openssl 을 이용해서 google.com 인증서를 확인하는 방법이다.


$ openssl s_client -connect www.google.com:443

CONNECTED(00000003)

depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

verify error:num=20:unable to get local issuer certificate

verify return:0

---

Certificate chain

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

   i:/C=US/O=Google Inc/CN=Google Internet Authority G2

 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2

   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIEgDCCA2igAwIBAgIITq9JKLrGf5EwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE

BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl

cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMjEwMTgwMzQ3WhcNMTYwMzA5MDAwMDAw

WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN

TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3

Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVwcpO

O/ntr0YcvEwMII6pb6oKH0kZjFfRCUEJM7PvWg08qULwfN8Z/HeeXQRec4YmpQxt

0u2R7X7qVMrAnzOQCtWsa951+SlzuRXaLaDcC0P/sT6KD2xnyFTVF9/Oq3k44wap

QooOYLQleHru6Fi3UYJM2xLq8jKXSotaOhYEjY/6/vMvZVQVaczfMsu8FZPL22qa

gVwbEca2maC8DT9oEjVlpiiiMRU4QnzSNuD/rssklqUXuRs+MDQPjkrh0VzzYgOo

jHvrxttFPHFUrmMGVWkKiPgwIK3f8fI6Ao2U4HUKEc5+bngQubg5YkLdkxBSPNSc

Bfff9IspCu/V0t4rAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI

KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE

XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0

MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G

A1UdDgQWBBTRV+KjkFiVN5eQP1h1Fz4F4rTwbzAMBgNVHRMBAf8EAjAAMB8GA1Ud

IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW

eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n

bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAQr4lzcjyBQZ5fn/Z

drUDqpN4fx8Sa6hafoGVOfWMktt003x8ylXb3Pxhgw27f6wiFFRXlX85a2F0/AnC

eoV23mHmV6/0mOwocVYt/Th96WNGGmhANkFW//HCphRWnhaOqIG6yFRQ/jxArTvZ

QJEGI5AiYHzQn7LdUM8mH1o3ifR+lX+QiAwyeU9oegdlRslI2KMoPOuOFj329NFx

Bw+XVQXMsRJITPg8pnegPmLCOjpz8y7pBxbxGnfaI66I8X4dArsaXX4r5mkfhk2e

mm7fxQ8qUaW9mKoW0XvwGxU0AwKI8OopuXHoD97vr2GSK0QNZ19A96mtTWnQ2cu2

i9qjGw==

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

---

No client certificate CA names sent

---

SSL handshake has read 3240 bytes and written 456 bytes

---

New, TLSv1/SSLv3, Cipher is AES128-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : AES128-SHA

    Session-ID: EC7CB675C0117DBEC466D0444B91A5FBD81E173E1636E7D0E1DF2E60C4661FD0

    Session-ID-ctx:

    Master-Key: 849D9BCC56523450185D47C92D70FC782659F53D1369A34636443290801EA3C588B6956244B8D8B00AEC016B331BB060

    Key-Arg   : None

    Start Time: 1451295587

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---


HTTP/1.0 400 Bad Request

Content-Length: 54

Content-Type: text/html; charset=UTF-8

Date: Mon, 28 Dec 2015 09:39:49 GMT

Server: GFE/2.0


<html><title>Error 400 (Bad Request)!!1</title></html>read:errno=0



open ssl 요청을 하면 정보를 받으려 하는데, 대충 넣으면 400에러가 발생한다. 



원하는 것은 인증서 정보이니. echo를 open ssl 명령 앞에 사용한다.



$ echo | openssl s_client -connect www.google.com:443


CONNECTED(00000003)

depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

verify error:num=20:unable to get local issuer certificate

verify return:0

---

Certificate chain

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

   i:/C=US/O=Google Inc/CN=Google Internet Authority G2

 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2

   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIEgDCCA2igAwIBAgIITq9JKLrGf5EwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE

BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl

cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMjEwMTgwMzQ3WhcNMTYwMzA5MDAwMDAw

WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN

TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3

Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVwcpO

O/ntr0YcvEwMII6pb6oKH0kZjFfRCUEJM7PvWg08qULwfN8Z/HeeXQRec4YmpQxt

0u2R7X7qVMrAnzOQCtWsa951+SlzuRXaLaDcC0P/sT6KD2xnyFTVF9/Oq3k44wap

QooOYLQleHru6Fi3UYJM2xLq8jKXSotaOhYEjY/6/vMvZVQVaczfMsu8FZPL22qa

gVwbEca2maC8DT9oEjVlpiiiMRU4QnzSNuD/rssklqUXuRs+MDQPjkrh0VzzYgOo

jHvrxttFPHFUrmMGVWkKiPgwIK3f8fI6Ao2U4HUKEc5+bngQubg5YkLdkxBSPNSc

Bfff9IspCu/V0t4rAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI

KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE

XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0

MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G

A1UdDgQWBBTRV+KjkFiVN5eQP1h1Fz4F4rTwbzAMBgNVHRMBAf8EAjAAMB8GA1Ud

IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW

eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n

bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAQr4lzcjyBQZ5fn/Z

drUDqpN4fx8Sa6hafoGVOfWMktt003x8ylXb3Pxhgw27f6wiFFRXlX85a2F0/AnC

eoV23mHmV6/0mOwocVYt/Th96WNGGmhANkFW//HCphRWnhaOqIG6yFRQ/jxArTvZ

QJEGI5AiYHzQn7LdUM8mH1o3ifR+lX+QiAwyeU9oegdlRslI2KMoPOuOFj329NFx

Bw+XVQXMsRJITPg8pnegPmLCOjpz8y7pBxbxGnfaI66I8X4dArsaXX4r5mkfhk2e

mm7fxQ8qUaW9mKoW0XvwGxU0AwKI8OopuXHoD97vr2GSK0QNZ19A96mtTWnQ2cu2

i9qjGw==

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

---

No client certificate CA names sent

---

SSL handshake has read 3240 bytes and written 456 bytes

---

New, TLSv1/SSLv3, Cipher is AES128-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : AES128-SHA

    Session-ID: 72651A382C87293E8EE016DC08F14D5AEB583C8EC1B327E51C30E0A90CDE1594

    Session-ID-ctx:

    Master-Key: 140E09B68C0F61DBD4201E9B52A1EB3A60DC49E83E8243DB307AF77ADFF0EACD45182425087A2E287E7B35E98816332C

    Key-Arg   : None

    Start Time: 1451295479

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

DONE


interactive없이 문자열을 받을 수 있다. 




$ echo | openssl s_client -connect www.google.com:443 | grep subject

depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

verify error:num=20:unable to get local issuer certificate

verify return:0

DONE

subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com



그리고, 여기에 터미널 출력(verify error:num=20:unable to get local issuer certificate

verify return:0, DONE)을 안보이게 하기 위해 아웃풋 출력을 안보이게 2>/dev/null을 추가한다. 



$ echo | openssl s_client -connect www.google.com:443 2>/dev/null

...



$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | grep subject

subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com




어느 싸이트에 대해서 인증서를 발급했는지 알려면 subject를 보고, 어느 기관에서 발행했는지 보려면 issuer를 확인한다.


subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2



SSL인증 시간을 확인하려면, openssl을 다시 사용하여 x509 형태로 파싱하여 certificate 내용을 보이지 않도록 한다.


$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | openssl x509 -noout -dates

notBefore=Dec 10 18:03:47 2015 GMT

notAfter=Mar  9 00:00:00 2016 GMT




Posted by '김용환'
,