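Study notes on fallback_scsv

1. What the parameter does

If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest protocol version supported by the server is higher than the version indicated in ClientHello.client_version, the server must respond with a fatal inappropriate_fallback alert (unless it responds with a fatal protocol_version alert).
Otherwise the server proceeds with the handshake as usual.

That sounds a bit convoluted, so let's look at an example.

2. Verification

1. Test environment:

server (supports SSLv3:TLSv1:TLSv11:TLSv12:TLSv13:SM2v11)

client (openssl, supports SSLv3:TLSv1:TLSv11:TLSv12:TLSv13; the version number in the ClientHello is set with a command-line option)

2. Test steps

1. The client connects without the -fallback_scsv option, specifying tls1: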

root@array-virtual-machine:/opt/bx/cert1# openssl s_client -connect 192.168.121.29:443  -tls1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = ch, ST = shanxi, L = xian, O = qa, OU = qa, OU = q, OU = q, CN = v1, emailAddress = c
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ch, ST = shanxi, L = xian, O = qa, OU = qa, OU = q, OU = q, CN = v1, emailAddress = c
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = ch, ST = shanxi, L = xian, O = qa, OU = qa, OU = q, OU = q, CN = v1, emailAddress = c
verify return:1
---
Certificate chain
 0 s:C = ch, ST = shanxi, L = xian, O = qa, OU = qa, OU = q, OU = q, CN = v1, emailAddress = c
   i:C = CN, ST = Beijing, L = Beijing, O = "INFOSEC Technologies, Inc", CN = INFOSEC Technologies, emailAddress = support@infosec.com.cn
---
Server certificate
subject=C = ch, ST = shanxi, L = xian, O = qa, OU = qa, OU = q, OU = q, CN = v1, emailAddress = c

issuer=C = CN, ST = Beijing, L = Beijing, O = "INFOSEC Technologies, Inc", CN = INFOSEC Technologies, emailAddress = support@infosec.com.cn

---
Acceptable client certificate CA names
C = CN, O = testCA1.com.cn, CN = testCA1_rootCA
C = CN, ST = shanxi, O = array, OU = qa, OU = qax, CN = ZSRSA, emailAddress = zhangsun@arraynetworks.com.cn, L = xian
C = CN, ST = shaanxi, O = array, OU = qa, CN = zlm, emailAddress = zhanglm@arraynetworks.com.cn
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1325 bytes and written 442 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: EB1AAC5106E9623EE91B302F46EDE37DB766AA060929354F64132B4CE264655F
    Session-ID-ctx:
    Master-Key: B6D172DB738F79E9CE98949B8FC562268E8B477D7888F7F6038341A2925AD5F621D7E2D43A9977415B7354BD258965B0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1701363604
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
^C
root@array-virtual-machine:/opt/bx/cert1# 

As you can see, the handshake succeeded.

2. The client connects with the -fallback_scsv option, specifying tls1:

root@array-virtual-machine:/opt/bx/cert1# openssl s_client -connect 192.168.121.29:443 -fallback_scsv -tls1
CONNECTED(00000003)
140169594119488:error:1409443E:SSL routines:ssl3_read_bytes:tlsv1 alert inappropriate fallback:ssl/record/rec_layer_s3.c:1543:SSL alert number 86
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 106 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1701364057
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
root@array-virtual-machine:/opt/bx/cert1# 

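As you can see, the handshake failed.

3. Verification (packet capture results)

This is the capture of a successful handshake made without the option:

The cipher suites sent by the client do not include fallback_scsv

When the client specifies fallback_scsv:

The ClientHello includes the fallback_scsv value, and the specified protocol, tls1, is lower than the highest version the server supports, tls1.3, so the handshake fails and the server replies with an alert and closes the connection:

Specifying tls1.2 also fails:

Specifying tls1.3, which matches the highest version the server supports, the handshake succeeds: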
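
The server-side rule from section 1, applied to the cases in the capture, as an added Python example that is not part of the original post or of any TLS library. The `build_hello` helper and its ClientHello bodies are constructed sample input, and taking the client's version from the `supported_versions` extension (ignoring GREASE values) for a TLS 1.3 hello is this example's assumption about how the comparison is made.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86       # alert number shown in the s_client output
EXT_SUPPORTED_VERSIONS = 43       # TLS 1.3 clients list their real versions here
TLS10, TLS12, TLS13 = 0x0301, 0x0303, 0x0304

def parse_client_hello(body):
    """Return (highest offered version, cipher suites) from a ClientHello body."""
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # skip session_id
    n = struct.unpack_from("!H", body, pos)[0]
    suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                           # skip compression_methods
    if pos < len(body):                            # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            if etype == EXT_SUPPORTED_VERSIONS:
                k = body[pos + 4]
                offered = struct.unpack_from("!%dH" % (k // 2), body, pos + 5)
                # GREASE placeholders (0x0a0a, 0x1a1a, ...) are not versions
                version = max((v for v in offered if v & 0x0f0f != 0x0a0a),
                              default=version)
            pos += 4 + elen
    return version, suites

def fallback_check(body, server_max):
    """Return the alert number to send, or None to continue the handshake."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and server_max > version:
        return INAPPROPRIATE_FALLBACK
    return None

def build_hello(version, suites, supported_versions=None):
    """Constructed sample input: a minimal ClientHello body, not a capture."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                            # one compression method: null
    if supported_versions:
        sv = struct.pack("!%dH" % len(supported_versions), *supported_versions)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(sv) + 1, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    return body

if __name__ == "__main__":
    for v in (TLS10, TLS12):                       # both are below the server's TLS 1.3
        print(hex(v), fallback_check(build_hello(v, [0x0035, 0x5600]), TLS13))
```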
