
2017.12.25 Checking TLS 1.2 support with OpenSSL

OpenSSL 1.0.1 or later
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES
httpd 2.2.23 or later
http://www.apache.org/dist/httpd/CHANGES_2.2

On CentOS 5 / RHEL 5 the system OpenSSL is 0.9.8e, so outbound HTTPS connections made by OpenSSL-based clients such as curl support neither SHA-2 certificates nor TLS 1.2 (SHA-2 requires OpenSSL 0.9.8o or later; TLS 1.2 requires OpenSSL 1.0.1 or later).

How to check

OK (handshake succeeds)

$ openssl s_client -connect wiki.fl8.jp:443 -tls1
CONNECTED(00000003)
---
SSL handshake has read 1569 bytes and written 353 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported

NG (handshake fails)

$ openssl s_client -connect wiki.fl8.jp:443 -tls1_2
CONNECTED(00000003)
140160114657096:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
$ openssl s_client -connect wiki.fl8.jp:443 -tls1_1
CONNECTED(00000003)
139868423800648:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1275:SSL alert number 70
139868423800648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
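The manual checks above can be wrapped in a small shell script. The following is an added example, not code from the original page: it runs `openssl s_client` once per version flag, reads the `New, ..., Cipher is ...` line to decide whether a session was actually set up, and distinguishes the two failure messages seen above (the record-layer `wrong version number` error and the `protocol version` alert) as well as an `unknown option` error from a local OpenSSL too old to know the flag at all, as on CentOS 5. Function names and the `SAMPLE_*` strings are my own; the samples are abbreviated from the transcripts on this page so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original page): an audit helper that wraps
# `openssl s_client` and classifies its output per protocol flag.
# Assumed: an `openssl` binary on PATH; function names are hypothetical.

# classify_tls_output FLAG
#   Reads s_client output (stdout and stderr merged) on stdin and prints
#   "FLAG: supported (CIPHER)" or "FLAG: unsupported (REASON)".
classify_tls_output() {
  flag=$1
  out=$(cat)
  # The "New, <proto>, Cipher is <cipher>" line reads "(NONE)" when no session was set up.
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
  case "$cipher" in
    ""|"(NONE)")
      reason="handshake failed"
      case "$out" in
        *"unknown option"*)
          # The local OpenSSL (e.g. 0.9.8e on CentOS 5) does not know the flag at all
          reason="local openssl does not support this flag" ;;
        *"alert protocol version"*)
          # The server rejected the version with a protocol_version alert (alert 70)
          reason="server sent protocol_version alert" ;;
        *"wrong version number"*)
          # The record layer saw a version field it did not expect
          reason="wrong version number in server record" ;;
      esac
      printf '%s: unsupported (%s)\n' "$flag" "$reason"
      ;;
    *)
      printf '%s: supported (%s)\n' "$flag" "$cipher"
      ;;
  esac
}

# probe_tls_version HOST PORT FLAG -- the check the page does by hand.
# </dev/null closes stdin so s_client exits right after the handshake;
# 2>&1 merges stderr, where the error lines are printed.
probe_tls_version() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_tls_output "$3"
}

# audit_tls_versions HOST [PORT] -- one result line per protocol version.
# -tls1_3 is only understood by OpenSSL 1.1.1 and later; older builds report "unknown option".
audit_tls_versions() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    probe_tls_version "$host" "$port" "$flag"
  done
}

# Constructed samples, abbreviated from the transcripts on this page, for offline checks.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit'
SAMPLE_WRONG_VERSION='CONNECTED(00000003)
140160114657096:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
New, (NONE), Cipher is (NONE)'
SAMPLE_ALERT='CONNECTED(00000003)
139868423800648:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1275:SSL alert number 70
---
New, (NONE), Cipher is (NONE)'

# Offline demonstration of the classifier on the constructed samples:
printf '%s\n' "$SAMPLE_OK" | classify_tls_output -tls1
printf '%s\n' "$SAMPLE_WRONG_VERSION" | classify_tls_output -tls1_2
printf '%s\n' "$SAMPLE_ALERT" | classify_tls_output -tls1_1
# Against a live server you operate: audit_tls_versions wiki.fl8.jp 443
```

The classifier keys on the `Cipher is` line rather than on the exit status because old `s_client` builds exit 0 even when the handshake fails; the separate `unknown option` case matters because, as noted above, a 0.9.8e client cannot even request TLS 1.2, so a failure there says nothing about the server.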