Checking the Protocols and Ciphers a Target Allows

Introduction



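I got an error when trying to connect to a company system over HTTPS, and to track down the cause I needed to find out which protocols and ciphers the target would accept.
I had assumed you could not tell without looking at the server's configuration, but it turns out you can also check from the client side, so I am leaving this here as a record.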

Test environment



OS: Windows 10

1. Download TestSSLServer4.exe



Visit https://www.bolet.org/TestSSLServer/ and download the binary (TestSSLServer4.exe), not the source code.



2. Check



Run it from a command prompt as follows to see which protocols and ciphers the target accepts.
C:\dev\TestSSLServer>TestSSLServer4.exe www.facebook.com 443
Connection: www.facebook.com:443
SNI: www.facebook.com
  TLSv1.0:
     server selection: enforce server preferences
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_RC4_128_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_RC4_128_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_SHA
  TLSv1.1: idem
  TLSv1.2:
     server selection: complex
     3-- (key:  RSA)  RSA_WITH_RC4_128_SHA
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_128_GCM_SHA256
     3-- (key:  RSA)  RSA_WITH_AES_256_GCM_SHA384
     3f- (key:   EC)  ECDHE_ECDSA_WITH_RC4_128_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_128_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_RC4_128_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     3f- (key:   EC)  ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key:  RSA)  ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
     3f- (key:   EC)  ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
=========================================
+++++ SSLv3/TLS: 2 certificate chain(s)
+++ chain: length=2
names match:        yes
includes root:      no
signature hash(es): SHA-256
+ certificate order: 0
thumprint:  7AA970C4D34F963B182B945534D0BF40522C605F
serial:     025245D02918FECF45417523AFFF3990
subject:    CN=*.facebook.com,O=Facebook\, Inc.,L=Menlo Park,ST=California,C=US
issuer:     CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
valid from: 2018-05-17 00:00:00 UTC
valid to:   2019-07-31 12:00:00 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
server names:
   *.facebook.com
   *.facebook.net
   *.fb.com
   *.fbcdn.net
   *.fbsbx.com
   *.m.facebook.com
   *.messenger.com
   *.xx.fbcdn.net
   *.xy.fbcdn.net
   *.xz.fbcdn.net
   facebook.com
   fb.com
   messenger.com
+ certificate order: 1
thumprint:  A031C46782E6E6C662C2C87C76DA9AA62CCABD8E
serial:     04E1E7A4DC5CF2F36DC02B42B85D159F
subject:    CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
issuer:     CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
valid from: 2013-10-22 12:00:00 UTC
valid to:   2028-10-22 12:00:00 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
+++ chain: length=2
names match:        yes
includes root:      no
signature hash(es): SHA-256
+ certificate order: 0
thumprint:  BD258C1F62A4A6D9CF7D9812D22E2FF57E84FB36
serial:     0B3C3B601A18F59EE2B6BB05605EF2C0
subject:    CN=*.facebook.com,O=Facebook\, Inc.,L=Menlo Park,ST=California,C=US
issuer:     CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
valid from: 2017-12-15 00:00:00 UTC
valid to:   2019-03-22 12:00:00 UTC
key type:   EC
key size:   256
key curve:  ansix9p256r1 (P-256)
sign hash:  SHA-256
server names:
   *.facebook.com
   *.xx.fbcdn.net
   *.fbsbx.com
   *.xz.fbcdn.net
   *.facebook.net
   *.xy.fbcdn.net
   *.messenger.com
   fb.com
   *.fbcdn.net
   *.fb.com
   *.m.facebook.com
   messenger.com
   facebook.com
+ certificate order: 1
thumprint:  A031C46782E6E6C662C2C87C76DA9AA62CCABD8E
serial:     04E1E7A4DC5CF2F36DC02B42B85D159F
subject:    CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
issuer:     CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
valid from: 2013-10-22 12:00:00 UTC
valid to:   2028-10-22 12:00:00 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum EC size (no extension):   256
Minimum EC size (with extension): 256
ECDH parameter reuse:  no
Supported curves (size and name) ('*' = selected by server):
  * 256  secp256r1 (P-256)
=========================================
WARN[CS005]: Server supports RC4.
WARN[CS006]: Server supports cipher suites with no forward secrecy.


This time I ran it without any options, but with options you can write the log to a file or print more detailed information.
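To triage a saved copy of this text output, the following added example (not part of TestSSLServer or the original post) parses the per-protocol suite list, expands "idem" entries, and flags RC4, 3DES and suites without forward secrecy. The sample input is constructed, and reading the second flag character 'f' as "forward secrecy" is an assumption consistent with the output above, where only ECDHE suites carry it.

```python
import re

# Constructed sample in the same layout as the output above (shortened).
SAMPLE = """\
  TLSv1.0:
     server selection: enforce server preferences
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_RC4_128_SHA
  TLSv1.1: idem
  TLSv1.2:
     server selection: complex
     3-- (key:  RSA)  RSA_WITH_AES_128_GCM_SHA256
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_GCM_SHA384
=========================================
"""

PROTO_RE = re.compile(r"^\s*((?:SSLv|TLSv)[\d.]+):\s*(idem)?\s*$")
SUITE_RE = re.compile(r"^\s*([0-3][f-]\S)\s+\(key:\s*(\w+)\)\s+(\S+)\s*$")

def parse_suites(text):
    """Return {protocol: [(flags, key_type, suite_name), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("====="):   # separator ends the cipher-suite section
            break
        m = PROTO_RE.match(line)
        if m:
            # "idem" = same suite list as the protocol listed just before
            same = m.group(2) and current is not None
            result[m.group(1)] = list(result[current]) if same else []
            current = m.group(1)
        elif current and (m := SUITE_RE.match(line)):
            result[current].append(m.groups())
    return result

def findings(suites):
    """List (protocol, suite, reasons) for suites a hardening review would drop."""
    out = []
    for proto, entries in suites.items():
        for flags, _key, name in entries:
            reasons = [tag for tag, hit in (
                ("RC4", "_RC4_" in name),
                ("3DES", "_3DES_" in name),
                ("no forward secrecy", flags[1] != "f"),  # assumed meaning of 'f'
            ) if hit]
            if reasons:
                out.append((proto, name, reasons))
    return out
```

Calling findings(parse_suites(text)) on the saved output gives one entry per protocol and suite, so a suite that is acceptable under TLSv1.2 but also offered under TLSv1.0 shows up separately for each version.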

Incidentally, for hosts reachable over the Internet, you can also check with an online SSL checker. The online checker URLs are listed under Reference URLs below.

Reference URLs



h tps : // 게다가 kf ぁ레. 이 m / sl - st-se r chifukate /
https://www.ssllabs.com/ssltest/
htps : // / ss ly r. 어머니. 코m/
