How to check which cipher algorithm a connection is using


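Background

  • When the cipher algorithms are listed, they are shown starting from the strongest
  • The cipher algorithms differ between the client and the server
  • The strongest one that both sides can agree on is then selected

Listing the cipher algorithms

You can also filter the list by adding a keyword.
The list shows the information for the machine on which the command is run.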

# openssl ciphers -v
# openssl ciphers -V
# openssl ciphers -v RSA # to search for RSA

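Checking the remote server's certificate and connection state

The information shown here tells you which algorithm the client and the server are using for the connection.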

# openssl s_client -connect xxx.com:443 -showcerts
# openssl s_client -connect xxx.com:443 -state
openssl s_client -connect www.google.com:443 -state < /dev/null
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEhzCCA2+gAwIBAgIQApXgY9gvMKsSvozNWMVYnjANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
... (omitted)
H2pu/ta+UyujJSregKLzrdOxouhQz80R1pHuiuvhQ7x2PtKi0DB1pcMv2pMe/EGa
5Lgt6w76MYXkXMY=
-----END CERTIFICATE-----
subject=CN = www.google.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4294 bytes and written 396 bytes
Verification: OK
---
#### This shows that the connection uses TLS 1.3 and the algorithm is TLS_AES_256_GCM_SHA384
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
SSL3 alert write:warning:close notify

How to check the cipher algorithm

Whether a given algorithm is used for the connection can be checked as follows.

# openssl s_client -connect www.google.com:443 -cipher TLS_AES_256_GCM_SHA384 < /dev/null
Error with command: "-cipher TLS_AES_256_GCM_SHA384"
4569343488:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2571:

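This error appears because the name is not in the format the option expects: TLS_AES_256_GCM_SHA384 is a TLS 1.3 cipher suite, and -cipher only accepts cipher names for TLS 1.2 and earlier.
Details are here:
https://stackoverflow.com/questions/57212182/openssl-s-client-no-cipher-match

For TLS 1.3, it can be checked as follows.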

openssl s_client -connect www.google.com:443 -ciphersuites TLS_AES_256_GCM_SHA384 < /dev/null
CONNECTED(00000005)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEhzCCA2+gAwIBAgIQApXgY9gvMKsSvozNWMVYnjANBgkqhkiG9w0BAQsFADBG
... (omitted)
2pu/ta+UyujJSregKLzrdOxouhQz80R1pHuiuvhQ7x2PtKi0DB1pcMv2pMe/EGa
5Lgt6w76MYXkXMY=
-----END CERTIFICATE-----
subject=CN = www.google.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4294 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
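
As an added example (not part of the original article), the script below pulls the negotiated protocol and cipher out of saved s_client output and picks -cipher or -ciphersuites to match. The function names and sample lines are constructed for illustration, and it assumes the TLS 1.3 suites are the five defined in RFC 8446.

```shell
#!/bin/sh
# Added example: read saved `openssl s_client` output and report what was
# negotiated, then build the command that offers only that suite.

# Constructed samples, shaped like the summary line s_client prints.
SAMPLE_TLS13='Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit'
SAMPLE_TLS12='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)'   # printed when the handshake fails

# Print "<protocol> <cipher>" for the s_client output on stdin.
# Returns 1 if there is no summary line or no cipher was negotiated.
negotiated() {
    line=$(sed -n 's/^New, \([^,]*\), Cipher is \([^ ]*\).*$/\1 \2/p' | head -n 1)
    [ -n "$line" ] || return 1
    case $line in
        *"(NONE)") return 1 ;;
    esac
    printf '%s\n' "$line"
}

# Choose the s_client option that accepts a given suite name.
# Assumption: only the five TLS 1.3 suites from RFC 8446 are treated as
# TLS 1.3; any other name is a TLS 1.2-and-below cipher string.
pin_option() {
    case $1 in
        TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|\
        TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_CCM_SHA256|\
        TLS_AES_128_CCM_8_SHA256) echo "-ciphersuites" ;;
        *) echo "-cipher" ;;
    esac
}

# $1 = host:port, stdin = saved s_client output.
# Note: -cipher leaves the TLS 1.3 suites untouched, so a server that
# supports TLS 1.3 can still negotiate it when -cipher is used alone.
pin_command() {
    result=$(negotiated) || return 1
    cipher=${result#* }
    printf 'openssl s_client -connect %s %s %s\n' \
        "$1" "$(pin_option "$cipher")" "$cipher"
}

printf '%s\n' "$SAMPLE_TLS13" | pin_command www.google.com:443
printf '%s\n' "$SAMPLE_TLS12" | pin_command www.google.com:443
printf '%s\n' "$SAMPLE_FAILED" | negotiated || echo "no cipher negotiated"
```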
