How to communicate with an SSL server in plaintext

In SSL, the traffic between client and server is encrypted with a symmetric cipher. If the SSL server is configured to also accept a cipher suite that performs no encryption (a NULL cipher), however, the client and server can negotiate that suite and exchange their traffic in plaintext.
Because the traffic then travels in the clear, anyone who can capture the packets can read its contents.


▼Example of a plaintext connection

# openssl s_client -connect 10.100.0.160:443 -cipher NULL-SHA
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDDCCA3WgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCLS0x
... (omitted) ...
hzzEg+cieOT7XFqzVi9WEaKwQU9Fv2U1GCl9Wf7amSI=
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1190 bytes and written 232 bytes
---
New, TLSv1/SSLv3, Cipher is NULL-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : NULL-SHA
    Session-ID: A564E3DC37E2FC93FF0FD0493EE854FD6D07FA4C77BCC4B720078EFA1224B3B5
    Session-ID-ctx: 
    Master-Key: 42FA7BE7A0E945B9E58BFBE965E453D9AF44E72E2A008370AA15B44ACF9632C16667D170C73012F74FFCCECD4BE31F3D
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1224230441
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 17 Oct 2008 08:00:45 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Fri, 04 Jul 2008 11:17:49 GMT
ETag: "1492f-1c7-e039b140"
Accept-Ranges: bytes
Content-Length: 455
Connection: close
Content-Type: text/html; charset=UTF-8

closed


▼Result of capturing the packets

IP 10.100.0.110.53230 > 10.100.0.160.https: P 233:274(41) ack 1191 win 1016 
  E..]..@.@.uA.d.n
  .d.......k......
  ....T=........L.
  ..4}....$HEAD./.
  HTTP/1.0.J.0.v..
  ~6.%.v.......
IP 10.100.0.160.https > 10.100.0.110.53230: . ack 274 win 1716 
  E..46;@.@....d..
  .d.n.........k..
  ..............@.
  ..L.
IP 10.100.0.110.53230 > 10.100.0.160.https: P 274:300(26) ack 1191 win 1016 
  E..N..@.@.uO.d.n
  .d.......k......
  ..............M.
  ..@.......dr..0.
  .'.?....P.(w..
IP 10.100.0.160.https > 10.100.0.110.53230: . ack 300 win 1716 
  E..46=@.@....d..
  .d.n.........k..
  ...../........Ao
  ..M.
IP 10.100.0.160.https > 10.100.0.110.53230: P 1191:1480(289) ack 300 win 1716 
  E..U6?@.@....d..
  .d.n.........k..
  ..............At
  ..M......HTTP/1.
  1.200.OK..Date:.
  Fri,.17.Oct.2008
  .08:00:45.GMT..S
  erver:.Apache/2.
  0.52.(CentOS)..L
  ast-Modified:.Fr
  i,.04.Jul.2008.1
  1:17:49.GMT..ETa
  g:."1492f-1c7-e0
  39b140"..Accept-
  Ranges:.bytes..C
  ontent-Length:.4
  55..Connection:.
  close..Content-T
  ype:.text/html;.
  charset=UTF-8...
  ....3F.......?{.
  .A\~.
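The capture above shows the HTTP request and response in the clear even though the session runs on port 443. A monitoring sensor does not have to wait for application data to notice this: the cipher suite the server selects is sent unencrypted in the ServerHello, so a NULL-cipher session can be flagged at the handshake. The following Python is an added example (it is not code from the original page) that parses a ServerHello record and checks the selected suite against a table of IANA code points that provide no encryption. The table lists the suites the author knows and is not the full registry; build_server_hello only constructs test input, and the Session-ID it reuses is the one printed by s_client above.

```python
import struct

# IANA cipher suite code points that provide no encryption ("eNULL" in OpenSSL
# terms). A starting point, not the complete IANA registry.
NULL_CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",          # OpenSSL name: NULL-SHA
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0xC001: "TLS_ECDH_ECDSA_WITH_NULL_SHA",
    0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
    0xC015: "TLS_ECDH_anon_WITH_NULL_SHA",
    0xC0B4: "TLS_SHA256_SHA256",               # TLS 1.3 integrity-only (RFC 9150)
    0xC0B5: "TLS_SHA384_SHA384",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def server_hello_cipher_suite(record: bytes) -> int:
    """Return the cipher suite the server selected in a TLS ServerHello record.

    Layout (RFC 5246): record header = type(1) version(2) length(2);
    handshake header = type(1) length(3); ServerHello body = version(2)
    random(32) session_id_len(1) session_id cipher_suite(2) compression(1) ...
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not start with a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                        # version + random + sid length
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len                         # cipher_suite follows session_id
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[off:off + 2])
    return suite


def classify_server_hello(record: bytes) -> tuple:
    """Return (is_null_cipher, suite_name_or_hex) for a ServerHello record."""
    suite = server_hello_cipher_suite(record)
    name = NULL_CIPHER_SUITES.get(suite)
    if name is not None:
        return True, name
    return False, f"0x{suite:04X}"


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Build a minimal TLS 1.0 ServerHello record (constructed test input only)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE_RECORD]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    # Session-ID taken from the s_client output above; everything else constructed.
    sid = bytes.fromhex("A564E3DC37E2FC93FF0FD0493EE854FD6D07FA4C77BCC4B720078EFA1224B3B5")
    for suite in (0x0002, 0x002F):             # NULL-SHA vs. AES128-SHA
        is_null, name = classify_server_hello(build_server_hello(suite, sid))
        print(f"{name}: {'ALERT - session carries no encryption' if is_null else 'ok'}")
```

In a real deployment the record bytes would come from a packet capture or an IDS hook rather than from build_server_hello; the parser deliberately stops at the cipher suite field, so it also works on ServerHellos carrying extensions it does not understand.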


▼Example configuration file (ssl.conf) in which plaintext communication is enabled

SSLCipherSuite ALL:COMPLEMENTOFALL


▼Example configuration file (ssl.conf) in which plaintext communication is disabled

SSLCipherSuite ALL:!COMPLEMENTOFALL
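The difference between the two directives is a single "!": COMPLEMENTOFALL is OpenSSL's alias for the suites that ALL leaves out, which is exactly the eNULL group, so the first spec adds the NULL ciphers and the second removes them. Apache hands the SSLCipherSuite value to OpenSSL unchanged, so the spec can be audited offline by expanding it with the same library. The Python below is an added example, not code from the page or from Apache; it uses the ssl module's set_ciphers/get_ciphers to expand a spec with the local OpenSSL, reports every suite that offers no encryption, and runs that check over each SSLCipherSuite line of a config fragment. SAMPLE_SSL_CONF is constructed here around the two directive lines shown above, and which NULL suites appear depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# Constructed ssl.conf fragment: the two SSLCipherSuite lines are the ones
# shown above, the comments are added here.
SAMPLE_SSL_CONF = """\
# weak: ALL plus its complement, i.e. the NULL ciphers, is accepted
SSLCipherSuite ALL:COMPLEMENTOFALL
# fixed: the NULL ciphers are explicitly excluded
SSLCipherSuite ALL:!COMPLEMENTOFALL
"""


def expand_cipher_spec(spec: str) -> list:
    """Expand an OpenSSL cipher string into the suites the local OpenSSL
    enables for it. Apache passes the SSLCipherSuite value to OpenSSL
    verbatim, so the same expansion applies to the directive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []                      # nothing matched the spec
    return ctx.get_ciphers()           # list of dicts: name, strength_bits, ...


def null_ciphers(spec: str) -> list:
    """Sorted names of the suites in spec that provide no encryption."""
    return sorted(c["name"] for c in expand_cipher_spec(spec)
                  if "NULL" in c["name"] or c["strength_bits"] == 0)


def audit_ssl_conf(conf_text: str) -> dict:
    """Map each SSLCipherSuite value in an Apache config to its NULL suites.

    Apache 2.4 allows an optional protocol keyword before the spec; the
    spec is always the last token, so that is what gets audited.
    """
    findings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"SSLCipherSuite\s+(.+)$", line, re.IGNORECASE)
        if m:
            spec = m.group(1).split()[-1]
            findings[spec] = null_ciphers(spec)
    return findings


if __name__ == "__main__":
    for spec, weak in audit_ssl_conf(SAMPLE_SSL_CONF).items():
        verdict = f"ALERT, NULL suites enabled: {', '.join(weak)}" if weak else "ok"
        print(f"SSLCipherSuite {spec}: {verdict}")
```

Because OpenSSL resolves aliases such as ALL, HIGH and COMPLEMENTOFALL only at run time, expanding the string is more reliable than reading it: a spec can look restrictive and still pull NULL suites in through an alias. Note that set_ciphers covers the TLS 1.2-and-earlier list only; the TLS 1.3 integrity-only suites are configured separately and are not covered by this check.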