Testing OpenSSL
Requirements
- Running the program
- Checking the cipher list
- Checking speed
- Checking encryption/decryption
Test procedure
Running the program
openssl help
The output will look something like this:
Standard commands
asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec
ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl
s_client s_server s_time sess_id smime speed spkac srp ts verify version x509
Message Digest commands (see the `dgst' command for more details)
md4 md5 mdc2 rmd160 sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb
base64 bf bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb
cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
Checking the cipher list
openssl ciphers -v
The output should look something like this:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
.... etc.
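The cipher listing above can be triaged mechanically instead of being read by eye. The following is an added example, not part of the original page: the function names audit_ciphers and sample_ciphers and the finding labels are this example's own, and the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original page): triage `openssl ciphers -v` output.
# Input lines look like: NAME PROTO Kx=... Au=... Enc=... Mac=...
# Output: NAME<TAB>findings, where the finding labels are this example's own.
audit_ciphers() {
    awk '
    NF >= 6 && $3 ~ /^Kx=/ {
        kx = ""; enc = ""; mac = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        f = ""
        # RSA key transport, or a static pair such as ECDH/RSA: no forward secrecy.
        if (kx == "RSA" || kx ~ /\//)          f = f ",no-forward-secrecy"
        # Anything that is not an AEAD mode relies on a separate MAC (CBC or stream).
        if (mac != "AEAD")                     f = f ",non-aead"
        if (mac == "SHA1" || mac == "MD5")     f = f ",legacy-mac"
        if (enc ~ /^(RC4|RC2|DES|3DES|None)/)  f = f ",weak-cipher"
        sub(/^,/, "", f)
        printf "%s\t%s\n", $1, (f == "" ? "ok" : f)
    }'
}

# Constructed sample: three lines taken from the output shown above.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
EOF
}

sample_ciphers | audit_ciphers
# On a live system: openssl ciphers -v | audit_ciphers
```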
Checking speed
Checking the speed of all ciphers
openssl speed
The output should look something like this:
Doing mdc2 for 3s on 16 size blocks: 3203104 mdc2's in 3.00s
Doing mdc2 for 3s on 64 size blocks: 870480 mdc2's in 2.99s
Doing mdc2 for 3s on 256 size blocks: 221549 mdc2's in 3.00s
Doing mdc2 for 3s on 1024 size blocks: 55868 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 6989 mdc2's in 3.00s
Doing md4 for 3s on 16 size blocks: 16443886 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 12977338 md4's in 2.99s
etc. At the end there will be:
OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr 8 08:12:11 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O2 -Wa,--compress-debug-sections -gdwarf-4 -fvar-tracking-assignments -frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fPIC -Wa,--noexecstack -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type                 16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                      0.00         0.00         0.00         0.00         0.00
mdc2                17083.22k    18632.35k    18905.51k    19069.61k    19084.63k
md4                 87700.73k   277775.80k   666977.11k  1036371.29k  1234001.92k
md5                 65450.45k   195258.07k   437420.12k   633808.21k   722823.85k
hmac(md5)           52915.47k   166665.45k   399380.05k   612077.23k   726097.92k
sha1                75226.38k   214932.27k   467843.24k   666501.80k   790941.71k
rmd160              44840.98k   109123.02k   201458.43k   257328.81k   278315.01k
rc4                476106.36k   759786.49k   856876.29k   893728.77k   893610.67k
des cbc             76239.62k    78657.66k    79191.38k    79768.92k    79684.32k
des ede3            29658.66k    29988.91k    30131.71k    30309.72k    30362.46k
idea cbc                 0.00         0.00         0.00         0.00         0.00
seed cbc            84688.63k    84874.62k    84379.90k    84440.06k    84497.75k
rc2 cbc             51093.28k    52310.58k    52247.38k    52355.75k    52371.46k
rc5-32/12 cbc            0.00         0.00         0.00         0.00         0.00
blowfish cbc       128812.61k   141237.34k   143156.48k   144067.24k   144293.89k
cast cbc           118788.45k   126648.62k   127602.09k   127636.82k   127956.31k
aes-128 cbc        136747.89k   149776.55k   152540.33k   154374.14k   155165.80k
aes-192 cbc        116154.55k   125157.33k   127230.55k   128775.02k   128871.08k
aes-256 cbc        101846.26k   107468.86k   108819.37k   110071.78k   110354.43k
camellia-128 cbc   107505.78k   162412.20k   184006.40k   190420.16k   192378.20k
camellia-192 cbc    92936.50k   126664.81k   138734.85k   143406.92k   144069.97k
etc.
Checking the speed of a single cipher using 2 cores
openssl speed rsa -multi 2
where rsa is the encryption method (choose any)
where 2 is the number of processor cores to use
The output should look something like this:
Forked child 0
Forked child 1
+DTP:512:private:rsa:10
+DTP:512:private:rsa:10
+R1:208476:512:10.00
+DTP:512:public:rsa:10
+R1:209377:512:10.00
+DTP:512:public:rsa:10
+R2:2406972:512:10.00
+R2:2414246:512:10.00
+DTP:1024:private:rsa:10
+DTP:1024:private:rsa:10
+R1:66278:1024:10.00
etc. At the end:
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000024s 0.000002s  41666.7 500000.0
rsa 1024 bits 0.000076s 0.000005s  13245.0 181818.2
rsa 2048 bits 0.000555s 0.000017s   1800.2  57142.9
rsa 4096 bits 0.004003s 0.000063s    249.8  15748.0
Checking network connection performance
openssl s_time -connect remote.host:443
Here remote.host can be any mail server, for example mail.rosalab.ru or mail.google.com.
The output for mail.rosalab.ru should look something like this:
openssl s_time -connect mail.rosalab.ru:443
Output:
No CIPHER specified
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttt...
543 connections in 0.99s; 548.48 connections/user sec, bytes read 0
543 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr...
1267 connections in 0.48s; 2639.58 connections/user sec, bytes read 0
1267 connections in 31 real seconds, 0 bytes read per connection
Now run the same test, but using SSLv3 and strong ciphers.
openssl s_time -connect mail.rosalab.ru:443 -ssl3 -cipher HIGH
The output will look roughly like this:
Collecting connection statistics for 30 seconds
3333333333333333333333333333333333333333...
646 connections in 1.01s; 639.60 connections/user sec, bytes read 0
646 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr...
1371 connections in 0.28s; 4896.43 connections/user sec, bytes read 0
1371 connections in 31 real seconds, 0 bytes read per connection
Generating a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
You will need to answer a few questions.
The output should look something like this:
Generating a 1024 bit RSA private key
....................................................++++++
................................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ru
State or Province Name (full name) [Default Province]:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:MyHome
Organizational Unit Name (eg, section) []:HomeMy
Common Name (e.g. server FQDN or YOUR name) []:DiDiDi
Email Address []:pppppppppprrrrrrr@gmail.com
Checking the self-signed certificate
openssl x509 -text -in mycert.pem
The output should look something like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10238835739306285545 (0x8e17a6db72ecd9e9)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ru, ST=Default Province, L=Default City, O=MyHome, OU=HomeMy, CN=DiDi/emailAddress=pppppppppp@gmail.com
        Validity
            Not Before: Apr 8 20:31:15 2014 GMT
            Not After : Apr 8 20:31:15 2015 GMT
        Subject: C=ru, ST=Default Province, L=Default City, O=MyHome, OU=HomeMy, CN=DiDi/emailAddress=pppppppppp@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                68:D5:A7:CC:79:2A:9B:15:49:DF:9D:E3:5A:C0:55:C4:7B:F3:8B:BB
            X509v3 Authority Key Identifier:
                keyid:68:D5:A7:CC:79:2A:9B:15:49:DF:9D:E3:5A:C0:55:C4:7B:F3:8B:BB
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
etc.
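The certificate printed above has a 1024-bit RSA key, a SHA-1 signature and identical Issuer and Subject, and a test run can report those properties automatically. The following is an added example, not part of the original page: the names audit_cert_text and sample_cert_text, the finding labels and the 2048-bit threshold are assumptions of this example, and the sample is a shortened, constructed version of the output above.

```shell
#!/bin/sh
# Added example (not from the original page): flag weak parameters in the text
# form of a certificate. Finding labels and thresholds are this example's own.
audit_cert_text() {
    awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key: \(/ {
        bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
        # Assumed policy: RSA keys shorter than 2048 bits are reported.
        if (alg == "rsaEncryption" && bits + 0 < 2048) print "weak-key:" bits
    }
    # The algorithm is printed twice (TBS part and outer signature); report once.
    /Signature Algorithm:/ && !seen {
        seen = 1
        if (tolower($NF) ~ /md5|sha1/) print "weak-signature:" $NF
    }
    /^ *Issuer:/  { issuer = $0;  sub(/^ *Issuer: */, "", issuer) }
    /^ *Subject:/ { subject = $0; sub(/^ *Subject: */, "", subject) }
    END { if (issuer != "" && issuer == subject) print "self-signed" }
    '
}

# Constructed sample: the relevant fields of the output above, DN shortened.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ru, O=MyHome, CN=DiDi
        Subject: C=ru, O=MyHome, CN=DiDi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

sample_cert_text | audit_cert_text
# On a live system: openssl x509 -text -noout -in mycert.pem | audit_cert_text
```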
Exporting and importing a PKCS#12 certificate
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mykey.pem -name "My Certificate"
You will need to enter a password (make one up).
The output should look something like this:
# openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mykey.pem -name "My Certificate"
Enter Export Password:
Verifying - Enter Export Password:
The file mycert.pfx should now exist.
To import the PKCS#12 certificate, do the following:
openssl pkcs12 -in mycert.pfx -out mycert1.pem
You will need to enter the password created during export.
The output will look roughly like this:
# openssl pkcs12 -in mycert.pfx -out mycert1.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase: