
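In the first half of 2020, the four major web browser vendors, Google, Microsoft, Apple, and Mozilla, are reported to be ending support for TLS 1.0 and 1.1 in their browsers. The TLS protocol currently has four versions, 1.0, 1.1, 1.2, and 1.3, but 1.0 and 1.1 are known to be vulnerable to attacks such as POODLE and BEAST. This post shows how to use the OpenSSL command line to check whether a server accepts connections with a given protocol version.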

Testing protocol connections with OpenSSL

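Run openssl's s_client command with a protocol option to check whether a connection can be made with that specific protocol. If the connection succeeds, the certificate information and connection details are printed and the command exits.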

# openssl s_client -connect naver.com:443 -tls1  
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 /C=KR/postalCode=13561/ST=Gyeonggi-do/L=Seongnam-si/streetAddress=6, Buljeong-ro/O=NAVER Corp./OU=Information Security Team/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PremiumSSL Wildcard/CN=*.www.naver.com
verify return:1
---
Certificate chain
 0 s:/C=KR/postalCode=13561/ST=Gyeonggi-do/L=Seongnam-si/streetAddress=6, Buljeong-ro/O=NAVER Corp./OU=Information Security Team/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PremiumSSL Wildcard/CN=*.www.naver.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=KR/postalCode=13561/ST=Gyeonggi-do/L=Seongnam-si/streetAddress=6, Buljeong-ro/O=NAVER Corp./OU=Information Security Team/OU=Hosted by Korea Information Certificate Authority, Inc./OU=PremiumSSL Wildcard/CN=*.www.naver.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6174 bytes and written 413 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 6BCE041B1F64BC3876272307D8B4AA679C5319FF7592FF97A5CBE75137CAFBFA
    Session-ID-ctx: 
    Master-Key: 819D24CDBECE180F26286CEE10AF96BBB34BDF98D1A0A5F24638CB7D117DE795A39639ABB5FD37AA63EEB2CB0B0B2BF4
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1585117802
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

The protocol options are as follows.

Option    Description
-ssl2     just use SSLv2
-ssl3     just use SSLv3
-tls1_2   just use TLSv1.2
-tls1_1   just use TLSv1.1
-tls1     just use TLSv1
-dtls1    just use DTLSv1
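
The per-protocol check above, scripted as an added example (not code from the original post): it runs s_client once per protocol option and classifies each result from the "Cipher is" summary line of the output. The function names classify_handshake and probe_host and the constructed sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read `openssl s_client` output on stdin and print one of:
#   accepted <protocol> <cipher>   handshake completed
#   rejected                       handshake failed (cipher is "(NONE)")
#   no-handshake                   no handshake summary in the output at all
classify_handshake() {
    awk '
        /^New, .*Cipher is / { cipher = $NF }   # e.g. "New, TLSv1/SSLv3, Cipher is AES128-SHA"
        /^ *Protocol *:/     { proto = $NF }    # e.g. "    Protocol  : TLSv1"
        END {
            if (cipher == "")            print "no-handshake"
            else if (cipher == "(NONE)") print "rejected"
            else print "accepted", (proto == "" ? "unknown" : proto), cipher
        }'
}

# Try protocol options from the table above against host:port (port defaults to 443).
probe_host() {
    host=$1
    port=${2:-443}
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        # </dev/null closes stdin so s_client exits right after the handshake.
        result=$(openssl s_client -connect "$host:$port" "$opt" </dev/null 2>/dev/null |
                 classify_handshake)
        printf '%-8s %s\n' "$opt" "$result"
    done
}

if [ "$#" -ge 1 ]; then
    probe_host "$@"
else
    # No host given: classify a constructed sample (not captured from a real server).
    printf '%s\n' 'CONNECTED(00000003)' 'New, (NONE), Cipher is (NONE)' \
        '    Protocol  : TLSv1.1' '    Cipher    : 0000' | classify_handshake
fi
```

A result reflects both ends of the connection: an OpenSSL build that no longer offers an option (many builds drop -ssl2 and -ssl3) yields no-handshake even if the server would accept that protocol.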

 
