一、HTTPS 握手过程
1.1 TLS 完整握手过程
1.2 单项认证数据
TLSv1.2 571 Client Hello
TLSv1.2 150 Server Hello
TLSv1.2 895 Certificate
TLSv1.2 392 Server Key Exchange
TLSv1.2 63 Server Hello Done
TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60 Change Cipher Spec
TLSv1.2 99 Encrypted Handshake Message
TLSv1.2 406 Application Data
TLSv1.2 328 Application Data
1.3 双向认证数据
TLSv1.2 358 Client Hello
TLSv1.2 996 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
TLSv1.2 534 Certificate
TLSv1.2 332 Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60 Change Cipher Spec
TLSv1.2 99 Encrypted Handshake Message
TLSv1.2 115 Application Data
二、包详细信息(抓包信息 From:WireShark)
1. Client Hello
资源路径:
Source: library/ssl_cli.c;
Func: ssl_write_client_hello();
握手协议:
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 295
Version: TLS 1.2 (0x0303)
Random: 5f2933702428c5b2819c30feb9fc52b3483feedd7faf64c2…
GMT Unix Time: Aug 4, 2020 18:07:44.000000000 CST
Random Bytes: 2428c5b2819c30feb9fc52b3483feedd7faf64c22162e198…
Session ID Length: 0
Cipher Suites Length: 160
Cipher Suites (80 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 94
Extension: server_name (len=18)
Extension: signature_algorithms (len=22)
Extension: supported_groups (len=24)
Extension: ec_point_formats (len=2)
Extension: encrypt_then_mac (len=0)
Extension: extended_master_secret (len=0)
Extension: session_ticket (len=0)
函数说明:
Version: TLS 版本信息;
Random: 前四位:时间戳,后28位:随机数;
Cipher Suites: 客户端支持的组件;
2. Server Hello
资源路径:
Source: library/ssl_cli.c;
Func: ssl_parse_server_hello();
握手协议:
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 81
Version: TLS 1.2 (0x0303)
Random: 5f29336af1104faf18544577413080cb7f8932fd5c4d2249…
GMT Unix Time: Aug 4, 2020 18:07:38.000000000 CST
Random Bytes: f1104faf18544577413080cb7f8932fd5c4d2249fb8db872…
Session ID Length: 32
Session ID: 5f29336a02f78561926108084594d22cd6804819da2d9bd9…
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Compression Method: null (0)
Extensions Length: 9
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
函数说明:
Version: TLS 版本信息;
Random: 随机数序列,前四位:时间戳,后28位:随机数;
Cipher Suite: 服务端与客户端协商之后的密码套件;
3. Certificate
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_certificate();
握手协议:
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 484
Certificates Length: 481
Certificates (481 bytes)
Certificate Length: 478
Certificate: 308201da30820180021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=svr.example.iwall.com,id-at-organizationalUnitName=SERVER,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-co
signedCertificate
algorithmIdentifier (ecdsa-with-SHA256)
Padding: 0
encrypted: 30450221009499d98c1ea5963eaba85216b98de2ff45f5af…
函数说明:
Version: TLS 版本信息;
Certificates: 证书信息;
4. Server Key Exchange
资源路径:
Source: library/ssl_cli.c;
Func: ssl_parse_server_key_exchange();
握手协议:
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 211
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp521r1 (0x0019)
Pubkey Length: 133
Pubkey: 04010a9d9275a1702a5eb822432c2f728e18613768c4818a…
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 70
Signature: 3044022031c64f7e6fe642e6729bdf1822e1345e24858e13…
函数说明:
EC Diffie-Hellman Server Params
Pubkey: 若使用 ECDH,客户端使用证书中的服务器公钥,服务端不发送 Server Key Exchange。
若使用 ECDHE,服务器将通过 Server Key Exchange 消息告之客户端临时 ECDH 公钥,并使用服务器私钥 对该临时公钥进行签名。
Signature Algorithm: 签名算法
Signature: 服务器私钥签名
5. Certificate Request
资源路径:
Source: library/ssl_cli.c;
Func: ssl_parse_certificate_request();
握手协议:
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 141
Certificate types count: 3
Certificate types (3 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Certificate type: ECDSA Sign (64)
Signature Hash Algorithms Length: 20
Signature Hash Algorithms (10 algorithms)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Algorithm: SHA256 DSA (0x0402)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Algorithm: SHA1 DSA (0x0202)
Distinguished Names Length: 113
Distinguished Names (113 bytes)
Distinguished Name Length: 111
Distinguished Name: (id-at-commonName=ca.example.iwall.com,id-at-organizationalUnitName=CA,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)
6. Server Hello Done
资源路径:
Source: library/ssl_cli.c;
Func: ssl_parse_server_hello_done();
握手协议:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
7. Certificate
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_certificate();
握手协议:
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 475
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 471
Certificates Length: 468
Certificates (468 bytes)
Certificate Length: 465
Certificate: 308201cd30820172021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=Android,id-at-organizationalUnitName=CLIENT,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)
signedCertificate
algorithmIdentifier (ecdsa-with-SHA256)
Padding: 0
encrypted: 3046022100d2ff654bad8f8c917bce6e61c7c0767c661cbf…
8. Client Key Exchange
资源路径:
Source: library/ssl_cli.c;
Func: ssl_write_client_key_exchange();
握手协议:
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 70
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 047b18a25c26f22f7cea0307b89dcb483167a9d3bdb21929…
9. Certificate Verify
资源路径:
Source: library/ssl_cli.c;
Func: ssl_write_certificate_verify();
握手协议:
TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 79
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 75
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature length: 71
Signature: 3045022100c6a116675a6b42fef04d673fe305a6f961ff1e…
函数说明:
Signature: 签名,使用客户端私钥对协议内容签名。
10. Change Cipher Spec
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_change_cipher_spec();
协议报文:
Transport Layer Security
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
函数说明:
Change Cipher Spec Message: 客户端发送 ChangeCipherSpec 消息,表示客户端期望变更密码套件。
TLS1.3 内已经移除。
11. Encrypted Handshake Message (Finished)
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_finished();
协议报文:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
函数说明:
客户端发送 Finished 消息,表示握手过程已经完成。
12. Change Cipher Spec
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_change_cipher_spec();
协议报文:
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
函数说明:
服务器发送 Change Cipher Spec 消息,表示服务器期望切换密码套件。
13. Encrypted Handshake Message (Finished)
资源路径:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_finished();
协议报文:
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
函数说明:
服务器发送 Finish 消息,表示握手过程已经完成。
14. 消息报文
Transport Layer Security
TLSv1.3 Record Layer: Application Data Protocol: http-over-tls
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 3172
Encrypted Application Data: 3358e1ab02e292ef8a2734a7648250ec251dcc04c8a95504…