2011年2月17日木曜日

サポートされているSSL/TLSのバージョンの確認方法



SSL 2.0にはいくつかの脆弱性があるため、セキュリティを要求される通信の
プロトコルとして使われていることはなくなってきている、はず。

サービスが"SSL2.0"、"SSL3,0"、"TLS1.0"のどのバージョンに対応しているか、
確認する方法をメモしておく。
SoftBankのEmail(i)のimap sslを試験に使わせてもらいます。


◆ SSL2.0 がサポートされているか確認
$ openssl s_client -ssl2 -connect imap.softbank.jp:993
SSL2.0 がサポートされていない場合下記のようになる
CONNECTED(00000003)
write:errno=104

◆ SSL3.0 がサポートされているか確認
$ openssl s_client -ssl3 -connect imap.softbank.jp:993
SSL3.0 がサポートされている場合下記のようになる
CONNECTED(00000003)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
verify return:1
depth=0 /C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
   i:/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
 1 s:/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEBTCCA26gAwIBAgIDAPY+MA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAkpQ
MSIwIAYDVQQKExlCZXRydXN0ZWQgSmFwYW4gQ28uLCBMdGQuMSMwIQYDVQQDExpD
eWJlcnRydXN0IEphcGFuIFB1YmxpYyBDQTAeFw0xMDAzMDIxMTAzMDJaFw0xMzA2
MDIxNDU5MDBaMIGUMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEjAQBgNV
BAcTCU1pbmF0by1rdTEeMBwGA1UEChMVU09GVEJBTksgTU9CSUxFIENvcnAuMSYw
JAYDVQQLEx1TZXJ2ZXIgT3BlcmF0aW9uIERlcGFydG1lbnQgMTEZMBcGA1UEAxMQ
aW1hcC5zb2Z0YmFuay5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtZ3L
gAvpts9RJhTeDFhu8mxQ/IcGQmElrdubBLoSQVlBgH79Nop1fXoYgnCsKvsOcqHW
FUy+zuHN0DowASUDiSx2DHonyefRecCRVSVNql+OfbdaaEMKrw9vimdXFIn3pTn8
JLkEKnIx/celB3oEgpmz5c4PpMshLPbDh03erCUCAwEAAaOCAaAwggGcMAkGA1Ud
EwQCMAAwTAYJYIZIAYb4QgEIBD8WPWh0dHBzOi8vd3d3LmN5YmVydHJ1c3QubmUu
anAvU3VyZVNlcnZlci9yZXBvc2l0b3J5L2luZGV4Lmh0bWwwgb8GA1UdIASBtzCB
tDCBsQYIKoMIjJsRAQEwgaQwVwYIKwYBBQUHAgIwSxpJRm9yIG1vcmUgZGV0YWls
cywgcGxlYXNlIHZpc2l0IG91ciB3ZWJzaXRlIGh0dHA6Ly93d3cuY3liZXJ0cnVz
dC5uZS5qcC8gLjBJBggrBgEFBQcCARY9aHR0cHM6Ly93d3cuY3liZXJ0cnVzdC5u
ZS5qcC9TdXJlU2VydmVyL3JlcG9zaXRvcnkvaW5kZXguaHRtbDALBgNVHQ8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFMGA1UdHwRMMEowSKBG
oESGQmh0dHA6Ly9zdXJlc2VyaWVzLWNybC5jeWJlcnRydXN0Lm5lLmpwL1N1cmVT
ZXJ2ZXIvMjAxOF9jdGovY2RwLmNybDANBgkqhkiG9w0BAQUFAAOBgQCvU3ycB5uk
fnthZZ88cNqhFRnCkpzdQlhnt2xMDtNe5g+m2YyOlp2zELWEv9lWVXJTbqJ/HeIL
7mUQYBzhtoFLSRcVHTycIit9i4dTDIY6aoI6eoepvz9bN0MDeTQ262mN6Xi3WNJ6
3sK+pTQKpmW/FB4biy7t+kppGQsrg/npgA==
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
issuer=/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
---
No client certificate CA names sent
---
SSL handshake has read 2569 bytes and written 301 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 88716C7BA30BF1D53FC7F92E00007D2C1E65B0766EF7BDDF815A40B241D7CB33
    Session-ID-ctx:
    Master-Key: 8FD66EA91ACAC20B84F8551DD8D1EA46559001E91F1EF2E95FD0AE524028EAB90DAC8F47FF01E3D23A7F78654110F709
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1297909814
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK IMAP4



◆ TSL1.0 がサポートされているか確認
$ openssl s_client -tls1 -connect imap.softbank.jp:993
TLS1.0 がサポートされている場合下記のようになる
CONNECTED(00000003)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=1 /C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
verify return:1
depth=0 /C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
   i:/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
 1 s:/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEBTCCA26gAwIBAgIDAPY+MA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAkpQ
MSIwIAYDVQQKExlCZXRydXN0ZWQgSmFwYW4gQ28uLCBMdGQuMSMwIQYDVQQDExpD
eWJlcnRydXN0IEphcGFuIFB1YmxpYyBDQTAeFw0xMDAzMDIxMTAzMDJaFw0xMzA2
MDIxNDU5MDBaMIGUMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEjAQBgNV
BAcTCU1pbmF0by1rdTEeMBwGA1UEChMVU09GVEJBTksgTU9CSUxFIENvcnAuMSYw
JAYDVQQLEx1TZXJ2ZXIgT3BlcmF0aW9uIERlcGFydG1lbnQgMTEZMBcGA1UEAxMQ
aW1hcC5zb2Z0YmFuay5qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtZ3L
gAvpts9RJhTeDFhu8mxQ/IcGQmElrdubBLoSQVlBgH79Nop1fXoYgnCsKvsOcqHW
FUy+zuHN0DowASUDiSx2DHonyefRecCRVSVNql+OfbdaaEMKrw9vimdXFIn3pTn8
JLkEKnIx/celB3oEgpmz5c4PpMshLPbDh03erCUCAwEAAaOCAaAwggGcMAkGA1Ud
EwQCMAAwTAYJYIZIAYb4QgEIBD8WPWh0dHBzOi8vd3d3LmN5YmVydHJ1c3QubmUu
anAvU3VyZVNlcnZlci9yZXBvc2l0b3J5L2luZGV4Lmh0bWwwgb8GA1UdIASBtzCB
tDCBsQYIKoMIjJsRAQEwgaQwVwYIKwYBBQUHAgIwSxpJRm9yIG1vcmUgZGV0YWls
cywgcGxlYXNlIHZpc2l0IG91ciB3ZWJzaXRlIGh0dHA6Ly93d3cuY3liZXJ0cnVz
dC5uZS5qcC8gLjBJBggrBgEFBQcCARY9aHR0cHM6Ly93d3cuY3liZXJ0cnVzdC5u
ZS5qcC9TdXJlU2VydmVyL3JlcG9zaXRvcnkvaW5kZXguaHRtbDALBgNVHQ8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFMGA1UdHwRMMEowSKBG
oESGQmh0dHA6Ly9zdXJlc2VyaWVzLWNybC5jeWJlcnRydXN0Lm5lLmpwL1N1cmVT
ZXJ2ZXIvMjAxOF9jdGovY2RwLmNybDANBgkqhkiG9w0BAQUFAAOBgQCvU3ycB5uk
fnthZZ88cNqhFRnCkpzdQlhnt2xMDtNe5g+m2YyOlp2zELWEv9lWVXJTbqJ/HeIL
7mUQYBzhtoFLSRcVHTycIit9i4dTDIY6aoI6eoepvz9bN0MDeTQ262mN6Xi3WNJ6
3sK+pTQKpmW/FB4biy7t+kppGQsrg/npgA==
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Minato-ku/O=SOFTBANK MOBILE Corp./OU=Server Operation Department 1/CN=imap.softbank.jp
issuer=/C=JP/O=Betrusted Japan Co., Ltd./CN=Cybertrust Japan Public CA
---
No client certificate CA names sent
---
SSL handshake has read 2553 bytes and written 285 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7AF04F9E5B02157EE2AC563A5FDD533AEF49ED054293357C6BB1DB5E7144570A
    Session-ID-ctx:
    Master-Key: 159FD603C7CCB5C0F67F4B8916BCDCB7054BB0014AFBFAA956D60E5D2F94C2DE0160C69471AE7E4D5D447BF07D909697
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1297909887
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK IMAP4



◆ cipherの確認
サーバ側がどのciperを利用できるかも確認できる。
クライアント側が利用するciperの一覧(接続元クライアント側に依存する)。
$ openssl cipher -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5
KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export


コマンド結果の一行目を、opensslコマンドの-cipherオプションで指定すれば、サポートの有無を判断できる。
$ openssl s_client -tls1 -connect 接続先:ポート -ciper サイファ