[openssl][nginx] Using openssl as a simulated SSL/TLS client to test nginx stream

一 Server configuration

    nginx

    # cat conf/nginx.conf
    daemon off;
    events {
            debug_connection 0.0.0.0/0;
    }
    stream {
            upstream test {
                    server 127.0.0.1:50001;
            }
            server {
                    listen 444 ssl;
                    ssl_certificate /data/sni/sni_test1.cer;
                    ssl_certificate_key /data/sni/sni_test1.key;
                    proxy_pass test;
            }
    }

Backend service

    [root@T9 ~]# nc -l 127.0.0.1 50001

二 Client

The client is a connection simulated with openssl s_client.

    ┬─[tong@T7:~/Src/thirdparty/nginx.git]─[10:48:40 AM]
    ╰─>$ openssl s_client -connect t9:444 -CAfile ~/Keys/https/root/root.cer
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=1 C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, CN = TTTrust, emailAddress = ca@tartaglia.org
    verify return:1
    depth=0 C = CN, ST = BeiJing, L = BeiJing, O = tong.com, OU = tong, CN = caotong_test1, emailAddress = tong@local
    verify return:1
    ---
    Certificate chain
     0 s:C = CN, ST = BeiJing, L = BeiJing, O = tong.com, OU = tong, CN = caotong_test1, emailAddress = tong@local
       i:C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, CN = TTTrust, emailAddress = ca@tartaglia.org
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    wPPQSnUlyNwsbAJLpynb
    -----END CERTIFICATE-----
    subject=C = CN, ST = BeiJing, L = BeiJing, O = tong.com, OU = tong, CN = caotong_test1, emailAddress = tong@local
    
    issuer=C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, CN = TTTrust, emailAddress = ca@tartaglia.org
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1630 bytes and written 419 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: AD51CAE512036C290A3BA8E5F6CE1EA37F7C15B9735B66B832E1708AF34C50B4
        Session-ID-ctx: 
        Master-Key: 3CCECD6ABCA047228626ED57CFE77AB2C1BAFB106FAB44B7C7AE71E0A918F43412359A2EAAEA367694E617B7BF7191A0
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
    。。。
        Start Time: 1569379721
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
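As an added example that is not part of the original post, the same s_client test wrapped in a POSIX shell helper that reduces the output to a pass/fail result and sends an explicit SNI name with -servername. The host t9, port 444 and CA file are the post's; the SNI name caotong_test1 (taken from the leaf CN in the output above) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn the post's s_client test into a
# pass/fail check. Host t9, port 444 and the CA path are the post's; the SNI name
# "caotong_test1" is assumed (it is the leaf CN shown in the post's output).

# Reduce s_client output on stdin to one line:
#   verify=<OK|FAIL|unknown> proto=<version> cipher=<suite> sni_ack=<yes|no>
summarize_s_client() {
    awk '
        BEGIN { verify = "unknown"; proto = "none"; cipher = "none"; ack = "yes" }
        /^Verification: OK/   { verify = "OK" }
        /^Verification error/ { verify = "FAIL" }
        /^ *Protocol *:/      { proto = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        /^Can.t use SSL_get_servername/ { ack = "no" }   # server did not acknowledge SNI
        END { printf "verify=%s proto=%s cipher=%s sni_ack=%s\n", verify, proto, cipher, ack }
    '
}

# Pass only when the chain verified against the CA and TLS 1.2 or 1.3 was negotiated.
check_summary() {
    case "$1" in
        *verify=OK*proto=TLSv1.[23]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the nginx stream listener: -servername sends SNI,
# -verify_return_error aborts the handshake on a bad chain, and </dev/null
# makes s_client exit right after the handshake instead of waiting for input.
tls_check() {
    host="${1:-t9}"; port="${2:-444}"; sni="${3:-caotong_test1}"
    ca="${4:-$HOME/Keys/https/root/root.cer}"
    summary=$(openssl s_client -connect "$host:$port" -servername "$sni" \
                -CAfile "$ca" -verify_return_error </dev/null 2>&1 | summarize_s_client)
    echo "$summary"
    check_summary "$summary"
}

# Constructed sample mirroring the post's s_client output, so the parser runs offline.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
Can't use SSL_get_servername
Verification: OK
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}
```

Calling tls_check with no arguments targets the listener from the post; sample_output | summarize_s_client exercises the parser without a network.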

三 Summary

From the client to nginx the connection is TLS; from nginx to nc it is plain TCP.

    [author: classic_tong, date: 20190925]

Original article: https://www.cnblogs.com/hugetong/p/11582970.html