I tested the server with SSLv3 enabled and with it disabled, as shown below. The client side is forced down to SSLv3 by turning off every TLS version:
> openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -host {server address} -port 443
[debug] ssl_engine_init.c(367): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
This line lists only the protocols the server actually supports, so the result is unambiguous. The mod_ssl logging configuration used for the test was:
<IfModule mod_ssl.c>
    # Inner quotes in a LogFormat string must be escaped, otherwise the
    # directive is cut short at the first "%r" and Apache refuses to start.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
    CustomLog /var/log/apache2/ssl_access.log vhost_combined
    ErrorLog /var/log/apache2/ssl_engine.log
    # LogLevel debug makes mod_ssl dump the handshake bytes (BIO dumps) shown below.
    LogLevel debug
</IfModule>
[Error log from the server that supports SSLv3]
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(367): Creating new SSL context (protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2)
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA]
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(692): Configuring server certificate chain (1 CA certificate)
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(316): Configuring TLS extension handling
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Sat Jul 29 16:09:02 2017] [debug] ssl_engine_init.c(785): Configuring RSA server private key
[Sat Jul 29 16:10:01 2017] [info] [client 121.138.33.91] Connection to child 3 established (server .cafe24.com:443)
[Sat Jul 29 16:10:01 2017] [info] Seeding PRNG with 656 bytes of entropy
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1819): OpenSSL: Handshake: start
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: before/accept initialization
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#7f97356405a0 [mem: 7f9735645b80] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 7b 01 00 00-77 03 ....{...w. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1873): | 0011 - <SPACES/NULS>
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 117/117 bytes from BIO#7f97356405a0 [mem: 7f9735645b8e] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 75 a9 03 19 95 64 a6 33-6e 0c 59 8a 57 ec c0 8e u....d.3n.Y.W... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0010: ba 84 26 1b 53 01 ce 95-35 07 1a 57 c6 cc 67 c5 ..&.S...5..W..g. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0020: 00 00 50 c0 14 c0 0a 00-39 00 38 00 88 00 87 c0 ..P.....9.8..... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0030: 0f c0 05 00 35 00 84 c0-13 c0 09 00 33 00 32 00 ....5.......3.2. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0040: 9a 00 99 00 45 00 44 c0-0e c0 04 00 2f 00 96 00 ....E.D...../... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0050: 41 c0 11 c0 07 c0 0c c0-02 00 05 00 04 c0 12 c0 A............... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0060: 08 00 16 00 13 c0 0d c0-03 00 0a 00 15 00 12 00 ................ |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0070: 09 00 ff 01 .... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1873): | 0117 - <SPACES/NULS>
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 read client hello A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write server hello A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write certificate A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write key exchange A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write server done A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 flush data
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7f97356405a0 [mem: 7f9735645b83] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 46 ....F |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 70/70 bytes from BIO#7f97356405a0 [mem: 7f9735645b88] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 10 00 00 42 41 04 64 e7-4a ac 19 18 f2 92 6f fc ...BA.d.J.....o. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0010: cb 58 90 73 01 e4 9c c9-ad f2 2e 2d 52 d8 13 04 .X.s.......-R... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0020: bb 43 ec e4 f0 6d 7f b0-7e 55 36 75 b9 a7 12 7a .C...m..~U6u...z |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0030: aa ea 89 54 cd 93 60 65-76 d5 c6 ff 56 11 50 0e ...T..`ev...V.P. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0040: 37 69 26 e6 ce 3d 7i&..= |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 read client key exchange A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7f97356405a0 [mem: 7f9735645b83] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 14 03 00 00 01 ..... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 1/1 bytes from BIO#7f97356405a0 [mem: 7f9735645b88] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 01 . |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7f97356405a0 [mem: 7f9735645b83] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 40 ....@ |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 64/64 bytes from BIO#7f97356405a0 [mem: 7f9735645b88] (BIO dump follows)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0000: cb e2 a7 4a c6 e5 29 bf-92 d2 d3 84 a4 48 08 61 ...J..)......H.a |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0010: 13 32 70 12 b8 8d 67 e5-38 fa 91 f9 19 22 04 a9 .2p...g.8....".. |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0020: ca fa 37 ef 49 06 5c 77-ad 17 99 b0 f4 f5 56 66 ..7.I.\w......Vf |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1869): | 0030: fa 28 ba 39 86 44 65 de-4f 2d 0a 09 65 b6 fa fe .(.9.De.O-..e... |
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 read finished A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write change cipher spec A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 write finished A
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: SSLv3 flush data
[Sat Jul 29 16:10:01 2017] [debug] ssl_scache_shmcb.c(353): ssl_scache_shmcb_store (0x9b -> subcache 27)
[Sat Jul 29 16:10:01 2017] [debug] ssl_scache_shmcb.c(645): insert happened at idx=0, data=0
[Sat Jul 29 16:10:01 2017] [debug] ssl_scache_shmcb.c(647): finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/148
[Sat Jul 29 16:10:01 2017] [debug] ssl_scache_shmcb.c(378): leaving ssl_scache_shmcb_store successfully
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1685): Inter-Process Session Cache: request=SET status=OK id=9B63EFB2BC6D1B54F5807A64622908CA949A6A0429BE841CD239CCD330395961 timeout=300s (session caching)
[Sat Jul 29 16:10:01 2017] [debug] ssl_engine_kernel.c(1823): OpenSSL: Handshake: done
[Sat Jul 29 16:10:01 2017] [info] Connection: Client IP: 121.138.33.91, Protocol: SSLv3, Cipher: ECDHE-RSA-AES128-SHA (128/128 bits)
[Sat Jul 29 16:10:21 2017] [info] [client 121.138.33.91] Request header read timeout
[Sat Jul 29 16:10:21 2017] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f97356405a0 [mem: 7f9735645b83]
[Sat Jul 29 16:10:21 2017] [info] [client 121.138.33.91] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Jul 29 16:10:21 2017] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSL negotiation finished successfully
[Sat Jul 29 16:10:21 2017] [info] [client 121.138.33.91] Connection closed to child 3 with standard shutdown (server .cafe24.com:443)
[Error log from the server that does not support SSLv3]
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(367): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA]
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(692): Configuring server certificate chain (1 CA certificate)
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(316): Configuring TLS extension handling
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Fri Jul 28 19:12:09 2017] [debug] ssl_engine_init.c(785): Configuring RSA server private key
[Fri Jul 28 19:13:34 2017] [info] [client 175.196.36.77] Connection to child 1 established (server :443)
[Fri Jul 28 19:13:34 2017] [info] Seeding PRNG with 656 bytes of entropy
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_kernel.c(1819): OpenSSL: Handshake: start
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_kernel.c(1827): OpenSSL: Loop: before/accept initialization
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#7f00f16e55a0 [mem: 7f00f16eab80] (BIO dump follows)
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 7b 01 00 00-77 03 ....{...w. |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1873): | 0011 - <SPACES/NULS>
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 117/117 bytes from BIO#7f00f16e55a0 [mem: 7f00f16eab8e] (BIO dump follows)
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0000: f0 c9 7e cc bd 30 49 02-0c 83 00 75 7f f4 80 c9 ..~..0I....u.... |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0010: 42 91 8d cf c5 13 bc d3-a2 c5 68 ed 44 1c 3f e2 B.........h.D.?. |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0020: 00 00 50 c0 14 c0 0a 00-39 00 38 00 88 00 87 c0 ..P.....9.8..... |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0030: 0f c0 05 00 35 00 84 c0-13 c0 09 00 33 00 32 00 ....5.......3.2. |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0040: 9a 00 99 00 45 00 44 c0-0e c0 04 00 2f 00 96 00 ....E.D...../... |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0050: 41 c0 11 c0 07 c0 0c c0-02 00 05 00 04 c0 12 c0 A............... |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0060: 08 00 16 00 13 c0 0d c0-03 00 0a 00 15 00 12 00 ................ |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1869): | 0070: 09 00 ff 01 .... |
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1873): | 0117 - <SPACES/NULS>
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_kernel.c(1837): OpenSSL: Write: SSLv3 read client hello C
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_kernel.c(1856): OpenSSL: Exit: error in SSLv3 read client hello C
[Fri Jul 28 19:13:34 2017] [debug] ssl_engine_kernel.c(1856): OpenSSL: Exit: error in SSLv3 read client hello C
[Fri Jul 28 19:13:34 2017] [info] [client 175.196.36.77] SSL library error 1 in handshake (server :443)
[Fri Jul 28 19:13:34 2017] [info] SSL Library Error: 336109835 error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
[Fri Jul 28 19:13:34 2017] [info] [client 175.196.36.77] Connection closed to child 1 with abortive shutdown (server :443)
Response when the TLSv1.2 test succeeded:
[Fri Jul 28 19:15:05 2017] [info] Connection: Client IP: 175.196.36.77, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
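The BIO dump rows in both logs are the raw ClientHello. The record header `16 03 00` and the client version `03 00` inside it are what identify the request as SSLv3, and the `[info] Connection:` line reports what was actually negotiated; on the hardened server the same bytes end in `SSL3_GET_CLIENT_HELLO:wrong version number`. The following Python script is an added example, not code from the original post: it reassembles the bytes from the dump rows (zero-padding each read to the size announced by its `read N/N bytes` line, because mod_ssl prints `<SPACES/NULS>` in place of trailing NUL bytes), decodes the record and ClientHello headers, and summarises the connection and rejection lines per client. The regex names, the 16-bytes-per-row assumption and the small cipher-suite name table are my own; the sample log lines are copied from the post's logs with timestamps and rule lines dropped.

```python
"""Decode the ClientHello that mod_ssl dumps at LogLevel debug.

Added example, not code from the original post. It rebuilds the bytes behind
the "| 0000: 16 03 00 ..." BIO dump rows, decodes the record and ClientHello
headers (the "16 03 00" / "03 00" that mark an SSLv3 client) and summarises
the "[info] Connection:" and "wrong version number" lines of the log.
"""
import re
from collections import Counter

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
# Small subset of IANA cipher-suite ids in OpenSSL naming (assumption: enough
# for this log); anything else is reported as its hex id.
SUITES = {0xc014: "ECDHE-RSA-AES256-SHA", 0xc013: "ECDHE-RSA-AES128-SHA",
          0x0035: "AES256-SHA", 0x002f: "AES128-SHA", 0x0005: "RC4-SHA",
          0x000a: "DES-CBC3-SHA", 0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}

READ_RE = re.compile(r"OpenSSL: read (\d+)/\d+ bytes from BIO#")
ROW_RE = re.compile(r"\| [0-9a-f]{4}: (.*)")
HEX_TOK = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2})?$")
CONN_RE = re.compile(r"Connection: Client IP: (\S+), Protocol: (\S+), Cipher: (\S+)")


def _row_bytes(rest):
    """Hex bytes of one dump row; stops at the ASCII column (max 16 bytes)."""
    out = bytearray()
    for tok in rest.split():
        if len(out) >= 16 or not HEX_TOK.match(tok):
            break
        out += bytes.fromhex(tok.replace("-", ""))
    return bytes(out)


def reassemble_reads(log_lines):
    """Concatenate every BIO read in the log. mod_ssl replaces trailing NUL/space
    bytes with "<SPACES/NULS>", so each read is zero-padded to its announced size."""
    reads = []                                  # [announced_len, bytes_so_far]
    for line in log_lines:
        m = READ_RE.search(line)
        if m:
            reads.append([int(m.group(1)), bytearray()])
        elif reads and (m := ROW_RE.search(line)):
            reads[-1][1] += _row_bytes(m.group(1))
    return b"".join(bytes(c) + bytes(n - len(c)) for n, c in reads)


def parse_client_hello(record):
    """Decode one handshake record carrying a ClientHello (extensions skipped)."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not an SSL/TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                # client_version + random
    pos += 1 + hello[pos]                       # session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    suites = [int.from_bytes(hello[i:i + 2], "big")
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    comp = list(hello[pos + 1:pos + 1 + hello[pos]])
    pos += 1 + hello[pos]
    return {"record_version": VERSIONS.get((record[1], record[2]), "unknown"),
            "client_version": VERSIONS.get((hello[0], hello[1]), "unknown"),
            "cipher_suites": [SUITES.get(s, "0x%04x" % s) for s in suites],
            "compression": comp,
            "has_extensions": pos < len(hello)}


def summarize_connections(log_lines):
    """Count negotiated protocols, SSLv3 client IPs and rejected handshakes."""
    out = {"negotiated": Counter(), "sslv3_clients": set(), "rejected_wrong_version": 0}
    for line in log_lines:
        m = CONN_RE.search(line)
        if m:
            out["negotiated"][m.group(2)] += 1
            if m.group(2) == "SSLv3":
                out["sslv3_clients"].add(m.group(1))
        elif "wrong version number" in line:
            out["rejected_wrong_version"] += 1
    return out


# Sample input: the ClientHello reads and result lines copied from the post's
# two logs, with timestamps and the "+----+" rule lines dropped for brevity.
SAMPLE_LOG = """\
[debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#7f97356405a0 [mem: 7f9735645b80] (BIO dump follows)
[debug] ssl_engine_io.c(1869): | 0000: 16 03 00 00 7b 01 00 00-77 03 ....{...w. |
[debug] ssl_engine_io.c(1873): | 0011 - <SPACES/NULS>
[debug] ssl_engine_io.c(1897): OpenSSL: read 117/117 bytes from BIO#7f97356405a0 [mem: 7f9735645b8e] (BIO dump follows)
[debug] ssl_engine_io.c(1869): | 0000: 75 a9 03 19 95 64 a6 33-6e 0c 59 8a 57 ec c0 8e u....d.3n.Y.W... |
[debug] ssl_engine_io.c(1869): | 0010: ba 84 26 1b 53 01 ce 95-35 07 1a 57 c6 cc 67 c5 ..&.S...5..W..g. |
[debug] ssl_engine_io.c(1869): | 0020: 00 00 50 c0 14 c0 0a 00-39 00 38 00 88 00 87 c0 ..P.....9.8..... |
[debug] ssl_engine_io.c(1869): | 0030: 0f c0 05 00 35 00 84 c0-13 c0 09 00 33 00 32 00 ....5.......3.2. |
[debug] ssl_engine_io.c(1869): | 0040: 9a 00 99 00 45 00 44 c0-0e c0 04 00 2f 00 96 00 ....E.D...../... |
[debug] ssl_engine_io.c(1869): | 0050: 41 c0 11 c0 07 c0 0c c0-02 00 05 00 04 c0 12 c0 A............... |
[debug] ssl_engine_io.c(1869): | 0060: 08 00 16 00 13 c0 0d c0-03 00 0a 00 15 00 12 00 ................ |
[debug] ssl_engine_io.c(1869): | 0070: 09 00 ff 01 .... |
[debug] ssl_engine_io.c(1873): | 0117 - <SPACES/NULS>
[info] Connection: Client IP: 121.138.33.91, Protocol: SSLv3, Cipher: ECDHE-RSA-AES128-SHA (128/128 bits)
[info] SSL Library Error: 336109835 error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
[info] Connection: Client IP: 175.196.36.77, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
""".splitlines()
```

Running `parse_client_hello(reassemble_reads(SAMPLE_LOG))` on the post's dump gives record version and client version both `SSLv3`, 40 offered cipher suites starting with `ECDHE-RSA-AES256-SHA` and ending with the renegotiation SCSV, null compression only and no extensions, which is exactly the shape of an old SSLv3 ClientHello. `summarize_connections` over the same lines shows one SSLv3 negotiation from `121.138.33.91`, one TLSv1.2 negotiation and one `wrong version number` rejection, so a log monitor can alert on any `Protocol: SSLv3` line long before someone runs `s_client` by hand.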