The following is how OpenSSL internally processes the handshake phase when it is called to set up a TLS 1.0 connection; you can follow it against a packet capture.
The server and client below run in parallel; a side only enters a waiting state when it needs to receive a message from its peer. To make it easier to follow, the client-side and server-side processing is laid out in sequence.
The state-transition code itself is in:
server side: the ssl3_accept function in /ssl/s3_srvr.c; client side: the ssl3_connect function in /ssl/s3_clnt.c
client: SSL_ST_OK | SSL_ST_CONNECT //assign initial values to the ssl fields
server: SSL_ST_OK | SSL_ST_ACCEPT //assign initial values to the ssl fields
client: SSL3_ST_CW_CLNT_HELLO_A //send client_hello
server: SSL3_ST_SR_CLNT_HELLO_A //ssl3_get_client_hello (at run time the server reaches this point and waits for client_hello; it resumes once the client's BIO_flush has delivered the message)
server: SSL3_ST_SW_SRVR_HELLO_A //ssl3_send_server_hello: assemble server_hello
server: SSL3_ST_SW_KEY_EXCH_A //ssl3_send_server_key_exchange
server: SSL3_ST_SW_CERT_REQ_A //ssl3_send_certificate_request: request the client certificate
server: SSL3_ST_SW_FLUSH //BIO_flush sends out all the messages queued above; the client receives them and continues
server: SSL3_ST_SR_CERT_A //ssl3_get_client_certificate: wait to receive the client certificate
client: SSL3_ST_CR_SRVR_HELLO_A //ssl3_get_server_hello (at run time the client reaches this point and waits for server_hello; it resumes once the server's BIO_flush has delivered the message)
client: SSL3_ST_CR_CERT_A //ssl3_get_server_certificate
client: SSL3_ST_CR_KEY_EXCH_A //ssl3_get_key_exchange
client: SSL3_ST_CR_CERT_REQ_A //ssl3_get_certificate_request
client: SSL3_ST_CR_SRVR_DONE_A //ssl3_get_server_done
client: SSL3_ST_CW_CERT_A //ssl3_send_client_certificate
client: SSL3_ST_CW_KEY_EXCH_A //ssl3_send_client_key_exchange
client: SSL3_ST_CW_CERT_VRFY_A //ssl3_send_client_verify
client: SSL3_ST_CW_CHANGE_A //ssl3_send_change_cipher_spec: tells the peer to switch to symmetric encryption
client: SSL3_ST_CW_FINISHED_A //ssl3_send_finished
client: SSL3_ST_CW_FLUSH //BIO_flush
client: SSL3_ST_CR_SESSION_TICKET_A //ssl3_get_new_session_ticket: enters the waiting-to-receive state
server: SSL3_ST_SR_KEY_EXCH_A //ssl3_get_client_key_exchange
server: SSL3_ST_SR_CERT_VRFY_A //ssl3_get_cert_verify
server: SSL3_ST_SR_FINISHED_A //ssl3_get_finished
server: SSL3_ST_SW_SESSION_TICKET_A //ssl3_send_newsession_ticket
server: SSL3_ST_SW_CHANGE_A //ssl3_send_change_cipher_spec: tells the peer to switch to symmetric encryption
server: SSL3_ST_SW_FINISHED_A //ssl3_send_finished
server: SSL3_ST_SW_FLUSH //BIO_flush
server: SSL_ST_OK //ssl3_cleanup_key_block, ssl_update_cache, etc.; the server has now completed the whole handshake
client: SSL3_ST_CR_SESSION_TICKET_A //ssl3_get_new_session_ticket: resumes processing
client: SSL3_ST_CR_FINISHED_A //ssl3_get_finished
client: SSL_ST_OK //ssl3_cleanup_key_block, ssl_update_cache, etc.
The connection is now established and communication under the symmetric session key begins.
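The interleaving above can be reproduced with a small cooperative model, added here as an illustration (constructed for this page, not OpenSSL code). It uses the state names from the listing, plus the two server send states SSL3_ST_SW_CERT_A and SSL3_ST_SW_SRVR_DONE_A that the listing omits but the client's receive states imply; a side parks at a receive state until the peer's BIO_flush has delivered the message, and removing a flush turns into a detectable deadlock.

```python
from collections import deque
# Constructed model of the listing above, not OpenSSL code. Steps are (kind, OpenSSL state,
# message): send queues into the outbox, flush is BIO_flush handing the outbox to the peer,
# recv parks until the message has arrived, local is I/O-free work (key block, session cache).
CLIENT = [
    ("send", "SSL3_ST_CW_CLNT_HELLO_A", "client_hello"), ("flush", "SSL3_ST_CW_FLUSH", None),
    ("recv", "SSL3_ST_CR_SRVR_HELLO_A", "server_hello"), ("recv", "SSL3_ST_CR_CERT_A", "certificate"),
    ("recv", "SSL3_ST_CR_KEY_EXCH_A", "server_key_exchange"), ("recv", "SSL3_ST_CR_CERT_REQ_A", "certificate_request"),
    ("recv", "SSL3_ST_CR_SRVR_DONE_A", "server_hello_done"), ("send", "SSL3_ST_CW_CERT_A", "certificate"),
    ("send", "SSL3_ST_CW_KEY_EXCH_A", "client_key_exchange"), ("send", "SSL3_ST_CW_CERT_VRFY_A", "certificate_verify"),
    ("send", "SSL3_ST_CW_CHANGE_A", "change_cipher_spec"), ("send", "SSL3_ST_CW_FINISHED_A", "finished"),
    ("flush", "SSL3_ST_CW_FLUSH", None), ("recv", "SSL3_ST_CR_SESSION_TICKET_A", "new_session_ticket"),
    ("recv", "SSL3_ST_CR_FINISHED_A", "finished"), ("local", "SSL_ST_OK", None),
]
# SSL3_ST_SW_CERT_A / SSL3_ST_SW_SRVR_DONE_A are assumed here: the client's receive states require them.
SERVER = [
    ("recv", "SSL3_ST_SR_CLNT_HELLO_A", "client_hello"), ("send", "SSL3_ST_SW_SRVR_HELLO_A", "server_hello"),
    ("send", "SSL3_ST_SW_CERT_A", "certificate"), ("send", "SSL3_ST_SW_KEY_EXCH_A", "server_key_exchange"),
    ("send", "SSL3_ST_SW_CERT_REQ_A", "certificate_request"), ("send", "SSL3_ST_SW_SRVR_DONE_A", "server_hello_done"),
    ("flush", "SSL3_ST_SW_FLUSH", None), ("recv", "SSL3_ST_SR_CERT_A", "certificate"),
    ("recv", "SSL3_ST_SR_KEY_EXCH_A", "client_key_exchange"), ("recv", "SSL3_ST_SR_CERT_VRFY_A", "certificate_verify"),
    ("recv", "SSL3_ST_SR_FINISHED_A", "finished"), ("send", "SSL3_ST_SW_SESSION_TICKET_A", "new_session_ticket"),
    ("send", "SSL3_ST_SW_CHANGE_A", "change_cipher_spec"), ("send", "SSL3_ST_SW_FINISHED_A", "finished"),
    ("flush", "SSL3_ST_SW_FLUSH", None), ("local", "SSL_ST_OK", None),
]

def run_handshake(client=CLIENT, server=SERVER):
    """Run both sides cooperatively; return the states in the order they completed."""
    todo = {"client": deque(client), "server": deque(server)}
    inbox = {"client": deque(), "server": deque()}
    trace, turn, outbox = [], "client", []   # one outbox suffices: a side always flushes before it parks
    while todo["client"] or todo["server"]:
        peer = "server" if turn == "client" else "client"
        progressed = False
        while todo[turn]:
            kind, state, msg = todo[turn][0]
            if kind == "recv" and msg not in inbox[turn]:
                break                                  # park here until the peer's BIO_flush delivers it
            if kind == "recv":
                while inbox[turn].popleft() != msg: pass   # a pending change_cipher_spec is consumed on the way
            elif kind == "send":
                outbox.append(msg)
            elif kind == "flush":
                inbox[peer].extend(outbox); outbox.clear()
            trace.append(f"{turn}: {state}"); todo[turn].popleft(); progressed = True
        if todo[turn] and not progressed:
            raise RuntimeError(f"deadlock: {turn} is waiting at {todo[turn][0][1]}")
        turn = peer
    return trace
```

Calling `run_handshake()` yields the 32 states in exactly the order the listing shows; passing a server list without its SSL3_ST_SW_FLUSH step raises the deadlock error, because queued messages never reach the client's inbox.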