常见问题
本地 openssl 支持的密码套件
# 查看本机 openssl 支持的 cipher 列表,可以用:
openssl ciphers -V | column -t
证书链结构
-----BEGIN CERTIFICATE-----
网站证书
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 中间证书机构
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 根证书机构
-----END CERTIFICATE-----
serial无法读取的解决方法
echo 01 > serial
RSA私钥免除密码(输出的 server2.key 是未加密的私钥,应限制其文件权限并妥善保管)
openssl rsa -in server.key -out server2.key
私钥输出公钥
# 私钥出公钥
openssl rsa -in xxx.key -pubout
# 证书出公钥
openssl x509 -in xxx_crt -pubkey -noout
父子证书验证
openssl verify -CAfile IT-RootCA.crt -untrusted tmp_server1.crt tmp_server2.crt
# 证书链必须完整,根证书必须存在
openssl verify -CAfile 根证书 -untrusted 证书链 子证书
OCSP验证方法
从无法开启 OCSP Stapling 说起
OpenSSL 通过OCSP手动验证证书
# 获取ocsp的地址
openssl x509 -in xxx.crt -noout -ocsp_uri
# 测试是否可用
# OpenSSL 1.0.2k:证书链文件 chain.crt 中不能包含子证书,子证书需单独存放为一个文件 xxx.crt
openssl ocsp -CAfile chain.crt -issuer chain.crt -cert xxx.crt -text -no_nonce -url http://ocsp.dcocsp.cn -header "HOST" ocsp.dcocsp.cn -resp_text
# OpenSSL 1.1.1k
openssl ocsp -issuer chain.crt -cert xxx.crt -no_nonce -url "http://ocsp.digicert.cn" -header HOST=ocsp.digicert.cn -resp_text
# 通过 HTTPS 服务查询服务器是否返回 OCSP 状态(OCSP Stapling)
openssl s_client -connect 127.0.0.1:443 -status
openssl s_client -connect 127.0.0.1:443 -status -tlsextdebug
SSL证书有效期
# 对证书文件操作(未用 -in 指定文件时,从标准输入读取证书)
openssl x509 -subject -enddate
# 对HTTPS服务器操作
echo | openssl s_client -servername www.vip.com -connect 10.200.86.46:443 2>/dev/null | openssl x509 -noout -dates
证书功能验证
enc 对称密钥算法加密(下面输出中的告警表示默认的口令派生方式已弃用,应按提示加 -pbkdf2 或 -iter,且加密与解密时参数保持一致;-p 会打印 salt/key/iv,仅用于调试)
[root@Euler01 ~]# openssl enc -aes-256-cbc -salt -in a -out a.enc -p
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
salt=804009488E0E893D
key=ABE60C6D58945599083144FFD08E1971F013FFF79F5ED8740109426DEDEDA6C5
iv =D923951E002E6CA00ED92CD80D63B7DE
# 验证
[root@Euler01 ~]# openssl enc -d -aes-256-cbc -in a.enc
enter aes-256-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
hello world
dgst 内容摘要(SHA-1 已不具备抗碰撞性,用于完整性校验时建议改用 -sha256)
[root@Euler01 ~]# openssl dgst -sha1 a
SHA1(a)= 22596363b3de40b06f981fb85d82312e8c0ed511
rsa密钥
# 不需要口令
[root@Euler01 ~]# openssl genrsa -out temp_rsa.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..............+++++
e is 65537 (0x010001)
# 需要输入口令(-des3 表示用 3DES 加密私钥;也可改用 -aes256)
[root@Euler01 ~]# openssl genrsa -des3 -out temp_rsa2.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................+++++
................+++++
e is 65537 (0x010001)
Enter pass phrase for temp_rsa2.pem:
Verifying - Enter pass phrase for temp_rsa2.pem:
dhparam
生成 DH 参数和 key(1024 位 DH 强度不足,此处仅作演示;实际使用应生成 2048 位及以上的参数)
openssl dhparam -out dhparam.pem -2 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..............................................+........+................................................+......................................................+....................................................................................................................+..........................+....................+.........................................................+............................................+........................................................+..................+..............................+.................................................+..................+........+..................+........+...................................+.....................................................................+....................+...................+..............+..............+.............................................................................................................................................................................................................+.............................................++*++*++*++*++*
[root@Euler01 ~]# openssl genpkey -paramfile dhparam.pem -out dhkey.pem
[root@Euler01 ~]# openssl pkey -in dhkey.pem -text -noout
DH Private-Key: (1024 bit)
private-key: #私钥
79:95:70:05:a3:2d:c8:86:4c:24:6a:a5:0f:7e:5e:
c8:1b:97:ad:88:22:39:09:04:68:3d:fa:2b:c2:02:
c3:82:24:57:2a:2f:97:eb:d8:d3:2f:fb:29:ba:26:
ff:72:b5:ec:b5:33:86:af:02:9d:ea:64:2d:ce:cf:
32:35:b6:cf:71:ba:4f:e0:23:a4:ae:93:35:69:03:
cf:fa:13:77:71:78:0a:a8:e9:47:0d:ab:ab:5f:7c:
84:db:71:42:10:75:5d:9e:89:e3:70:95:12:12:41:
46:19:6d:b5:c8:72:6c:82:d9:12:f5:ab:d7:13:57:
24:76:b4:05:c1:ad:3b:a0
public-key: #公钥
7c:67:c9:ea:5a:3a:54:cd:d8:f0:e7:ca:9d:f6:06:
dc:cb:d9:e1:bc:53:af:81:b4:7f:65:d5:26:f9:c8:
bb:6c:d3:f2:3e:fe:a8:15:55:02:2b:04:d5:97:8a:
84:d4:43:ab:f5:d5:92:ea:ab:37:ff:e6:66:c3:1f:
a1:e2:86:41:ad:bc:73:ec:0e:6d:86:cc:f4:b0:5b:
a5:8d:cd:dc:85:a7:a8:97:38:f4:7e:d7:fe:6e:6e:
13:09:d1:f9:08:27:b9:e1:2e:5f:49:41:80:1d:cf:
3b:8e:84:f3:22:e6:05:33:ef:59:46:e1:7b:de:ee:
e1:65:f4:58:a3:dc:6c:68
prime: # 大质数
00:97:37:a2:19:96:52:a4:d8:ed:73:6b:97:bd:8b:
e5:cf:06:6b:06:10:48:7f:44:f3:10:d1:ce:6f:b1:
b8:72:45:f7:59:03:85:c2:d8:0e:fd:86:46:81:dd:
eb:ef:b5:e2:ea:45:97:35:fd:f6:ee:15:f4:78:1f:
48:be:78:ae:7f:37:27:19:ae:f9:5a:66:df:f7:94:
ad:70:68:09:49:fa:0d:63:8e:8a:7c:1f:3d:0a:d0:
b9:92:1d:4d:b0:e4:5f:89:70:5f:81:af:44:44:a3:
3a:c9:5d:e0:e5:c4:44:b4:40:0d:de:db:07:92:7c:
72:63:73:e1:02:06:c1:6d:43
generator: 2 (0x2) # 生成元
DH验证
[root@Euler01 ~]# openssl genpkey -genparam -algorithm DH -out dhp_pub.pem
........+.............................................................+......................................................................+.......................................................+...............................................................................................+.......................................................................................................................................................+........+...............................................................................................................................................................+.....................................................+................................................................................................++*++*++*++*
[root@Euler01 ~]# openssl pkeyparam -in dhp_pub.pem -text
DH Parameters: (2048 bit)
prime:
00:bb:c5:e0:90:cb:1d:57:68:a2:fb:d9:8b:4d:ca:
generator: 2 (0x2)
[root@Euler01 ~]# openssl genpkey -paramfile dhp_pub.pem -out akey.pem
[root@Euler01 ~]# openssl genpkey -paramfile dhp_pub.pem -out bkey.pem
[root@Euler01 ~]# openssl pkey -in akey.pem -text
DH Private-Key: (2048 bit)
private-key:
6d:30:57:61:37:e1:fa:67:e8:f9:6a:ee:2e:6d:a0:
ab:c4:c0:21:40:3b:62:20:66:c4:16:1c:ea:c5:63:
7d:89:7c:65:26:f0:3c:0b:b9:9f:80:e2:31:d8:9d:
45:e4:a8:62:5a:07:3b:05:59:76:3f:a0:2d:b3:8c:
31:97:2c:10:1e:59:3b:b0:5e:0d:b9:9b:8b:b4:20:
public-key:
00:85:27:c8:6b:58:65:a4:26:86:07:93:96:f9:f0:
98:03:3f:cd:cc:08:c1:bd:a5:e8:16:7d:68:ce:b5:
1f:2b:62:cc:ba:2f:31:53:b7:b2:91:1e:0c:23:5d:
d2:42:23:94:a4:e3:3c:d8:3c:14:49:5a:eb:f6:69:
7c:c8:b1:6f:e1:4d:09:1e:46:81:96:7e:9c:16:ee:
f7:d7:be:74:cf:7b:40:31:c8:be:64:35:9b:c1:35:
prime:
00:bb:c5:e0:90:cb:1d:57:68:a2:fb:d9:8b:4d:ca:
6b:91:60:bb:75:5b:8c:ad:aa:76:ec:2a:43:5c:d1:
generator: 2 (0x2)
[root@Euler01 ~]# openssl pkey -in bkey.pem -text -noout
DH Private-Key: (2048 bit)
private-key:
68:b3:36:e6:0a:9d:43:05:63:29:a9:d3:09:af:a5:
7e:73:2a:d1:d8:75:d5:16:49:4f:5f:3d:bf:be:35:
07:73:b7:46:62:2c:d4:78:9b:fd:36:49:c0:27:c4:
66:bd:d9:1f:9f:59:a4:dd:24:67:a5:c7:73:19:8a:
a1:5c:6a:a5:26:74:ef:9a:39:77:c0:1e:60:74:d4:
4c:e3:64:e2:30:82:4c:be:d0:3d:37:a7:c0:f7:19:
public-key:
00:8f:5f:5a:ef:bd:c7:18:8c:80:5f:ca:86:de:46:
be:83:91:45:12:15:ed:4a:5b:aa:a4:4f:b5:3f:bb:
46:77:49:4e:81:a8:c6:5b:74:73:de:7f:80:22:21:
1e:9d:a8:20:de:f0:ee:2d:d9:0a:d6:10:b8:2b:3b:
prime:
00:bb:c5:e0:90:cb:1d:57:68:a2:fb:d9:8b:4d:ca:
6b:91:60:bb:75:5b:8c:ad:aa:76:ec:2a:43:5c:d1:
bc:09:5e:11:71:8c:cd:5e:b1:5b:4d:cc:f2:4b:f4:
57:88:35:34:19:df:1e:97:4b:66:88:1b:2c:14:a8:
6f:95:79:6c:81:e9:2a:bb:90:10:9f:49:01:53:3b:
generator: 2 (0x2)
[root@Euler01 ~]# openssl pkey -in akey.pem -pubout -out akey_pub.pem
[root@Euler01 ~]# openssl pkey -in bkey.pem -pubout -out bkey_pub.pem
[root@Euler01 ~]# openssl pkeyutl -derive -inkey akey.pem -peerkey bkey_pub.pem -out data_a.txt
[root@Euler01 ~]# openssl pkeyutl -derive -inkey bkey.pem -peerkey akey_pub.pem -out data_b.txt
# 双方派生出的共享密钥内容一致(diff 无输出)
[root@Euler01 ~]# diff data_a.txt data_b.txt
SSL客户端
SSL信息
openssl s_client -servername test11.justin.com -connect 127.0.0.1:443
验证支持的tls协议
openssl s_client -connect 10.0.0.3:8443 -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3
验证支持的密码套件
# 执行不成功
openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -servername www.justin.com -connect 10.200.86.46:443 2>/dev/null
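#!/usr/bin/env bash
# Audit which cipher suites a TLS server accepts by attempting one
# handshake per suite known to the local openssl binary.
#
# Usage:   <script> host:port     (OpenSSL requires the port number.)
# Output:  one line per suite on stdout:
#            Testing <cipher>...YES
#            Testing <cipher>...NO (<reason reported by openssl>)
#            Testing <cipher>...UNKNOWN RESPONSE   (followed by the raw output)
# Returns: 2 when host:port is missing.
#
# Caveat: -cipher only selects TLS 1.2-and-earlier suites; TLS 1.3 suites
# are chosen with -ciphersuites. Against a server that negotiates TLS 1.3
# the reported suite may therefore not be the one under test.
# NOTE(review): consider pinning the protocol version per run — confirm
# against the openssl version in use.
SERVER=${1:-}
DELAY=1

# Fail early instead of handing an empty -connect target to s_client.
if [[ -z "$SERVER" ]]; then
  printf 'Usage: %s host:port\n' "${0##*/}" >&2
  exit 2
fi

# Split the colon-separated list into a real array rather than relying on
# unquoted word splitting of a scalar.
IFS=':' read -r -a ciphers < <(openssl ciphers 'ALL:eNULL')

echo "Obtaining cipher list from $(openssl version)."

for cipher in "${ciphers[@]}"; do
  printf 'Testing %s...' "$cipher"
  # Empty stdin makes s_client quit once the handshake attempt is over.
  result=$(openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1 </dev/null)
  if [[ "$result" =~ ":error:" ]]; then
    # Flatten to a single line so that field 6 is counted across the whole
    # output; quoting keeps server-supplied text from being word-split or
    # glob-expanded by the local shell.
    error=$(printf '%s' "$result" | tr '\n' ' ' | cut -d':' -f6)
    printf 'NO (%s)\n' "$error"
  # NOTE(review): s_client pads the session "Cipher" label before the colon;
  # the second literal may have lost whitespace when the page was rendered —
  # confirm against real output.
  elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]]; then
    echo YES
  else
    echo UNKNOWN RESPONSE
    printf '%s\n' "$result"
  fi
  # Pace the probes so the server is not flooded with handshakes.
  sleep "$DELAY"
done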
获取站点默认证书
openssl s_client -connect 127.0.0.1:443 -showcerts
算法压测
openssl speed <加密算法>
# 可以看到支持的算法
openssl speed help
# 示范
sudo openssl speed aes-256-cbc
Doing aes-256 cbc for 3s on 16 size blocks: 6974956 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 1821846 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 460156 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 115711 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 14465 aes-256 cbc's in 3.00s
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256 cbc 37199.77k 38866.05k 39266.65k 39496.02k 39499.09k