PQC 工具組設定指南

此指南適用於 PQC 工具組。如需有關設定 DigiCert PQC 工具組的指示,請參閱 PQC Docker 化工具組指南

介紹

DigiCert 的後量子加密 (PQC) 工具組含有建立混合式 TLS 憑證所需的一切。此混合式憑證使用與傳統加密演算法結合的後量子加密演算法。可讓您在測試部署後量子混合式 TLS 的可行性時,同時保有向後相容性。

關於此第一個反覆項目,後量子加密演算法與橢圓曲線加密演算法配對。

此設定指南讓您完全瞭解使用 DigiCert PQC 工具組可以:

  • 套用 ISARA PQC Patch 到 OpenSSL 資源檔案。
  • 編譯您的修改的 OpenSSL 程式。
  • 產生後量子加密金鑰。。
  • 建立完整的混合式憑證鏈,包括根、中繼和伺服器憑證。
  • 使用 OpenSSL 的 s_servers_client 公用桯式測試憑證。

DigiCert PQC 工具組可下載用於所有的 Secure Site Pro 客戶。進一步瞭解使用每種 Secure Site Pro 憑證加入的內容

PQC 工具組內容

DigiCert PQC 工具組包含這些檔案:

  • ISARA Catalyst OpenSSL Connector
  • 修改 openssl.cfg
  • 憑證組態檔案
  • 範例混合式憑證鏈

先決條件

使用此指南前,請確定符合這些先決條件:

  • 存取 DigiCert PQC 工具組資源檔案
  • 64-bit Ubuntu 16.04 或更新版本 (本指南用 Ubuntu 18.04 LTS 編寫)
  • 有 sudo 存取權限的非根使用者

若要阻止您的系統或生產環境發行,建議您遵照這些使用沙箱或虛擬環境的步驟進行:

準備您的環境

下載修補檔案前,請準備您的環境。

首先,請安裝必需的依存性和工具。

bash
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install curl unzip make cmake gcc wget zlib1g-dev libjansson-dev

接著,建立您將下載和編輯資源檔案與工具組資源所在的目錄結構。

bash
mkdir -p /app/digicert-pqc/connector
mkdir -p /app/digicert-pqc/certs/configs
mkdir /app/resources

下載和解壓縮工具組

現在,下載 DigiCert PQC 工具組並解壓縮其內容。

下載 PQC 工具組

  1. 登入您的 CertCentral 帳戶。

  2. 在資訊看板功能表中,按一下憑證 > 訂單

  3. 在「訂單」頁面上,尋找您的 Sucure Site Pro 憑證訂單,然後按其訂單編號。

  4. 在憑證的訂單詳細資料頁面上,按一下 PQC 工具組

  5. 在「後量子加密 (PQC)」頁面上,按一下下載 ISARA PQC 工具組,然後將工具組儲存到 /app/resources 目錄中。

解壓縮 PQC 工具組檔案。

接著,從工具組中解壓縮內容。

bash
cd /app/resources
unzip ./DigiCert_PQC_Toolkit.zip

PQC 工具組包含 ISARA OpenSSL Connector 封存。將此解壓縮到 /app/digicert-pqc/connector

bash
cd /app/digicert-pqc/connector
tar xzvf /app/resources/digicert-pqc-toolkit_2019-07-26/openssl_connector-Linux-2019-05-27.tgz

修補和編譯 OpenSSL

在您設定環境和解壓縮所有檔案後,修補和編譯 OpenSSL。

若要開始,請下載 1.0.2r 版 OpenSSL 到 /app/resources 目錄。

bash
cd /app/resources
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2r.tar.gz

接著,請將來源檔案解壓縮到 /app/digicert-pqc 目錄。

bash
cd /app/digicert-pqc
tar xzvf /app/resources/openssl-1.0.2r.tar.gz

現在,套用 ISARA OpenSSL 補丁到解壓縮的來源檔案中。這會對 OpenSSL 做所有必需的修改,以產生和解譯對量子安全的加密演算法。

bash
cd openssl-1.0.2r/
patch -p2 < ../connector/OpenSSL_1_0_2r_ISARA.patch

在修補完成後,用工具組的經過修改的版本取代現有的 openssl.cnf 檔案。經過修改的組態檔案包含一個動態引擎項目,指向 ISARA OpenSSL IQREngine。

bash
cp /app/resources/digicert-pqc-toolkit_2019-07-26/openssl.cnf ./apps

現在您需要編輯經過修改的組態檔案,這樣它會指向 ISARA OpenSSL IQREngine 的位置。

  1. 在您喜好的文字編輯中,開啟複製的 openssl.cnf 檔案。

bash
vi ./apps/openssl.cnf
  1. 找到第 32 行的 dynamic_path 項目。

  2. 將項目變更為此:

bash
dynamic_path = /app/digicert-pqc/connector/lib/libiqre_engine.so
  1. 儲存並關閉檔案。

由於您正在建立共用的 OpenSSL 程式庫,您將需要在編譯來源檔案前設定非標準的路徑。

bash
./config --prefix=/app/digicert-pqc/pqpki-openssl-1.0.2r --openssldir=/app/digicert-pqc/pqpki-openssl-1.0.2r shared

接著,執行以下的每個命令,一次一個,以編譯經過修改的來源檔案。

bash
make depend
make all
sudo make install

成功編譯經過修改的 OpenSSL 來源後,使用 LD_LIBRARY_PATH 變數指定兩個動態程式庫位置。這告訴您尋找您的經過修改的 OpenSSL 共用桯式庫,以及用於處理對量子安全的加密演算法的 ISARA PQC 引擎所在。

bash
export LD_LIBRARY_PATH=/app/digicert-pqc/pqpki-openssl-1.0.2r:/app/digicert-pqc/connector/lib

如果您的系統已經使用 LD_LIBRARY_PATH 變數,您可以附加 :$LD_LIBRARY_PATH 到上述命令中,非破壞性的新增新路徑。

建立混合式憑證鏈

現在,您擁有可以產生和解碼對量子安全的加密演算法的 OpenSSL 程式。您已準備好建立完整的混合式憑證鏈 (根、中繼和伺服器憑證),因此您可以測試其功能。

首先,複製納入到 PQC 工具組中的憑證組態檔案到 /app/digicert-pqc/certs 目錄中。這些組態檔案包含產生每個憑證要求和憑證所需的所有資料。

bash
cd /app/digicert-pqc/certs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/root_req.cfg ./configs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/intermediate_req.cfg ./configs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/server_req.cfg ./configs

產生私密和公用金鑰

接著,為為憑證鏈中的每份憑證產生對量子安全的私密金鑰,確定使用經過修改的 OpenSSL 程式和 IQREngine。

根私密金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm xmss -pkeyopt tree_height:10 -pkeyopt strategy:cpu_constrained -pkeyopt state_filename:xmss_catalyst_mixed_chain_root_private_key_state.bin -out xmss_catalyst_mixed_chain_root_private_key.pem

中繼私密金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm dilithium -pkeyopt parameter_set:A -out dilithium_catalyst_mixed_chain_intermediate_private_key.pem

伺服器私密金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm rainbow -pkeyopt parameter_set:A -out rainbow_catalyst_mixed_chain_private_key.pem

您一產生每份憑證的私密金鑰後,立刻解壓縮他們的公用金鑰。

根公用金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in xmss_catalyst_mixed_chain_root_private_key.pem -pubout -out xmss_catalyst_mixed_chain_root_public_key.pem

中繼公用金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in dilithium_catalyst_mixed_chain_intermediate_private_key.pem -pubout -out dilithium_catalyst_mixed_chain_intermediate_public_key.pem

伺服器公用金鑰:

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in rainbow_catalyst_mixed_chain_private_key.pem -pubout -out rainbow_catalyst_mixed_chain_public_key.pem

選擇 ECC 混合鏈憑證的曲線。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl ecparam -out ecdsa_catalyst_mixed_chain_parameters.pem -name secp384r1

建立 CSR 和產生憑證

產生所有加密金鑰後,您已準備好建立鏈中的每份憑證的 CSR 和產生根、中繼與伺服器憑證。

首先,建立使用於根發行者的 CSR。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem -config ./configs/root_req.cfg -nodes

接著您需要建立用於根的自我簽署 X509 憑證。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8026 -extfile ./configs/root_req.cfg -in ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem -signkey ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem

在那之後,將根憑證延伸到混合式根憑證。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSDirectExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem -x509out xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -privin ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -pubqs xmss_catalyst_mixed_chain_root_public_key.pem -privqs xmss_catalyst_mixed_chain_root_private_key.pem::xmss_catalyst_mixed_chain_root_private_key_state.bin -privqs_engine

現在您可以建立用於中繼憑證的 CSR。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -out ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem -config ./configs/intermediate_req.cfg -nodes

將中繼憑證 CSR 延伸到混合式 CSR 中。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl reqQSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -reqin ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem -reqout dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -privin ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -pubqs dilithium_catalyst_mixed_chain_intermediate_public_key.pem -privqs dilithium_catalyst_mixed_chain_intermediate_private_key.pem

接著產生中繼憑證。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8014 -extfile ./configs/intermediate_req.cfg -in dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -CA xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -CAkey ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem

將中繼憑證延伸到混合式中繼憑證中。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem -x509out dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -reqin dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -privqs xmss_catalyst_mixed_chain_root_private_key.pem::xmss_catalyst_mixed_chain_root_private_key_state.bin -privqs_engine

現在根和中繼憑證都已產生,下一步是產生伺服器憑證。

首先您需要建立用於伺服器憑證的 CSR。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem -out ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem -config ./configs/server_req.cfg -nodes

然後將伺服器憑證 CSR 延伸到混合式 CSR 中。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl reqQSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -reqin ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem -reqout rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -privin ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem -pubqs rainbow_catalyst_mixed_chain_public_key.pem -privqs rainbow_catalyst_mixed_chain_private_key.pem

在那之後,您可以產生伺服器憑證。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8015 -req -extfile ./configs/server_req.cfg -in rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -CA dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -CAkey ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -out ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem

最後,將伺服器憑證延伸到混合式伺服器憑證中。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem -x509out rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem -reqin rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -privqs dilithium_catalyst_mixed_chain_intermediate_private_key.pem

確認憑證鏈

建立所有憑證後,表示您已準備好確認您有功能性混合式憑證鏈。

首先,確認混合鏈使用舊密碼運作。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl verify -engine IQREngine -verbose -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -untrusted dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem

您應該看到此輸出:

bash
engine "IQREngine" set.
rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem: OK

接著,確認混合式憑證鏈使用量子安全加密運作。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSVerify -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -root xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -untrusted dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -cert rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem

哪一個應提供此輸出:

bash
engine "IQREngine" set.
2 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
1 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
0 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=digicert.pqc
Success!!

確認已建立所有檔案後,執行 ls 命令。如果成功,應該看到像這樣的輸出:

bash
configs
dilithium_catalyst_mixed_chain_intermediate_private_key.pem
dilithium_catalyst_mixed_chain_intermediate_public_key.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_catalyst_mixed_chain_parameters.pem
ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem
ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem
rainbow_catalyst_mixed_chain_private_key.pem
rainbow_catalyst_mixed_chain_public_key.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem
xmss_catalyst_mixed_chain_root_private_key.pem
xmss_catalyst_mixed_chain_root_private_key_state.bin
xmss_catalyst_mixed_chain_root_public_key.pem
xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem

使用 s_server 和 s_client 測試您的憑證鏈。

若要測試您的對量子安全的混合式憑證鏈,請使用 OpenSSL 的 s_servers_client 公用程式。若要同時使用這兩種公用程式,請開啟兩個終端工作階段,一個用於伺服器,一個用於用戶端。

首先,加入伺服器憑證的 CN 值到您的主機檔案中。

bash
echo "$(hostname -I) digicert.pqc" | sudo tee -a /etc/hosts

接著,確定您在 /app/digicert-pqc/certs 目錄中。

bash
cd /app/digicert-pqc/certs

然後,在您開啟的其中一個終端中,啟動伺服器。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_server -engine IQREngine -cert dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -certform PEM -key dilithium_catalyst_mixed_chain_intermediate_private_key.pem -keyform PEM -debug -tls1_2

執行上述的命令後,您應該會看到此輸出:

bash
engine "IQREngine" set.
Using default temp DH parameters
ACCEPT

接著,切換到第二個終端視窗,確定您在 /app/digicert-pqc/certs 目錄中。

bash
cd /app/digicert-pqc/certs

然後使用 s_client 公用程式連線到執行中的伺服器。

bash
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_client -engine IQREngine -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -showcerts -tls1_2 -cipher 'ECDHE-NHDH-DILM-AES256-GCM-SHA384'

如果一切設定正確,在執行 s_client 公用程式的終端視窗中,您應該會看到此輸出:

bash
engine "IQREngine" set.
CONNECTED(00000003)
depth=1 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Root
verify return:1
depth=0 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Test Intermediate CA
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
   i:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
issuer=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 9868 bytes and written 2331 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-NHDH-DILM-AES256-GCM-SHA384
    Session-ID: {{Session-ID}}
    Session-ID-ctx: 
    Master-Key: {{Master-Key}}
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [...]


    Start Time: 1563994600
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

在執行 s_server 公用程式的終端視窗中,您應該會看到此輸出:

bash
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 96                                    .....
read from 0x5581e0750b80 [0x5581e07656f8] (150 bytes => 150 (0x96))
0000 - 01 00 00 92 03 03 d9 c0-5a 73 35 d0 4e f2 31 f6   ........Zs5.N.1.
[...]
write to 0x5581e0750b80 [0x5581e076e100] (71 bytes => 71 (0x47))
0000 - 16 03 03 00 42 02 00 00-3e 03 03 c2 3b df 2f 01   ....B...>...;./.
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4953 bytes => 4953 (0x1359))
0000 - 16 03 03 13 54 0b 00 13-50 00 13 4d 00 13 4a 30   ....T...P..M..J0
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4609 bytes => 4609 (0x1201))
0000 - 16 03 03 11 fc 0c 00 11-f8 03 00 17 41 04 0d 97   ............A...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (9 bytes => 9 (0x9))
0000 - 16 03 03 00 04 0e 00 00-00                        .........
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 08 48                                    ....H
read from 0x5581e0750b80 [0x5581e07656f8] (2120 bytes => 2120 (0x848))
0000 - 10 00 08 44 41 04 29 0a-07 84 0c f3 a4 e4 3e d1   ...DA.).......>.
[...]
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01                                    .....
read from 0x5581e0750b80 [0x5581e07656f8] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28                                    ....(
read from 0x5581e0750b80 [0x5581e07656f8] (40 bytes => 40 (0x28))
0000 - e1 d7 30 8b 12 ef d1 dc-31 90 97 d0 0e 54 9c aa   ..0.....1....T..
[...]
write to 0x5581e0750b80 [0x5581e076e100] (175 bytes => 175 (0xAF))
0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 02   ............ ...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01                                 ......
write to 0x5581e0750b80 [0x5581e076e100] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 d0 99 97-94 6d a1 5c f8 b0 c0 65   ....(....m.\...e
[...]
-----BEGIN SSL SESSION PARAMETERS-----
[...]
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-NHDH-DILM-AES256-GCM-SHA384:ECDHE-NHDH-SIDH-DILM-AES256-GCM-SHA384
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:XMSS+SHA512:XMSSmt+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512:0xE0+SHA512
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:0xFE01
Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:UNDEF
CIPHER is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Secure Renegotiation IS supported

恭喜!您已使用 DigiCert 的 PQC 工具組和 ISARA Catalyst OpenSSL Connector 引擎成功建立對量子安全的混合式憑證鏈。