To inspect the TLS (SSL) handshake with OpenSSL, use the s_client subcommand:

```
openssl s_client -connect example.com:443 -servername example.com
```

Replace example.com with the hostname or IP address of the server whose handshake you want to inspect, and 443 with the port if the service runs on a non-standard one. -servername sets the SNI extension. Recent OpenSSL releases send it automatically for a hostname given to -connect, but pass it explicitly on older releases, or when you connect by IP address and want the certificate for a particular name; otherwise a server hosting several names may answer with a default certificate instead of the one you mean to examine.

The command starts an OpenSSL client that connects to the given server and port, completes the handshake, and prints a summary: the certificate chain the server sent, the result of chain verification, the negotiated protocol version and cipher suite, and the key-exchange parameters. Further flags expose more detail: -msg prints each handshake message, -debug dumps every record as a hex dump, -state traces the TLS state machine, and -showcerts prints every certificate in the chain in PEM form. After the handshake the client waits on stdin; type Q on a line of its own (or redirect stdin from /dev/null in scripts) to close the session.
For example, running the command may produce output like the following (a certificate issued by Let's Encrypt, with the local trust store unable to supply the issuer):

```
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=27:certificate not trusted
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEb9zLjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
...
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3544 bytes and written 434 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
```

In this example we can see the server certificate in full, the negotiated cipher suite (TLS_AES_256_GCM_SHA384), the protocol version (TLSv1.3, on the "New," line) and the key-exchange parameters (an ephemeral X25519 key, on the "Server Temp Key" line). The "Secure Renegotiation IS NOT supported" line is expected here: TLS 1.3 removed renegotiation altogether.

The lines to read most carefully are the verify lines at the top and the final "Verify return code". Here the code is 20 (unable to get local issuer certificate): s_client could not find the issuing CA in its trust store, so it could not build a trusted chain. s_client completes the handshake and prints the summary anyway, so a successful connection says nothing about whether the certificate is trustworthy; only "Verify return code: 0 (ok)" does. To verify against a specific trust store, add -CAfile or -CApath; to have the certificate's name checked against the host as well, add -verify_hostname example.com.
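The following shell script is an added example, not part of the original page, showing how to use s_client from a script rather than by reading the summary by eye. It parses the "New, ..." and "Verify return code" lines, refuses anything below TLS 1.2 or with a non-zero verify code, and is exercised against a constructed sample modelled on the output above. The function names (tls_probe, tls_summary, tls_check) are this example's own, and tls_probe assumes openssl is on PATH; it needs network access and is not run by the offline checks.

```shell
#!/bin/sh
# Added example (not from the original page): script-friendly wrapper around
# openssl s_client plus a parser for the summary it prints.

# Run a handshake against HOST [PORT], sending SNI explicitly and closing stdin
# so s_client exits after the handshake. Assumes openssl is on PATH. stderr is
# merged because the "verify error" lines are written there.
tls_probe() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>&1
}

# Read an s_client summary on stdin and print "PROTOCOL CIPHER VERIFY_CODE".
# Protocol and cipher come from the "New, TLSv1.3, Cipher is ..." line,
# the code from "Verify return code: N (...)".
tls_summary() {
  awk '
    /^New, / {
      sub(/^New, /, "")
      split($0, part, ", Cipher is ")
      proto = part[1]; cipher = part[2]
    }
    /^Verify return code:/ { code = $4 }
    END { print proto, cipher, code }
  '
}

# Read an s_client summary on stdin; succeed only when the chain verified
# (code 0) and the protocol is TLS 1.2 or 1.3. Returns 2 for a weak or
# unrecognised protocol and 1 for a verification failure, so callers can
# tell the two apart.
tls_check() {
  set -- $(tls_summary)
  proto=$1; cipher=$2; code=$3
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "weak or unknown protocol: '$proto'" >&2; return 2 ;;
  esac
  if [ "$code" != "0" ]; then
    echo "certificate verification failed: code $code ($proto $cipher)" >&2
    return 1
  fi
  echo "ok: $proto $cipher"
}

# Constructed sample of an s_client summary, modelled on the page's output,
# so the parser and policy check can be exercised without network access.
SAMPLE_OUTPUT='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Verify return code: 20 (unable to get local issuer certificate)
---'

# Live usage would be:  tls_probe example.com 443 | tls_check
# Against the constructed sample the check fails with status 1, exactly as
# it should for the page's output, since the chain did not verify.
printf '%s\n' "$SAMPLE_OUTPUT" | tls_check || echo "tls_check exit status: $?"
```

A CI job or monitoring script would pipe tls_probe into tls_check and treat any non-zero status as a failure; the point is that the exit status of openssl s_client itself is not enough, because the handshake succeeds even when verification fails.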