I. HTTPS handshake process
1.1 Full TLS handshake

1.2 One-way authentication capture
TLSv1.2 571 Client Hello
TLSv1.2 150 Server Hello
TLSv1.2 895 Certificate
TLSv1.2 392 Server Key Exchange
TLSv1.2 63 Server Hello Done
TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60 Change Cipher Spec
TLSv1.2 99 Encrypted Handshake Message
TLSv1.2 406 Application Data
TLSv1.2 328 Application Data
1.3 Mutual authentication capture
TLSv1.2 358 Client Hello
TLSv1.2 996 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
TLSv1.2 534 Certificate
TLSv1.2 332 Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 60 Change Cipher Spec
TLSv1.2 99 Encrypted Handshake Message
TLSv1.2 115 Application Data
II. Packet details (capture source: Wireshark)
1. Client Hello
Source location:
Source: library/ssl_cli.c;
Func: ssl_write_client_hello();
Handshake protocol:
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 295
Version: TLS 1.2 (0x0303)
Random: 5f2933702428c5b2819c30feb9fc52b3483feedd7faf64c2…
GMT Unix Time: Aug 4, 2020 18:07:44.000000000 CST
Random Bytes: 2428c5b2819c30feb9fc52b3483feedd7faf64c22162e198…
Session ID Length: 0
Cipher Suites Length: 160
Cipher Suites (80 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 94
Extension: server_name (len=18)
Extension: signature_algorithms (len=22)
Extension: supported_groups (len=24)
Extension: ec_point_formats (len=2)
Extension: encrypt_then_mac (len=0)
Extension: extended_master_secret (len=0)
Extension: session_ticket (len=0)
Field description:
Version: TLS version;
Random: first 4 bytes: timestamp; remaining 28 bytes: random data;
Cipher Suites: cipher suites supported by the client;
2. Server Hello
Source location:
Source: library/ssl_cli.c;
Func: ssl_parse_server_hello();
Handshake protocol:
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 81
Version: TLS 1.2 (0x0303)
Random: 5f29336af1104faf18544577413080cb7f8932fd5c4d2249…
GMT Unix Time: Aug 4, 2020 18:07:38.000000000 CST
Random Bytes: f1104faf18544577413080cb7f8932fd5c4d2249fb8db872…
Session ID Length: 32
Session ID: 5f29336a02f78561926108084594d22cd6804819da2d9bd9…
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Compression Method: null (0)
Extensions Length: 9
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
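Field description:
Version: TLS version;
Random: random sequence; first 4 bytes: timestamp; remaining 28 bytes: random data;
Cipher Suite: the cipher suite selected after negotiation between server and client;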
3. Certificate
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_certificate();
Handshake protocol:
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 484
Certificates Length: 481
Certificates (481 bytes)
Certificate Length: 478
Certificate: 308201da30820180021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=svr.example.iwall.com,id-at-organizationalUnitName=SERVER,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-co
signedCertificate
algorithmIdentifier (ecdsa-with-SHA256)
Padding: 0
encrypted: 30450221009499d98c1ea5963eaba85216b98de2ff45f5af…
Field description:
Version: TLS version;
Certificates: certificate information;
4. Server Key Exchange
Source location:
Source: library/ssl_cli.c;
Func: ssl_parse_server_key_exchange();
Handshake protocol:
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 211
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp521r1 (0x0019)
Pubkey Length: 133
Pubkey: 04010a9d9275a1702a5eb822432c2f728e18613768c4818a…
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 70
Signature: 3044022031c64f7e6fe642e6729bdf1822e1345e24858e13…
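Field description:
EC Diffie-Hellman Server Params
Pubkey: with ECDH, the client uses the server public key from the certificate, and the server does not send Server Key Exchange.
With ECDHE, the server sends its ephemeral ECDH public key to the client in the Server Key Exchange message and signs that ephemeral public key with the server private key.
Signature Algorithm: the signature algorithm
Signature: the signature made with the server private key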
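A client has to split the ECDHE Server Key Exchange body into the ephemeral key and the signature before it can verify anything, and every length must be checked against the message length first. This added example (not mbedtls code; `ske_ecdhe_t`, `parse_ske_ecdhe` and `build_sample_ske` are hypothetical names) does that split for the field sizes in the capture above, 1 + 2 + 1 + 133 + 2 + 2 + 70 = 211 bytes, and leaves signature verification out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint16_t named_curve;    /* 0x0019 = secp521r1 in the capture */
    const uint8_t *pubkey;   /* ephemeral point, uncompressed (leading 0x04) */
    uint8_t  pubkey_len;
    uint16_t sig_alg;        /* hash byte followed by signature byte */
    const uint8_t *sig;      /* DER-encoded ECDSA signature */
    uint16_t sig_len;
} ske_ecdhe_t;

/* Parse a TLS 1.2 ECDHE ServerKeyExchange body. Returns 0 on success and -1 on
 * any truncated, unsupported or inconsistent field. */
int parse_ske_ecdhe(const uint8_t *p, size_t len, ske_ecdhe_t *out)
{
    if (len < 4 || p[0] != 0x03) return -1;           /* curve type: named_curve only */
    out->named_curve = (uint16_t)((p[1] << 8) | p[2]);
    out->pubkey_len = p[3];
    if (out->pubkey_len == 0 || len - 4 < out->pubkey_len) return -1;
    out->pubkey = p + 4;
    if (out->pubkey[0] != 0x04) return -1;            /* uncompressed points only */
    size_t off = 4 + (size_t)out->pubkey_len;
    if (len - off < 4) return -1;                     /* sig alg (2) + sig length (2) */
    out->sig_alg = (uint16_t)((p[off] << 8) | p[off + 1]);
    out->sig_len = (uint16_t)((p[off + 2] << 8) | p[off + 3]);
    off += 4;
    if (len - off != out->sig_len) return -1;         /* no missing or trailing bytes */
    out->sig = p + off;
    return 0;
}

/* Constructed sample with the field sizes and identifiers from the capture;
 * key and signature bytes, truncated on the page, are 0xAA placeholders.
 * buf must hold at least 211 bytes. */
size_t build_sample_ske(uint8_t *buf)
{
    memset(buf, 0xAA, 211);
    buf[0] = 0x03; buf[1] = 0x00; buf[2] = 0x19;   /* named_curve, secp521r1 */
    buf[3] = 133;  buf[4] = 0x04;                  /* Pubkey Length, point format */
    buf[137] = 0x06; buf[138] = 0x03;              /* ecdsa_secp521r1_sha512 */
    buf[139] = 0x00; buf[140] = 70;                /* Signature Length: 70 */
    return 211;
}
```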
5. Certificate Request
Source location:
Source: library/ssl_cli.c;
Func: ssl_parse_certificate_request();
Handshake protocol:
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 141
Certificate types count: 3
Certificate types (3 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Certificate type: ECDSA Sign (64)
Signature Hash Algorithms Length: 20
Signature Hash Algorithms (10 algorithms)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Algorithm: SHA256 DSA (0x0402)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Algorithm: SHA1 DSA (0x0202)
Distinguished Names Length: 113
Distinguished Names (113 bytes)
Distinguished Name Length: 111
Distinguished Name: (id-at-commonName=ca.example.iwall.com,id-at-organizationalUnitName=CA,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)
6. Server Hello Done
Source location:
Source: library/ssl_cli.c;
Func: ssl_parse_server_hello_done();
Handshake protocol:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
7. Certificate
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_certificate();
Handshake protocol:
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 475
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 471
Certificates Length: 468
Certificates (468 bytes)
Certificate Length: 465
Certificate: 308201cd30820172021475bda3ed4a9e4fcba43686b12069… (id-at-commonName=Android,id-at-organizationalUnitName=CLIENT,id-at-organizationName=IWall,id-at-localityName=HaiDian,id-at-stateOrProvinceName=BeiJing,id-at-countryName=CN)
signedCertificate
algorithmIdentifier (ecdsa-with-SHA256)
Padding: 0
encrypted: 3046022100d2ff654bad8f8c917bce6e61c7c0767c661cbf…
8. Client Key Exchange
Source location:
Source: library/ssl_cli.c;
Func: ssl_write_client_key_exchange();
Handshake protocol:
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 70
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 047b18a25c26f22f7cea0307b89dcb483167a9d3bdb21929…
9. Certificate Verify
Source location:
Source: library/ssl_cli.c;
Func: ssl_write_certificate_verify();
Handshake protocol:
TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 79
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 75
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature length: 71
Signature: 3045022100c6a116675a6b42fef04d673fe305a6f961ff1e…
Field description:
Signature: the signature, made with the client private key over the protocol content.
10. Change Cipher Spec
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_change_cipher_spec();
Protocol message:
Transport Layer Security
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
Field description:
Change Cipher Spec Message: the client sends a ChangeCipherSpec message to indicate that it intends to switch cipher suites.
Removed in TLS 1.3.
11. Encrypted Handshake Message (Finished)
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_write_finished();
Protocol message:
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
Field description:
The client sends the Finished message to indicate that the handshake is complete.
12. Change Cipher Spec
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_change_cipher_spec();
Protocol message:
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
Field description:
The server sends a Change Cipher Spec message to indicate that it intends to switch cipher suites.
13. Encrypted Handshake Message (Finished)
Source location:
Source: library/ssl_cli.c;
Func: mbedtls_ssl_parse_finished();
Protocol message:
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
Field description:
The server sends the Finished message to indicate that the handshake is complete.
14. Application data message
Transport Layer Security
TLSv1.3 Record Layer: Application Data Protocol: http-over-tls
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 3172
Encrypted Application Data: 3358e1ab02e292ef8a2734a7648250ec251dcc04c8a95504…
