Mutual-authentication (client certificate) test. It needs a root CA certificate, a client certificate and a server certificate, plus the private key for each.
The public test.mosquitto.org broker can be used for this: its port 8884 requires a client certificate.
Test command:
openssl s_client -connect test.mosquitto.org:8884 -key test/mosquitto-client.key -cert test/mosquitto-client.crt -CAfile mosquitto.org.crt -showcerts
Here mosquitto-client.key is generated locally, mosquitto-client.crt is the certificate the mosquitto.org site signs for that key from a CSR you submit, and mosquitto.org.crt is the test broker's CA certificate downloaded from the same site. A walkthrough is at https://const.net.cn/151.html.
Output (abridged):
Acceptable client certificate CA names
C = GB, ST = United Kingdom, L = Derby, O = Mosquitto, OU = CA, CN = mosquitto.org, emailAddress = roger@atchoo.org
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
...
SSL handshake has read 2741 bytes and written 2690 bytes
Verification: OK
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 904A1381D17A1C4432A0DE5EE0D7564C1E4AD4A3E46B7EE173E61B1034A95EB1
Session-ID-ctx:
Resumption PSK: AC27C990D68B5EE27235A5A659EA25CD2D4DE28D233175DFD7ECD09A6FFB4BE418B8C4F1FB87DDF6E666E82EC2A0BC0A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - eb 13 3c cb 1b 08 5a 65-79 37 75 92 30 fd 47 46 ..<...Zey7u.0.GF
0010 - e8 09 6a 31 83 91 16 f8-29 9c a8 cc d3 e6 00 ad ..j1....).......
Start Time: 1626417683
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
Two things to read carefully in the output above. Verify return code: 0 (ok) only means the client could verify the server's chain against -CAfile; by default s_client reports that result but keeps the connection even when verification fails (add -verify_return_error to abort instead), and it does not check the hostname at all unless -verify_hostname test.mosquitto.org is given. That the server asked for a client certificate is shown by the Acceptable client certificate CA names block; that it accepted the one sent is shown by the connection staying open afterwards rather than ending in a fatal alert.
If you run your own server with a self-signed CA instead, -Verify (capital V) makes the client certificate mandatory, whereas -verify (lowercase) only requests one and still serves clients that send none:
openssl s_server -accept 8888 -key server.key -cert server.crt -CAfile ca.crt -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
openssl s_client -connect localhost:8888 -key client.key -cert client.crt -CAfile ca.crt (the -connect port must match the server's -accept port)
...
Start Time: 1626418308
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
...
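The local setup above can be turned into a repeatable offline test. The script below is an added example, not part of the original note: it builds a throwaway CA, a server certificate for localhost, a client certificate from that CA and a second client certificate from an unrelated "rogue" CA, then runs s_server twice. The first run uses exactly the flags from the note (-Verify 1); the second adds -verify_return_error. The point it demonstrates is that openssl's s_server and s_client only print certificate-chain errors for debugging and let the handshake continue unless -verify_return_error is given, so the -Verify 1 server still serves a client whose certificate it cannot chain to ca.crt (it only refuses a client that sends no certificate). All file names, the CN values, the ports 18884/18885 and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: an offline mutual-TLS test bench built from
# the openssl CLI alone. Names (ca, rogue-ca, server, client, rogue), ports 18884/18885
# and the temp directory are all constructed for this example.
set -eu

WORK=$(mktemp -d)
SERVER_PID=
cd "$WORK"

# new_ca NAME: self-signed CA. x509 -req adds only the extensions in -extfile, so the CA bits
# are explicit (a v3 certificate without basicConstraints CA:TRUE is not accepted as an issuer).
new_ca() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    openssl x509 -req -days 1 -in "$1.csr" -signkey "$1.key" -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# issue NAME CA EXTENSIONS: fresh key and CSR, then a one-day certificate signed by CA.
# EXTENSIONS is openssl.cnf syntax with \n between entries (expanded by printf %b).
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf '%b\n' "$3" > "$1.ext"
    openssl x509 -req -days 1 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# start_server PORT EXTRA_FLAGS: the note's server (-Verify 1 = client cert mandatory, chain
# checked against ca.crt) plus EXTRA_FLAGS; -www makes it answer a GET with a status page.
start_server() {
    openssl s_server -accept "$1" -www -key server.key -cert server.crt -CAfile ca.crt -Verify 1 $2 \
        </dev/null >"server-$1.log" 2>&1 &
    SERVER_PID=$!
    # Wait until the listener is up: with a valid client cert the handshake completes and
    # s_client exits 0 on stdin EOF, while a refused TCP connection makes it exit 1.
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
        openssl s_client -connect "localhost:$1" -CAfile ca.crt -key client.key -cert client.crt \
            </dev/null >/dev/null 2>&1 && return 0
        sleep 1
    done
    echo "s_server on port $1 did not come up; see server-$1.log" >&2
    return 1
}

stop_server() {
    [ -n "$SERVER_PID" ] || return 0
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=
}

# probe PORT CLIENT_FLAGS: prints "accepted" if the server served its -www page over the
# connection, "rejected" if the handshake ended in an alert instead. On the client side
# -verify_return_error aborts on a bad server chain and -verify_hostname checks the name;
# plain s_client would only report the "Verify return code" and carry on.
probe() {
    if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$1" -CAfile ca.crt \
            -verify_hostname localhost -verify_return_error -ign_eof $2 2>&1 | grep -q 'HTTP/1.0 200'
    then echo accepted; else echo rejected; fi
}

trap 'stop_server; rm -rf "$WORK"' EXIT

new_ca ca
new_ca rogue-ca                                   # unrelated CA the server must not trust
issue server ca 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth'
issue client ca 'extendedKeyUsage=clientAuth'
issue rogue rogue-ca 'extendedKeyUsage=clientAuth'

# 1) The note's flags, -Verify 1 alone. The apps' verify callback only PRINTS chain errors
#    ("verify error:num=20:unable to get local issuer certificate") and lets the handshake
#    continue, so the rogue-CA certificate is served just like the good one; only a client
#    that sends no certificate at all is refused.
start_server 18884 ''
LAX_GOOD=$(probe 18884 '-key client.key -cert client.crt')
LAX_NONE=$(probe 18884 '')
LAX_ROGUE=$(probe 18884 '-key rogue.key -cert rogue.crt')
stop_server

# 2) Same server plus -verify_return_error: a failed chain check now closes the connection.
start_server 18885 '-verify_return_error'
STRICT_GOOD=$(probe 18885 '-key client.key -cert client.crt')
STRICT_ROGUE=$(probe 18885 '-key rogue.key -cert rogue.crt')
stop_server

printf '%-36s %s\n' '-Verify 1, cert from our CA:' "$LAX_GOOD" \
    '-Verify 1, no client cert:' "$LAX_NONE" \
    '-Verify 1, cert from rogue CA:' "$LAX_ROGUE" \
    '+ -verify_return_error, our CA:' "$STRICT_GOOD" \
    '+ -verify_return_error, rogue CA:' "$STRICT_ROGUE"
grep -h 'verify error' server-18884.log || true   # what the lax server logged but ignored
```

Run it as a plain sh script; it needs only openssl (1.1.1 or later for -verify_hostname and -addext-free extension files) and two free localhost ports. The same -verify_return_error flag applies to the s_client test against test.mosquitto.org: without it, a wrong -CAfile shows up as a non-zero Verify return code in the output but the connection still goes through.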