KDOC 222: Checking TLS version restrictions with curl

Status of this document

  • Created
    • 2024-08-22 貴島
  • Reviewed
    • 2024-08-26 貴島

Overview

For security reasons, a server is sometimes configured to stop accepting requests that use old TLS versions. This note records how to confirm with curl, after such a change, that the restriction is actually in effect: the first run below caps curl at TLS 1.2 and succeeds, the second caps it at TLS 1.0 and the handshake is refused (curl exit code 35).

curl -v --tls-max 1.2 https://www.fsa.go.jp/ -I
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host www.fsa.go.jp:443 was resolved.
* IPv6: (none)
* IPv4: 3.166.244.76, 3.166.244.80, 3.166.244.77, 3.166.244.84
*   Trying 3.166.244.76:443...
* Connected to www.fsa.go.jp (3.166.244.76) port 443
* found 158 certificates in /home/orange/.guix-profile/etc/ssl/certs/ca-certificates.crt
* found 474 certificates in /home/orange/.guix-profile/etc/ssl/certs
* GnuTLS ciphers: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
* ALPN: curl offers h2,http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*   server certificate verification OK
*   server certificate status verification SKIPPED
*   common name: www.fsa.go.jp (matched)
*   server certificate expiration date OK
*   server certificate activation date OK
*   certificate public key: RSA
*   certificate version: #3
*   subject: C=JP,ST=Tokyo-to,L=Chiyoda-ku,O=Financial Services Agency,CN=www.fsa.go.jp
*   start date: Wed, 05 Jun 2024 06:40:28 GMT
*   expire date: Sat, 28 Jun 2025 14:59:59 GMT
*   issuer: C=JP,O=SECOM Trust Systems CO.\,LTD.,CN=SECOM Passport for Web SR 3.0 CA
* ALPN: server accepted h2
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.fsa.go.jp/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.fsa.go.jp]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: www.fsa.go.jp
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/2 200
< content-type: text/html
< content-length: 16891
< date: Tue, 20 Aug 2024 09:21:14 GMT
< server: Apache
< last-modified: Mon, 29 Jul 2024 04:09:01 GMT
< accept-ranges: bytes
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< vary: Accept-Encoding
< x-cache: Hit from cloudfront
< via: 1.1 f93e179d1b1a552c89c83ee369ac624a.cloudfront.net (CloudFront)
< x-amz-cf-pop: NRT20-P6
< x-amz-cf-id: YPb7msF24vcjjbBzuprNX6kKyClkEE0wj0Mk2QcZnOCPFB2HhbzWhg==
< age: 107044
<
0 16891    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host www.fsa.go.jp left intact
[ Babel evaluation exited with code 0 ]
curl -v --tls-max 1.0 https://www.fsa.go.jp/ -I
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host www.fsa.go.jp:443 was resolved.
* IPv6: (none)
* IPv4: 3.166.244.80, 3.166.244.76, 3.166.244.77, 3.166.244.84
*   Trying 3.166.244.80:443...
* Connected to www.fsa.go.jp (3.166.244.80) port 443
* found 158 certificates in /home/orange/.guix-profile/etc/ssl/certs/ca-certificates.crt
* found 474 certificates in /home/orange/.guix-profile/etc/ssl/certs
* GnuTLS ciphers: ,NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0
* ALPN: curl offers h2,http/1.1
* gnutls_handshake() failed: Error in protocol version
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection
curl: (35) gnutls_handshake() failed: Error in protocol version
[ Babel evaluation exited with code 35 ]
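The two manual runs above check one version each. The script below is an added example (not part of the original note) that generalizes the same --tls-max technique: it probes every TLS version in turn, maps curl's exit status (0 handshake completed, 35 handshake failed, anything else a non-TLS error such as DNS or timeout) to a verdict, and reports the lowest version the server still accepts. It assumes curl is on PATH and that its TLS backend honours --tls-max; the host name is whatever you pass as the first argument.

```shell
#!/bin/sh
# Probe which TLS versions a server accepts by capping the highest version
# curl is allowed to offer (--tls-max) and trying one version at a time.
# curl exit code 35 means the TLS handshake failed, which is what a server
# that refuses the offered version produces; 0 means it completed.
# Assumes: curl is on PATH and its TLS backend supports --tls-max.

# tls_probe HOST VERSION
# Returns 0 if the handshake at VERSION completed, 1 if it was refused
# (curl exit 35), 2 for any other failure (DNS, timeout, ...). Prints nothing.
tls_probe() {
    probe_rc=0
    curl -sS -I -o /dev/null --max-time 10 --tls-max "$2" "https://$1/" \
        >/dev/null 2>&1 || probe_rc=$?
    case $probe_rc in
        0)  return 0 ;;
        35) return 1 ;;
        *)  return 2 ;;
    esac
}

# tls_min_accepted HOST
# Prints the lowest TLS version the server accepted and returns 0;
# prints nothing and returns 1 when every version was refused.
tls_min_accepted() {
    for v in 1.0 1.1 1.2 1.3; do
        if tls_probe "$1" "$v"; then
            echo "$v"
            return 0
        fi
    done
    return 1
}

# tls_report HOST
# One human-readable line per version, mirroring the manual --tls-max checks.
tls_report() {
    for v in 1.0 1.1 1.2 1.3; do
        report_rc=0
        tls_probe "$1" "$v" || report_rc=$?
        case $report_rc in
            0) echo "TLS $v: accepted" ;;
            1) echo "TLS $v: refused (curl exit 35, handshake failed)" ;;
            *) echo "TLS $v: error (not a version verdict; check DNS/network)" ;;
        esac
    done
}

if [ $# -gt 0 ]; then
    tls_report "$1"
fi
```

Exit code 35 only says the handshake failed; when a local TLS library (as with the GnuTLS build above) is itself unwilling to speak an old version, re-run with -v to confirm the refusal came from the server.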

References

Related

None.