背景
由于最近openssl的心脏问题,更换了1.0.1g的ssl库,工作上需要使用这个库连接服务器,但是发现更换库之后,对于某些域名的ssl握手就会出现失败的情况。为了找出失败的原因,最后在openssl自带的工具发现可以跟踪握手情况
跟踪网站的ssl端口
1.跟踪不带任何协议参数握手情况
openssl s_client -connect gmail.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEeDCCA2CgAwIBAgIILdHLb3yg3v8wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNTIyMTEyNjU3WhcNMTQwODIwMDAwMDAw
WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
bC5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7il
DvSrk0jlEY0HSNv+7V1LUhUD9r7RUHsFHpkYo5Z+9vD9PJvYuHVbkUPHXMC0XLid
7R5esEf7l1Cn29nBO8swVCgOcd2bn2rVG6N/N0YfBL5Hk11NNrl4BtX9E6TpD1Xp
pUQumwL10Zqk4MF4zhj7VQMeg9eeS4FBWPz7LShcdJt6jfgC2yQ9dk3M/2OVztPt
oOwkGDpmSxzXrFBglJmwjnOKER9GiZHmbp4OjcQQ+0vdoRbOTSrgyIfS22idWLei
1ZLwfqHlcNn+OhLBzT4pTAjFOZBw5ez2+QqxiufY8qiuzT+KOIlKXQn/Nj/YFk2p
TYvJEBolZ6pEVnwm5QIDAQABo4IBQjCCAT4wHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBoGA1UdEQQTMBGCD21haWwuZ29vZ2xlLmNvbTBoBggrBgEFBQcB
AQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5j
cnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3Aw
HQYDVR0OBBYEFJ+aSQdtCR/3p4hwPsDDYjPn6HJTMAwGA1UdEwEB/wQCMAAwHwYD
VR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wFwYDVR0gBBAwDjAMBgorBgEE
AdZ5AgUBMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9H
SUFHMi5jcmwwDQYJKoZIhvcNAQEFBQADggEBAF5N1Dj+Y9k4MjADPH0qEebzd/8+
b2SlsYjGJAn3gsdrkIB+HFwQJ4XjsS6FL8lsJhIqMWO4uw5Kt+hwLc8b6uuWTcx8
Mx6O56YLivdFJ62ki0vxAwpDemjP7ktXwsW4vnjAyUYgO1CGxUlSy0PWYK5lmYJ8
qXwfVKLBRZIXc/6cFYX5QiNZExQeFXzHogGgHtKwRU+yQSnd6mUSBmbCuEydR0hI
ESmCgnYHK48QRxYKOlenuXPeJoMAsuks0dqtAzYFZa0H/jwXSByNQAkwyRmOP62j
s1JIVXxc8V+zEf5Kp655M2VOZ6ihv89XAI5ADDNXFttfbfBVTvDYceb3nyQ=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3741 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: E91F0144E74B2A6E363BBEF57E9366D8B8EEFA6BE0C45BF97079786D08B4DDC4
Session-ID-ctx:
Master-Key: 7751AAA26F0E30F4A4C01468912E41A412684F9D2C422EF15D105375591358B5239045BF361CBB55810F38AE1560AC75
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 92 80 c7 a1 08 8f d6 9f-2f bd 71 73 f7 4f 51 59 ......../.qs.OQY
0010 - 41 8a 03 5d f3 3e 87 df-5b 5e d3 3b 0d 1a eb 65 A..].>..[^.;...e
0020 - 5d de a9 36 24 6e 9a 69-b3 37 87 35 c9 bb 3e a6 ]..6$n.i.7.5..>.
0030 - 63 30 c1 19 10 d5 d9 0d-5c d0 9c 37 6e 47 dc a3 c0......\..7nG..
0040 - 48 40 ce 13 92 8c e9 c5-ed 4b 5a f0 a6 30 fe cc [email protected]..
0050 - b0 b5 23 ac 6c 76 63 63-54 d1 ff 76 e6 28 3d 31 ..#.lvccT..v.(=1
0060 - 7c 08 3b fe f2 bd 93 28-76 6d 01 ba 3a d4 e7 3f |.;....(vm..:..?
0070 - 82 bd 31 cf 4d 3b a6 50-c7 76 0a 92 63 a9 78 b6 ..1.M;.P.v..c.x.
0080 - 8f 19 5f 83 85 84 36 da-be da 87 4c af 80 1a c8 .._...6....L....
0090 - ff 2e 00 8e 11 95 f5 8f-59 b1 cb e1 e7 62 cc 9a ........Y....b..
00a0 - 44 8d 07 1b D...
Start Time: 1401703776
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---connect参数是基本参数,上面的内容会显示服务器证书以及最后采用的握手协议
## 2.跟踪详细的握手过程
可以增加-msg参数
openssl s_client -msg -connect hotmail.com:443
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 0138], ClientHello
01 00 01 34 03 03 d0 c0 d2 37 b7 d5 87 73 29 67
60 15 07 3f 05 3b fe b2 49 89 7e e4 18 60 9d c5
98 d9 b2 21 d2 7f 00 00 9e c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00
6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a c0
26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 12 c0
08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0
2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0 1e 00
a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00 99 00
45 00 44 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00
9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0
02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00
08 00 06 00 03 00 ff 01 00 00 6d 00 0b 00 04 03
00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00
0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00
06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00
01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00
0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05
03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02
02 02 03 00 0f 00 01 01
<<< TLS 1.0 Handshake [length 0051], ServerHello
02 00 00 4d 03 01 53 8c 4e d5 e0 c1 a4 5a a6 d0
90 4f ba b9 39 b1 f0 d9 8f 83 7f 93 a8 06 32 6c
e6 bc 7a 71 33 f4 20 6d 07 00 00 80 44 45 b5 d4
53 9c 88 4c 80 70 f8 a1 fe 48 61 0a 8a b4 db 74
62 c7 6c f4 ea fe 0a 00 2f 00 00 05 ff 01 00 01
00
<<< TLS 1.0 Handshake [length 17be], Certificate
0b 00 17 ba 00 17 b7 00 0c b8 30 82 0c b4 30 82
0b 9c a0 03 02 01 02 02 10 62 cb 44 b9 c9 36 90
......
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washingto
n/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna SNT-DC A May2013/CN=mail.live.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 6227 bytes and written 643 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 6D070000804445B5D4539C884C8070F8A1FE48610A8AB4DB7462C76CF4EAFE0A
Session-ID-ctx:
Master-Key: AEA9E75A6B34444A3B9D10355CFD5F12F75A950E5F51FD1415D8ACB535D9156D0F0A0CBA41C1E9DFD6C0424CFB0B8EC8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1401704135
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
--- 3.openssl s_client的其它可用参数openssl s_client -h
unknown option -h
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-mtu - set the link layer MTU
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
-bugs - Switch on all SSL implementation bug workarounds
-serverpref - Use server's cipher preferences (only SSLv2)
-cipher - preferred cipher to use, use the 'openssl ciphers'
command to see what is availablecipher参数表示客户端与服务器协商加密算法
ssl2,ssl3,tls1,tls1_1,tls1_2 表示只使用哪种协议跟服务器交互
no_*表示禁用使用指定协议跟服务器交互
# 跟踪邮件系统的25端口握手
可以在参数中指定-startls参数
openssl s_client -connect gmail-smtp-in.l.google.com.:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGhDCCBWygAwIBAgIIMl2Cl5h9ULAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMwOTA5MTEzMjM1WhcNMTQwOTA5MTEzMjM1
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQmg0q3
bImRb43P8haKbOdXQfu/70b8bAocDzb6EmbwSxQ26TxkekhyMPV6i+eD/LKuOhOZ
apTlWEF8Wtx+OePmhSNQalHnM6UoOEXt9/2ZpZcMQxTYUI+MWPDMbYnU3HF1j6L8
B81Ien4fvRJkKhORIEkLRtqxo7jxusmw82Ocjjx8WZINBJB5Q5jcX2FKXMZMWj0w
OzfGmIwb/qlrf4nKHOpwZmGbkvqw9xYld+lnYrz/BRYIJ0YQWx7E5kCp4A4ymsDp
Gzagy+UiYVLu4lh8rPOYJa4Ft1spelj/PJ/yb45/oFNSs6P2zBfJaLN95Fa5OmvM
YyvIcKc01slMvKECAwEAAaOCA1AwggNMMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAiYGA1UdEQSCAh0wggIZghJhc3BteC5sLmdvb2dsZS5jb22CF2Fs
dDEuYXNwbXgubC5nb29nbGUuY29tghdhbHQyLmFzcG14LmwuZ29vZ2xlLmNvbYIX
YWx0My5hc3BteC5sLmdvb2dsZS5jb22CF2FsdDQuYXNwbXgubC5nb29nbGUuY29t
ghpnbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWlu
LmwuZ29vZ2xlLmNvbYIfYWx0Mi5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIf
YWx0My5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0NC5nbWFpbC1zbXRw
LWluLmwuZ29vZ2xlLmNvbYIYZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQx
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0Mi5nbXItc210cC1pbi5sLmdv
b2dsZS5jb22CHWFsdDMuZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQ0Lmdt
ci1zbXRwLWluLmwuZ29vZ2xlLmNvbYINbXguZ29vZ2xlLmNvbYIVYXNwbXgyLmdv
b2dsZW1haWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29n
bGVtYWlsLmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQU24ESi+juxG5r5hR9BEYIUDYGXmIwDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkC
BQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAYdeafaH4JBz+Bq+m2P/VKlCLWYhzNHc4
hV+KdqQYVtdUXtwvm3DmLYcoR75Wr8exsA9pN+/WaOLjnZITWAOAy/yce/X/POH2
iWLt2O/EMvclqiKTczTHcmMYAz5UlmUktyZCGwT0WUgyJRL25HfAblVyei0NcthX
XfvCHiCNU19TuaWnTVVv1W4iAMJpvOzOMlGhoKoineHMQF1jbYQLldWlqxgseE55
YDgyneHbRRzmPOxtQwuN7LFKC5EN1+WY/xOp5Es9MJkOjbO5EVaLh+nLR7gwUN3f
4yf37nLIMSyQZ2j/R39yfAhZR50aOwPQDbiCequZoNd1i352lfyHFA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 4485 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: CE3B604D876B1010D655B012FD383C9C06F72932FCD53A3C13272F94EE684ACC
Session-ID-ctx:
Master-Key: 7C72F8BB7FED11F80A1C207CEE447635A8B41859D3C2043705D15E42FB2E5D9315B465B17D564EF2C72A453EDE4630D5
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - de 5b 3b e2 8a 56 28 7d-6b e9 5d 06 be bc 6c c7 .[;..V(}k.]...l.
0010 - 14 5d b1 00 93 bf a5 5a-bb 42 a2 d6 6f fa a6 61 .].....Z.B..o..a
0020 - 83 9d 08 1e 25 27 50 6e-04 5f 43 ac 30 bb e9 c5 ....%'Pn._C.0...
0030 - a2 40 7d f3 e3 0e 8c ff-6f 01 78 73 11 a1 66 e8 .@}.....o.xs..f.
0040 - 57 aa 09 1a d5 c5 a6 af-ba 9e 05 46 e2 34 1a 6d W..........F.4.m
0050 - 70 01 86 c7 e5 d3 ce 32-57 dc 81 86 75 b3 0c e8 p......2W...u...
0060 - f5 75 0e 23 15 ce 42 55-7b ee 9d f9 45 3c 2d 38 .u.#..BU{...E<-8
0070 - b0 07 60 e6 78 05 06 c6-ff a1 90 f1 04 2f 7c 39 ..`.x......../|9
0080 - f2 a6 a7 58 b6 57 bf b0-60 2c ad 59 24 22 ca b1 ...X.W..`,.Y$"..
0090 - 04 6d 35 6b 17 e6 28 f5-28 f7 9d e2 e5 ff 1a 08 .m5k..(.(.......
00a0 - a1 16 e9 79 ...y
Start Time: 1401704720
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING