ssl 握手过程【收藏】
收藏几篇关于ssl handshake的好文
http://www.slashroot.in/comment/1242
SSL protocol, does its fantastic job of securing communication over the wire, with the help of multiple layers of protocols, above TCP(And After Application Layer).
Always keep in mind that, although HTTP protocol is the protocol, which highly makes use of SSL, to secure communication. SSL is an application layer independent protocol.So you can use that with any application layer Protocol.
There are different versions and types of encryption and authentication algorithms out there. SSL can make use of, most of them out there. But a major point to note here is that, both the server and client must first agree on the same algorithm, that they are going to use in their communication.
As the client is the first person to begin the communication, the first step that the client does is to tell server, about the cipher suits and MAC(Message Authentication code, this is made in record Layer.Read Record Layer Protocol in SSL) hash algorithm's it supports.
This is done by sending a CLIENT-HELLO message. The client's Hello message consists of the following contents.
SSL version that the client supports
In what order the client prefer the versions
The ciphersuits(Cryptographic Algo's) supported by the client
Compression methods supported if any
Random Number
Keep in mind that, during the SSL initial handshake, nothing is encrypted. So anybody can sniff, and see whats going on. Encryption, starts only after the master secret(which will be used to encrypt and decrypt data as well as MAC calculation) is send by the client
Client Hello message content in SSL/TLS
SSL VERSION NUMBER : the client sends a list of ssl version it supports. And priority is given to the highest version it supports
Random Data Number : Its made up of 32 bytes. 4 byte number made up from client's date & time plus 28 byte randomly generated number(this will be used with server's random value made of date & time for generating the "master secret", from which encryption key will be derived).
SESSION ID: In order to enable client's resuming capabilities this session ID is included.
CIPHER SUITS: RSA algorithm is used for the initial key exchange which will be done using public key cryptography. And SHA is used for MAC and hashing. And also sends the encrption algo's supported by the client like DES for example.
Compression Algorithm: this will include compression algorithms details, if used.
After the client has sent, its client-hello message, its the job of the server to send back a server-hello message. Which will contain the below information.
Server Hello message in SSL/TLS
Version Number: Server selects an ssl version thats supported by both the server and the client, and is the highest version supported by both of them
Random Data: the server also generates a random value using the server's date and time plus a random number of 28bytes. Client will use this random value and its own random value to generate the "master key"
Sesssion ID: There are three possiblities, with regard to the session id. It all depends on the type of client-hello message. If the client requires to resume a previously created session, then both the client and server will use the same session ID. But, if the client is initiating a new session, the server will send a new session ID. Sometimes a null session ID is also used, where server will never support resuming the session, so no session id's are used at all.
Cipher Suits: Similar to the version number selected by the server, the server will select the best cipher suite version supported by both of them.
Certificate:The server also sends a certificate, which is signed and verified by a Certificate Authority, along with the public key(Content encrypted with public key can only be opened with a corresponding private key. In this case, only the server can unlock it because, the server has the private key for its public key).
A certificate signed by a certificate authority(a trusted third party), consists the complete information about the company using that certificate. The certificate identity of many well known certificate authority is made avialable to the web browser. Whenever a certificate is recieved by the client's browser, it is verified with the one it has from the certificate authority. So this proves that, that the server which claims, that it is "example.com" is infact correct.
Server Key Exchange: this step is taken by the server, only when there is no public key shared along with the certificate. If this key is used, this will be used to encrypt the "Client Key Exchange Method"
Client Certificate request: This is seldom used, because this is only used, when the client also needs to get authenticated, by a client certificate.
Server Hello Done: this message from the server will tell the client, that the server has finished sending its hello message, and is waiting for a response from the client.
Response from the client to server's hello message:
Client Certificate: The client sends a client certificate back to the server. This step is only used when a client certificate is requested by the server(through the server hello message).
Client Key Exchange: This message is only sent, after the client calculates, the premaster secret with the help of the random values of both the server and the client(Which was shared by both the server and the client through the hello message).
"Client Key exchange" message, is sent by encrypting it with the server's public key, which was shared through the hello message. This message can only be decrypted with the server's private key. If successful, the server is authenticated.
the client will also send the ssl protocol version once again along with the "client key exchange" method, so that the server can verify, this version with the previous one send, so as to prevent a man in the middle from changing the protocol version.
相关文章
- objection绕过SSL Pinning
- Docker容器访问SQL Server 抛异常:SSL Provider, error: 31 - Encryption(ssl/tls) handshake failed
- 宝塔安装腾讯云ssl证书_宝塔 泛域名
- SSL证书干货速递第一期:解放双手,自动续费!
- 利用acme.sh快速获取SSL证书 - wuuconix's blog
- 你的站点需要SSL证书的6个原因
- Tomcat 服务器安装 SSL证书,实现 HTTP 自动跳转 HTTPS
- ssl连接的过程,ssl是什么?
- MySQL Error number: MY-011304; Symbol: ER_XPLUGIN_SSL_HANDSHAKE_WITH_SERVER_FAILED; SQLSTATE: HY000 报错 故障修复 远程处理
- ssl证书类型详解程序员
- MySQL Status Mysqlx_ssl_cipher_list 数据库状态作用意思及如何正确
- MySQL禁用SSL安全协议(mysql关闭ssl)
- Linux安装SSL证书:快速、简便、安全(linux安装ssl)
- 忙中出错:Heartbleed漏洞补丁引发SSL链接bug
- Google Chrome 正式宣布将不再信任赛门铁克所有 SSL 证书
- Oracle安全加固之SSL配置(oracle配置ssl)
- Linux 开启 SSL:安全至上(linux开启ssl)
- 探索Linux世界:查看SSL版本(linux查看ssl版本)
- 深入了解MySQL中SSL连接的必要性和配置方法(mysql中 ssl连接)
- MySQL如何关闭SSL连接(mysql中ssl关闭)
- MySQL中SSL的配置和使用方法(mysql 中ssl)
- 了解MySQL SSL加密使用方法,保障数据库数据传输安全(mysql_ssl)