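Easily print information about an SSL/TLS endpoint

Published 2023/09/10

Purpose of this article

  • You want to know how to check detailed information about the remote endpoint and its certificates when making an SSL/TLS connection

Method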

echo | openssl s_client -connect example.com:443

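Change the example.com part to match the server you are connecting to.

On success, connection information like the following is displayed, and you can check the certificate issuer, the signature, the cipher suite being requested, and so on (some of the information has been modified).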

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
verify return:1
depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = example-server.japaneast.azurecontainerapps.io
verify return:1
---
Certificate chain
 0 s:C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = example-server.japaneast.azurecontainerapps.io
   i:C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Sep  7 03:51:11 2023 GMT; NotAfter: Jun 27 23:59:59 2024 GMT
 1 s:C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jul 29 12:30:00 2020 GMT; NotAfter: Jun 27 23:59:59 2024 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJUTCCBzmgAwIBAgITMwDTE5Qmd/QTcPfdZQAAANMTlDANBgkqhkiG9w0BAQwF
ADBZMQswCQYDVQQGEwJ(snip)dzXA4mruYroV6xYRa1N1z+qWMVOeruQWanNaw3Uc
mmVHTnvhg8WVfxiWqQIMnjIQ8nVYH3BrmWr3rtavQvuHoOI5NAmXmgylwyffmEdm
4ss0enYcEDnlwdshvpBtqVD9wQY4xYx0CmEjDcIpUaaW2e3cDGa/iA5eJ4IMAfK5
IbudwNy5WzzSdcIIggYbIm1MaXsu/BuE9gBy/QLowOmqF3QBrQ==
-----END CERTIFICATE-----
subject=C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = example-server.japaneast.azurecontainerapps.io
issuer=C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5483 bytes and written 458 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 7E47048FC1203048642E04F16C6E789C751EC54215357EBEEA21A0FC626F055D
    Session-ID-ctx: 
    Master-Key: 5AA9BFBF104A30AA250126704C21CBB017B45FDDFA7887C6128DBBAD3C15835F4A2F0CAD9075032558948676ACEA36C6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b5 e0 37 cf 40 af 0d 56-f3 47 88 4c 90 a5 e9 5c   ..7.@..V.G.L...\
    0010 - 46 98 63 8e 91 39 13 65-7f 82 42 c3 8d d7 97 b5   F.c..9.e..B.....
    0020 - 20 ae 81 af 97 6d e8 c9-9a d1 a0 3d 1e c8 9d 28    ....m.....=...(
    0030 - 48 37 a5 31 56 d3 0f 78-05 46 68 49 2a 4e c7 2e   H8.1V..x.FhI*N..
    0040 - 68 ab fa 8c ab 45 51 ec-f9 a5 e9 3e 35 ab 9d 05   h....EQ....>5...
    0050 - 3e 5f f0 43 32 85 2f f3-57 fe b1 ca aa 92 5c 46   >_.C2./.W.....\F
    0060 - 08 79 ee b4 98 11 cd a8-ef a0 17 ca 6b f1 be 85   .y..........k...
    0070 - 12 e1 42 0e 08 33 7a 04-44 3d 98 27 6b cf fa 7b   ..B..3z.D=.'k..{
    0080 - c6 6e 73 44 ef f1 40 6c-f5 7a 84 a7 fb c1 b5 63   .nsD..@l.z.....c
    0090 - f4 2a e1 90 c3 2b 8a 35-29 d8 d9 65 87 bf 89 89   .*...+.5)..e....
    00a0 - 78 e8 a8 98 61 60 db d5-14 06 02 b8 64 6e e9 79   x...a`......dn.y
    00b0 - 41 f0 64 44 0c 2e f5 86-17 b6 91 3a d7 2e 7e 41   A.dD.......:..~A

    Start Time: 1694350485
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
  • depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2: this shows that the root certificate is DigiCert's.
  • depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05 verify return:1: the intermediate certificate is from Microsoft Azure TLS Issuing CA 05.
  • depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = example-server.japaneast.azurecontainerapps.io: this shows that the server certificate was issued by Microsoft Corporation.
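
As an added example (not from the original article), the shell function below reads saved s_client text and extracts the certificate chain fields, protocol, cipher and verify code. It flags RSA keys under 2048 bits, SHA-1/MD5 signatures, protocols older than TLS 1.2 and a non-zero verify code. The function names and thresholds are assumptions of this example. The sample input is constructed from the output shown above, and the parser assumes the a:/v: chain lines and the SSL-Session block appear as they do there.

```shell
# Added example: summarize s_client text on stdin; returns 1 if anything is flagged.
summarize_s_client() {
  awk '
    function cn(s) { sub(/^.*CN = /, "", s); return s }   # text after the last "CN = "
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { idx = $1; subj = cn($0) }
    in_chain && /^ *i:/ { iss = cn($0) }
    in_chain && /^ *a:PKEY:/ {
      bits = $3 + 0; alg = $0; sub(/^.*sigalg: /, "", alg); note = ""
      # Assumed thresholds: RSA below 2048 bits, or a SHA-1/MD5 signature.
      if (($2 ~ /^rsa/ && bits < 2048) || toupper(alg) ~ /SHA1|MD5/) { note = " WEAK"; bad = 1 }
    }
    in_chain && /^ *v:NotBefore:/ {
      na = $0; sub(/^.*NotAfter: /, "", na)
      printf "cert[%s] subject_cn=%s issuer_cn=%s key=%d sigalg=%s not_after=%s%s\n", idx, subj, iss, bits, alg, na, note
    }
    /^ +Protocol +:/ { print "protocol=" $3; if ($3 == "TLSv1" || $3 == "TLSv1.1" || $3 ~ /^SSLv/) bad = 1 }
    /^ +Cipher +:/ { print "cipher=" $3 }
    /^ +Verify return code:/ {
      code = $4; sub(/^ +Verify return code: /, ""); print "verify=" $0
      if (code != 0) bad = 1
    }
    END { exit bad + 0 }
  '
}

# Constructed sample, abridged from the output shown in the article.
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = example-server.japaneast.azurecontainerapps.io
   i:C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Sep  7 03:51:11 2023 GMT; NotAfter: Jun 27 23:59:59 2024 GMT
 1 s:C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 05
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jul 29 12:30:00 2020 GMT; NotAfter: Jun 27 23:59:59 2024 GMT
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Verify return code: 0 (ok)
EOF
}

sample_output | summarize_s_client
```

To use it against a live server, pipe the article's command into the function in place of sample_output.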