Opensourcetech Blog

A blog by Opensourcetech about open-source technologies such as NGINX, Kubernetes, Zabbix, Neo4j and Linux.

Trying out TLS 1.3 with nginx-1.15.12 & openssl-1.1.1b!

Hello, this is Takahiro Kujirai (@opensourcetech), LinuC Evangelist.

(Photo: with Igor Sysoev)

This time I'll build a TLS 1.3 environment using nginx-1.15.12 and openssl-1.1.1b.

The build is done inside a Docker container running the CentOS 7 image.

※ The container image used is "centos:latest".

Preparing the Docker container

A working Docker environment is assumed.

First, pull the container image.

bash-3.2$ docker pull centos
Using default tag: latest
latest: Pulling from library/centos
8ba884070f61: Pull complete
Digest: sha256:b5e66c4651870a1ad435cd75922fe2cb943c9e973a9673822d1414824a1d0475
Status: Downloaded newer image for centos:latest

bash-3.2$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest 9f38484d220f 2 months ago 202MB

 

Next, start the container.

The container's 80/tcp and 443/tcp are bound to the host's 7080/tcp and 7443/tcp respectively.

bash-3.2$ docker run --privileged -d -it --name="centos7-test-TLSv1.3" -p 7080:80 -p 7443:443 centos
6d684b0a7c9eda3541bc21431a1e0266ac706291f60b5eaa3eaa7c79c6c2b23f

bash-3.2$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d684b0a7c9e centos "/bin/bash" 3 seconds ago Up 1 second 0.0.0.0:7080->80/tcp, 0.0.0.0:7443->443/tcp centos7-test-TLSv1.3

 

 

Installing OpenSSL-1.1.1b and nginx-1.15.12

nginx-1.15.12 already supports TLS 1.3, but the nginx packages provided in the yum repositories are built against openssl 1.0.2k and therefore cannot use TLS 1.3, so we install from source.

OpenSSL likewise needs version 1.1.1 or later for TLS 1.3, so it is also installed from source.

Enter the container and first prepare the packages needed for a source install.

Required are the "Development Tools" group (the development tool chain), perl-core, zlib-devel and pcre-devel. Without them, the configure scripts fail with an error.

wget can be replaced by curl, so install whichever you prefer.

bash-3.2$ docker exec -it 6d684b0a7c9e /bin/bash
[root@6d684b0a7c9e /]#

[root@6d684b0a7c9e /]# yum group install 'Development Tools'
.
.
(omitted)
.
.

[root@6d684b0a7c9e /]# yum install perl-core zlib-devel pcre-devel wget
.
.
(omitted)
.
.

 

Next, download the OpenSSL source archive (tar.gz) and extract it.

[root@6d684b0a7c9e /]# cd /usr/local/src/
[root@6d684b0a7c9e src]#

[root@6d684b0a7c9e src]# wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz
--2019-05-21 19:47:54-- https://www.openssl.org/source/openssl-1.1.1b.tar.gz
Resolving www.openssl.org (www.openssl.org)... 104.71.144.179, 2600:1417:27:493::c1e, 2600:1417:27:491::c1e
Connecting to www.openssl.org (www.openssl.org)|104.71.144.179|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8213737 (7.8M) [application/x-gzip]
Saving to: 'openssl-1.1.1b.tar.gz'

100%[======================================>] 8,213,737 11.2MB/s in 0.7s

2019-05-21 19:47:55 (11.2 MB/s) - 'openssl-1.1.1b.tar.gz' saved [8213737/8213737]

[root@6d684b0a7c9e src]# ls -l
total 8024
-rw-r--r-- 1 root root 8213737 Feb 26 14:34 openssl-1.1.1b.tar.gz

[root@6d684b0a7c9e src]# tar zxvf openssl-1.1.1b.tar.gz
openssl-1.1.1b/
openssl-1.1.1b/ACKNOWLEDGEMENTS
openssl-1.1.1b/AUTHORS
openssl-1.1.1b/CHANGES
.
.
(omitted)
.
.

[root@6d684b0a7c9e src]# ls
openssl-1.1.1b openssl-1.1.1b.tar.gz

[root@6d684b0a7c9e src]# cd openssl-1.1.1b

[root@6d684b0a7c9e openssl-1.1.1b]# ls
ACKNOWLEDGEMENTS INSTALL NOTES.VMS appveyor.yml e_os.h ssl
AUTHORS LICENSE NOTES.WIN build.info engines test
CHANGES NEWS README config external tools
CONTRIBUTING NOTES.ANDROID README.ENGINE config.com fuzz util
Configurations NOTES.DJGPP README.FIPS crypto include
Configure NOTES.PERL VMS demos ms
FAQ NOTES.UNIX apps doc os-dep

 

Now build and install OpenSSL-1.1.1b from source, including its shared libraries.

[root@6d684b0a7c9e openssl-1.1.1b]# mkdir /usr/local/ssl

[root@6d684b0a7c9e openssl-1.1.1b]# ./configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl/shared zlib
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1b (0x1010102fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************

[root@6d684b0a7c9e openssl-1.1.1b]# ls
ACKNOWLEDGEMENTS INSTALL NOTES.UNIX apps demos ms
AUTHORS LICENSE NOTES.VMS appveyor.yml doc os-dep
CHANGES Makefile NOTES.WIN build.info e_os.h ssl
CONTRIBUTING NEWS README config engines test
Configurations NOTES.ANDROID README.ENGINE config.com external tools
Configure NOTES.DJGPP README.FIPS configdata.pm fuzz util
FAQ NOTES.PERL VMS crypto include

[root@6d684b0a7c9e openssl-1.1.1b]# make
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" crypto/include/internal/bn_conf.h.in > crypto/include/internal/bn_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" crypto/include/internal/dso_conf.h.in > crypto/include/internal/dso_conf.h
.
.
(omitted)
.
.

[root@6d684b0a7c9e openssl-1.1.1b]# make install
make depend && make _build_libs
make[1]: Entering directory `/usr/local/src/openssl-1.1.1b'
make[1]: Leaving directory `/usr/local/src/openssl-1.1.1b'
make[1]: Entering directory `/usr/local/src/openssl-1.1.1b'
make[1]: Nothing to be done for `_build_libs'.
make[1]: Leaving directory `/usr/local/src/openssl-1.1.1b'
created directory `/usr/local/ssl/lib'
.
.
(omitted)
.
.

[root@6d684b0a7c9e openssl-1.1.1b]# cd /etc/ld.so.conf.d/
[root@6d684b0a7c9e ld.so.conf.d]# ls
dyninst-x86_64.conf
[root@6d684b0a7c9e ld.so.conf.d]# vi openssl-1.1.1b.conf
[root@6d684b0a7c9e ld.so.conf.d]# cat openssl-1.1.1b.conf
/usr/local/ssl/lib
[root@6d684b0a7c9e ld.so.conf.d]# ldconfig -v
ldconfig: Can't stat /libx32: No such file or directory
ldconfig: Path `/usr/lib' given more than once
ldconfig: Path `/usr/lib64' given more than once
ldconfig: Can't stat /usr/libx32: No such file or directory
/usr/lib64/dyninst:
libsymLite.so.9.3 -> libsymLite.so.9.3.1

.
.
(omitted)
.
.
/lib/sse2: (hwcap: 0x0000000004000000)
/lib64/tls: (hwcap: 0x8000000000000000)
/lib64/sse2: (hwcap: 0x0000000004000000)

[root@6d684b0a7c9e ld.so.conf.d]# find / -name openssl
/usr/lib64/openssl
/usr/local/src/openssl-1.1.1b/include/openssl
/usr/local/src/openssl-1.1.1b/apps/openssl
/usr/local/src/openssl-1.1.1b/test/ossl_shim/include/openssl
/usr/local/ssl/bin/openssl
/usr/local/ssl/include/openssl
/usr/local/ssl/share/doc/openssl
/etc/pki/ca-trust/extracted/openssl

If you want the full log of each step, for troubleshooting and the like, see the links below.

 ./configure

make

make install

 

 

 

Once the environment (PATH and so on) is set up, the OpenSSL installation is complete.

[root@6d684b0a7c9e ~]# vi /etc/profile.d/openssl.sh

[root@6d684b0a7c9e ~]# cat /etc/profile.d/openssl.sh
OPENSSL_PATH=/usr/local/ssl/bin
export OPENSSL_PATH
PATH=$PATH:$OPENSSL_PATH
export PATH

[root@6d684b0a7c9e ~]# source /etc/profile.d/openssl.sh

[root@6d684b0a7c9e ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/ssl/bin

[root@6d684b0a7c9e ~]# openssl version
OpenSSL 1.1.1b 26 Feb 2019

[root@6d684b0a7c9e ~]# openssl version -a
OpenSSL 1.1.1b 26 Feb 2019
built on: Tue May 21 09:55:22 2019 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl/shared"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific

 

 

Next, the source install of nginx-1.15.12.

As with OpenSSL, download the source package and extract it.

[root@6d684b0a7c9e ~]# cd /usr/local/src/

[root@6d684b0a7c9e src]# wget https://nginx.org/download/nginx-1.15.12.tar.gz
--2019-05-21 20:14:35-- https://nginx.org/download/nginx-1.15.12.tar.gz
Resolving nginx.org (nginx.org)... 95.211.80.227, 62.210.92.35, 2001:1af8:4060:a004:21::e3
Connecting to nginx.org (nginx.org)|95.211.80.227|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1032347 (1008K) [application/octet-stream]
Saving to: 'nginx-1.15.12.tar.gz'

100%[======================================>] 1,032,347 610KB/s in 1.7s

2019-05-21 20:14:38 (610 KB/s) - 'nginx-1.15.12.tar.gz' saved [1032347/1032347]

[root@6d684b0a7c9e src]# ls -l
total 9040
-rw-r--r-- 1 root root 1032347 Apr 16 15:01 nginx-1.15.12.tar.gz
drwxrwxr-x 18 root root 4096 May 21 20:00 openssl-1.1.1b
-rw-r--r-- 1 root root 8213737 Feb 26 14:34 openssl-1.1.1b.tar.gz
[root@6d684b0a7c9e src]# tar zxvf nginx-1.15.12.tar.gz
nginx-1.15.12/
nginx-1.15.12/auto/
nginx-1.15.12/conf/
nginx-1.15.12/contrib/
nginx-1.15.12/src/
.
.
(omitted)
.
.

[root@6d684b0a7c9e src]# ls
nginx-1.15.12 nginx-1.15.12.tar.gz openssl-1.1.1b openssl-1.1.1b.tar.gz

 

Move into the extracted nginx-1.15.12 directory, then run the configure script, make and make install to complete the installation.

[root@6d684b0a7c9e nginx-1.15.12]# ./configure --prefix=/opt/nginx --user=nginx --group=nginx --with-threads --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.1.1b
checking for OS
+ Linux 4.9.125-linuxkit x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
checking for gcc -pipe switch ... found
.
.
(omitted)
.
.
creating objs/Makefile

Configuration summary
+ using threads
+ using system PCRE library
+ using OpenSSL library: /usr/local/src/openssl-1.1.1b
+ using system zlib library

nginx path prefix: "/opt/nginx"
nginx binary file: "/opt/nginx/sbin/nginx"
nginx modules path: "/opt/nginx/modules"
nginx configuration prefix: "/opt/nginx/conf"
nginx configuration file: "/opt/nginx/conf/nginx.conf"
nginx pid file: "/opt/nginx/logs/nginx.pid"
nginx error log file: "/opt/nginx/logs/error.log"
nginx http access log file: "/opt/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"

[root@6d684b0a7c9e nginx-1.15.12]# ls
CHANGES Finished Makefile README auto configure html objs
CHANGES.ru LICENSE Package Running conf contrib man src
[root@6d684b0a7c9e nginx-1.15.12]# cat Makefile

default: build

clean:
rm -rf Makefile objs

build:
$(MAKE) -f objs/Makefile

install:
$(MAKE) -f objs/Makefile install

modules:
$(MAKE) -f objs/Makefile modules

upgrade:
/opt/nginx/sbin/nginx -t

kill -USR2 `cat /opt/nginx/logs/nginx.pid`
sleep 1
test -f /opt/nginx/logs/nginx.pid.oldbin

kill -QUIT `cat /opt/nginx/logs/nginx.pid.oldbin`
[root@6d684b0a7c9e nginx-1.15.12]# make
make -f objs/Makefile
make[1]: Entering directory `/usr/local/src/nginx-1.15.12'
cd /usr/local/src/openssl-1.1.1b \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/src/openssl-1.1.1b/.openssl no-shared no-threads \
&& make \
&& make install_sw LIBDIR=lib
.
.
(omitted)
.
.
[root@6d684b0a7c9e nginx-1.15.12]# make install
make -f objs/Makefile install
make[1]: Entering directory `/usr/local/src/nginx-1.15.12'
test -d '/opt/nginx' || mkdir -p '/opt/nginx'
test -d '/opt/nginx/sbin' \
|| mkdir -p '/opt/nginx/sbin'
.
.
(omitted)
.
.
[root@6d684b0a7c9e nginx-1.15.12]# /opt/nginx/sbin/nginx -V
nginx version: nginx/1.15.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --user=nginx --group=nginx --with-threads --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.1.1b

If you want the full log of each step, for troubleshooting and the like, see the links below.

 ./configure

make

make install
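The OpenSSL and nginx steps above, collected into one re-runnable script. This is an added example, not the blog's own script, and it adds two checks the walkthrough skips: each tarball's SHA-256 is compared against an expected value before anything is compiled (the EXPECTED_*_SHA256 values are placeholders you fill in from the OpenSSL and nginx download pages; they are not real hashes), and after the build the output of nginx -V is parsed to confirm the binary really links the OpenSSL that was just built rather than the system 1.0.2k. Paths, versions and configure options are the page's own.

```sh
#!/bin/sh
# Added example: OpenSSL 1.1.1b + nginx 1.15.12 source build with checksum
# verification and a post-build link check. Run inside the CentOS 7 container
# as root with RUN_BUILD=1; without it only the helper functions are defined.
set -eu

OPENSSL_VER=1.1.1b
NGINX_VER=1.15.12
SRC=/usr/local/src
OPENSSL_PREFIX=/usr/local/ssl
NGINX_PREFIX=/opt/nginx
# Placeholders (assumption): copy the real digests from openssl.org / nginx.org.
EXPECTED_OPENSSL_SHA256="<sha256 of openssl-${OPENSSL_VER}.tar.gz from openssl.org>"
EXPECTED_NGINX_SHA256="<sha256 of nginx-${NGINX_VER}.tar.gz from nginx.org>"

# Print the SHA-256 of file $1 (sha256sum on Linux, openssl dgst elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Download $1 to $3 and refuse to continue unless its SHA-256 equals $2.
fetch_and_verify() {
    url=$1; expected=$2; out=$3
    wget -q -O "$out" "$url"
    actual=$(sha256_of "$out")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $out: got $actual, expected $expected" >&2
        rm -f "$out"
        return 1
    fi
}

# Return 0 when the text of `nginx -V` ($1, nginx prints it on stderr) says the
# binary was built with OpenSSL version $2, 1 otherwise.
nginx_built_with_openssl() {
    printf '%s\n' "$1" | grep -q "^built with OpenSSL $2 "
}

build_openssl() {
    cd "$SRC"
    fetch_and_verify "https://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz" \
        "$EXPECTED_OPENSSL_SHA256" "openssl-${OPENSSL_VER}.tar.gz"
    tar xzf "openssl-${OPENSSL_VER}.tar.gz"
    cd "openssl-${OPENSSL_VER}"
    # OpenSSL's portable build entry point is ./config; same options as the page.
    ./config --prefix="$OPENSSL_PREFIX" --openssldir="$OPENSSL_PREFIX/shared" zlib
    make
    make install
    echo "$OPENSSL_PREFIX/lib" > "/etc/ld.so.conf.d/openssl-${OPENSSL_VER}.conf"
    ldconfig
}

build_nginx() {
    cd "$SRC"
    fetch_and_verify "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz" \
        "$EXPECTED_NGINX_SHA256" "nginx-${NGINX_VER}.tar.gz"
    tar xzf "nginx-${NGINX_VER}.tar.gz"
    cd "nginx-${NGINX_VER}"
    ./configure --prefix="$NGINX_PREFIX" --user=nginx --group=nginx --with-threads \
        --with-http_ssl_module --with-http_v2_module \
        --with-openssl="$SRC/openssl-${OPENSSL_VER}"
    make
    make install
    # The service account nginx runs as; no login shell is needed for it.
    getent group nginx >/dev/null || groupadd nginx
    id nginx >/dev/null 2>&1 || useradd -g nginx -s /sbin/nologin nginx
}

if [ "${RUN_BUILD:-0}" = 1 ]; then
    yum -y groupinstall 'Development Tools'
    yum -y install perl-core zlib-devel pcre-devel wget
    build_openssl
    build_nginx
    if nginx_built_with_openssl "$("$NGINX_PREFIX/sbin/nginx" -V 2>&1)" "$OPENSSL_VER"; then
        echo "nginx links OpenSSL $OPENSSL_VER"
    else
        echo "nginx is NOT linked against OpenSSL $OPENSSL_VER" >&2
        exit 1
    fi
fi
```

The checksum step is the part worth keeping even if you type the rest by hand: the page fetches both tarballs over HTTPS but never compares them against a published digest, so a mirror or proxy problem would go straight into the build. The page's docker run also uses --privileged, which this build does not need; a plain container is enough.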

 

 

Configuring nginx-1.15.12

Add the highlighted parts (shown in bold green in the original post) to nginx.conf: in the listing below these are lines 37 to 44, i.e. listen 443 ssl, server_name www.test.local and the ssl_* directives.

[root@6d684b0a7c9e nginx-1.15.12]# cd
[root@6d684b0a7c9e ~]# vi /opt/nginx/conf/nginx.conf
[root@6d684b0a7c9e ~]# cat -n /opt/nginx/conf/nginx.conf
1
2 #user nobody;
3 worker_processes 1;
4
5 #error_log logs/error.log;
6 #error_log logs/error.log notice;
7 #error_log logs/error.log info;
8
9 #pid logs/nginx.pid;
10
11
12 events {
13 worker_connections 1024;
14 }
15
16
17 http {
18 include mime.types;
19 default_type application/octet-stream;
20
21 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
22 # '$status $body_bytes_sent "$http_referer" '
23 # '"$http_user_agent" "$http_x_forwarded_for"';
24
25 #access_log logs/access.log main;
26
27 sendfile on;
28 #tcp_nopush on;
29
30 #keepalive_timeout 0;
31 keepalive_timeout 65;
32
33 #gzip on;
34
35 server {
36 listen 80;
37 listen 443 ssl;
38 # server_name localhost;
39 server_name www.test.local;
40
41 ssl_certificate /opt/nginx/conf/server.crt;
42 ssl_certificate_key /opt/nginx/conf/server.key;
43 ssl_protocols TLSv1.2 TLSv1.3;
44 ssl_prefer_server_ciphers on;
45
46 #charset koi8-r;
47
48 #access_log logs/host.access.log main;
49
50 location / {
51 root html;
52 index index.html index.htm;
53 }
54
55 #error_page 404 /404.html;
56
57 # redirect server error pages to the static page /50x.html
58 #
59 error_page 500 502 503 504 /50x.html;
60 location = /50x.html {
61 root html;
62 }
63
64 # proxy the PHP scripts to Apache listening on 127.0.0.1:80
65 #
66 #location ~ \.php$ {
67 # proxy_pass http://127.0.0.1;
68 #}
69
70 # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
71 #
72 #location ~ \.php$ {
73 # root html;
74 # fastcgi_pass 127.0.0.1:9000;
75 # fastcgi_index index.php;
76 # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
77 # include fastcgi_params;
78 #}
79
80 # deny access to .htaccess files, if Apache's document root
81 # concurs with nginx's one
82 #
83 #location ~ /\.ht {
84 # deny all;
85 #}
86 }
87
88
89 # another virtual host using mix of IP-, name-, and port-based configuration
90 #
91 #server {
92 # listen 8000;
93 # listen somename:8080;
94 # server_name somename alias another.alias;
95
96 # location / {
97 # root html;
98 # index index.html index.htm;
99 # }
100 #}
101
102
103 # HTTPS server
104 #
105 #server {
106 # listen 443 ssl;
107 # server_name localhost;
108
109 # ssl_certificate cert.pem;
110 # ssl_certificate_key cert.key;
111
112 # ssl_session_cache shared:SSL:1m;
113 # ssl_session_timeout 5m;
114
115 # ssl_ciphers HIGH:!aNULL:!MD5;
116 # ssl_prefer_server_ciphers on;
117
118

Note that if a directive in nginx.conf is wrong, nginx complains with an error such as "nginx: [emerg] no "ssl_certificate_key" is defined for certificate "/opt/nginx/conf/server.key"".
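The page's server block enables TLS 1.2/1.3 but keeps serving the site in clear text on port 80 and leaves cipher selection, session handling and HSTS at their defaults. The script below is an added example, not the blog's configuration: it prints a server block that keeps the page's ssl_protocols and certificate paths and fills in those gaps, plus a small check that a config text does not still admit TLS 1.0/1.1. Assumptions: the page's /opt/nginx layout and certificate paths; the cipher list only governs TLS 1.2 clients, because TLS 1.3 suites are fixed by OpenSSL and are not selected through ssl_ciphers.

```sh
#!/bin/sh
# Added example: hardened TLS server block for the page's nginx build.
# WRITE_CONF=1 writes it to /opt/nginx/conf/tls.conf and runs nginx -t;
# otherwise only the functions are defined.
set -eu

# Print the server blocks for $1 (server_name) using cert $2 and key $3.
tls_server_conf() {
    name=$1; cert=$2; key=$3
    cat <<EOF
    # Port 80 only redirects; the page's config served the site in clear text too.
    server {
        listen 80;
        server_name $name;
        return 301 https://\$host\$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name $name;

        ssl_certificate     $cert;
        ssl_certificate_key $key;

        # Same protocol choice as the page: no SSLv3, TLS 1.0 or TLS 1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        # ECDHE + AEAD suites only: forward secrecy, no CBC, no RSA key exchange.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;
        # nginx generates one ticket key per start; every ticket it issues stays
        # decryptable for as long as that key lives, so leave tickets off unless
        # you rotate keys with ssl_session_ticket_key.
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            root  html;
            index index.html index.htm;
        }
    }
EOF
}

# Return 0 when the first ssl_protocols line in config text $1 lists TLS 1.2 and
# TLS 1.3 and nothing older; 1 when an older protocol is present, TLS 1.3 is
# missing, or there is no ssl_protocols line at all.
conf_is_tls12_13_only() {
    line=$(printf '%s\n' "$1" | grep 'ssl_protocols' | head -n 1)
    case "$line" in
        *SSLv2*|*SSLv3*|*"TLSv1 "*|*"TLSv1;"*|*TLSv1.1*) return 1 ;;
        *TLSv1.2*TLSv1.3*|*TLSv1.3*TLSv1.2*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${WRITE_CONF:-0}" = 1 ]; then
    tls_server_conf www.test.local /opt/nginx/conf/server.crt /opt/nginx/conf/server.key \
        > /opt/nginx/conf/tls.conf
    /opt/nginx/sbin/nginx -t
fi
```

To use the generated file, replace the page's server {} block inside http {} with "include tls.conf;" and run /opt/nginx/sbin/nginx -t before restarting, exactly as the page's own error message section suggests for catching directive mistakes.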

 

Add the nginx user and group that nginx runs as.

[root@6d684b0a7c9e /]# groupadd nginx
[root@6d684b0a7c9e /]# useradd -g nginx nginx

 

Without that user and group, nginx refuses to start with "nginx: [emerg] getpwnam("nginx") failed".

It means there is no "nginx" entry in /etc/passwd or /etc/group.

[root@6d684b0a7c9e /]# /opt/nginx/sbin/nginx
Enter PEM pass phrase:
nginx: [emerg] getpwnam("nginx") failed

 

 

 

Creating the private key and certificate with OpenSSL

① Create the private key (server.key)

② Create the CSR (server.csr)

③ Sign the CSR to produce the certificate [public key] (server.crt)

Proceed in that order.

Place the private key and certificate where nginx.conf points to, and don't forget the private key passphrase, since it is needed when starting and stopping nginx.

[root@6d684b0a7c9e ~]# openssl genrsa -aes256 2048 > /opt/nginx/conf/server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
...................................................+++++
e is 65537 (0x010001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@6d684b0a7c9e ~]# openssl req -new -key /opt/nginx/conf/server.key > /opt/nginx/conf/server.csr
Enter pass phrase for /opt/nginx/conf/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) :Minato-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test.Co.Ltd
Organizational Unit Name (eg, section)
:test
Common Name (e.g. server FQDN or YOUR name) :www.test.local
Email Address
:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name
:
[root@6d684b0a7c9e ~]# openssl x509 -in /opt/nginx/conf/server.csr -days 3650 -req -signkey /opt/nginx/conf/server.key > /opt/nginx/conf/server.crt
Signature ok
subject=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
Getting Private key
Enter pass phrase for /opt/nginx/conf/server.key:
[root@6d684b0a7c9e ~]# ls -l /opt/nginx/conf/
total 80
-rw-r--r-- 1 root root 1077 May 21 20:31 fastcgi.conf
-rw-r--r-- 1 root root 1077 May 21 20:31 fastcgi.conf.default
-rw-r--r-- 1 root root 1007 May 21 20:31 fastcgi_params
-rw-r--r-- 1 root root 1007 May 21 20:31 fastcgi_params.default
-rw-r--r-- 1 root root 2837 May 21 20:31 koi-utf
-rw-r--r-- 1 root root 2223 May 21 20:31 koi-win
-rw-r--r-- 1 root root 5231 May 21 20:31 mime.types
-rw-r--r-- 1 root root 5231 May 21 20:31 mime.types.default
-rw-r--r-- 1 root root 2906 May 21 20:37 nginx.conf
-rw-r--r-- 1 root root 2656 May 21 20:31 nginx.conf.default
-rw-r--r-- 1 root root 636 May 21 20:31 scgi_params
-rw-r--r-- 1 root root 636 May 21 20:31 scgi_params.default
-rw-r--r-- 1 root root 1237 May 21 20:42 server.crt
-rw-r--r-- 1 root root 1013 May 21 20:41 server.csr
-rw-r--r-- 1 root root 1766 May 21 20:40 server.key
-rw-r--r-- 1 root root 664 May 21 20:31 uwsgi_params
-rw-r--r-- 1 root root 664 May 21 20:31 uwsgi_params.default
-rw-r--r-- 1 root root 3610 May 21 20:31 win-utf
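The three interactive commands above (genrsa, req, x509) can be collapsed into one non-interactive call, which is what the added example below does; it is not the blog's own procedure. It also addresses two things the listing shows: the certificate carries only a CN, whereas browsers ignore the CN and require the host name in a subjectAltName, and server.key ends up world-readable (-rw-r--r--), so the script restricts it to its owner. Assumptions: OpenSSL 1.1.1 or later is on PATH (the -addext option needs it), and the subject mirrors the page's DN.

```sh
#!/bin/sh
# Added example: self-signed server certificate with a SAN, in one command,
# plus checks that the result is what nginx needs. MAKE_CERT=1 writes into
# the page's /opt/nginx/conf; otherwise only the functions are defined.
set -eu

# Write $1/server.key and $1/server.crt for host name $2 (valid 10 years, like the page).
make_selfsigned_cert() {
    dir=$1; name=$2
    mkdir -p "$dir"
    # -nodes: the key is stored without a passphrase so nginx can start unattended
    # (the page's -aes256 key makes nginx prompt at every start; see the note below).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=JP/ST=Tokyo/L=Minato-ku/O=Test.Co.Ltd/OU=test/CN=$name" \
        -addext "subjectAltName=DNS:$name" 2>/dev/null
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# 0 if the certificate in $1 carries DNS:$2 in its subjectAltName, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# 0 if the key file $1 is readable by its owner only (mode 600).
key_is_private() {
    [ "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" = "600" ]
}

# 0 if key $1 and certificate $2 carry the same public key, 1 if they do not belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

if [ "${MAKE_CERT:-0}" = 1 ]; then
    make_selfsigned_cert /opt/nginx/conf www.test.local
    cert_has_san /opt/nginx/conf/server.crt www.test.local && echo "SAN present"
    key_is_private /opt/nginx/conf/server.key && echo "key permissions ok"
    key_matches_cert /opt/nginx/conf/server.key /opt/nginx/conf/server.crt && echo "key matches cert"
fi
```

If you prefer to keep the passphrase-protected key from the page, nginx can read the passphrase from a root-only file through the ssl_password_file directive instead of prompting on the terminal, which is what makes an unattended restart possible either way. A self-signed certificate is still only suitable for this kind of lab: clients will report verification error 18 (self signed certificate), as the s_client output further down shows.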

 

 

 

Starting nginx

Start nginx.

At startup you must enter the passphrase set when generating the private key.

[root@6d684b0a7c9e /]# /opt/nginx/sbin/nginx
Enter PEM pass phrase:

To stop it, run "/opt/nginx/sbin/nginx -s stop".

 

 

Connection test from a client (openssl s_client)

There are many ways to verify this, but here I'll check with the "openssl s_client" command.

On the client, use a version of OpenSSL that supports TLS 1.3 (1.1.1 or later).

First, connect without specifying a TLS version.

In this case, the TLS capabilities available on the client and on the server are compared, and the most secure option that both support is selected.

bash-3.2$ openssl s_client -connect www.test.local:7443
CONNECTED(00000005)
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify return:1
---
Certificate chain
0 s:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
i:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

issuer=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1433 bytes and written 396 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 40DC81F130E4EC6F21755B2DC8DAC3E48932ECE982473352F24AC9D0FA71C73F
Session-ID-ctx:
Resumption PSK: 556919F2F598AA9C5406FE586CC2311EC53C424768268622246BA3328A601950D022A61F1744A823320670F8C8C29D96
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 21 85 6a ea e2 c4 87 07-96 f4 7d de 50 5d bd c6 !.j.......}.P]..
0010 - 1a ce 9f 61 03 45 33 b6-24 72 99 ad cf fb 95 61 ...a.E3.$r.....a
0020 - dd 4a 7f cb 5f 04 b1 3e-81 3c 92 e4 c4 e5 3a 06 .J.._..>.<....:.
0030 - 27 8b 9c c7 a1 3c 2f e5-30 80 af 27 ef a9 32 e4 '....</.0..'..2.
0040 - 20 d6 5b c5 04 2e 5e e5-64 ff ea f9 9f 18 92 3e .[...^.d......>
0050 - 06 be 7e 28 c8 8f 59 49-12 65 94 8c 87 c2 c3 49 ..~(..YI.e.....I
0060 - 07 aa b1 7c af de 69 ca-10 b8 be f2 1a 41 fa d2 ...|..i......A..
0070 - 74 f1 fc 25 b8 13 89 30-82 bd 50 af 19 fa d9 9b t..%...0..P.....
0080 - df 13 cd ae 0b 4e 10 e9-62 eb 1b a9 d2 1d 3a 7c .....N..b.....:|
0090 - b8 d1 51 4b 2f 36 96 c8-e2 b6 b4 a5 ff 54 01 48 ..QK/6.......T.H
00a0 - fb a1 97 bf c1 f1 3b 72-af a3 50 7a d2 67 60 64 ......;r..Pz.g`d
00b0 - 2c 69 35 d0 01 fd de d9-32 d7 f5 ce f9 a2 4e 2e ,i5.....2.....N.
00c0 - d6 79 76 b3 d4 02 8f 14-17 e2 dc ff af 59 72 3d .yv..........Yr=
00d0 - b1 31 23 31 5d 4f e2 61-f0 de 42 58 35 7d 05 4a .1#1]O.a..BX5}.J
00e0 - e1 50 c9 52 85 1c e0 09-c6 a4 7c 9d 17 dc 14 a7 .P.R......|.....

Start Time: 1558451520
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9CB2EB0636802CABE095026245A526DFA326F1E484E1E8EB2C63301F6EE52DE8
Session-ID-ctx:
Resumption PSK: B10A887E829C2D42A1A603427619E929682478BA229E01237DF0AD3FFC3C7EE96522C95049F172501B553E2A1D2D2B79
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 21 85 6a ea e2 c4 87 07-96 f4 7d de 50 5d bd c6 !.j.......}.P]..
0010 - 96 43 cf 4b c1 74 e8 85-87 cb da 7c be 92 dd b7 .C.K.t.....|....
0020 - 75 6b fb 45 57 1d fb 6f-7b 9e ae 23 bd 60 1e 4b uk.EW..o{..#.`.K
0030 - 4b 46 5b 18 51 cd d7 98-00 c1 9e 65 1b 50 d0 2d KF[.Q......e.P.-
0040 - c2 05 c9 ed 8d 6b 3c be-ee 2e 82 0a 07 89 cf 00 .....k<.........
0050 - 8e dd 5a 1c 10 da e0 d5-47 e8 32 c6 08 9e 4d a7 ..Z.....G.2...M.
0060 - f5 cc e2 4b d3 9f 14 8f-68 a6 7f 9c 80 c6 e5 99 ...K....h.......
0070 - ea 57 b3 af 6c 87 05 9c-8f 38 59 93 e5 0a 1a 86 .W..l....8Y.....
0080 - d4 b2 14 42 9e 65 eb 4a-8b fc 4f 79 e8 46 af d5 ...B.e.J..Oy.F..
0090 - 73 ff 40 e1 ab 78 a8 ed-0a ed 72 d4 b1 bf 84 ae s.@..x....r.....
00a0 - 28 95 27 e2 e7 8c 65 9b-2e 0c 79 61 20 5f 94 e9 (.'...e...ya _..
00b0 - 68 89 e5 fc 4f 2a fc 7b-39 fb b7 83 16 53 9c a3 h...O*.{9....S..
00c0 - 5a 4e 5b ac 0b a7 c1 ea-06 68 76 a5 b0 0b 10 b7 ZN[......hv.....
00d0 - f5 23 dc 1a c6 0a 86 9e-6c 92 89 83 ae 2d 6c 9e .#......l....-l.
00e0 - 44 2b f2 8d 42 3c 29 ef-39 22 97 3f 5f 72 84 dc D+..B<).9".?_r..

Start Time: 1558451520
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK

 

 

Next, connect with TLS 1.2 explicitly specified.

bash-3.2$ openssl s_client -tls1_2 www.test.local:7443
CONNECTED(00000005)
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify return:1
---
Certificate chain
0 s:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
i:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

issuer=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1534 bytes and written 310 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FCB5983BC6D27266AA3381EEC7954A93A4C1EC9441D1020A8690D93FC3127776
Session-ID-ctx:
Master-Key: B3B12235E1CC08F3630260C4AA44D55636B2AD578F90856EE4C62628B5DE808FE0C338F97046987D990F7E9A1697B064
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 21 85 6a ea e2 c4 87 07-96 f4 7d de 50 5d bd c6 !.j.......}.P]..
0010 - 72 ca 88 1b f0 bc 5d 4b-29 bf 26 19 01 3f 17 c6 r.....]K).&..?..
0020 - 9a 2d d9 60 cd 1a 69 b6-10 c0 0d 7b 28 ab 0b f1 .-.`..i....{(...
0030 - d2 a0 4e 47 90 90 3c 49-5f 89 11 22 c9 16 db 7e ..NG..<I_.."...~
0040 - 09 88 ed bf 34 c3 d2 d4-9a f0 3c ec f7 35 67 d3 ....4.....<..5g.
0050 - 7b a7 65 87 bc 89 d0 d6-e6 cd 86 2d 1f e7 65 64 {.e........-..ed
0060 - 1b 07 f4 42 32 8b 04 60-8b c1 83 21 be 6b 95 61 ...B2..`...!.k.a
0070 - 99 74 28 e5 cf 95 6c 5d-c6 b9 98 ce ea bc 5f e7 .t(...l]......_.
0080 - f7 6e a9 dd cb 87 27 f4-57 3f 9b 26 d8 7f 31 80 .n....'.W?.&..1.
0090 - 78 0c 39 97 8e 34 37 4f-db 40 88 ad e6 37 42 57 x.9..47O.@...7BW
00a0 - 9d 52 36 6f 39 56 ec a6-d1 d2 b1 a6 c8 32 21 bb .R6o9V.......2!.
00b0 - e6 37 ba 98 dc 6d f9 b9-7d 54 78 10 74 e8 25 8a .7...m..}Tx.t.%.

Start Time: 1558451595
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---

 

 

Then, connect with TLS 1.3 explicitly specified.

bash-3.2$ openssl s_client -tls1_3 www.test.local:7443
CONNECTED(00000005)
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
verify return:1
---
Certificate chain
0 s:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
i:C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

issuer=C = JP, ST = Tokyo, L = Minato-ku, O = Test.Co.Ltd, OU = test, CN = www.test.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1433 bytes and written 318 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: CFE0DEF88ABAB3E18AA0D30C463E1C9B3FF5AE132D79857ECCA05270C81E7575
Session-ID-ctx:
Resumption PSK: 10A0F7D686EEAD0584B935AD79492E74ACC92E9B07495F37E191A76BBC9EF945D9CDAD84956D415AA857F231FAE10E4D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 21 85 6a ea e2 c4 87 07-96 f4 7d de 50 5d bd c6 !.j.......}.P]..
0010 - 65 7f 7b 86 33 29 d6 60-52 a9 6c 58 a8 c2 c6 7b e.{.3).`R.lX...{
0020 - 0b db 94 fd 05 79 c7 39-0b da 58 f7 14 3c ea 70 .....y.9..X..<.p
0030 - 7f 36 6d 2b eb 98 fd 17-45 74 bb c5 74 dc df ae .6m+....Et..t...
0040 - 7b 0f da 52 b1 41 75 1f-87 b7 e3 20 60 4a 5b 8d {..R.Au.... `J[.
0050 - 1e 2e 58 dd 61 d2 a0 7d-e8 af 05 91 d7 95 fe fc ..X.a..}........
0060 - ee b4 21 8f aa 5c 8b 64-22 a6 90 38 ae 22 20 7b ..!..\.d"..8." {
0070 - ef 01 98 4d 75 f4 a2 bf-58 d7 f4 43 e1 67 00 2d ...Mu...X..C.g.-
0080 - 7d 09 b2 4d 13 73 cd 2f-6d 71 3c 4d 21 27 16 6b }..M.s./mq<M!'.k
0090 - 88 08 a9 13 2b 7a 67 a0-57 90 d9 5a 8e 21 1c cf ....+zg.W..Z.!..
00a0 - 0c 99 17 4d b2 51 90 3e-45 c3 d3 5f 4f f5 ef 98 ...M.Q.>E.._O...
00b0 - 84 be a5 d5 2b 1d 7b ab-69 64 95 14 81 13 d4 3a ....+.{.id.....:
00c0 - 4a ef 35 1a 2b aa a0 fa-4e 46 4d 63 10 b5 ed 74 J.5.+...NFMc...t
00d0 - 58 e1 e7 52 13 17 2d 41-c2 e2 83 02 88 13 ae 63 X..R..-A.......c
00e0 - 63 42 a6 91 6c 99 65 28-fa f0 13 a6 48 dd 4f 13 cB..l.e(....H.O.

Start Time: 1558451637
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3CFB4DE6731C80DA6DD923037F36AA970295A1DBC469B16B484EC9B0A043ABB1
Session-ID-ctx:
Resumption PSK: 42BF9F5C0BA9C6F1186B9A66714FA384138BD5F1584F8789A8E45A3CC89296EBC7E8A0B96BD6A7C47000D7A2C780F8F2
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 21 85 6a ea e2 c4 87 07-96 f4 7d de 50 5d bd c6 !.j.......}.P]..
0010 - 36 cb 4f 3e e3 06 66 ff-34 a9 0c fb 70 f5 d0 2e 6.O>..f.4...p...
0020 - 9d f0 43 7d 4a 85 7b 5e-8a 7a 27 ee 72 f9 a2 bf ..C}J.{^.z'.r...
0030 - 38 fa 2d 31 7f bf 07 65-68 85 6e de 74 23 d1 8a 8.-1...eh.n.t#..
0040 - ef d8 96 bf 82 08 b0 b1-95 87 b1 5e 9d bf ff 58 ...........^...X
0050 - 0b 04 62 0f da c1 6e 27-ff 24 ca 23 e6 6a 13 96 ..b...n'.$.#.j..
0060 - 1a 8d 96 de d4 e7 95 1f-35 12 a8 11 67 d1 ce 50 ........5...g..P
0070 - a9 8a 2c c3 a2 22 bb a7-e7 8e 98 6b a1 1c b8 7f ..,..".....k....
0080 - 3d 1b fd 25 4b c2 42 17-6b 28 9e 9e 9e b4 dd d0 =..%K.B.k(......
0090 - af fb 68 d5 42 db 2c d2-bf b9 af 82 da 85 ce d0 ..h.B.,.........
00a0 - 55 20 0c 9a 9e c8 f8 b3-81 1e 9c 7f 7c 65 49 e2 U ..........|eI.
00b0 - 6f 0f fa b0 9d fe 19 91-fd d8 91 23 29 b1 8d e0 o..........#)...
00c0 - ab 3d 46 61 11 65 e5 00-93 f6 4c 1b fa 6f 47 22 .=Fa.e....L..oG"
00d0 - 79 a5 d8 d5 79 4d 41 b0-cd 2a 38 43 97 48 29 1a y...yMA..*8C.H).
00e0 - 94 fa 83 67 fe f5 fb 2b-01 f7 42 94 83 fc 41 99 ...g...+..B...A.

Start Time: 1558451637
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK

 

Done, with no problems!
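The three manual s_client runs above (negotiated, -tls1_2, -tls1_3) answer "does TLS 1.3 work", but the question a reviewer asks next is "is anything older still accepted". The added example below, which is not part of the original post, loops over every protocol version flag and reports which ones the server accepts, reducing each s_client transcript to the protocol, cipher and verify code taken from the "New, ..." and "Verify return code" lines that the page's output shows. Assumptions: an OpenSSL 1.1.1 or later s_client on the client side, and the page's host www.test.local on port 7443 as the default target.

```sh
#!/bin/sh
# Added example: per-version TLS probe built on openssl s_client.
# PROBE_HOST=www.test.local PROBE_PORT=7443 sh probe.sh runs the probe;
# without PROBE_HOST only the functions are defined.
set -eu

# Reduce one s_client transcript (stdin) to "protocol cipher verify-code",
# or "none" when no session was established (s_client then prints "(NONE)").
s_client_summary() {
    awk '
        /^New, / {
            sub(/^New, /, "")
            split($0, a, ", Cipher is ")
            proto = a[1]; cipher = a[2]
        }
        /^Verify return code:/ { code = $4 }
        END {
            if (proto == "" || proto == "(NONE)") print "none"
            else print proto, cipher, code
        }
    '
}

# Try each protocol version against $1:$2 and print one line per version.
# -servername sends SNI, matching the page's server_name www.test.local.
probe_tls_versions() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(openssl s_client "$flag" -servername "$host" -connect "$host:$port" \
                    </dev/null 2>/dev/null | s_client_summary)
        case "$result" in
            none) echo "$flag: rejected" ;;
            *)    echo "$flag: accepted ($result)" ;;
        esac
    done
}

if [ -n "${PROBE_HOST:-}" ]; then
    probe_tls_versions "$PROBE_HOST" "${PROBE_PORT:-7443}"
fi
```

Against the configuration on this page the expected report is -tls1 and -tls1_1 rejected, -tls1_2 accepted with ECDHE-RSA-AES256-GCM-SHA384 and -tls1_3 accepted with TLS_AES_256_GCM_SHA384, each with verify code 18 because the certificate is self-signed; pass -CAfile with the server.crt file to s_client if you want the verify code to read 0 in the lab. On a production endpoint any accepted -tls1 or -tls1_1 line, or any non-zero verify code, is a finding to fix.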

 

 

Conclusion

Doing an install from source packages once in a while is good practice, lol

It also reminded me how grateful I am that package managers such as yum and apt make installation so easy.

Thanks, open source!!

 

 

The container image I created is uploaded at the link below, so if you'd like to give TLS 1.3 a quick try, go ahead!

https://cloud.docker.com/u/kujiraitakahiro/repository/docker/kujiraitakahiro/nginx_1.15.12_tlsv1.3

 

bash-3.2$ docker commit 6d684b0a7c9e nginx_centos_tlsv1.3
sha256:c725902c212eddbbcc01187ec93fcc20533baae24c708496af91ee046c098686
bash-3.2$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx_centos_tlsv1.3 latest c725902c212e 6 seconds ago 1.12GB

 

 

 

 

 

 


Opensourcetech by Takahiro Kujirai