OpenSSL
提供: セキュリティ
スポンサーリンク
OpenSSLは、SSLプロトコル・TLSプロトコルのオープンソースの実装です。
読み方 おーぷんえすえすえる
概要
OpenSSLは、SSLプロトコル・TLSプロトコルのオープンソースの実装です。 暗号化関数やツールを提供しています。
インストール
- FreeBSD では、デフォルトでインストールされています。
使い方
暗号スイートの一覧表示
SSL/TLSで使用できる暗号スイート一覧を表示する方法は、以下の通りです。 oepnssl ciphers
% openssl ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSL/TLS でサーバに接続
% openssl s_client -connect google.com:443 CONNECTED(00000004) depth=1 /C=US/O=Google Inc/CN=Google Internet Authority verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com i:/C=US/O=Google Inc/CN=Google Internet Authority 1 s:/C=US/O=Google Inc/CN=Google Internet Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIF/DCCBWWgAwIBAgIKGIvRAgAAAAB3jzANBgkqhkiG9w0BAQUFADBGMQswCQYD 省略 si+tAo/VJDvoI61TzsqgyrJJtOq0gzyQ6GXWl3dX6qai9sOfB/p4HnQrcgWXaDf6 -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com issuer=/C=US/O=Google Inc/CN=Google Internet Authority --- No client certificate CA names sent --- SSL handshake has read 2388 bytes and written 325 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: 689C4F8028D93C1F1350086145641B36593FAE0032BC1A0DAE5F35B2FBC35934 Session-ID-ctx: Master-Key: FB2C1A4486171F4386B0507169D2009A29C52B0B0AEB1842D95828ADC154A7D7 8C1E608BDC87789596891B65AD583B44 Key-Arg : None Start Time: 1358525542 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---
この状態では、入力待ちになります。ここで、終わらせてよければ、C-d を押します。
ここで、HTTPリクエストをタイプします。
GET / HTTP/1.0
HTTP リクエストをタイプして、Enterを2回押すと、リクエストが送信され、サーバからレスポンスが返ってきます。
--- GET / HTTP/1.0 HTTP/1.0 302 Found Location: https://www.google.co.jp/ Cache-Control: private Content-Type: text/html; charset=UTF-8 Set-Cookie: PREF=ID=09c87f28f4622827:FF=0:TM=1358525980:LM=1358525980:S=t-wBwz-uG-gDr-5y; expires=Sun, 18-Jan-2015 16:19:40 GMT; path=/; domain=.google.com Set-Cookie: NID=67=g8nsPGaG3o7zArGCN-OZ5AU-A4pRCxwwvL3doRhaBUML4Ty0XMZoJJEF73lNlRBMdHmShk0nM-tQJL8yDgl2XJ6G4LHqm95q8uavATsvUdp2LfVi1-WNc40NEcrh15jm; expires=Sat, 20-Jul-2013 16:19:40 GMT; path=/; domain=.google.com; HttpOnly P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." Date: Fri, 18 Jan 2013 16:19:40 GMT Server: gws Content-Length: 222 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="https://www.google.co.jp/">here</A>. </BODY></HTML>read:errno=0
アルゴリズムのベンチマーク
AES256 CBC のみのベンチマークの例。
% openssl speed aes-256-cbc To get the most accurate results, try to run this program when this computer is idle. Doing aes-256 cbc for 3s on 16 size blocks: 26644419 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 64 size blocks: 6817974 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 256 size blocks: 1747901 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 1024 size blocks: 438119 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 8192 size blocks: 54924 aes-256 cbc's in 3.00s OpenSSL 0.9.8q 2 Dec 2010 built on: date not available options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) compiler: cc available timing options: USE_TOD HZ=128 [sysconf value] timing function used: getrusage The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-256 cbc 141934.24k 145357.23k 149058.18k 149499.12k 149933.11k
複数コアでベンチマークするには、 -multi オプションを利用します。
2コアでベンチマークする例。
% openssl speed aes-256-cbc -multi 2 Forked child 0 Forked child 1 +DT:aes-256 cbc:3:16 +DT:aes-256 cbc:3:16 省略 Got: +H:16:64:256:1024:8192 from 0 Got: +F:18:aes-256 cbc:142927729.47:146718336.51:149192498.57:149494545.48:149924508.21 from 0 Got: +H:16:64:256:1024:8192 from 1 Got: +F:18:aes-256 cbc:142314800.64:145849564.52:149016131.98:149251262.67:149751893.71 from 1 OpenSSL 0.9.8q 2 Dec 2010 built on: date not available options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) compiler: cc available timing options: USE_TOD HZ=128 [sysconf value] timing function used: aes-256 cbc 285242.53k 292567.90k 298208.63k 298745.81k 299676.40k
4コアでベンチマークする例。
% openssl speed aes-256-cbc -multi 4 Forked child 0 Forked child 1 Forked child 2 Forked child 3 +DT:aes-256 cbc:3:16 +DT:aes-256 cbc:3:16 +DT:aes-256 cbc:3:16 +DT:aes-256 cbc:3:16 省略 Got: +H:16:64:256:1024:8192 from 0 Got: +F:18:aes-256 cbc:142448708.50:146151125.69:148574372.19:148713525.93:14876 4852.36 from 0 Got: +H:16:64:256:1024:8192 from 1 Got: +F:18:aes-256 cbc:142336001.45:146838464.42:149228172.59:148385577.78:14870 6505.63 from 1 Got: +H:16:64:256:1024:8192 from 2 Got: +F:18:aes-256 cbc:142373567.22:145615575.87:148375546.06:149543690.71:14997 9884.12 from 2 Got: +H:16:64:256:1024:8192 from 3 Got: +F:18:aes-256 cbc:142207526.24:145817908.91:147647012.58:149520545.13:14995 4244.09 from 3 OpenSSL 0.9.8q 2 Dec 2010 built on: date not available options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfi sh(idx) compiler: cc available timing options: USE_TOD HZ=128 [sysconf value] timing function used: aes-256 cbc 569365.80k 584423.07k 593825.10k 596163.34k 597405.49k
コア数が1,2,4の場合のAES256 CBCのベンチマークの結果は、以下の通りです。 コア数によって、スケールしています。
1 aes-256 cbc 141934.24k 145357.23k 149058.18k 149499.12k 149933.11k 2 aes-256 cbc 285242.53k 292567.90k 298208.63k 298745.81k 299676.40k 4 aes-256 cbc 569365.80k 584423.07k 593825.10k 596163.34k 597405.49k
AES と DESのベンチマーク。 AES/DESの中では、AES128が一番速いことがわかります。
% openssl speed des aes To get the most accurate results, try to run this program when this computer is idle. Doing des cbc for 3s on 16 size blocks: 14092418 des cbc's in 3.00s Doing des cbc for 3s on 64 size blocks: 3643765 des cbc's in 3.00s Doing des cbc for 3s on 256 size blocks: 922499 des cbc's in 3.00s Doing des cbc for 3s on 1024 size blocks: 231401 des cbc's in 3.00s Doing des cbc for 3s on 8192 size blocks: 28959 des cbc's in 3.00s Doing des ede3 for 3s on 16 size blocks: 5485953 des ede3's in 3.00s Doing des ede3 for 3s on 64 size blocks: 1395227 des ede3's in 3.00s Doing des ede3 for 3s on 256 size blocks: 350945 des ede3's in 3.00s Doing des ede3 for 3s on 1024 size blocks: 87872 des ede3's in 3.00s Doing des ede3 for 3s on 8192 size blocks: 10989 des ede3's in 3.00s Doing aes-128 cbc for 3s on 16 size blocks: 33019235 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 64 size blocks: 8527441 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 256 size blocks: 2178696 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 1024 size blocks: 546011 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 8192 size blocks: 68902 aes-128 cbc's in 3.00s Doing aes-192 cbc for 3s on 16 size blocks: 29581370 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 64 size blocks: 7658872 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 256 size blocks: 1948313 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 1024 size blocks: 488291 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 8192 size blocks: 61234 aes-192 cbc's in 3.00s Doing aes-256 cbc for 3s on 16 size blocks: 26695719 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 64 size blocks: 6887725 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 256 size blocks: 1747932 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 1024 size blocks: 438203 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 8192 size blocks: 54925 aes-256 cbc's in 3.00s OpenSSL 0.9.8q 2 Dec 2010 built on: date not available options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfi sh(idx) compiler: cc available timing options: USE_TOD HZ=128 [sysconf value] timing function used: getrusage The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes des cbc 75073.95k 77684.01k 78669.33k 78934.20k 79025.72k des ede3 29240.03k 29745.69k 29928.10k 29974.21k 29987.16k aes-128 cbc 175996.34k 181801.96k 185796.23k 186251.99k 188025.30k aes-192 cbc 157721.41k 163338.74k 166204.52k 166618.29k 167156.88k aes-256 cbc 142333.85k 146892.55k 149110.69k 149526.79k 149932.79k
関連項目
ツイート
スポンサーリンク