"\n"
" -cipher_suite options\n"
" TLS_SM4_GCM_SM3 TLS 1.3\n"
" TLS_AES_128_GCM_SHA256 TLS 1.3\n"
" TLS_ECC_SM4_CBC_SM3 TLCP\n"
" TLS_ECDHE_SM4_CBC_SM3 TLCP TLS 1.2\n"
" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS 1.2\n"
"\n"
" -supported_group options\n"
" sm2p256v1\n"
" prime256v1\n"
"\n"
" -sig_alg options\n"
" sm2sig_sm3\n"
" ecdsa_secp256r1_sha256\n"
"\n"
"Generate SM2 certificates\n"
"\n"
" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
" -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n"
" -key_usage keyCertSign -key_usage cRLSign -ca\n"
"\n"
" gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n"
" -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n"
" gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n"
" -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n"
" -ca -path_len_constraint 0 \\\n"
" -out sm2cacert.pem\n"
"\n"
" gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost \\\n"
" -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n"
" gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature \\\n"
" -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n"
" -out sm2signcert.pem\n"
"\n"
" cat sm2signcert.pem > sm2certs.pem\n"
" cat sm2cacert.pem >> sm2certs.pem\n"
"\n"
"TLS 1.3 with TLS_SM4_GCM_SM3 cipher suite\n"
"\n"
" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"
"\n"
"Generate P-256 certificates\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n"
" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n"
" -key_usage keyCertSign -key_usage cRLSign -ca\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n"
" -key p256cakey.pem -pass 1234 -out p256careq.pem\n"
" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n"
" -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n"
" -ca -path_len_constraint 0 \\\n"
" -out p256cacert.pem\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 \\\n"
" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n"
" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n"
" -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n"
" -subject_dns_name 127.0.0.1 \\\n"
" -out p256signcert.pem\n"
"\n"
" cat p256signcert.pem > p256certs.pem\n"
" cat p256cacert.pem >> p256certs.pem\n"
"\n"
" cat sm2rootcacert.pem > rootcacerts.pem\n"
" cat p256rootcacert.pem >> rootcacerts.pem\n"
"\n"
"TLS 1.3 with TLS_AES_128_GCM_SHA256\n"
" gmssl tls13_server -port 4430 \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cert p256certs.pem -key p256signkey.pem -pass 1234\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
"\n"
" add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_server.c\n"
" add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_client.c\n"
"\n"
" /usr/local/bin/openssl s_server -accept 4430 -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp \\\n"
" -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -named_curve prime256v1 \\\n"
" -trace\n"
"\n"
" /usr/local/bin/openssl s_client -connect 127.0.0.1:4430 -tls1_3 -CAfile p256rootcacert.pem -groups prime256v1 -trace\n"
"\n"
"TLS 1.3 SNI\n"
"\n"
" gmssl tls13_server -port 4430 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
" -cert p256certs.pem -key p256signkey.pem -pass 1234 \\\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
" -server_name\n"
"\n"
"HelloRetryRequest\n"
"\n"
" gmssl tls13_server -port 4430 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -max_key_exchanges 1 # or -max_key_exchanges 0 \n"
"\n"
"ClientHello with OCSP request, CT, and other extensions\n"
"\n"
" gmssl tls13_server -port 4430 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n"
" -supported_group sm2p256v1 -supported_group prime256v1 \\\n"
" -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n"
" -max_key_exchanges 2 \\\n"
" -server_name \\\n"
" -signature_algorithms_cert \\\n"
" -status_request \\\n"
" -post_handshake_auth \\\n"
" -ct\n"
"\n"
"NewSessionTicket\n"
"\n"
" TICKET_KEY=11223344556677881122334455667788\n"
"\n"
" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -new_session_ticket 2 -ticket_key $TICKET_KEY\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -sess_out session.bin\n"
"\n"
"PSK-DHE from session ticket\n"
"\n"
" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n"
" -psk_dhe_ke -ticket_key $TICKET_KEY\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n"
" -psk_dhe_ke -sess_in session.bin\n"
"\n"
"PSK-DHE/PSK from external\n"
"\n"
" PSK=1122334455667788112233445566778811223344556677881122334455667788\n"
"\n"
" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -supported_group sm2p256v1 -psk_dhe_ke \\\n"
" -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -supported_group sm2p256v1 -psk_dhe_ke \\\n"
" -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
"\n"
" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n"
"\n"
"EarlyData (0-RTT)\n"
"\n"
" gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n"
" -early_data\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n"
" -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n"
" -early_data early_data.txt\n"
"\n"
"CertificateRequest\n"
"\n"
" gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cert_request -cacert sm2rootcacert.pem\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n"
" -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n"
"\n"
"CertificateRequest without CertificateVerify\n"
"\n"
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n"
" -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"