To view the SSL handshake process with OpenSSL, you can use the following command:
openssl s_client -connect example.com:443 -debug
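Replace example.com with the domain name or IP address of the server whose SSL handshake you want to inspect, and replace 443 with the appropriate port number (if a non-standard port is used).
This command starts an OpenSSL client, connects to the specified server and port, and displays detailed information about the SSL handshake. The output includes items such as the protocol version, the cipher suite, and certificate information.
For example, after running this command you might see output like the following: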
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=27:certificate not trusted
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEb9zLjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
...
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3544 bytes and written 434 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
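In this example, we can see the details of the server certificate as well as the cipher suite in use (TLS_AES_256_GCM_SHA384). We can also see other information from the handshake, such as the protocol version and the key exchange algorithm.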
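The summary lines in the output above can be checked mechanically. The following is an added example, not part of the original page: a shell function that reads s_client output and reports the protocol, cipher suite, key exchange group and verify return code, failing when verification did not succeed. The names summarize_s_client and sample_output are hypothetical, and the sample input is a trimmed copy of the output shown above.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin.
# Exit status: 0 = verified, 1 = verify return code non-zero,
#              2 = no usable handshake summary found.
summarize_s_client() {
    awk '
        # e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
        /^New, / && / Cipher is / {
            split($0, part, ", ")
            proto = part[2]
            cipher = $NF
        }
        # e.g. "Server Temp Key: X25519, 253 bits"
        /^Server Temp Key: / { kx = $4; sub(/,$/, "", kx) }
        # e.g. "Verify return code: 20 (unable to get local issuer certificate)"
        /^Verify return code: / { code = $4 }
        END {
            # s_client prints "(NONE)" for both fields when the handshake fails
            if (proto == "" || proto == "(NONE)" || cipher == "" || code == "") {
                print "incomplete handshake summary"
                exit 2
            }
            printf "protocol=%s cipher=%s kx=%s verify=%s\n", proto, cipher, (kx == "" ? "-" : kx), code
            exit (code + 0 == 0 ? 0 : 1)
        }
    '
}

# Sample input: trimmed from the output shown on this page.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Against a live server (host and port as in the command above):
#   openssl s_client -connect example.com:443 </dev/null 2>/dev/null | summarize_s_client
sample_output | summarize_s_client || echo "certificate verification failed or handshake incomplete"
```

For the sample, the function reports verify=20 and returns status 1, matching the "unable to get local issuer certificate" error in the output.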