To inspect the SSL/TLS handshake with OpenSSL, you can use the following command:
openssl s_client -connect example.com:443 -debug
Replace example.com with the domain name or IP address of the server whose handshake you want to inspect, and replace 443 with the corresponding port number if the server uses a non-standard port.
This command starts an OpenSSL client, connects to the given server and port, and prints detailed information about the SSL handshake. The output includes the protocol version, the cipher suite, certificate details, and more.
For example, after running this command you might see output like the following:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=27:certificate not trusted
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEb9zLjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
...
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3544 bytes and written 434 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
In this example we can see the details of the server certificate and the cipher suite that was negotiated (TLS_AES_256_GCM_SHA384). We can also see other facts about the handshake, such as the protocol version (TLSv1.3) and the key exchange algorithm (the X25519 ephemeral key shown under "Server Temp Key"). Note the final line, "Verify return code: 20 (unable to get local issuer certificate)": it means the client could not find the issuing CA in its local trust store, not necessarily that the server's certificate is bad. Pointing s_client at the correct CA bundle with -CAfile (or -CApath) lets the chain verify with return code 0 when the certificate is actually valid.
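When you run this check against many hosts it helps to parse the s_client output rather than read it by eye. The following is an added example (not from the original answer or from OpenSSL itself): it extracts the certificate chain, negotiated protocol and cipher, ephemeral key and verification result from s_client text, using a constructed, abbreviated sample modelled on the output above, and flags the findings a reviewer would care about.

```python
import re

# Constructed, abbreviated sample of `openssl s_client -connect host:443` output,
# modelled on the page's example (not captured from a real server).
SAMPLE_OUTPUT = """CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)
---
"""

def parse_s_client(output):
    """Pull the chain, negotiated parameters and verification result out of s_client text."""
    report = {"chain": [], "verify_errors": [], "verify_code": None,
              "protocol": None, "cipher": None, "temp_key": None}
    subject = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"\d+ s:(.*)", line):        # chain entry: subject line
            subject = m.group(1)
        elif m := re.match(r"i:(.*)", line):          # chain entry: issuer line
            if subject is not None:
                report["chain"].append({"subject": subject, "issuer": m.group(1)})
                subject = None
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            report["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif m := re.match(r"Verify return code: (\d+) \((.*)\)", line):
            report["verify_code"] = int(m.group(1))
        elif m := re.match(r"New, (\S+), Cipher is (\S+)", line):
            report["protocol"], report["cipher"] = m.group(1), m.group(2)
        elif m := re.match(r"Server Temp Key: (.*)", line):
            report["temp_key"] = m.group(1)
    return report

def findings(report):
    """Return the issues a reviewer would flag from the parsed handshake."""
    issues = []
    if report["verify_code"] != 0:
        issues.append(f"chain verification failed (code {report['verify_code']})")
    if report["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        issues.append(f"legacy or unknown protocol: {report['protocol']}")
    if report["temp_key"] is None:
        issues.append("no ephemeral key exchange: session lacks forward secrecy")
    return issues
```

Feed it real output with `openssl s_client -connect host:443 < /dev/null 2>&1 | python3 -c '...'`; a verify code other than 0 in the findings means you should check the trust store (or -CAfile) before blaming the server.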