How to Check a Server's TLS Version

Checking with OpenSSL

  • openssl s_client can test negotiation for each TLS version separately, which shows whether the server supports that version.
  • s_client arguments related to the TLS protocol version:
usage: s_client args

 ...
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
...

 

  • TLS 1.2
    • When the version is supported, the output looks like the following:
> openssl s_client -connect ploz.tistory.com:443 -tls1_2

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 403084C8121618CBD56187DE3BEF0B061716A63A49393F22C65FEC8C3FEC390A
    Session-ID-ctx: 
    Master-Key: F518D796C51DD14879387848D58D622A3B21C8AB66CC2C9C9A223FED9428CA0F09096BE64BD52499393F558190AE4AC5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
  ...

 

  • SSLv3
    • When the version is not supported, the output looks like the following:
> openssl s_client -connect ploz.tistory.com:443 -ssl3

CONNECTED(00000003)
140178768439184:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140178768439184:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1652325409
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
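
The failed -ssl3 run above still prints "Protocol  : SSLv3" and "Verify return code: 0 (ok)", so a script that checks support has to look at the negotiated cipher instead. The following is an added example, not part of the original post; the function names are assumptions made here, and the sample inputs are trimmed copies of the two outputs above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# sample outputs are trimmed copies of the two s_client runs shown above.

# Reads s_client output on stdin and prints one of:
#   supported <protocol> <cipher> | unsupported | inconclusive
# The "Protocol  :" line cannot be used on its own: the failed -ssl3 run
# still prints "Protocol  : SSLv3". The negotiated cipher is the signal.
classify_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (cipher == "") { print "inconclusive" }          # no SSL-Session block
            else if (cipher == "0000") { print "unsupported" }  # handshake failed
            else { print "supported", proto, cipher }
        }'
}

# Probes each protocol flag from the usage listing against host:port ($1).
# </dev/null makes s_client exit once the handshake attempt is over.
probe_tls_versions() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$1" "$flag" </dev/null 2>/dev/null |
                 classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

sample_tls12_ok() {   # trimmed from the -tls1_2 run
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

sample_ssl3_fail() {  # trimmed from the -ssl3 run
    cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# Usage: probe_tls_versions ploz.tistory.com:443
```

An "inconclusive" result means s_client printed no session block at all, for example because the connection failed or the local openssl build does not offer that protocol option; it says nothing about the server.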

 

 

Checking via a Website

 

SSL Server Test (Powered by Qualys SSL Labs)

SSL Server Test This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you the service. We don't use the domain names or

www.ssllabs.com

  • Enter the domain as shown below.

 

  • In the results, the following section shows which versions are supported.
