How to verify an HTTPS server certificate with the openssl command
The s_client subcommand of openssl can check an HTTPS server's certificate chain and its certificate revocation list (CRL). For example, to verify the certificate of twitter.com, run openssl s_client -connect twitter.com:443 -no_ssl2 -showcerts -crl_check_all.
$ openssl s_client -connect twitter.com:443 \
> -no_ssl2 -showcerts -crl_check_all << EOF
> HEAD / HTTP/1.0
>
> EOF
A response like the following comes back:
CONNECTED(00000003)
depth=0 /C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=0 /C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
-----BEGIN CERTIFICATE-----
MIIDQzCCAqygAwIBAgIDC7XxMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDkwNTI2MTkzNDQ4WhcN
MTAwNTI4MTY1ODEzWjCBsjELMAkGA1UEBhMCVVMxFDASBgNVBAoTC3R3aXR0ZXIu
Y29tMRMwEQYDVQQLEwpHVDA5NzIxMjM2MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlk
c3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA5MS8wLQYDVQQLEyZEb21haW4gQ29u
dHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEUMBIGA1UEAxMLdHdpdHRlci5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAObNJ9AKUT3V3ls5J3Cxvs5R
OqQO7h+DZ2aBppy2GZFPWza3rhnRk/PBIvasRx82aKL7rAFtVyXggivp32XVZwCy
io74Br+cdVV7SgMwMhZgpUKsQTBwQ3InKuuczNyd9qdMF9t/TIf+HpfEXmHTxHIn
fJYv8OT5zfE0Fl9iACjTAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTwMB0GA1Ud
DgQWBBQrGm3fNiHRrszg4IuqhAFAK6bWBzA7BgNVHR8ENDAyMDCgLqAshipodHRw
Oi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYDVR0jBBgw
FoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAebTa/jX//SrR
Gt8kccVQvohpKnegZC1HFSfgWfqSOEPjnQQQa7D65znFciw/fD4JS6vbphk5ZeXv
jzyk27jdEvJ+02qwr22L2PpgJIndmyNeaBphp72PB604S82j29hfbfzmZy6LIiT8
DHwb3GjhBKhGy1+NLYyWV6T0UaQcLSk=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=twitter.com/OU=GT09721236/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=twitter.com
issuer=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
---
No client certificate CA names sent
---
SSL handshake has read 1403 bytes and written 285 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6638A5B2ED3DD7EB649D47E63DD64A4A13E43A24DE6D432619A793D9D57B98F7
    Session-ID-ctx:
    Master-Key: 86C8B0E32303E2F30D015B9AB5DDCEF0CE9F54F9FCCD5E9D31195D57509FA02ED7A35B5A239286B23906AE950F0EB5B2
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1247565236
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
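The run above ends with verify errors 20, 27, 3 and 21 because s_client was given neither a trusted CA bundle to build the chain from nor any CRL for -crl_check_all to consult, so the output alone does not tell you whether the certificate is good. The following added example (not from the original post) runs s_client with -CAfile and -CApath and reduces its output to a pass/fail verdict; the CA bundle path, the CRL directory and the sample output are assumptions constructed for illustration.

```shell
# Added example, not from the original post: run "openssl s_client" with a
# local trust store and CRLs, then reduce its output to a pass/fail verdict.
# Print the numeric "Verify return code" from s_client output on stdin;
# 0 means the chain and the CRL checks all passed.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Print each distinct "verify error:num=NN:..." line, which tells the
# reader why a check failed (20 = no local issuer, 3 = CRL not available).
verify_errors() {
    grep '^verify error:' | sort -u
}

# Print the first certificate of the chain (the server's leaf) as PEM,
# ready for "openssl x509 -noout -text" or "openssl verify".
leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 } p { print }
         /^-----END CERTIFICATE-----$/ { exit }'
}

# check_host HOST CA_BUNDLE CRL_DIR: verify HOST's chain and CRLs against a
# PEM bundle of trusted roots and a c_rehash-style directory of CRLs
# (<hash>.r0); both paths are hypothetical. Exit status is 0 only when
# OpenSSL reported "Verify return code: 0 (ok)". The depth/verify lines go
# to stderr, so stderr is merged into the captured output.
check_host() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" \
          -CAfile "$2" -CApath "$3" -crl_check_all </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s\n' "$out" | verify_errors
    echo "$1: verify return code ${code:-unknown}"
    [ "$code" = "0" ]
}

# Constructed s_client output (the PEM body is a placeholder, not a real
# certificate), shaped like the post's run with no trust store or CRL given.
sample_output() {
    cat <<'EOF'
depth=0 /CN=example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=example.test
verify error:num=3:unable to get certificate CRL
verify return:1
-----BEGIN CERTIFICATE-----
Tk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

Running `sample_output | verify_code` prints 21, the same code as the post's run; `check_host twitter.com /path/to/ca-bundle.pem /path/to/crls` does the live check once real paths are substituted.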
References: