On Linux you can use the OpenSSL command-line tool to test an SSL/TLS handshake. The following simple example shows how to use OpenSSL to open an SSL connection to a server and perform the handshake:
Open a terminal.
Run the following command, replacing your_server_domain with the domain name or IP address of the server you want to test, and your_port with the SSL port (usually 443):
openssl s_client -connect your_server_domain:your_port
For example, to test the connection to the SSL service running on www.example.com, you can run:
openssl s_client -connect www.example.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
0 s:CN = www.example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbJ9zjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
...
-----END CERTIFICATE-----
subject=CN=www.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3544 bytes and written 430 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
Note that if the server uses a self-signed certificate you may get a verification error, such as the "Verification error: self signed certificate in certificate chain" shown above. This means the server's certificate was not issued by a certificate authority that your system trusts. In a real production environment you should use a certificate issued by a trusted certificate authority.
If you only care about the handshake itself and not about certificate verification, you can use the -verify_return_error option to ignore verification errors:
openssl s_client -connect your_server_domain:your_port -verify_return_error
This returns the handshake summary even when certificate verification fails.
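Two things are worth knowing before scripting this. First, as the captured output above shows, s_client already completes the handshake and prints the summary by default even when verification fails; it only records the failure in the "Verify return code" line. Second, according to the OpenSSL manual, -verify_return_error does the opposite of ignoring the error: it makes a verification failure fatal so the handshake is aborted, which is the behaviour a script that must never talk to an unverified server wants. Either way, an automated check should read the "Verify return code" rather than rely on the exit status alone. The following shell script is an added example, not part of the original page or of the OpenSSL project, that wraps s_client so the verification result, the negotiated protocol and cipher, and the certificate chain can be checked by a script. It assumes the openssl binary is on PATH; the only options used are the real -connect, -servername (SNI, which virtual-hosted servers need in order to present the right certificate) and -CAfile (to trust a private CA). The function names tls_probe, verify_code, protocol_and_cipher and tls_report are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): make the result of an
# "openssl s_client" handshake machine-checkable instead of read by eye.

# Run the handshake against HOST:PORT and print s_client's full report.
# Stdin is closed so s_client exits as soon as the summary is printed.
# CAFILE (optional, 3rd argument) adds a private CA bundle to the trust store.
tls_probe() {
    host=$1; port=${2:-443}; cafile=$3
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>&1
    fi
}

# Read a captured report on stdin and print the numeric verify result
# (0 = chain verified; 19 = self signed certificate in certificate chain).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read a captured report on stdin and print "<protocol> <cipher>",
# taken from the "New, TLSv1.3, Cipher is ..." line.
protocol_and_cipher() {
    sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# Read a captured report on stdin, print a short summary and return
# 0 when the chain verified, 1 when verification failed, 2 when no
# verify line was found (the handshake itself did not complete).
tls_report() {
    report=$(cat)
    code=$(printf '%s\n' "$report" | verify_code)
    proto=$(printf '%s\n' "$report" | protocol_and_cipher)
    echo "protocol/cipher: ${proto:-unknown}"
    # Chain entries look like " 0 s:CN = www.example.com"; print the subjects.
    printf '%s\n' "$report" | sed -n 's/^ *[0-9][0-9]* s:/chain: /p'
    case "$code" in
        0)  echo "verification: ok"; return 0 ;;
        "") echo "verification: no result (handshake did not complete)"; return 2 ;;
        *)  echo "verification: FAILED (code $code)"; return 1 ;;
    esac
}

# Usage (needs network): sh tls_check.sh www.example.com 443 [ca-bundle.pem]
if [ $# -ge 1 ]; then
    tls_probe "$1" "${2:-443}" "$3" | tls_report
fi
```

Run with a host name to probe a live server; the script's exit status is non-zero whenever the chain did not verify, so it can gate a deployment check. Passing a CA bundle as the third argument is the right way to make a private-CA certificate verify without disabling verification.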