HTTPS: TLS handshake inside an SSLv3 record layer

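My server is configured to accept both the SSLv3 and TLS 1.0 protocols. But a few clients send a handshake with the parameters below, and after the server hello the client drops the connection and sends a "handshake failure (40)" alert. I'm not sure whether this is the client's fault or the server's.

Here is the initial client hello packet: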

Secure Socket Layer
  SSLv3 Record Layer: Client Hello
  Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300) <-----------------
    Length: 103
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 78
        Version: TLS 1.0 (0x0301) <-------------
        Random
        Session ID Length: 0
        Cipher Suites Length: 18
        Cipher Suites (9 suites)
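
The curl command above shows up in Wireshark as:

EDIT2: Is this legal? I have been googling and can't find any example. Does it violate any RFC standard?

Thanks

I'm just wondering how I can send a packet like this. Is there a command for it?

should generate something similar to the trace you provided.

Yes, this is legal (at least it has been clarified in the recent TLS specifications).

You can look this up in (TLS 1.2) or (SSL 3.0) or other RFCs about SSL/TLS. The issue is the initial version of the record protocol and of the handshake protocol: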

rfc5246:

   Earlier versions of the TLS specification were not fully clear on
   what the record layer version number (TLSPlaintext.version) should
   contain when sending ClientHello (i.e., before it is known which
   version of the protocol will be employed).  Thus, TLS servers
   compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any
   value {03,XX} as the record layer version number.  Typical values
   would be {03,00}, the lowest version number supported by the client,
   and the value of ClientHello.client_version.

Regarding the handshake protocol, the client will negotiate the highest version it has implemented:


client_version: The version of the TLS protocol by which the client wishes to
      communicate during this session.  This SHOULD be the latest
      (highest valued) version supported by the client

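So far there is nothing wrong with the trace you posted. This is the normal way to negotiate with TLS. You need to provide more data about the alert. Most likely the client doesn't trust the server certificate.

@Mardanian: Use an SSL proxy or something like WireShark to dig into the SSL protocol. These tools aren't the easiest to use, but most of the time you can see where things go wrong. That said, as EJP suggested, verifying whether the server certificate is trusted should be feasible.

This uses ssl3 on both the record layer and the handshake layer, similar to the picture above.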
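
The distinction the answer draws (the record-layer version and ClientHello.client_version are separate fields, and RFC 5246 requires servers to accept any {03,XX} record version on a ClientHello) can be checked on captured bytes with a small parser. This is an added example, not part of the original thread; the function names are hypothetical and the sample record is constructed with a dummy Random and placeholder cipher suite IDs.

```python
import struct

def build_client_hello(record_version, client_version, n_suites=9):
    """Constructed sample: one record holding a minimal ClientHello."""
    suites = b"".join(struct.pack("!H", 0xFF00 + i) for i in range(n_suites))  # placeholder IDs
    body = (struct.pack("!H", client_version) + bytes(32)      # version + dummy Random
            + b"\x00"                                           # Session ID Length: 0
            + struct.pack("!H", len(suites)) + suites           # cipher suites
            + b"\x01\x00")                                      # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

def inspect_client_hello(data):
    """Split the two version fields and apply the RFC 5246 {03,XX} rule."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    frag = data[5:5 + record_len]
    if len(frag) != record_len or len(frag) < 39:
        raise ValueError("truncated ClientHello")
    if frag[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    client_version = struct.unpack("!H", frag[4:6])[0]
    sid_len = frag[38]                       # after 4-byte header, version, 32-byte Random
    off = 39 + sid_len
    if len(frag) < off + 2:
        raise ValueError("truncated before cipher suites")
    suites_len = struct.unpack("!H", frag[off:off + 2])[0]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "record_version_ok": record_version >> 8 == 3,   # server MUST accept any {03,XX}
        "cipher_suites": suites_len // 2,
    }

if __name__ == "__main__":
    # Same shape as the trace in the question: record 0x0300, ClientHello 0x0301, 9 suites
    print(inspect_client_hello(build_client_hello(0x0300, 0x0301)))
```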