For a plain TCP port test, use the nc(1) command (the telnet(1) command used to be the common choice). For example, POP (110/tcp) can be tested as follows.
[user01@rhel01 ~]$ nc localhost 110
+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
+OK Logging out.
[user01@rhel01 ~]$
So how do you test a TCP port that is encrypted with SSL/TLS?
One way is to use the openssl(1) command. Give its s_client subcommand the option "-connect host:port", which specifies the destination, and run the test through it. For example, POP3S (995/tcp) can be tested as follows.
[user01@rhel01 ~]$ openssl s_client -connect localhost:pop3s
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify return:1
---
Certificate chain
 0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
   i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICQzCCAaygAwIBAgIJALDUM09AsGlJMA0GCSqGSIb3DQEBBQUAMFgxFDASBgNV
<<omitted>>
Mk2FmzapbpeX11HSqprCX984Ofn00Ou8/AS2d9yEeJ/fsbB6UO9L8DZb0gL9nrkL
L7oDAsrwYg==
-----END CERTIFICATE-----
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1154 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 69F38BFB461D7E2CA1ED16CD1F7CA61B0CEEE69E9EB6AB64A45FDEC3BC4EE710
    Session-ID-ctx:
    Master-Key: 77544FE452E4FE2E1D735F023CD36BB5C8F6BD91BB62FB7A12C105144FB85A6F6FD2D2442B97F8DA96E753C21E7FB78A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1348815266
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
DONE
[user01@rhel01 ~]$
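The interactive session above is fine by hand, but a monitoring or deployment check wants the same thing scripted and wants the handshake details inspected, not just the "+OK". The following helper is an added example, not code from the original post: tls_probe feeds QUIT to openssl s_client so the POP3 session ends on its own, and summarize_s_client pulls the negotiated protocol, cipher, the "Verify return code" and whether a POP3 greeting arrived out of the s_client output. The function names are my own, and the transcript in sample_transcript is constructed (abridged from a self-signed Dovecot run) so the parser can be exercised without a live server. The optional third argument of tls_probe uses s_client's -starttls option for a plaintext port that upgrades to TLS.

```shell
#!/bin/sh
# Added example (not from the original post): script-friendly wrapper
# around "openssl s_client" for a TLS-wrapped POP3 port. Function names
# and the sample transcript are constructed for this example.

# Summarise s_client output read from stdin. Prints one line with the
# negotiated protocol and cipher, the certificate verify code
# (0 = chain verified, 18 = self-signed, ...), a trust status derived
# from that code, and whether a POP3 "+OK" greeting came through.
summarize_s_client() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        /Verify return code:/ {
            sub(/.*Verify return code: */, "")
            code = $1
        }
        /^\+OK/ { greeting = "yes" }
        END {
            if (code == "")       status = "unknown"
            else if (code == "0") status = "trusted"
            else                  status = "untrusted"
            if (greeting == "")   greeting = "no"
            printf "protocol=%s cipher=%s verify=%s status=%s greeting=%s\n",
                   proto, cipher, code, status, greeting
        }'
}

# Probe a TLS port non-interactively. Sending QUIT on stdin makes the
# POP3 server close the session, so s_client returns without a user.
# A third argument selects STARTTLS on a plaintext port, for example:
#   tls_probe mail.example.com 110 pop3
tls_probe() {
    host=$1 port=$2 starttls=${3:-}
    if [ -n "$starttls" ]; then
        printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls "$starttls" 2>&1
    else
        printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" 2>&1
    fi | summarize_s_client
}

# Exit status for scripts: 0 only when the certificate chain verified
# and the service answered with a greeting; otherwise 1.
check_ok() {
    case "$(summarize_s_client)" in
        *status=trusted*greeting=yes*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed transcript standing in for a live s_client run against a
# self-signed POP3S server (abridged; not captured from any real host).
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
DONE
EOF
}

# Run the parser over the constructed transcript (no network needed).
demo() {
    sample_transcript | summarize_s_client
}

demo
```

Run against the constructed transcript, demo prints "protocol=TLSv1 cipher=DHE-RSA-AES256-SHA verify=18 status=untrusted greeting=yes": the service works, but the peer could not be verified, which is exactly the "Verify return code: 18 (self signed certificate)" buried in the manual session. A check that only looks for "+OK" would report this server as healthy, so check_ok requires both a verified chain and a greeting. With a real host, `tls_probe mail.example.com 995 | check_ok` gives a usable exit status; pass -CAfile to s_client (or install the CA) if the server uses a private CA, otherwise every run reports "untrusted".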
Alternatively, the gnutls-cli(1) command can be used.
[user01@rhel01 ~]$ gnutls-cli --port pop3s localhost
Resolving 'localhost'...
Connecting to '127.0.0.1:995'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'localhost'.
 # valid since: Fri Sep 28 14:51:09 JST 2012
 # expires at: Sat Sep 28 14:51:09 JST 2013
 # fingerprint: E4:CB:D0:E4:F7:78:E8:59:20:45:0F:33:D4:4C:DB:01
 # Subject's DN: OU=IMAP server,CN=imap.example.com,EMAIL=postmaster@example.com
 # Issuer's DN: OU=IMAP server,CN=imap.example.com,EMAIL=postmaster@example.com

- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

+OK Dovecot ready.
USER user01
+OK
PASS password
+OK Logged in.
LIST
+OK 1 messages:
1 448
.
QUIT
+OK Logging out.
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
[user01@rhel01 ~]$
Note that on Red Hat-based systems the openssl(1) and gnutls-cli(1) commands are included in the openssl and gnutls-utils packages respectively.
[user01@rhel01 ~]$ rpm -qf $(which openssl)
openssl-0.9.8e-20.el5
openssl-0.9.8e-20.el5
[user01@rhel01 ~]$ rpm -qf $(which gnutls-cli)
gnutls-utils-1.4.1-3.el5_4.8
[user01@rhel01 ~]$