More than 1 year has passed since last update.

How to specify the TLS version with the curl command

Background

  • I am building infrastructure on AWS.
  • There was a task to change the ALB security policy so that TLS 1.0 and TLS 1.1 are disabled.
  • To confirm that the configuration change took effect, I wanted to connect with TLS 1.0 and TLS 1.1 and verify that the ALB blocks the connection.
  • About ALB security policies

Example command

❯ curl -s -v --tls-max 1.0 https://www.fsa.go.jp/ -I

Option for specifying the TLS version

--tls-max <TLS version>

  • This option sets the maximum TLS version that curl will offer.
  • By setting the maximum to a low version, you can check whether requests using a version that the ALB security policy does not support are blocked.
  • The curl documentation is here

Notes

  • There is a similar-looking option, --tlsv1.0. What it specifies is completely different, in fact the exact opposite, so be careful not to confuse the two.
  • That option sets the minimum TLS version that curl will accept.
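To turn the manual check above into a repeatable test, the following added example (not part of the original article) probes a URL with each --tls-max value and classifies curl's verbose output. The function and script names are my own; the classification strings are based on the OpenSSL messages curl prints, and the "client-side" branch is an assumption about how a local TLS library reports a version it no longer offers.

```shell
#!/bin/sh
# Added example: verify which TLS versions an endpoint (for example an ALB)
# still accepts by capping curl with --tls-max and reading the result.

# Classify one captured "curl -v" transcript (stderr+stdout as one string).
# Prints: "rejected"   - server sent a protocol_version alert (blocked as intended)
#         "client-side" - local TLS library refused to offer that version (assumed
#                        OpenSSL wording; not evidence about the server)
#         "negotiated TLSvX.Y" - handshake completed with that version
#         "unknown"    - none of the above patterns matched
classify_tls_output() {
  if printf '%s\n' "$1" | grep -q 'alert protocol version'; then
    echo "rejected"
    return 0
  fi
  if printf '%s\n' "$1" | grep -q -e 'unsupported protocol' -e 'no protocols available'; then
    echo "client-side"
    return 0
  fi
  v=$(printf '%s\n' "$1" | sed -n 's/^.*SSL connection using \(TLSv[0-9.]*\).*$/\1/p' | head -n 1)
  if [ -n "$v" ]; then
    echo "negotiated $v"
  else
    echo "unknown"
  fi
}

# Run curl with the given --tls-max against a URL and print a tab-separated
# line: <version> <curl exit code> <classification>. Exit code 35 is curl's
# "SSL connect error" and accompanies a rejected handshake.
probe_tls_max() {
  url="$1"
  ver="$2"
  out=$(curl -s -v --tls-max "$ver" -I "$url" 2>&1)
  rc=$?
  printf '%s\t%s\t%s\n' "$ver" "$rc" "$(classify_tls_output "$out")"
}

# Usage: probe every version; after disabling TLS 1.0/1.1 on the ALB you expect
# the first two rows to read "rejected" and the last two to negotiate.
# for v in 1.0 1.1 1.2 1.3; do probe_tls_max https://www.fsa.go.jp/ "$v"; done
```

If a row reports "client-side", the failure happened in your own OpenSSL build before any packet reached the ALB, so it says nothing about the security policy; re-test from a client whose TLS library still offers that version.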

Sample command output

  • Below are the results of accessing the Financial Services Agency home page with TLS 1.0 and TLS 1.3 specified.
  • You can see that the TLS 1.0 attempt fails and the TLS 1.3 attempt succeeds.

When TLS 1.0 is specified

❯ curl -s -v --tls-max 1.0 https://www.fsa.go.jp/ -I
*   Trying 18.65.202.112:443...
* Connected to www.fsa.go.jp (18.65.202.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0

When TLS 1.3 is specified

❯ curl -s -v --tls-max 1.3 https://www.fsa.go.jp/ -I
*   Trying 18.65.202.112:443...
* Connected to www.fsa.go.jp (18.65.202.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=JP; ST=Tokyo-to; L=Chiyoda-ku; O=Financial Services Agency; OU=Public Relations Office; CN=www.fsa.go.jp
*  start date: May 30 06:08:30 2022 GMT
*  expire date: Jun 28 14:59:59 2023 GMT
*  subjectAltName: host "www.fsa.go.jp" matched cert's "www.fsa.go.jp"
*  issuer: C=JP; O=SECOM Trust Systems CO.,LTD.; CN=SECOM Passport for Web SR 3.0 CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x135811400)
> HEAD / HTTP/2
> Host: www.fsa.go.jp
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html
content-type: text/html
< content-length: 20346
content-length: 20346
< server: Apache
server: Apache
< last-modified: Mon, 08 May 2023 04:12:01 GMT
last-modified: Mon, 08 May 2023 04:12:01 GMT
< accept-ranges: bytes
accept-ranges: bytes
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< date: Fri, 19 May 2023 19:14:50 GMT
date: Fri, 19 May 2023 19:14:50 GMT
< vary: Accept-Encoding
vary: Accept-Encoding
< x-cache: Hit from cloudfront
x-cache: Hit from cloudfront
< via: 1.1 e70028cb30f78307280e23c065d90090.cloudfront.net (CloudFront)
via: 1.1 e70028cb30f78307280e23c065d90090.cloudfront.net (CloudFront)
< x-amz-cf-pop: NRT57-P3
x-amz-cf-pop: NRT57-P3
< x-amz-cf-id: ysCRlgll5PrdcNFB7630KP54On-OpgXXeBJk89y23xplmdvHpZBcMw==
x-amz-cf-id: ysCRlgll5PrdcNFB7630KP54On-OpgXXeBJk89y23xplmdvHpZBcMw==
< age: 246008
age: 246008

<
* Connection #0 to host www.fsa.go.jp left intact

When the option is not specified, the connection uses TLS 1.3

❯ curl -s -v https://www.fsa.go.jp/ -I
*   Trying 18.65.202.13:443...
* Connected to www.fsa.go.jp (18.65.202.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=JP; ST=Tokyo-to; L=Chiyoda-ku; O=Financial Services Agency; OU=Public Relations Office; CN=www.fsa.go.jp
*  start date: May 30 06:08:30 2022 GMT
*  expire date: Jun 28 14:59:59 2023 GMT
*  subjectAltName: host "www.fsa.go.jp" matched cert's "www.fsa.go.jp"
*  issuer: C=JP; O=SECOM Trust Systems CO.,LTD.; CN=SECOM Passport for Web SR 3.0 CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x15b013a00)
> HEAD / HTTP/2
> Host: www.fsa.go.jp
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html
content-type: text/html
< content-length: 20346
content-length: 20346
< server: Apache
server: Apache
< last-modified: Mon, 08 May 2023 04:12:01 GMT
last-modified: Mon, 08 May 2023 04:12:01 GMT
< accept-ranges: bytes
accept-ranges: bytes
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< date: Fri, 19 May 2023 19:14:50 GMT
date: Fri, 19 May 2023 19:14:50 GMT
< vary: Accept-Encoding
vary: Accept-Encoding
< x-cache: Hit from cloudfront
x-cache: Hit from cloudfront
< via: 1.1 2e09729c09747cfaa237f08151b53d06.cloudfront.net (CloudFront)
via: 1.1 2e09729c09747cfaa237f08151b53d06.cloudfront.net (CloudFront)
< x-amz-cf-pop: NRT57-P3
x-amz-cf-pop: NRT57-P3
< x-amz-cf-id: XUKQYgxmeEvezRVlm4eMd8HVgDDiC3e1zU9WTVFBAXNztaH85kZpZQ==
x-amz-cf-id: XUKQYgxmeEvezRVlm4eMd8HVgDDiC3e1zU9WTVFBAXNztaH85kZpZQ==
< age: 246300
age: 246300

<
* Connection #0 to host www.fsa.go.jp left intact