This is how to check the google.com certificate using openssl.
$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3240 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: EC7CB675C0117DBEC466D0444B91A5FBD81E173E1636E7D0E1DF2E60C4661FD0
Session-ID-ctx:
Master-Key: 849D9BCC56523450185D47C92D70FC782659F53D1369A34636443290801EA3C588B6956244B8D8B00AEC016B331BB060
Key-Arg : None
Start Time: 1451295587
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HTTP/1.0 400 Bad Request
Content-Length: 54
Content-Type: text/html; charset=UTF-8
Date: Mon, 28 Dec 2015 09:39:49 GMT
Server: GFE/2.0
<html><title>Error 400 (Bad Request)!!1</title></html>read:errno=0
After connecting, openssl waits for input, and typing arbitrary text produces a 400 error.
All we want is the certificate information, so put echo in front of the openssl command.
$ echo | openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3240 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 72651A382C87293E8EE016DC08F14D5AEB583C8EC1B327E51C30E0A90CDE1594
Session-ID-ctx:
Master-Key: 140E09B68C0F61DBD4201E9B52A1EB3A60DC49E83E8243DB307AF77ADFF0EACD45182425087A2E287E7B35E98816332C
Key-Arg : None
Start Time: 1451295479
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
This way the output can be captured as text without an interactive session.
$ echo | openssl s_client -connect www.google.com:443 | grep subject
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
To hide the terminal messages that still get through (verify error:num=20:unable to get local issuer certificate, verify return:0, DONE), add 2>/dev/null. openssl writes these lines to stderr, which is why grep does not filter them out.
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null
...
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | grep subject
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
To see which site the certificate was issued for, look at subject; to see which authority issued it, check issuer.
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
To check the certificate's validity period, pipe the output into openssl again to parse it as X.509; -noout keeps the certificate body itself from being printed.
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Dec 10 18:03:47 2015 GMT
notAfter=Mar 9 00:00:00 2016 GMT
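The same pipeline turned into an expiry check, as an added example that is not part of the original post: because 2>/dev/null also hides connection failures, empty output is reported as UNKNOWN instead of passing silently. The function names, the warning threshold, the -servername (SNI) option and the reliance on GNU date are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU date for `date -d`.

# cert_status WARN_DAYS [NOW_EPOCH]
# Reads `openssl x509 -noout -dates` output on stdin and classifies the
# certificate. Exit status: 0 OK, 1 expiring soon, 2 expired, 3 unknown.
cert_status() {
    local warn_days now not_after end left
    warn_days="$1"
    now="${2:-$(date +%s)}"
    not_after=$(sed -n 's/^notAfter=//p' | head -n 1)
    # With 2>/dev/null a failed handshake yields no output at all, so an
    # empty result must count as a failure, not as "nothing to report".
    if [ -z "$not_after" ]; then echo "UNKNOWN no notAfter line"; return 3; fi
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || {
        echo "UNKNOWN unparsable date"; return 3; }
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED $not_after"; return 2
    elif [ "$left" -lt $(( warn_days * 86400 )) ]; then
        echo "WARN $(( left / 86400 )) days left"; return 1
    fi
    echo "OK $(( left / 86400 )) days left"
}

# check_host HOST [PORT] [WARN_DAYS]: the page's pipeline against a live
# server. -servername sends SNI so the server selects the right certificate.
check_host() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -dates 2>/dev/null \
        | cert_status "${3:-30}"
}

# Offline demonstration: dates copied from the page's output, evaluated at
# the page's "Start Time" (1451295587 = 2015-12-28 09:39:47 UTC).
SAMPLE_DATES='notBefore=Dec 10 18:03:47 2015 GMT
notAfter=Mar 9 00:00:00 2016 GMT'
printf '%s\n' "$SAMPLE_DATES" | cert_status 30 1451295587
```

For a live check, call check_host www.google.com 443 30 and act on the exit status.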