How do I correctly test an imap:993 connection to determine whether implicit or explicit STARTTLS is set up?


Over the past hour I have read many different blog posts and articles, but none of them helped me understand why this command without -starttls

openssl s_client -crlf -connect mail.example.org:993

results in:

CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=mail.example.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C1697F148A98513C69BA6D10E28E5B094BD80ADAF05C480658F294D71BD15AD7
    Session-ID-ctx:
    Master-Key: 4626C9E4F276AB077457DB574C181F3779207A228779204E325BF747AC6E487CFD0D79847CFD5B7E07DFB02C67DC4165
    Key-Arg   : None
    Start Time: 1602799379
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.

but this command with starttls

openssl s_client -starttls imap -crlf -connect mail.example.org:993

results only in:

CONNECTED(00000003)

and then just hangs, with apparently no way to interact with IMAP.

How do I correctly test port 993 to determine 1) whether I have explicit or implicit TLS, and 2) if it is set up as explicit, whether STARTTLS is enabled and working?

Answer 1

Port 993 is defined as IMAP over TLS, i.e. implicit TLS. This port must always answer with a TLS handshake. STARTTLS can be used on the unencrypted port 143, but best practice is to not serve that port at all. See RFC 8314 for more information on this.

Answer 2

You have already tested it correctly! Everything is as expected:

  • Testing with openssl s_client -crlf -connect mail.example.org:993 tests implicit TLS as defined in RFC 8314, section 3. This succeeded, so implicit TLS is used on port 993.
  • Testing with openssl s_client -starttls imap -crlf -connect mail.example.org:993 tests STARTTLS with -starttls imap. The test failed because STARTTLS is not used on port 993.

STARTTLS may be used on port 143, as described in Michael Hampton's answer. However, this violates RFC 8314.
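The two checks from the answers above, automated as one probe. This is an added example, not code from the question or either answer: it connects to a port, waits briefly for a cleartext IMAP greeting (an implicit-TLS port such as 993 sends nothing until the client starts the TLS handshake), and otherwise parses the greeting's CAPABILITY list for STARTTLS. The host names are constructed placeholders.

```python
# Added example: distinguish implicit TLS (RFC 8314, port 993) from a cleartext
# port that offers STARTTLS (port 143). Host names here are placeholders.
import socket
import ssl

GREETING_WAIT = 3.0  # seconds; an implicit-TLS server sends nothing before the ClientHello


def parse_greeting(line: str) -> dict:
    """Parse an IMAP untagged greeting such as
    '* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.'
    and report whether STARTTLS is advertised in the CAPABILITY list."""
    line = line.strip()
    caps = []
    prefix = "* OK [CAPABILITY "
    if line.startswith(prefix) and "]" in line:
        caps = line[len(prefix):line.index("]")].split()
    return {
        "ok": line.startswith("* OK"),
        "capabilities": caps,
        "starttls": "STARTTLS" in caps,
    }


def probe_imap(host: str, port: int, timeout: float = GREETING_WAIT) -> dict:
    """Return {'mode': 'implicit' | 'explicit' | 'cleartext-only', 'greeting': ...}.

    implicit:        no cleartext greeting, and a TLS handshake started at once succeeds
    explicit:        a cleartext '* OK' greeting arrives and CAPABILITY lists STARTTLS
    cleartext-only:  a cleartext greeting arrives but STARTTLS is not advertised
    """
    ctx = ssl.create_default_context()  # verifies the chain and host name, like -verify_return_error
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            first = sock.recv(1024)  # a cleartext greeting means this is not an implicit-TLS port
        except socket.timeout:
            first = b""
        if not first:
            tls = ctx.wrap_socket(sock, server_hostname=host)
            banner = tls.recv(1024).decode(errors="replace")  # greeting now arrives inside TLS
            tls.close()
            return {"mode": "implicit", "greeting": parse_greeting(banner)}
        info = parse_greeting(first.decode(errors="replace"))
        return {"mode": "explicit" if info["starttls"] else "cleartext-only", "greeting": info}
    finally:
        sock.close()


if __name__ == "__main__":
    print(probe_imap("mail.example.org", 993))  # placeholder host; expect mode 'implicit'
```

On a port 143 that advertises STARTTLS, the returned greeting is the cleartext one, so a `cleartext-only` result on 143 means clients cannot upgrade at all and the port should be closed or fixed.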
