OpenSSL

提供: セキュリティ
2013年1月19日 (土) 02:12時点におけるDaemon (トーク | 投稿記録)による版

移動: 案内検索
スポンサーリンク

OpenSSLは、SSLプロトコル・TLSプロトコルのオープンソースの実装です。

読み方 おーぷんえすえすえる

概要

OpenSSLは、SSLプロトコル・TLSプロトコルのオープンソースの実装です。 暗号化関数やツールを提供しています。

インストール

  • FreeBSD では、デフォルトでインストールされています。

使い方

暗号スイートの一覧表示

SSL/TLSで使用できる暗号スイート一覧を表示する方法は、以下の通りです。 oepnssl ciphers

% openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

SSL/TLS でサーバに接続

% openssl s_client -connect google.com:443
CONNECTED(00000004)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBWWgAwIBAgIKGIvRAgAAAAB3jzANBgkqhkiG9w0BAQUFADBGMQswCQYD
 
省略
 
si+tAo/VJDvoI61TzsqgyrJJtOq0gzyQ6GXWl3dX6qai9sOfB/p4HnQrcgWXaDf6
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2388 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 689C4F8028D93C1F1350086145641B36593FAE0032BC1A0DAE5F35B2FBC35934
    Session-ID-ctx:
    Master-Key: FB2C1A4486171F4386B0507169D2009A29C52B0B0AEB1842D95828ADC154A7D7                                                                                                                                                                8C1E608BDC87789596891B65AD583B44
    Key-Arg   : None
    Start Time: 1358525542
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

この状態では、入力待ちになります。ここで、終わらせてよければ、C-d を押します。

ここで、HTTPリクエストをタイプします。

GET / HTTP/1.0

HTTP リクエストをタイプして、Enterを2回押すと、リクエストが送信され、サーバからレスポンスが返ってきます。

---
GET / HTTP/1.0
 
HTTP/1.0 302 Found
Location: https://www.google.co.jp/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=09c87f28f4622827:FF=0:TM=1358525980:LM=1358525980:S=t-wBwz-uG-gDr-5y; expires=Sun, 18-Jan-2015 16:19:40 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=g8nsPGaG3o7zArGCN-OZ5AU-A4pRCxwwvL3doRhaBUML4Ty0XMZoJJEF73lNlRBMdHmShk0nM-tQJL8yDgl2XJ6G4LHqm95q8uavATsvUdp2LfVi1-WNc40NEcrh15jm; expires=Sat, 20-Jul-2013 16:19:40 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Fri, 18 Jan 2013 16:19:40 GMT
Server: gws
Content-Length: 222
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.co.jp/">here</A>.
</BODY></HTML>
read:errno=0

アルゴリズムのベンチマーク

AES256 CBC のみのベンチマークの例。

% openssl speed aes-256-cbc
To get the most accurate results, try to run this
program when this computer is idle.
Doing aes-256 cbc for 3s on 16 size blocks: 26644419 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 6817974 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 1747901 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 438119 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 54924 aes-256 cbc's in 3.00s
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc     141934.24k   145357.23k   149058.18k   149499.12k   149933.11k

複数コアでベンチマークするには、 -multi オプションを利用します。

2コアでベンチマークする例。

% openssl speed aes-256-cbc -multi 2
Forked child 0
Forked child 1
+DT:aes-256 cbc:3:16
+DT:aes-256 cbc:3:16
省略
Got: +H:16:64:256:1024:8192 from 0
Got: +F:18:aes-256 cbc:142927729.47:146718336.51:149192498.57:149494545.48:149924508.21 from 0
Got: +H:16:64:256:1024:8192 from 1
Got: +F:18:aes-256 cbc:142314800.64:145849564.52:149016131.98:149251262.67:149751893.71 from 1
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used:
aes-256 cbc     285242.53k   292567.90k   298208.63k   298745.81k   299676.40k

4コアでベンチマークする例。

% openssl speed aes-256-cbc -multi 4
Forked child 0
Forked child 1
Forked child 2
Forked child 3
+DT:aes-256 cbc:3:16
+DT:aes-256 cbc:3:16
+DT:aes-256 cbc:3:16
+DT:aes-256 cbc:3:16
省略
Got: +H:16:64:256:1024:8192 from 0
Got: +F:18:aes-256 cbc:142448708.50:146151125.69:148574372.19:148713525.93:14876                                                                                                                                                                4852.36 from 0
Got: +H:16:64:256:1024:8192 from 1
Got: +F:18:aes-256 cbc:142336001.45:146838464.42:149228172.59:148385577.78:14870                                                                                                                                                                6505.63 from 1
Got: +H:16:64:256:1024:8192 from 2
Got: +F:18:aes-256 cbc:142373567.22:145615575.87:148375546.06:149543690.71:14997                                                                                                                                                                9884.12 from 2
Got: +H:16:64:256:1024:8192 from 3
Got: +F:18:aes-256 cbc:142207526.24:145817908.91:147647012.58:149520545.13:14995                                                                                                                                                                4244.09 from 3
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfi                                                                                                                                                                sh(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used:
aes-256 cbc     569365.80k   584423.07k   593825.10k   596163.34k   597405.49k

コア数が1,2,4の場合のAES256 CBCのベンチマークの結果は、以下の通りです。 コア数によって、スケールしています。

1 aes-256 cbc     141934.24k   145357.23k   149058.18k   149499.12k   149933.11k
2 aes-256 cbc     285242.53k   292567.90k   298208.63k   298745.81k   299676.40k
4 aes-256 cbc     569365.80k   584423.07k   593825.10k   596163.34k   597405.49k

AESDESのベンチマーク。 AES/DESの中では、AES128が一番速いことがわかります。

% openssl speed des aes
To get the most accurate results, try to run this
program when this computer is idle.
Doing des cbc for 3s on 16 size blocks: 14092418 des cbc's in 3.00s
Doing des cbc for 3s on 64 size blocks: 3643765 des cbc's in 3.00s
Doing des cbc for 3s on 256 size blocks: 922499 des cbc's in 3.00s
Doing des cbc for 3s on 1024 size blocks: 231401 des cbc's in 3.00s
Doing des cbc for 3s on 8192 size blocks: 28959 des cbc's in 3.00s
Doing des ede3 for 3s on 16 size blocks: 5485953 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 1395227 des ede3's in 3.00s
Doing des ede3 for 3s on 256 size blocks: 350945 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 87872 des ede3's in 3.00s
Doing des ede3 for 3s on 8192 size blocks: 10989 des ede3's in 3.00s
Doing aes-128 cbc for 3s on 16 size blocks: 33019235 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 8527441 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 2178696 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 546011 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 68902 aes-128 cbc's in 3.00s
Doing aes-192 cbc for 3s on 16 size blocks: 29581370 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 7658872 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 256 size blocks: 1948313 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 488291 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 8192 size blocks: 61234 aes-192 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 26695719 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 6887725 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 1747932 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 438203 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 54925 aes-256 cbc's in 3.00s
OpenSSL 0.9.8q 2 Dec 2010
built on: date not available
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfi                                                                                                                                                                sh(idx)
compiler: cc
available timing options: USE_TOD HZ=128 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des cbc          75073.95k    77684.01k    78669.33k    78934.20k    79025.72k
des ede3         29240.03k    29745.69k    29928.10k    29974.21k    29987.16k
aes-128 cbc     175996.34k   181801.96k   185796.23k   186251.99k   188025.30k
aes-192 cbc     157721.41k   163338.74k   166204.52k   166618.29k   167156.88k
aes-256 cbc     142333.85k   146892.55k   149110.69k   149526.79k   149932.79k

AES-NIが利用できる場合は、以下のオプションを追加します。

openssl speed -engine aesni -evp aes-256-cbc

関連項目




スポンサーリンク