TLS SNI测试

最新推荐文章于 2024-06-07 08:02:41 发布
最新推荐文章于 2024-06-07 08:02:41 发布
阅读量2.2k 收藏 4
点赞数 1
分类专栏: Network
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u011354817/article/details/105275754
版权

文章目录

概述

服务器名称指示(Server Name Indication,缩写:SNI)是TLS的一个扩展协议,首次发布在openssl 0.9.8f版本。

在该协议下,在握手过程开始时客户端告诉它正在连接的服务器要连接的主机名称。这允许服务器在相同的IP地址和TCP端口号上呈现多个证书,并且因此允许在相同的IP地址上提供多个安全(HTTPS)网站(或其他任何基于TLS的服务),而不需要所有这些站点使用相同的证书。它与HTTP/1.1基于名称的虚拟主机的概念相同,但是用于HTTPS。所需的主机名未加密,因此窃听者可以查看请求的网站。

测试

openssl测试环境的搭建参见:centos下搭建openssl测试环境

以上的基础上,再创建一个服务器证书和服务器CA认证请求文件(指定Common Name,例如Bu2),并通过CA认证:req3.pem、sslservercert2.pem、sslserverkey2.pem。

启动服务器

指定servername为Bu2。

# openssl s_server -tlsextdebug -state -serverpref -cert sslservercert.pem -key sslserverkey.pem -servername Bu2 -cert2 sslservercert2.pem -key2 sslserverkey2.pem -CAfile cacert.pem
Enter pass phrase for sslserverkey.pem:
Enter pass phrase for sslserverkey2.pem:
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT

客户端发起连接,不指定servername

$ openssl s_client -tlsextdebug -state -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL_connect:SSLv3 read server hello A
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = BUPT
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIJALw6A4esvB1yMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAkNBMB4XDTIwMDQwMTE1MjcwNFoXDTIx
MDQwMTE1MjcwNFowVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEQlVQ
VDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtgnZu6ho9B4KeQTPKfw8KuZ7
SPiIpvN7bDQb7yEH8lXdcw0NB+VB/iZuT/cwwAWlXJNW0qokAxFn6lt8QMtubnUs
vRjY31Tg7cTmcxArwP8kBXF4M4GGXqR9wEI9hvbTJfuwqRB5vkNfvSjBH0hdzgp9
YM7mUbcFNt5W0z+0CzUCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK1ioXQA
hnLUJAM+8Z1RkHsRQwEAMB8GA1UdIwQYMBaAFOdla/T+Y5c4EQQqbXYITYFVIA1r
MA0GCSqGSIb3DQEBCwUAA4IBAQA7631/iAO/poTvnkNzUKxW/WOQoo6AavZoEN1s
MlYpIKp2dzHB/b/TFBEC0PIK5EpRifSXS4t+v1IGVZecqYExsy4yX0U/jPXcQbmO
NYwrgFvMG3k0/5qBuZNuYw7KYLtAIstl+V8/LcRK3c76znrAb29stU6g5hEgmVUY
/k7K7JG8AprC5fU1pRaourhykbFCx7LxFyMzv2cwNoNkYmaU45SZGo8QBa0WWZuy
tAHWCflq2RqEaccFu1i3PSrkCaOUCXTbOvoM0pqjLgraU1gS/6bsseYd4aiOpfhz
b9pdF+0n3FU1LG7LoQphpDXCH/mergr8+J5MF1PdqbdIki53
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2229 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DC99116895F8D855B735CABAB93FA657D17C28757622608E633F9E94D0283838
    Session-ID-ctx:
    Master-Key: 7D0E0914F93B4EB9253BC766EEC58156C207E26E855BF937185F0633A59F4C1A8F3CEEAC477FA1E07CCE9CD7B288A618
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 17 44 73 28 91 e6 50 a9-0b 35 fa e6 5d 16 cf 25   .Ds(..P..5..]..%
    0010 - 15 8b 47 f3 ef 59 48 81-9a 80 65 92 6c c2 99 62   ..G..YH...e.l..b
    0020 - de d0 f3 04 32 2b 1e b0-a9 64 86 2f 46 25 e3 9a   ....2+...d./F%..
    0030 - e9 4c 4a d7 3c b4 dd ea-04 c9 ef 46 a7 a6 de 7d   .LJ.<......F...}
    0040 - 38 b7 0f 19 e5 b5 fa 5e-6f 07 55 78 ea 21 74 6b   8......^o.Ux.!tk
    0050 - 56 4e bc 7d 02 39 e4 02-e6 e3 e4 99 8e 5d a2 bd   VN.}.9.......]..
    0060 - 34 d4 c3 d1 98 58 87 ac-dc f9 e4 4d 77 f1 7e bd   4....X.....Mw.~.
    0070 - 65 33 75 a8 68 93 31 eb-1d 3d 72 eb 76 85 7f 09   e3u.h.1..=r.v...
    0080 - 2a a3 ca 37 07 0e fe 33-82 13 c3 9b db 63 86 3b   *..7...3.....c.;
    0090 - d9 94 e3 de 56 07 94 46-b3 5b 09 a6 05 5e 1d c9   ....V..F.[...^..

    Start Time: 1585822450
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

如上,认证时服务器会使用默认的BUPT对应的证书。

服务器端打印如下:

SSL_accept:before/accept initialization
TLS client extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS client extension "elliptic curves" (id=10), len=10
0000 - 00 08 00 17 00 19 00 18-00 16                     ..........
TLS client extension "session ticket" (id=35), len=0
TLS client extension "signature algorithms" (id=13), len=32
0000 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01   ................
0010 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03   ................
TLS client extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client certificate A
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDB9DgkU+TtOuSU7x2buxYFWwgfiboVb+TcYXwYzpZ9M
Go887qxHf6HgfM6c17KIphihBgIEXoW68qIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

客户端发起连接,指定servername

如下,多了SNI相关的打印:TLS server extension “server name” (id=0), len=0等等。

$ openssl s_client -tlsextdebug -state -servername Bu2 -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL_connect:SSLv3 read server hello A
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = Bu2
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Bu2
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIJALw6A4esvB10MA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAkNBMB4XDTIwMDQwMjA4MjIwNFoXDTIx
MDQwMjA4MjIwNFowUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDQnUy
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdhzCUvJ5VJT6iMT+zEkES7PXj
Myw5yEtjA0ttl9VwEBChYO5GckmFkQWJzzNX8GVpMNvTezj9diA/uScNJW1n0uGE
4E3kz3drZspb2oVymMh/swG6LqDhkJ9oChoIZRSKXJrjeg8SzeAQFteW5o5dsbV5
ZgKHYI+3w+iljDl76wIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQf
Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUfRmXVtsi
DruMhqb8WTMwnpGd2P8wHwYDVR0jBBgwFoAU52Vr9P5jlzgRBCptdghNgVUgDWsw
DQYJKoZIhvcNAQELBQADggEBAE6em9pbkNEEGvDfJlefyRk/tXY2U8781stJH0BM
MMI2W1zYqHQOw1pc40JEJ6+QUQd3/7rVfiAC/bop5kmT3kRhfLiPI9+TBqqhzk5a
9hnmz2KqOFUo/twCJSaQ7tFDOVns4LW7b3+OfXQkOe/4LVYoynpxaEbSEa4iOnX5
mEAyPg9peJvZRNFuPqyY36/8bcrFfyccklPN4O61xUKtmxY8uJWYgYT1yvwlMS1e
BcHVC/V/Vm/oFybqUGgRDJScLFgTnq0FaGZ1eAF4yd9E/G53fRknJRXFonH2rGs9
J6Pt5Kvry9fVgDqIpIpHKQMR3Ftc1cxIubeFrnQWIwxk0fY=
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Bu2
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2232 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F2F0A9795DB4574F5E135E5096514707614A6326CCA1F97142E20F6852EA1F69
    Session-ID-ctx:
    Master-Key: 531F61C9C7AD2066A2F2132E1F45600BF3A481289080A27991C5896662C2C0D563CB8BED5F51A6B0A0679598CF099537
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 17 44 73 28 91 e6 50 a9-0b 35 fa e6 5d 16 cf 25   .Ds(..P..5..]..%
    0010 - 46 46 44 e8 54 12 8f 6e-5c ce f4 b7 de 91 8d 1f   FFD.T..n\.......
    0020 - db 5c 3a e1 ab c2 e9 07-f3 a5 dd 84 6c 4c 1f eb   .\:.........lL..
    0030 - 84 57 96 85 d0 8d 0b 62-5b d2 6c 40 b5 58 8d 1b   .W.....b[.l@.X..
    0040 - 08 a6 f7 ab 76 87 ea a7-6a 7e 72 74 b1 f8 d2 ba   ....v...j~rt....
    0050 - ac 93 61 8c ff a8 cd ca-f8 17 d6 20 84 32 37 f2   ..a........ .27.
    0060 - 6f 42 64 ce 51 8f 1b 94-32 62 8b 98 ea e3 66 46   oBd.Q...2b....fF
    0070 - f6 65 e7 dd 5d bf 85 05-ae 1d 32 be 13 c7 55 30   .e..].....2...U0
    0080 - c8 73 86 c6 75 ff e2 97-29 64 77 ec f9 51 5e b2   .s..u...)dw..Q^.
    0090 - 9f f0 ce 94 3e df 70 1b-af 01 70 23 cf da 54 a7   ....>.p...p#..T.

    Start Time: 1585822684
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

如上,认证时服务器会使用Bu2对应的证书。

服务器端打印如下:

SSL_accept:before/accept initialization
TLS client extension "server name" (id=0), len=8
0000 - 00 06 00 00 03 42 75 32-                          .....Bu2
TLS client extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS client extension "elliptic curves" (id=10), len=10
0000 - 00 08 00 17 00 19 00 18-00 16                     ..........
TLS client extension "session ticket" (id=35), len=0
TLS client extension "signature algorithms" (id=13), len=32
0000 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01   ................
0010 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03   ................
TLS client extension "heartbeat" (id=15), len=1
0000 - 01                                                .
Hostname in TLS extension: "Bu2"
Switching server context.
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client certificate A
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFwCAQECAgMDBALAMAQABDBTH2HJx60gZqLyEy4fRWAL86SBKJCAonmRxYlmYsLA
1WPLi+1fUaawoGeVmM8JlTehBgIEXoW73KIEAgIBLKQGBAQBAAAApgUEA0J1Mg==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

客户端发起连接,指定错误servername

当servername错误时,会有warning:SSL3 alert read⚠️unrecognized name。

# openssl s_client -tlsextdebug -state -servername Bu -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:warning:unrecognized name
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
SSL_connect:SSLv3 read server hello A
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = BUPT
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIJALw6A4esvB1yMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAkNBMB4XDTIwMDQwMTE1MjcwNFoXDTIx
MDQwMTE1MjcwNFowVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEQlVQ
VDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtgnZu6ho9B4KeQTPKfw8KuZ7
SPiIpvN7bDQb7yEH8lXdcw0NB+VB/iZuT/cwwAWlXJNW0qokAxFn6lt8QMtubnUs
vRjY31Tg7cTmcxArwP8kBXF4M4GGXqR9wEI9hvbTJfuwqRB5vkNfvSjBH0hdzgp9
YM7mUbcFNt5W0z+0CzUCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK1ioXQA
hnLUJAM+8Z1RkHsRQwEAMB8GA1UdIwQYMBaAFOdla/T+Y5c4EQQqbXYITYFVIA1r
MA0GCSqGSIb3DQEBCwUAA4IBAQA7631/iAO/poTvnkNzUKxW/WOQoo6AavZoEN1s
MlYpIKp2dzHB/b/TFBEC0PIK5EpRifSXS4t+v1IGVZecqYExsy4yX0U/jPXcQbmO
NYwrgFvMG3k0/5qBuZNuYw7KYLtAIstl+V8/LcRK3c76znrAb29stU6g5hEgmVUY
/k7K7JG8AprC5fU1pRaourhykbFCx7LxFyMzv2cwNoNkYmaU45SZGo8QBa0WWZuy
tAHWCflq2RqEaccFu1i3PSrkCaOUCXTbOvoM0pqjLgraU1gS/6bsseYd4aiOpfhz
b9pdF+0n3FU1LG7LoQphpDXCH/mergr8+J5MF1PdqbdIki53
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2240 bytes and written 426 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 03E39D9FA4B1BC4C7F8E19ACBA540BABF6C8A3CB0537753520997FD71DF642D3
    Session-ID-ctx:
    Master-Key: 4ED8DB83857AF282498942BB775B5177E2D342025F2850ABDDD1A69FD9C22D3C818536A7604AE7EC91FA718C30F425B5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 17 44 73 28 91 e6 50 a9-0b 35 fa e6 5d 16 cf 25   .Ds(..P..5..]..%
    0010 - c7 8d c4 a0 1a 8a db 67-5a 7e ca 4a 33 d3 c3 12   .......gZ~.J3...
    0020 - 27 f2 87 d9 53 a0 92 cd-9a 9b b1 ba 0e f4 01 5e   '...S..........^
    0030 - cb c8 29 9d 78 e8 ac 77-21 66 50 1e 0c 0b 80 3f   ..).x..w!fP....?
    0040 - 3f bd b5 aa 71 c7 66 68-e2 ee f8 44 4a 47 1b 2f   ?...q.fh...DJG./
    0050 - 5d da 38 54 5a c6 d4 f5-91 a7 85 8e fd 88 f8 41   ].8TZ..........A
    0060 - f8 f1 0b df 74 f0 28 27-c0 b6 80 ff db 97 e0 6a   ....t.('.......j
    0070 - 88 10 76 37 a0 93 89 81-08 5f ff c8 83 00 3d 0b   ..v7....._....=.
    0080 - 34 1c 49 e6 72 e7 fe b0-ee 3f be b4 03 d3 e3 1b   4.I.r....?......
    0090 - 38 65 c5 9f f8 eb 4b 54-94 d4 1b b5 0f 9f 63 80   8e....KT......c.

    Start Time: 1585822998
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

如上,认证时服务器仍会使用默认的BUPT对应的证书。

服务器端打印如下:

SSL_accept:before/accept initialization
TLS client extension "server name" (id=0), len=7
0000 - 00 05 00 00 02 42 75                              .....Bu
TLS client extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS client extension "elliptic curves" (id=10), len=10
0000 - 00 08 00 17 00 19 00 18-00 16                     ..........
TLS client extension "session ticket" (id=35), len=0
TLS client extension "signature algorithms" (id=13), len=32
0000 - 00 1e 06 01 06 02 06 03-05 01 05 02 05 03 04 01   ................
0010 - 04 02 04 03 03 01 03 02-03 03 02 01 02 02 02 03   ................
TLS client extension "heartbeat" (id=15), len=1
0000 - 01                                                .
Hostname in TLS extension: "Bu"
SSL3 alert write:warning:unrecognized name
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client certificate A
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFsCAQECAgMDBALAMAQABDBO2NuDhXrygkmJQrt3W1F34tNCAl8oUKvd0aaf2cIt
PIGFNqdgSufskfpxjDD0JbWhBgIEXoW9FqIEAgIBLKQGBAQBAAAApgQEAkJ1
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Loong Tu
关注
  • 1
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
互联网协议 — TLSSNI
烟云的计算
01-20 2978
目录 文章目录目录SNI 的应用场景SNI 的实现原理1. client_hello2. server_hello + server_certificate + sever_hello_done3. 证书校验4. client_key_exchange + change_cipher_spec + encrypted_handshake_message5. change_cipher_spec + encrypted_handshake_message6. 握手结束7. 加密通信 SNI 的应用场景 早期的
深入理解nginx的https sni机制
一个致力于开源代码学习、分析和交流的博客
02-29 1587
本文从ssl上下文的初始化、ssl连接的初始化、sni回调处理,到最后动态证书加载的整个流程说明了nginx sni的实现过程
SSL / TLS协议解析!SNI 识别
chen1415886044的博客
05-01 6665
自Web诞生以来,我们所接触的互联网时代,都有可能存在信息的截断,而SSL协议及其后代TLS提供了加密和安全性,使现代互联网安全成为可能。 这些协议已有将近二十多年的历史,其特点是不断更新,旨在与日趋复杂的攻击者保持同步。 什么是SSL!什么是TLS! SSL代表安全套接字层,该协议是由Netscape于1990年代中期开发的,Netscape是当时最受欢迎的Web浏览器。SSL 1.0从未向公众发布,而SSL 2.0具有严重的缺陷。1996年发布的SSL 3.0进行了彻底的改进,为后续工作奠定了基础。 而
Server Name Indication(SNI),HTTP/TLS握手过程解析
chen1415886044的博客
10-22 2241
Server Name Indication(SNI)是一种TLS扩展,用于在TLS握手过程中传递服务器的域名信息。在未使用SNI之前,客户端在建立TLS连接时只能发送单个IP地址,并且服务器无法知道客户端请求的具体域名。这导致服务器需要使用默认证书进行握手,无法正确选择合适的证书。 使用SNI扩展后,客户端在发送ClientHello消息时会包含所请求的服务器的域名。服务器根据该域名来选择对应的证书进行握手,从而实现了多个域名共享同一个IP地址并使用不同证书的能力。
【BeetleX重构】TLS和多数据类型性能测试
最新发布
dotNET跨平台
06-07 18
上一篇针对组件实现的简单HTTP服务进行了一个压力测试,而这一篇主要针对的是HTTPS和不同序列化组件响应体中的性能测试。通过以上测试看一下组件在添加TLS后对性能的损耗和不同序列化组件在HTTP中使用的效果。这一次的测试逻辑和结构对比之前的相对复杂一些,方法会判断请求响应的类型和数量,具体逻辑代码如下:public class HttpSession : Sesi...
TLS SNITLS Server Name Indication)配置:F5、Nginx和IIS
sysin | SYStem INside
07-28 1967
TLS Server Name Indication (TLS SNI) TLS Server Name Indication (TLS SNI),used when a single virtual IP server needs to host multiple domains. TLS SNI Support 即一个 IP 地址上支持多个域名的 SSL 站点,或者说一个 IP 上支持绑定多个 SSL 证书。 支持 TLS SNI 的浏览器 Browsers/clients with support f
hello-tls:解析TLS ClientHello消息
04-30
TLS具有名为服务器名称标识(SNI)的扩展名,以支持此类应用程序。 client_hello框架包含TLS ClientHello框架中的所有数据,并且可以使用公开可见的成员进行检索。 目前,支持TLS协议是该项目的明确目标。 但是,...
competentum:测试练习
06-15
5. **安全性增强**:增加了对SNI(Server Name Indication)的支持,改进了SSL/TLS处理,以及增强了身份验证和授权机制。 **应用部署流程** 在部署"商店模拟器"应用到Tomcat 8之前,需要先进行以下步骤: 1. **...
mod_tls:将rustls带入Apache服务器
03-19
mod_tls-Apache中TLS的内存安全性该存储库包含mod_tls ,这是Apache httpd的模块,该模块使用提供内存安全的TLS实现... (进行中)一个测试套件,很好地涵盖了受支持的TLS功能。 (进行中)负载测试提供一些性能指标。
thttps:Tiny-HTTPS协议实现(用于实验)。
05-11
大多数组件是从Go版本1.7中派生的tiny-HTTPS不适合在现实世界中使用,但是对于其他试图在代码级别了解TLS的人来说,它可能会很有用,其功能包括: 基本握手,无需扩展(SNI,ALPN,会话票据...) 数据传输并使用MAC...
openbsd-httpd-tls-config:完美的TLS SSL Labs的OpenBSD httpd配置得分A +
03-21
10. **Server Name Indication (SNI)**:启用SNI以支持在同一IP地址下托管多个SSL证书的网站。 在OpenBSD httpd的配置文件中,你需要精确地定义这些参数。`openbsd-httpd-tls-config-main`文件可能包含了实现上述...
HTTPs握手流程抓包解析
热门推荐
曾梦想仗剑走天涯
06-03 1万+
TLS Handshake Flow:以下是访问 https://github.com 的 wireshark 抓包截图: C->S:Client Hello S->C:Server Hello S->C:Certificate, Server Key Exchange, Server Hello Done C->S:Client Key Change C->S:Change Cip
HTTPS那些协议:TLS, SSL, SNI, ALPN, NPN
幻听
06-01 1万+
如今 HTTPS 已经普遍应用了,在带来安全性的同时也确实给 Web 引入了更多复杂的概念。这其中就包括一系列从没见过的网络协议。现在 Harttle 从 HTTPS 的原理出发,尝试以最通俗的方式来解读 HTTPS 涉及的这些协议。作者:佚名来源:harttle.land|2018-03-26 14:19 收藏  分享人工智能+区块链的发展趋势及应用调研报告如今 HTTPS 已经普遍应用了,在带...
Let's encrypt的TLS-SNI安全问题
weixin_34200628的博客
02-01 396
问题 这两天按以前的做法给一个新域名加Let's encrypt证书,如下: certbot run --nginx --email &lt;your_email&gt; -w /&lt;path_to&gt;/challenges -d &lt;your.domain.name&gt; --preferred-challenges tls-sni --renew-by-default --agr...
利用SSL证书的SNI特性建立自己的爬虫ip服务器
weixin_44617651的博客
08-24 936
今天我要和大家分享一个关于自建多域名HTTPS爬虫ip服务器的知识,让你的爬虫ip服务器更加强大!无论是用于数据抓取、反爬虫还是网络调试,自建一个支持多个域名的HTTPS爬虫ip服务器都是非常有价值的。
ssl服务端没有回Server Hello
bytxl的专栏
10-23 6628
用得好好的程序突然问题,https服务提供的网页打不开了。 设置lighttpd,打开访问日志和错误日志,再试,还是打不开,也没有错误原因。 抓包,发现客户端发送了Client Hello,服务端ACK了,然后就没下文了,服务端没有发送Server Hello,竟然也没有报错。 仔细看,发现Client Hello只发送了11个加密套件,以前某个服务的客户端会发送六七十个加密套件,以为是证书
C语言使用openssl库解析TLS报文(SNI和证书)
Chuancey的博客
02-15 7205
项目中需要对TLS报文中SNI和证书部分进行过滤,并且之前并没有接触过这方面的内容,为了解决这一需求,期间学习了不少知识,也走了不少弯路。就写下这篇博客记录分享一下。项目背景:项目是一个类似防火墙的软件,可以过滤特定的TLS流量。实现原理就是通过对TLS数据包流量进行解析,得到想要过滤的字段数据,根据过滤规则决定是否放行该TLS流量。本次需要过滤的TLS数据包主要针对SNI和证书,TLS报文的版本为1.2。使用版本为1.0.2k的openssl库进行C编程。
SSL with Virtual Hosts Using SNI
打杂人
05-28 2607
Summary Using name-based virtual hosts with SSL adds another layer of complication. Without the SNI extension, it's not generally possible (though a subset of virtual host might work). With SNI,
OpenSSL获取 tls sni
05-23
要获取TLS SNI信息,您可以使用OpenSSL库中的回调函数。具体来说,您可以使用SSL_CTX_set_tlsext_servername_callback函数将回调函数注册到SSL上下文中,该函数将在TLS握手期间被调用以获取SNI信息。 以下是一个示例回调函数: ``` int sni_callback(SSL *ssl, int *ad, void *arg) { const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (servername) { printf("SNI: %s\n", servername); } return SSL_TLSEXT_ERR_OK; } ``` 您可以将此回调函数注册到SSL上下文中: ``` SSL_CTX *ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_tlsext_servername_callback(ctx, sni_callback); ``` 然后,通过使用SSL_accept函数启动TLS握手,就可以获取SNI信息了。当客户端发送客户端Hello消息时,回调函数将被调用并打印SNI信息。 请注意,此代码仅适用于服务器端的TLS握手。如果您需要在客户端使用SNI,则可以使用SSL_set_tlsext_host_name函数设置SNI信息。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值