To test an ordinary TCP port, use the nc(1) command (in the past the telnet(1) command was commonly used). For example, POP (110/tcp) can be tested as follows.
[user01@rhel01 ~]$ nc localhost 110
+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
+OK Logging out.
[user01@rhel01 ~]$
So how should a TCP port encrypted with SSL/TLS be tested?
First, there is the method of using the openssl(1) command. Give the s_client subcommand of the openssl command the option "-connect host:port", which specifies the destination, and run the test. For example, POP3S (995/tcp) can be tested as follows.
[user01@rhel01 ~]$ openssl s_client -connect localhost:pop3s
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify return:1
---
Certificate chain
0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICQzCCAaygAwIBAgIJALDUM09AsGlJMA0GCSqGSIb3DQEBBQUAMFgxFDASBgNV
<<omitted>>
Mk2FmzapbpeX11HSqprCX984Ofn00Ou8/AS2d9yEeJ/fsbB6UO9L8DZb0gL9nrkL
L7oDAsrwYg==
-----END CERTIFICATE-----
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1154 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 69F38BFB461D7E2CA1ED16CD1F7CA61B0CEEE69E9EB6AB64A45FDEC3BC4EE710
Session-ID-ctx:
Master-Key: 77544FE452E4FE2E1D735F023CD36BB5C8F6BD91BB62FB7A12C105144FB85A6F6FD2D2442B97F8DA96E753C21E7FB78A
Key-Arg : None
Krb5 Principal: None
Start Time: 1348815266
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
DONE
[user01@rhel01 ~]$
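Note that s_client prints "verify error:num=18:self signed certificate" but then reports "verify return:1" and completes the handshake anyway, so a successful login banner says nothing about whether the certificate was acceptable; the "Verify return code" line has to be read. To turn the manual session into a repeatable check, the following is an added example (not code from the original post) that parses the relevant fields out of openssl s_client output and flags what the session above shows: an unverified self-signed certificate, a CN that does not match the host connected to, a legacy protocol and a 1024-bit server key. The sample text is a constructed abridgement of the output above.

```python
import re

# Constructed sample: an abridged copy of the openssl s_client output
# shown above (certificate body and session fields elided).
SAMPLE = """\
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
---
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
"""

# Field name -> regex with one or two groups, applied line by line.
FIELDS = {
    "verify":      r"^\s*Verify return code: (\d+) \((.*)\)",
    "protocol":    r"^\s*Protocol\s*:\s*(\S+)",
    "cipher":      r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits":    r"^Server public key is (\d+) bit",
    "subject":     r"^subject=(.*)$",
    "compression": r"^Compression: (\S+)",
}

def parse_s_client(text):
    """Extract the fields worth checking from `openssl s_client` output."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        if not m:
            continue
        if name == "verify":
            info["verify_code"], info["verify_msg"] = int(m.group(1)), m.group(2)
        elif name == "key_bits":
            info[name] = int(m.group(1))
        else:
            info[name] = m.group(1).strip()
    return info

def check(info, expected_host):
    """Return the findings a reviewer would want to see for this connection."""
    findings = []
    if info.get("verify_code", 0) != 0:          # 18 == self signed certificate
        findings.append("certificate not verified: %s" % info.get("verify_msg"))
    m = re.search(r"/CN=([^/]+)", info.get("subject", ""))
    if not m or m.group(1) != expected_host:      # s_client does no hostname check here
        findings.append("CN does not match %s" % expected_host)
    if info.get("protocol") in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol negotiated: %s" % info["protocol"])
    if info.get("key_bits", 0) < 2048:
        findings.append("server key too small: %d bit" % info.get("key_bits", 0))
    if info.get("compression") not in (None, "NONE"):
        findings.append("TLS compression enabled")
    return findings
```

In practice the text would come from `openssl s_client -connect host:port </dev/null` (the redirect makes s_client exit after printing the session summary) piped into this script.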
As an alternative, there is also the method of using the gnutls-cli(1) command.
[user01@rhel01 ~]$ gnutls-cli --port pop3s localhost
Resolving 'localhost'...
Connecting to '127.0.0.1:995'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# The hostname in the certificate does NOT match 'localhost'.
# valid since: Fri Sep 28 14:51:09 JST 2012
# expires at: Sat Sep 28 14:51:09 JST 2013
# fingerprint: E4:CB:D0:E4:F7:78:E8:59:20:45:0F:33:D4:4C:DB:01
# Subject's DN: OU=IMAP server,CN=imap.example.com,EMAIL=postmaster@example.com
# Issuer's DN: OU=IMAP server,CN=imap.example.com,EMAIL=postmaster@example.com
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed
- Simple Client Mode:
+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
+OK Logging out.
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
[user01@rhel01 ~]$
Note that on Red Hat-based systems, the openssl(1) and gnutls-cli(1) commands are included in the openssl and gnutls-utils packages respectively.
[user01@rhel01 ~]$ rpm -qf $(which openssl)
openssl-0.9.8e-20.el5
openssl-0.9.8e-20.el5
[user01@rhel01 ~]$ rpm -qf $(which gnutls-cli)
gnutls-utils-1.4.1-3.el5_4.8
[user01@rhel01 ~]$