Тестирование OpenSSL

Материал из Rosalab Wiki
Перейти к: навигация, поиск

Требования

  • Запуск программы
  • Проверка списка шифров
  • Проверка скорости работы
  • Проверка шифорвани/дешифрования

Методика тестирования

Запуск программы

openssl help

Будет что-то типа этого:

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               mdc2              rmd160            
sha               sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              rc2               
rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb           
rc2-ecb           rc2-ofb           rc4               rc4-40            
seed              seed-cbc          seed-cfb          seed-ecb          
seed-ofb          zlib              


Проверка списка шифров

openssl ciphers -v

Должен быть вывод типа этого:

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
....
и т.д.

Проверка скорости работы

Проверка скорости всех шифров

openssl speed

Должен быть вывод типа этого:

Doing mdc2 for 3s on 16 size blocks: 3203104 mdc2's in 3.00s
Doing mdc2 for 3s on 64 size blocks: 870480 mdc2's in 2.99s
Doing mdc2 for 3s on 256 size blocks: 221549 mdc2's in 3.00s
Doing mdc2 for 3s on 1024 size blocks: 55868 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 6989 mdc2's in 3.00s
Doing md4 for 3s on 16 size blocks: 16443886 md4's in 3.00s
Doing md4 for 3s on 64 size blocks: 12977338 md4's in 2.99s
и т.д.
в конце будет:
OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 08:12:11 UTC 2014
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O2 -Wa,--compress-debug-sections -gdwarf-4 -fvar-tracking-assignments -frecord-gcc-switches -Wstrict-aliasing=2 -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fPIC -Wa,--noexecstack -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                  0.00         0.00         0.00         0.00         0.00 
mdc2             17083.22k    18632.35k    18905.51k    19069.61k    19084.63k
md4              87700.73k   277775.80k   666977.11k  1036371.29k  1234001.92k
md5              65450.45k   195258.07k   437420.12k   633808.21k   722823.85k
hmac(md5)        52915.47k   166665.45k   399380.05k   612077.23k   726097.92k
sha1             75226.38k   214932.27k   467843.24k   666501.80k   790941.71k
rmd160           44840.98k   109123.02k   201458.43k   257328.81k   278315.01k
rc4             476106.36k   759786.49k   856876.29k   893728.77k   893610.67k
des cbc          76239.62k    78657.66k    79191.38k    79768.92k    79684.32k
des ede3         29658.66k    29988.91k    30131.71k    30309.72k    30362.46k
idea cbc             0.00         0.00         0.00         0.00         0.00 
seed cbc         84688.63k    84874.62k    84379.90k    84440.06k    84497.75k
rc2 cbc          51093.28k    52310.58k    52247.38k    52355.75k    52371.46k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00 
blowfish cbc    128812.61k   141237.34k   143156.48k   144067.24k   144293.89k
cast cbc        118788.45k   126648.62k   127602.09k   127636.82k   127956.31k
aes-128 cbc     136747.89k   149776.55k   152540.33k   154374.14k   155165.80k
aes-192 cbc     116154.55k   125157.33k   127230.55k   128775.02k   128871.08k
aes-256 cbc     101846.26k   107468.86k   108819.37k   110071.78k   110354.43k
camellia-128 cbc   107505.78k   162412.20k   184006.40k   190420.16k   192378.20k
camellia-192 cbc    92936.50k   126664.81k   138734.85k   143406.92k   144069.97k
и т.д.

Проверка скорости одного шифра используя 2 ядра

openssl speed rsa -multi 2

где rsa - метод шифрования (выбирайте любой)

где 2 - количество используемых ядер вашего процессора

Должен быть вывод типа этого:

Forked child 0
Forked child 1
+DTP:512:private:rsa:10
+DTP:512:private:rsa:10
+R1:208476:512:10.00
+DTP:512:public:rsa:10
+R1:209377:512:10.00
+DTP:512:public:rsa:10
+R2:2406972:512:10.00
+R2:2414246:512:10.00
+DTP:1024:private:rsa:10
+DTP:1024:private:rsa:10
+R1:66278:1024:10.00
и т.д.
в конце:
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000024s 0.000002s  41666.7 500000.0
rsa 1024 bits 0.000076s 0.000005s  13245.0 181818.2
rsa 2048 bits 0.000555s 0.000017s   1800.2  57142.9
rsa 4096 bits 0.004003s 0.000063s    249.8  15748.0

Проверка производительности сетевого соединения =

openssl s_time -connect remote.host:443

Где remote.host - может быть любой mail сервер. Например mail.rosalab.ru или mail.google.com

Должен быть вывод типа этого c mail.rosalab.ru:

openssl s_time -connect mail.rosalab.ru:443

Вывод:

No CIPHER specified
Collecting connection statistics for 30 seconds
ttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt

543 connections in 0.99s; 548.48 connections/user sec, bytes read 0
543 connections in 31 real seconds, 0 bytes read per connection


Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

1267 connections in 0.48s; 2639.58 connections/user sec, bytes read 0
1267 connections in 31 real seconds, 0 bytes read per connection

Аналогично протестируем , только используя SSLv3 и сильное шифрование.

openssl s_time -connect mail.rosalab.ru:443 -ssl3 -cipher HIGH

Вывод будет примерно таким:

Collecting connection statistics for 30 seconds
3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333

646 connections in 1.01s; 639.60 connections/user sec, bytes read 0
646 connections in 31 real seconds, 0 bytes read per connection


Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

1371 connections in 0.28s; 4896.43 connections/user sec, bytes read 0
1371 connections in 31 real seconds, 0 bytes read per connection

Генерация самоподписанного сертификата

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem

Надо будет ответить на несколько вопросов.

Должен быть вывод типа этого:

Generating a 1024 bit RSA private key
....................................................++++++
................................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ru
State or Province Name (full name) [Default Province]:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:MyHome
Organizational Unit Name (eg, section) []:HomeMy
Common Name (e.g. server FQDN or YOUR name) []:DiDiDi
Email Address []:pppppppppprrrrrrr@gmail.com

Проверка самоподписанного сертификата =

openssl x509 -text -in mycert.pem

Должен быть вывод типа этого:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10238835739306285545 (0x8e17a6db72ecd9e9)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ru, ST=Default Province, L=Default City, O=MyHome, OU=HomeMy, CN=DiDi/emailAddress=pppppppppp@gmail.com
        Validity
            Not Before: Apr  8 20:31:15 2014 GMT
            Not After : Apr  8 20:31:15 2015 GMT
        Subject: C=ru, ST=Default Province, L=Default City, O=MyHome, OU=HomeMy, CN=DiDi/emailAddress=pppppppppp@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:c0:59:e8:9e:1c:67:c5:75:26:1c:57:db:ba:
                    a1:b7:f4:8e:a0:88:db:3d:0c:c8:cb:39:57:6b:01:
                    89:b1:38:fa:84:e1:5a:fe:c1:d0:b8:c0:dd:b8:21:
                    c9:f3:b2:6a:aa:6c:d9:04:8b:fb:ff:7c:8d:d7:17:
                    2a:62:3c:8d:a6:70:4d:20:31:41:05:6e:61:f9:fc:
                    c6:b3:5d:97:37:72:e9:f7:22:1a:19:4e:11:07:db:
                    15:e8:53:43:7b:04:36:b9:26:87:13:fe:82:a8:bc:
                    b2:37:26:07:72:e5:0f:21:a0:03:32:4b:9f:dd:5b:
                    be:34:ea:15:36:da:28:59:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                68:D5:A7:CC:79:2A:9B:15:49:DF:9D:E3:5A:C0:55:C4:7B:F3:8B:BB
            X509v3 Authority Key Identifier: 
                keyid:68:D5:A7:CC:79:2A:9B:15:49:DF:9D:E3:5A:C0:55:C4:7B:F3:8B:BB

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         6d:c8:8e:a0:8c:06:72:7a:7c:43:ee:d0:93:0f:99:fd:6a:62:
         4b:0d:59:50:7f:a6:58:93:c6:66:62:89:10:89:7b:0b:e7:e2:
         c5:ac:40:01:29:57:b4:d5:c7:c3:a6:89:ad:28:0b:fd:e4:5f:
         cb:0c:78:6e:65:31:ef:ab:f3:8d:17:8d:f4:35:40:b5:1c:4a:
         cf:01:3f:a1:3d:cd:83:06:f9:35:6f:c9:a1:7a:92:3b:5f:bc:
         45:12:4f:d1:c9:1c:af:2f:e9:58:54:a5:a0:f2:cc:44:8a:73:
         ee:18:4d:fe:0a:c2:87:ca:ef:1e:8b:93:43:0c:34:5a:6d:dd:
         41:46
-----BEGIN CERTIFICATE-----
MIIC+jCCAmOgAwIBAgIJAI4Xptty7NnpMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYD
VQQGEwJydTEZMBcGA1UECAwQRGVmYXVsdCBQcm92aW5jZTEVMBMGA1UEBwwMRGVm
YXVsdCBDaXR5MQ8wDQYDVQQKDAZNeUhvbWUxDzANBgNVBAsMBkhvbWVNeTENMAsG
A1UEAwwERGlEaTEjMCEGCSqGSIb3DQEJARYUcHBwcHBwcHBwcEBnbWFpbC5jb20w
и т.д.
.......

Экспорт и импорт сертификата PKCS#12

openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mykey.pem -name "My Certificate"

Надо будет ввести любой пароль (придумать).

Должен быть вывод типа этого:

# openssl pkcs12 -export -out mycert.pfx -in mycert.pem -inkey mykey.pem -name "My Certificate"
Enter Export Password:
Verifying - Enter Export Password:

У вас должен появится файл mycert.pfx.

Чтобы импортировать сертификат PKCS#12 сделаем следующее:

openssl pkcs12 -in mycert.pfx -out mycert1.pem

надо будет ввести пароль, созданный при экспроте.

Примерный вывод будет таким:

# openssl pkcs12 -in mycert.pfx -out mycert1.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:

hhh5

openssl ciphers -v

Должен быть вывод типа этого:


hhh6

openssl ciphers -v

Должен быть вывод типа этого:


hhh7

openssl ciphers -v

Должен быть вывод типа этого:


hhh8

openssl ciphers -v

Должен быть вывод типа этого:


hhh9

openssl ciphers -v

Должен быть вывод типа этого:


hhh10

openssl ciphers -v

Должен быть вывод типа этого: