使用openssl s_server 测试搭建https-server测试,选项如下:
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-verify_hostname host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-verify_return_error - return verification errors
-cert arg - certificate file to use
(default is server.pem)
-serverinfo arg - PEM serverinfo file for certificate
-auth - send and receive RFC 5878 TLS auth extensions and supplemental data
-auth_require_reneg - Do not send TLS auth extensions until renegotiation
-no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appened to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
-crlf - convert LF from terminal into CRLF
-debug - Print more output
-msg - Show protocol messages
-state - Print the SSL states
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-trusted_first - Use trusted CA's first when building the trust chain
-no_alt_chains - only ever use the first certificate chain found
-nocert - Don't use any certificates (Anon-DH)
-cipher arg - play with 'openssl ciphers' to see what goes here
-serverpref - Use server's cipher preferences
-quiet - No server output
-no_tmp_rsa - Do not generate a tmp RSA key
-krb5svc arg - Kerberos service name
-keytab arg - Kerberos keytab filename
-psk_hint arg - PSK identity hint to use
-psk arg - PSK in hex (without 0x)
-ssl3 - Just talk SSLv3
-tls1_2 - Just talk TLSv1.2
-tls1_1 - Just talk TLSv1.1
-tls1 - Just talk TLSv1
-dtls1 - Just talk DTLSv1
-dtls1_2 - Just talk DTLSv1.2
-timeout - Enable timeouts
-mtu - Set link layer MTU
-chain - Read a certificate chain
-no_ssl2 - No-op, SSLv2 is always disabled
-no_ssl3 - Just disable SSLv3
-no_tls1 - Just disable TLSv1
-no_tls1_1 - Just disable TLSv1.1
-no_tls1_2 - Just disable TLSv1.2
-no_dhe - Disable ephemeral DH
-no_ecdhe - Disable ephemeral ECDH
-bugs - Turn on SSL bug compatibility
-hack - workaround for early Netscape code
-www - Respond to a 'GET /' with a status page
-WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
-HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
with the assumption it contains a complete HTTP response.
-engine id - Initialise and use the specified engine
-id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'
-rand file:file:...
-servername host - servername for HostName TLS extension
-servername_fatal - on mismatch send fatal alert (default warning alert)
-cert2 arg - certificate file to use for servername
(default is server2.pem)
-key2 arg - Private Key file to use for servername, in cert file if
not specified (default is server2.pem)
-tlsextdebug - hex dump of all TLS extensions received
-no_ticket - disable use of RFC4507bis session tickets
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-sigalgs arg - Signature algorithms to support (colon-separated list)
-client_sigalgs arg - Signature algorithms to support for client
certificate authentication (colon-separated list)
-nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)
-keymatexport label - Export keying material using label
-keymatexportlen len - Export len bytes of keying material (default 20)
-status - respond to certificate status requests
-status_verbose - enable status request verbose printout
-status_timeout n - status request responder timeout
-status_url URL - status request fallback URL选项解释:
-accept arg - port的默认监听端口4433
-key arg - 私钥
-cert arg - 签发的证书【用csr签发】
简单示例
说明: 采用根证书,自签证的证书;
--------------------------------------
1 单向认证
服务端:
openssl s_server -key server.key -cert server.crt客户端:
[root@localhost ~]# openssl s_client -connect localhost:4433 -verify_return_error
CONNECTED(00000003)
depth=0 C = CN, ST = FJ, L = xiamen, O = yl, OU = yl1, CN = yl2
verify error:num=18:self signed certificate //<--自签发
---
Certificate chain
0 s:/C=CN/ST=FJ/L=xiamen/O=yl/OU=yl1/CN=yl2
i:/C=CN/ST=FJ/L=xiamen/O=yl/OU=yl1/CN=yl2
---
Server certificate
-----BEGIN CERTIFICATE-----2 双向认证
服务端:
-Verify 1 客户端必须发送一个证书
openssl s_server -key 1.key -cert 1.crt -CAfile ../server.crt -Verify 1客户端:
openssl s_client -connect localhost:4433 -CAfile server.crt -cert 1/1.crt -key 1/1.key -showcerts
4358
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
