose val certificate chain purpose-verify_name val verification policy name-verify_depth int chain depth limit-auth_level int chain authentication security level-attime intmax verification epoch time-verify_hostname val expected peer hostname-verify_email val expected peer email-verify_ip val expected peer IP address-ignore_critical permit unhandled critical extensions-issuer_checks (deprecated)-crl_check check leaf certificate revocation-crl_check_all check full chain revocation-policy_check perform rfc5280 policy checks-explicit_policy set policy variable require-explicit-policy-inhibit_any set policy variable inhibit-any-policy-inhibit_map set policy variable inhibit-policy-mapping-x509_strict disable certificate compatibility work-arounds-extended_crl enable extended CRL features-use_deltas use delta CRLs-policy_print print policy processing diagnostics-check_ss_sig check root CA self-signatures-trusted_first search trust store first (default)-suiteB_128_only Suite B 128-bit-only mode-suiteB_128 Suite B 128-bit mode allowing 192-bit algorithms-suiteB_192 Suite B 192-bit-only mode-partial_chain accept chains anchored by intermediate trust-store CAs-no_alt_chains (deprecated)-no_check_time ignore certificate validity time-allow_proxy_certs allow the use of proxy certificates-xkey infile key for Extended certificates-xcert infile cert for Extended certificates-xchain infile chain for Extended certificates-xchain_build build certificate chain for the extended certificates-xcertform PEM|DER format of Extended certificate (PEM or DER) PEM default -xkeyform PEM|DER format of Extended certificate's key (PEM or DER) PEM default-nbio Use non-blocking IO-psk_identity val PSK identity to expect-psk_hint val PSK identity hint to use-psk val PSK in hex (without 0x)-psk_session infile File to read PSK SSL session from-srpvfile infile The verifier file for SRP-srpuserseed val A seed string for a default user salt-ssl3 Just talk SSLv3-tls1 Just talk TLSv1-tls1_1 Just talk TLSv1.1-tls1_2 just talk TLSv1.2-tls1_3 just talk TLSv1.3-dtls Use any DTLS version-timeout Enable timeouts-mtu +int Set link layer MTU-listen Listen for a DTLS ClientHello with a cookie and then connect-stateless Require TLSv1.3 cookies-dtls1 Just talk DTLSv1-dtls1_2 Just talk DTLSv1.2-sctp Use SCTP-sctp_label_bug Enable SCTP label length bug-no_dhe Disable ephemeral DH-nextprotoneg val Set the advertised protocols for the NPN extension (comma-separated list)-use_srtp val Offer SRTP key management with a colon-separated profile list-alpn val Set the advertised protocols for the ALPN extension (comma-separated list)-engine val Use engine, possibly a hardware device-keylogfile outfile Write TLS secrets to file-max_early_data int The maximum number of bytes of early data as advertised in tickets-recv_max_early_data int The maximum number of bytes of early data (hard limit)-early_data Attempt to read early data-num_tickets int The number of TLSv1.3 session tickets that a server will automatically issue-anti_replay Switch on anti-replay protection (default)-no_anti_replay Switch off anti-replay protection
客户端:
Usage: s_client [options]
Valid options are:-help Display this summary-host val Use -connect instead-port +int Use -connect instead-connect val TCP/IP where to connect (default is :4433)-bind val bind local address for connection-proxy val Connect to via specified proxy to the real server-unix val Connect over the specified Unix-domain socket-4 Use IPv4 only-6 Use IPv6 only-verify +int Turn on peer certificate verification-cert infile Certificate file to use, PEM format assumed-certform PEM|DER Certificate format (PEM or DER) PEM default-nameopt val Various certificate name options-key val Private key file to use, if not in -cert file-keyform PEM|DER|ENGINE Key format (PEM, DER or engine) PEM default-pass val Private key file pass phrase source-CApath dir PEM format directory of CA's-CAfile infile PEM format file of CA's-no-CAfile Do not load the default certificates file-no-CApath Do not load certificates from the default certificates directory-requestCAfile infile PEM format file of CA names to send to the server-dane_tlsa_domain val DANE TLSA base domain-dane_tlsa_rrdata val DANE TLSA rrdata presentation form-dane_ee_no_namechecks Disable name checks when matching DANE-EE(3) TLSA records-reconnect Drop and re-make the connection with the same Session-ID-showcerts Show all certificates sent by the server-debug Extra output-msg Show protocol messages-msgfile outfile File to send output of -msg or -trace, instead of stdout-nbio_test More ssl protocol testing-state Print the ssl states-crlf Convert LF from terminal into CRLF-quiet No s_client output-ign_eof Ignore input eof (default when -quiet)-no_ign_eof Don't ignore input eof-starttls val Use the appropriate STARTTLS command before starting TLS-xmpphost val Alias of -name option for "-starttls xmpp[-server]"-rand val Load the file(s) into the random number generator-writerand outfile Write random data to the specified file-sess_out outfile File to write SSL session to-sess_in infile File to read SSL session from-use_srtp val Offer SRTP key management with a colon-separated profile list-keymatexport val Export keying material using label-keymatexportlen +int Export len bytes of keying material (default 20)-maxfraglen +int Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)-fallback_scsv Send the fallback SCSV-name val Hostname to use for "-starttls lmtp", "-starttls smtp" or "-starttls xmpp[-server]"-CRL infile CRL file to use-crl_download Download CRL from distribution points-CRLform PEM|DER CRL format (PEM or DER) PEM is default-verify_return_error Close connection on verification error-verify_quiet Restrict verify output to errors-brief Restrict output to brief summary of connection parameters-prexit Print session information when the program exits-security_debug Enable security debug messages-security_debug_verbose Output more security debug output-cert_chain infile Certificate chain file (in PEM format)-chainCApath dir Use dir as certificate store path to build CA certificate chain-verifyCApath dir Use dir as certificate store path to verify CA certificate-build_chain Build certificate chain-chainCAfile infile CA file for certificate chain (PEM format)-verifyCAfile infile CA file for certificate verification (PEM format)-nocommands Do not use interactive command letters-servername val Set TLS extension servername (SNI) in ClientHello (default)-noservername Do not send the server name (SNI) extension in the ClientHello-tlsextdebug Hex dump of all TLS extensions received-status Request certificate status from server-serverinfo val types Send empty ClientHello extensions (comma-separated numbers)-alpn val Enable ALPN extension, considering named protocols supported (comma-separated list)-async Support asynchronous operation-ssl_config val Use specified configuration file-max_send_frag +int Maximum Size of send frames -split_send_frag +int Size used to split data for encrypt pipelines-max_pipelines +int Maximum number of encrypt/decrypt pipelines to be used-read_buf +int Default read buffer size to be used for connections-no_ssl3 Just disable SSLv3-no_tls1 Just disable TLSv1-no_tls1_1 Just disable TLSv1.1-no_tls1_2 Just disable TLSv1.2-no_tls1_3 Just disable TLSv1.3-bugs Turn on SSL bug compatibility-no_comp Disable SSL/TLS compression (default)-comp Use SSL/TLS-level compression-no_ticket Disable use of TLS session tickets-serverpref Use server's cipher preferences-legacy_renegotiation Enable use of legacy renegotiation (dangerous)-no_renegotiation Disable all renegotiation.-legacy_server_connect Allow initial connection to servers that don't support RI-no_resumption_on_reneg Disallow session resumption on renegotiation-no_legacy_server_connect Disallow initial connection to servers that don't support RI-allow_no_dhe_kex In TLSv1.3 allow non-(ec)dhe based key exchange on resumption-prioritize_chacha Prioritize ChaCha ciphers when preferred by clients-strict Enforce strict certificate checks as per TLS standard-sigalgs val Signature algorithms to support (colon-separated list)-client_sigalgs val Signature algorithms to support for client certificate authentication (colon-separated list)-groups val Groups to advertise (colon-separated list)-curves val Groups to advertise (colon-separated list)-named_curve val Elliptic curve used for ECDHE (server-side only)-cipher val Specify TLSv1.2 and below cipher list to be used-ciphersuites val Specify TLSv1.3 ciphersuites to be used-min_protocol val Specify the minimum protocol version to be used-max_protocol val Specify the maximum protocol version to be used-record_padding val Block size to pad TLS 1.3 records to.-debug_broken_protocol Perform all sorts of protocol violations for testing purposes-no_middlebox Disable TLSv1.3 middlebox compat mode-policy val adds policy to the acceptable policy set-purpose val certificate chain purpose-verify_name val verification policy name-verify_depth int chain depth limit-auth_level int chain authentication security level-attime intmax verification epoch time-verify_hostname val expected peer hostname-verify_email val expected peer email-verify_ip val expected peer IP address-ignore_critical permit unhandled critical extensions-issuer_checks (deprecated)-crl_check check leaf certificate revocation-crl_check_all check full chain revocation-policy_check perform rfc5280 policy checks-explicit_policy set policy variable require-explicit-policy-inhibit_any set policy variable inhibit-any-policy-inhibit_map set policy variable inhibit-policy-mapping-x509_strict disable certificate compatibility work-arounds-extended_crl enable extended CRL features-use_deltas use delta CRLs-policy_print print policy processing diagnostics-check_ss_sig check root CA self-signatures-trusted_first search trust store first (default)-suiteB_128_only Suite B 128-bit-only mode-suiteB_128 Suite B 128-bit mode allowing 192-bit algorithms-suiteB_192 Suite B 192-bit-only mode-partial_chain accept chains anchored by intermediate trust-store CAs-no_alt_chains (deprecated)-no_check_time ignore certificate validity time-allow_proxy_certs allow the use of proxy certificates-xkey infile key for Extended certificates-xcert infile cert for Extended certificates-xchain infile chain for Extended certificates-xchain_build build certificate chain for the extended certificates-xcertform PEM|DER format of Extended certificate (PEM or DER) PEM default -xkeyform PEM|DER format of Extended certificate's key (PEM or DER) PEM default-ssl3 Just use SSLv3-tls1 Just use TLSv1-tls1_1 Just use TLSv1.1-tls1_2 Just use TLSv1.2-tls1_3 Just use TLSv1.3-dtls Use any version of DTLS-timeout Enable send/receive timeout on DTLS connections-mtu +int Set the link layer MTU-dtls1 Just use DTLSv1-dtls1_2 Just use DTLSv1.2-sctp Use SCTP-sctp_label_bug Enable SCTP label length bug-nbio Use non-blocking IO-psk_identity val PSK identity-psk val PSK in hex (without 0x)-psk_session infile File to read PSK SSL session from-srpuser val SRP authentication for 'user'-srppass val Password for 'user'-srp_lateuser SRP username into second ClientHello message-srp_moregroups Tolerate other than the known g N values.-srp_strength +int Minimal length in bits for N-nextprotoneg val Enable NPN extension, considering named protocols supported (comma-separated list)-engine val Use engine, possibly a hardware device-ssl_client_engine val Specify engine to be used for client certificate operations-ct Request and parse SCTs (also enables OCSP stapling)-noct Do not request or parse SCTs (default)-ctlogfile infile CT log list CONF file-keylogfile outfile Write TLS secrets to file-early_data infile File to send as early data-enable_pha Enable post-handshake-authentication
使用举例:
openssl s_server -www -accept 8090 -tls1_3 -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A -allow_no_dhe_kex -nocert -no_middlebox -msg -num_tickets 0
openssl s_client -connect localhost:+8090 -tls1_3 -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A -allow_no_dhe_kex -msg -curves P-256
使用心得:
1、使用 -msg 可以打印 openssl 在通信时的 log
2、ecdhe 的相关通信必须加上 -cert 和 -key
3、如果在shell脚本中使用openssl命令,需要加上 -www
4、TLS1.3中,如果需要使用 psk_ke 模式,需要加上 -allow_no_dhe_kex
5、TLS1.3中,openssl 的客户端没有单独选择 psk_ke 的选项,如果没有加上 -allow_no_dhe_kex,默认使用 psk_dhe_ke 模式
6、TLS1.3中,openssl 默认使用中间代理,会在serverHello后跟一个CCS消息,可以加上指令 -no_middlebox 不使用中间代理
7、openssl 默认使用 tickets,可以加上 -num_tickets 0 不使用 tickets
8、如果不想使用证书,可以加上 -nocert
9、使用 ecdhe 时,如果想要指定某一条曲线,可以使用 -curves P-256
10、调试TLS1.3时,如果需要抓包查看报文,可以加上-keylogfile xxx/key.log将建链的密钥保存下来,然后在wireshare-首选项-protocols-Tls中,在(Pre)-Master-Secret log filename一栏将密钥文件填入即可
11、如果需要客户单在建链完成后直接发送数据,可以使用命令:
echo 'HTTP/1.0 200 OK' | openssl s_client -connect localhost:+8090 -port 8090 -tls1_3
openssl 的 tls 命令和相关使用心得相关推荐
- 加密与解密、OpenSSL(SSL/TLS)、OpenSSH(ssh)、dropbear
下面介绍的是Linux的加密与解密.OpenSSL(SSL/TLS).OpenSSH(ssh).dropbear. 一.数据的加密与解密 1.进程间通信基础 (1).进程间通信方式 同一主机间进程间的 ...
- 用户和组命令及相关配置文件
用户和组命令及相关配置文件 目录 一.创建用户.组和权限相关命令 1.useradd 帐号建立 2.usermod 用户属性更改 3.Passwd 4.userdel 6.chfn. 7.Chsh 8 ...
- 【新星计划】Linux命令行相关指令汇总
命令行相关指令汇总-补充ing linux-->terminal ---------------------------------------------------------------- ...
- 演讲预告:一个月的住院经历,我悟到了哪些和程序员职场发展相关的心得
时间过得很快,一转眼我出院后上班已经快两个月了. 最近有公众号的关注者给我留言,询问一些ABAP开发的细节问题.不巧的是,我八月份返回公司之后,领了新的开发电脑,SAPGUI和ABAP Develop ...
- 容器编排技术 -- Kubernetes kubectl create secret tls 命令详解
容器编排技术 -- Kubernetes kubectl create secret tls 命令详解 1 create secret tls 2 语法 3 示例 4 Flags create sec ...
- 仅需5道题轻松掌握Python命令行相关标准库 | Python技能树征题
仅需5道题轻松掌握Python命令行相关标准库 | Python技能树征题 0. 前言 1. 第 1 题:命令行日志记录 2. 第 2 题:将日志存储在磁盘上 3. 第 3 题:命令行参数解析 4. ...
- Kafka命令及相关参数解释
Kafka命令及相关参数解释 由于kafka是去中心化的架构,,所以需要在每台节点上启动kafka,且依赖于zookeeper,需要先启动zookeeper 启动kafka: kafka-server ...
- linux命令——帮助相关命令
linux命令--帮助相关命令 文章目录 linux命令--帮助相关命令 1.man命令 命令概述: 使用语法: 参数用法: 参考示例: man命令帮助信息的结构以及意义 man命令中常用按键以及用途 ...
- 空间杜宾模型-多种权重矩阵制作、空间相关性检验、SDM、SEM、SAR模型的命令、相关检验及其结果分析
一.数据介绍 数据名称:[stata代码]空间杜宾模型相关检验及结果分析 数据说明:包含全面的空间计量步骤--多种权重矩阵制作.空间相关性检验.SDM.SEM.SAR模型的命令.相关检验及其结果分析. ...
最新文章
- 内存接口芯片,服务器平台,PCIe 芯片
- Linux内核之话说进程
- Parameter-Efficient Fine-tuning 相关工作梳理
- flex与java间用json传输数据,如何在Java中使用flexjson通过@JSON注释控制序列化?
- ManagedObject this[oPropertyInfo._sMutator](oValue);
- python的for语句写新的字符串_python写for循环python字符串排序方法
- 计算机考试用远程桌面,职称计算机考试:教你体验XP远程桌面多用户登录
- fluent python 第二版_Fluent Python 笔记(二):序列基础
- TypeScript--函数
- gtest linux 性能测试,Linux下Gtest的安装与使用
- deal.II链接PETSc过程记录
- 「陶哲軒實分析」 習題 3.4.4
- You have an error in your SQL syntax.....for the right syntax to use near 'describe
- 存用部首查字典如何查_SCI文献阅读技巧:3位博士总结如何看文献,干货满满!...
- 为什么训练时测试准确率大幅度波动_Nature Mach Intell|类药性预测准确率有极限...
- 通达信资金净流入公式_资金净流入(通达信)公式
- 杰里之1T8 烧写器使用文档【篇】
- UE4 设置Play下的默认相机FOV(Field Of View)视角
- Linux 复制、粘贴快捷键
- offsetof宏的模拟实现
热门文章
- 解决 操作必须使用一个可更新的查询的错误
- 计算机财务管理技术pdf,计算机财务管理技术在财务管理方面的应用研究.pdf
- 剖析cmwap和cmnet接入点区别和应用
- 2022-2027年中国农村网络零售行业市场深度分析及投资战略规划报告
- 2020年广东工业大学第十届文远知行杯新生程序设计竞赛(同步赛)G- 排解忧伤
- 给孩子们的美术史(1)-艺术的起源
- SEO外链策略之链接诱饵的制作需知
- linux怎么用ping通测试连接,ping网络是否连通的步骤_使用ping命令检查网络连通性的方法-系统城...
- Linux服务器:Linux中VMware虚拟机硬盘空间扩大方法
- 机械键盘按键不灵敏怎么办、机械键盘按键坏了怎么办、维修机械键盘