TLSv1.2


Reference version: TLS v1.2, because it is the most widely deployed version. Some parts also refer to v1.3.

Introduction

SSL, Secure Socket Layer: version 3.0 was released in 1995, but in 2014 the POODLE vulnerability (CVE-2014-3566) was found in it.

TLS, Transport Layer Security: TLS 1.0 is equivalent to SSL 3.1 and was designed by the IETF. The relevant document is RFC 2246: TLS Version 1.0. Update history:

The changes in each version can be found in section 1.2 of the RFC. When two parties communicate, they must first negotiate which TLS version to use. TLS 1.2 is currently the most widely deployed; after all, 1.3 was not published until ten years later.

SSL can carry various protocols, such as SMTP for sending mail and POP3 for receiving it. The most widely used is HTTPS, HTTP over Secure Socket Layer, which is effectively HTTP + TLS; see RFC 2818: HTTP Over TLS.

The protocol is composed of two layers:

  • the TLS Record Protocol
    • The connection is private - Symmetric cryptography
    • The connection is reliable - keyed MAC
  • the TLS Handshake Protocol
    • Authentication: The server side of the channel is always authenticated; the client side is optionally authenticated.
    • Confidentiality
    • Integrity

6. The TLS Record Protocol

V1.2: The TLS Record Protocol is used for encapsulation of various higher-level protocols.

V1.3: The record protocol uses the parameters established by the handshake protocol to protect traffic between the communicating peers.

The TLS Record Protocol is a layered protocol.

At each layer, messages may include

  • fields for length
  • description
  • and content.

The Record Protocol takes messages to be transmitted and

  • fragments the data into manageable blocks
  • optionally compresses the data
  • applies a MAC
  • encrypts
  • and transmits the result.

Received data is

  • decrypted
  • verified
  • decompressed
  • reassembled
  • and then delivered to higher-level clients.

Four protocols that use the record protocol are described in this document:

  • the handshake protocol
  • the alert protocol
  • the change cipher spec protocol
  • and the application data protocol.

6.1. Connection States

struct {
    ConnectionEnd entity;
    PRFAlgorithm prf_algorithm;
    BulkCipherAlgorithm bulk_cipher_algorithm;
    CipherType cipher_type;
    uint8 enc_key_length;
    uint8 block_length;
    uint8 fixed_iv_length;
    uint8 record_iv_length;
    MACAlgorithm mac_algorithm;
    uint8 mac_length;
    uint8 mac_key_length;
    CompressionMethod compression_algorithm;
    opaque master_secret[48];
    opaque client_random[32];
    opaque server_random[32];
} SecurityParameters;

The record layer will use the security parameters to generate the following six items (some of which are not required by all ciphers, and are thus empty):

  • client write MAC key
  • server write MAC key
  • client write encryption key
  • server write encryption key
  • client write IV
  • server write IV

6.2. Record Layer

The TLS record layer receives uninterpreted data from higher layers in non-empty blocks of arbitrary size.

This part involves several structures; look them up when needed.

6.3. Key Calculation

The Record Protocol requires an algorithm to generate keys required by the current connection state (see Appendix A.6) from the security parameters provided by the handshake protocol.
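As an added example (not code from the original post or the RFC), the TLS 1.2 PRF of RFC 5246 section 5 and the key_block derivation of section 6.3 in Python, partitioning the block into the six items listed in section 6.1. The demo values are constructed; the lengths are those of an AES-128-GCM suite (no MAC key, 16-byte key, 4-byte fixed IV per RFC 5288), which shows the "empty item" case.

```python
import hmac
import hashlib

def p_hash(secret: bytes, seed: bytes, length: int, digestmod=hashlib.sha256) -> bytes:
    """P_hash (RFC 5246 section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed). SHA-384 suites substitute their own hash."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Section 8.1: the 48-byte master_secret from the premaster secret and both randoms."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_key_length: int, enc_key_length: int, fixed_iv_length: int) -> dict:
    """Section 6.3: key_block = PRF(master_secret, "key expansion", server_random + client_random),
    partitioned into the six items of section 6.1. Note the randoms are in the opposite order
    from the master secret derivation, and an item whose length is 0 is simply empty."""
    total = 2 * (mac_key_length + enc_key_length + fixed_iv_length)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_MAC_key", mac_key_length), ("server_write_MAC_key", mac_key_length),
              ("client_write_key", enc_key_length), ("server_write_key", enc_key_length),
              ("client_write_IV", fixed_iv_length), ("server_write_IV", fixed_iv_length)]
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

if __name__ == "__main__":
    # Constructed demo values, not real traffic. RSA premaster secret shape: client_version || 46 random bytes.
    # Lengths are those of an AES-128-GCM suite (RFC 5288): no MAC key, 16-byte key, 4-byte fixed IV.
    pms = b"\x03\x03" + bytes(46)
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    for name, value in key_block(master_secret(pms, cr, sr), cr, sr, 0, 16, 4).items():
        print(f"{name:22s} {value.hex() or '(empty)'}")
```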

7. The TLS Handshaking Protocols

The Handshake Protocol is responsible for negotiating a session, which consists of the following items:

  • session identifier
  • peer certificate: X509v3 [PKIX]
  • compression method
  • cipher spec
    • the pseudorandom function (PRF)
    • data encryption algorithm
    • MAC algorithm (and mac_length)
  • 48-byte master secret
  • is resumable

A certificate is simply a public key carrying a CA's digital signature.

X.509 specification: RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

7.1. Change Cipher Spec Protocol

struct {
    enum { 
        change_cipher_spec(1), 
        (255) 
    } type;
} ChangeCipherSpec;

7.2. Alert Protocol

enum {
    warning(1), 
    fatal(2), 
    (255) 
} AlertLevel;
enum {
    close_notify(0),
    unexpected_message(10),
    bad_record_mac(20),
    decryption_failed_RESERVED(21),
    record_overflow(22),
    decompression_failure(30),
    handshake_failure(40),
    no_certificate_RESERVED(41),
    bad_certificate(42),
    unsupported_certificate(43),
    certificate_revoked(44),
    certificate_expired(45),
    certificate_unknown(46),
    illegal_parameter(47),
    unknown_ca(48),
    access_denied(49),
    decode_error(50),
    decrypt_error(51),
    export_restriction_RESERVED(60),
    protocol_version(70),
    insufficient_security(71),
    internal_error(80),
    user_canceled(90),
    no_renegotiation(100),
    unsupported_extension(110),
    (255)
} AlertDescription;

struct {
    AlertLevel level;
    AlertDescription description;
} Alert;

7.3. Handshake Protocol Overview

When a TLS client and server first start communicating, they

  • agree on a protocol version,
  • select cryptographic algorithms,
  • optionally authenticate each other,
  • use public-key encryption techniques to generate shared secrets.

Steps:

  1. Exchange hello messages
  2. Exchange the necessary cryptographic parameters to agree on a premaster secret.
  3. Exchange certificates and cryptographic information
  4. Generate a master secret from the premaster secret and exchanged random values.
  5. Provide security parameters to the record layer
  6. Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker.

Note that the steps above do not by themselves prevent a man-in-the-middle attack; that depends on the peer's certificate actually being verified in step 3.

The ClientHello and ServerHello establish the following attributes:

  • Protocol Version
  • Session ID
  • Cipher Suite
  • Compression Method

and exchange two random values: ClientHello.random and ServerHello.random.

The actual key exchange uses up to four messages:

  • the server Certificate
  • the ServerKeyExchange
  • the client Certificate
  • the ClientKeyExchange

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

An asterisk marks an optional message.

ChangeCipherSpec is not part of the handshake protocol; it is a separate TLS sub-protocol (hence the square brackets).

If the two sides resume a previous session, the handshake is as follows:

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                               [ChangeCipherSpec]
                                   <--------             Finished
      [ChangeCipherSpec]
      Finished                     -------->
      Application Data             <------->     Application Data

7.4. Handshake Protocol

This part only lists the message types; the format of each message is not reproduced here.

enum {
    hello_request(0), client_hello(1), server_hello(2),
    certificate(11), server_key_exchange(12),
    certificate_request(13), server_hello_done(14),
    certificate_verify(15), client_key_exchange(16),
    finished(20), (255)
} HandshakeType;

struct {
    HandshakeType msg_type; /* handshake type */
    uint24 length; /* bytes in message */
    select (HandshakeType) {
        case hello_request: HelloRequest;
        case client_hello: ClientHello;
        case server_hello: ServerHello;
        case certificate: Certificate;
        case server_key_exchange: ServerKeyExchange;
        case certificate_request: CertificateRequest;
        case server_hello_done: ServerHelloDone;
        case certificate_verify: CertificateVerify;
        case client_key_exchange: ClientKeyExchange;
        case finished: Finished;
    } body;
} Handshake;
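As an added example (not code from the original post or the RFC), a small parser for the record layer header of section 6.2 and the Handshake header above, applied to a TLS 1.2 ClientHello that is constructed inline rather than captured. It also enforces the 2^14-byte fragment limit that would otherwise be reported with the record_overflow alert from section 7.2.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
MAX_FRAGMENT = 2 ** 14  # TLSPlaintext.length must not exceed 2^14 bytes (section 6.2.1)

def parse_record(data: bytes) -> dict:
    """Parse one TLSPlaintext header: type(1) version(2) length(2), then return the fragment."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if length > MAX_FRAGMENT:
        raise ValueError("record_overflow")  # a conforming peer answers with that fatal alert
    if len(data) < 5 + length:
        raise ValueError("truncated record fragment")
    return {"type": CONTENT_TYPES.get(ctype, ctype), "version": (major, minor),
            "fragment": data[5:5 + length]}

def parse_handshake(fragment: bytes) -> dict:
    """Parse the Handshake header of section 7.4: msg_type(1) and uint24 length, then the body."""
    if len(fragment) < 4:
        raise ValueError("truncated handshake header")
    msg_type = fragment[0]
    length = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    msg = {"msg_type": HANDSHAKE_TYPES.get(msg_type, msg_type), "length": length}
    if msg_type == 1:
        msg.update(parse_client_hello(body))
    return msg

def parse_client_hello(body: bytes) -> dict:
    """ClientHello body: client_version, random[32], session_id<0..32>, cipher_suites, compression_methods."""
    sid_len = body[34]
    off = 35 + sid_len
    cs_len = int.from_bytes(body[off:off + 2], "big")
    suites = [body[i:i + 2].hex() for i in range(off + 2, off + 2 + cs_len, 2)]
    off += 2 + cs_len
    comps = list(body[off + 1:off + 1 + body[off]])
    return {"client_version": (body[0], body[1]), "random": body[2:34], "session_id": body[35:35 + sid_len],
            "cipher_suites": suites, "compression_methods": comps}

def build_client_hello() -> bytes:
    """Constructed sample (not captured traffic): a minimal TLS 1.2 ClientHello offering two suites."""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"          # version 1.2, random, empty session_id
            + b"\x00\x04" + b"\xc0\x2f\x00\x2f"               # cipher_suites: 0xC02F, 0x002F
            + b"\x01\x00")                                    # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1) + uint24 length
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake  # handshake(22) record
```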

10. Application Data Protocol

Application data messages are carried by the record layer and are fragmented, compressed, and encrypted based on the current connection state.

The messages are treated as transparent data to the record layer.

Appendix A. Protocol Data Structures and Constant Values

Appendix A defines the enumerated types of each sub-protocol. They are handy to cross-reference when analyzing packet captures, although Wireshark labels them all automatically anyway.

A.1. Record Layer

A.2. Change Cipher Specs Message

A.3. Alert Messages

A.4. Handshake Protocol

A.5. The Cipher Suite

A.6. The Security Parameters

OpenSSL example

https://github.com/C0deStarr/TestOpenSSL/tree/master/tls

References

RFC 5246: TLS Version 1.2

RFC 8446: TLS Version 1.3
