Reposted from: the web | The Complete HTTPS Flow - Cor - cnblogs (博客园)

I. Handshake process

1.1 The complete TLS handshake

1.2 One-way authentication data

TLSv1.2  571 Client Hello
TLSv1.2 150 Server Hello
TLSv1.2 895 Certificate
TLSv1.2 392 Server Key Exchange
TLSv1.2 63  Server Hello Done
TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60  Change Cipher Spec
TLSv1.2 99  Encrypted Handshake Message
TLSv1.2 406 Application Data
TLSv1.2 328 Application Data

1.3 Mutual authentication data

TLSv1.2  358 Client Hello
TLSv1.2 996 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
TLSv1.2 534 Certificate
TLSv1.2 332 Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60  Change Cipher Spec
TLSv1.2 99  Encrypted Handshake Message
TLSv1.2 115 Application Data

II. Packet details (capture from Wireshark)

1. Client Hello

Source path:

Source: library/ssl_cli.c;
Func:   ssl_write_client_hello();

Handshake protocol:

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 295
    Version: TLS 1.2 (0x0303)
    Random: 5f2933702428c5b2819c30feb9fc52b3483feedd7faf64c2…
        GMT Unix Time: Aug  4, 2020 18:07:44.000000000 CST
        Random Bytes: 2428c5b2819c30feb9fc52b3483feedd7faf64c22162e198…
    Session ID Length: 0
    Cipher Suites Length: 160
    Cipher Suites (80 suites)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Extensions Length: 94
    Extension: server_name (len=18)
    Extension: signature_algorithms (len=22)
    Extension: supported_groups (len=24)
    Extension: ec_point_formats (len=2)
    Extension: encrypt_then_mac (len=0)
    Extension: extended_master_secret (len=0)
    Extension: session_ticket (len=0)

Field notes:

Version:       TLS version information;
Random:        first 4 bytes: timestamp; last 28 bytes: random bytes;
Cipher Suites: the cipher suites supported by the client;

2. Server Hello

Source path:

Source: library/ssl_cli.c;
Func:   ssl_parse_server_hello();

Handshake protocol:

Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Length: 81
    Version: TLS 1.2 (0x0303)
    Random: 5f29336af1104faf18544577413080cb7f8932fd5c4d2249…
        GMT Unix Time: Aug  4, 2020 18:07:38.000000000 CST
        Random Bytes: f1104faf18544577413080cb7f8932fd5c4d2249fb8db872…
    Session ID Length: 32
    Session ID: 5f29336a02f78561926108084594d22cd6804819da2d9bd9…
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Compression Method: null (0)
    Extensions Length: 9
    Extension: renegotiation_info (len=1)
        Type: renegotiation_info (65281)
        Length: 1
        Renegotiation Info extension
    Extension: extended_master_secret (len=0)
        Type: extended_master_secret (23)
        Length: 0

Field notes:

Version:      TLS version information;
Random:       random sequence; first 4 bytes: timestamp; last 28 bytes: random bytes;
Cipher Suite: the cipher suite chosen after negotiation between server and client;
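
The Server Hello layout above, as an added example (not code from the original page or from mbedtls): a bounds-checked C parser for the message body that extracts the fields shown in the capture and records whether renegotiation_info and extended_master_secret came back. The names parse_server_hello, server_hello_t and sample_server_hello are hypothetical, and the sample bytes are constructed from the fields visible in the capture.

```c
#include <stdint.h>
#include <string.h>

typedef struct {
    uint16_t version, cipher_suite;
    uint32_t gmt_unix_time;                      /* first 4 bytes of Random */
    int session_id_len, has_reneg_info, has_ems; /* extensions 65281 and 23 */
} server_hello_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parses the body after the 4-byte handshake header; 0 on success, -1 on a bad length. */
int parse_server_hello(const uint8_t *b, size_t n, server_hello_t *o) {
    size_t i = 2 + 32;                           /* Version + Random */
    memset(o, 0, sizeof *o);
    if (n < i + 1) return -1;
    o->version = rd16(b);
    o->gmt_unix_time = ((uint32_t)rd16(b + 2) << 16) | rd16(b + 4);
    o->session_id_len = b[i++];
    if (o->session_id_len > 32 || n - i < (size_t)o->session_id_len + 3) return -1;
    i += (size_t)o->session_id_len;
    o->cipher_suite = rd16(b + i);
    i += 3;                                      /* suite + compression method */
    if (i == n) return 0;                        /* extensions are optional */
    if (n - i < 2 || i + 2 + rd16(b + i) != n) return -1;
    for (i += 2; i < n; i += 4 + (size_t)rd16(b + i + 2)) {
        if (n - i < 4 || n - i - 4 < (size_t)rd16(b + i + 2)) return -1;
        if (rd16(b + i) == 0xff01) o->has_reneg_info = 1;
        if (rd16(b + i) == 0x0017) o->has_ems = 1;
    }
    return 0;
}

/* Constructed 81-byte sample with the capture's visible fields; the Random
 * tail and Session ID are zero-filled because the page truncates them. */
size_t sample_server_hello(uint8_t out[81]) {
    static const uint8_t tail[14] = { 0xc0, 0x2c, 0, 0, 9, /* suite, comp, ext len */
        0xff, 0x01, 0, 1, 0, 0, 0x17, 0, 0 };  /* renegotiation_info, EMS */
    memset(out, 0, 81);
    memcpy(out, "\x03\x03\x5f\x29\x33\x6a", 6);  /* TLS 1.2 + GMT Unix Time */
    out[34] = 32;                                /* Session ID Length */
    memcpy(out + 67, tail, sizeof tail);
    return 81;
}

int main(void) {   /* exit status 0 when the constructed sample parses */
    uint8_t buf[81]; server_hello_t sh;
    return parse_server_hello(buf, sample_server_hello(buf), &sh) != 0;
}
```

The field sizes add up to the Length: 81 shown in the capture: 2 + 32 + 1 + 32 + 2 + 1 + 2 + 9.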

3. Certificate

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_parse_certificate();

Handshake protocol:

Handshake Protocol: Certificate
    Handshake Type: Certificate (11)
    Length: 484
    Certificates Length: 481
    Certificates (481 bytes)
        Certificate Length: 478
        Certificate: 308201da30820180021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=svr.example.iwall.com,id-at-organizationalUnitName=SERVER,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-co
            signedCertificate
            algorithmIdentifier (ecdsa-with-SHA256)
            Padding: 0
            encrypted: 30450221009499d98c1ea5963eaba85216b98de2ff45f5af…

Field notes:

Version:      TLS version information;
Certificates: certificate information;

4. Server Key Exchange

Source path:

Source: library/ssl_cli.c;
Func:   ssl_parse_server_key_exchange();

Handshake protocol:

Handshake Protocol: Server Key Exchange
    Handshake Type: Server Key Exchange (12)
    Length: 211
    EC Diffie-Hellman Server Params
        Curve Type: named_curve (0x03)
        Named Curve: secp521r1 (0x0019)
        Pubkey Length: 133
        Pubkey: 04010a9d9275a1702a5eb822432c2f728e18613768c4818a…
        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
            Signature Hash Algorithm Hash: SHA512 (6)
            Signature Hash Algorithm Signature: ECDSA (3)
        Signature Length: 70
        Signature: 3044022031c64f7e6fe642e6729bdf1822e1345e24858e13…

Field notes:

EC Diffie-Hellman Server Params
Pubkey: with ECDH, the client uses the server public key from the certificate and the server does not send Server Key Exchange. With ECDHE, the server sends its ephemeral ECDH public key to the client in the Server Key Exchange message and signs that ephemeral public key with the server's private key.
Signature Algorithm: the signature algorithm
Signature:           the signature made with the server's private key

5. Certificate Request

Source path:

Source: library/ssl_cli.c;
Func:   ssl_parse_certificate_request();

Handshake protocol:

Handshake Protocol: Certificate Request
    Handshake Type: Certificate Request (13)
    Length: 141
    Certificate types count: 3
    Certificate types (3 types)
        Certificate type: RSA Sign (1)
        Certificate type: DSS Sign (2)
        Certificate type: ECDSA Sign (64)
    Signature Hash Algorithms Length: 20
    Signature Hash Algorithms (10 algorithms)
        Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
        Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
        Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
        Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
        Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
        Signature Algorithm: SHA256 DSA (0x0402)
        Signature Algorithm: ecdsa_sha1 (0x0203)
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Algorithm: SHA1 DSA (0x0202)
    Distinguished Names Length: 113
    Distinguished Names (113 bytes)
        Distinguished Name Length: 111
        Distinguished Name: (id-at-commonName=ca.example.iwall.com,id-at-organizationalUnitName=CA,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)

6. Server Hello Done

Source path:

Source: library/ssl_cli.c;
Func:   ssl_parse_server_hello_done();

Handshake protocol:

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

7. Certificate

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_write_certificate();

Handshake protocol:

TLSv1.2 Record Layer: Handshake Protocol: Certificate
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 475
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 471
        Certificates Length: 468
        Certificates (468 bytes)
            Certificate Length: 465
            Certificate: 308201cd30820172021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=Android,id-at-organizationalUnitName=CLIENT,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)
                signedCertificate
                algorithmIdentifier (ecdsa-with-SHA256)
                Padding: 0
                encrypted: 3046022100d2ff654bad8f8c917bce6e61c7c0767c661cbf…

8. Client Key Exchange

Source path:

Source: library/ssl_cli.c;
Func:   ssl_write_client_key_exchange();

Handshake protocol:

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 70
    Handshake Protocol: Client Key Exchange
        Handshake Type: Client Key Exchange (16)
        Length: 66
        EC Diffie-Hellman Client Params
            Pubkey Length: 65
            Pubkey: 047b18a25c26f22f7cea0307b89dcb483167a9d3bdb21929…

9. Certificate Verify

Source path:

Source: library/ssl_cli.c;
Func:   ssl_write_certificate_verify();

Handshake protocol:

TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 79
    Handshake Protocol: Certificate Verify
        Handshake Type: Certificate Verify (15)
        Length: 75
        Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
            Signature Hash Algorithm Hash: SHA384 (5)
            Signature Hash Algorithm Signature: ECDSA (3)
        Signature length: 71
        Signature: 3045022100c6a116675a6b42fef04d673fe305a6f961ff1e…

Field notes:

Signature: the signature over the protocol content, made with the client's private key.

10. Change Cipher Spec

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_write_change_cipher_spec();

Protocol message:

Transport Layer Security
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message

Field notes:

Change Cipher Spec Message: the client sends a ChangeCipherSpec message, indicating that the client intends to switch to the negotiated cipher suite. This message has been removed in TLS 1.3.

11. Encrypted Handshake Message (Finished)

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_write_finished();

Protocol message:

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

Field notes:

The client sends the Finished message, indicating that the handshake is complete.

12. Change Cipher Spec

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_parse_change_cipher_spec();

Protocol message:

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message

Field notes:

The server sends the Change Cipher Spec message, indicating that the server intends to switch to the negotiated cipher suite.

13. Encrypted Handshake Message (Finished)

Source path:

Source: library/ssl_cli.c;
Func:   mbedtls_ssl_parse_finished();

Protocol message:

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 40
    Handshake Protocol: Encrypted Handshake Message

Field notes:

The server sends the Finished message, indicating that the handshake is complete.

14. Application data message

Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: http-over-tls
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 3172
        Encrypted Application Data: 3358e1ab02e292ef8a2734a7648250ec251dcc04c8a95504…
