这将是一个高级问题,所以请忽略不太高级的细节。我有协议问题而不是如何解决它,但我需要提供一些背景知识。
背景:
- .NET/Windows 默认禁用 SSLv3。有注册表问题和代码问题。无论出于何种原因,我都无法激活SSLv3,但没关系,它可以保持这种状态。TLS+ 应该可以正常工作。
- 以上是使用 OpenSSL 客户端或 .NET 客户端以及 .NET 服务器进行测试的。SSL3客户端无法正常工作,这没关系。
- 我有一个定制的蜂窝模块,可以通过TCP,SSL加密进行连接。
下面是发送的客户端问候消息的示例:
0x16 [0x03 0x00] 0x00 0x65 0x01 0x00 0x00 0x61 [0x03 0x03] 0x36 0xF4 0x42 0x51 0x6D 0xE8 0x84 0xA2 0xDA 0xD0 0x09 0x45 0xB5 0xA1 0x12 0x8A 0x6B 0x43 0x24 0x14 0xD7 0x86 0x48 0x28 0xAE 0x0D 0x90 0x50 0x5C 0x1B 0x20 0xA1 0x00 0x00 0x2A 0x00 0x6B 0x00 0x6A 0x00 0x3D 0x00 0x67 0x00 0x40 0x00 0x3C 0x00 0x39 0x00 0x38 0x00 0x35 0x00 0x33 0x00 0x32 0x00 0x2F 0x00 0x16 0x00 0x13 0x00 0x0A 0x00 0x05 0x00 0x04 0x00 0x15 0x00 0x12 0x00 0x09 0x00 0xFF 0x01 0x00 0x00 0x0E 0x00 0x0D 0x00 0x0A 0x00 0x08 0x04 0x01 0x02 0x01 0x04 0x02 0x02 0x02
如您所见,如果您知道要查看哪些字节: 1. 记录格式为 SSL 3.0 (0x0300) 版 2. 客户端 Hello 协议版本为 TLS 1.2 (0x0303)
换句话说,即使整个消息不是扩展的TLS格式,加密请求也是TLS 1.2
我本来假设 windows/.NET 允许这样做,因为加密级别仍然是安全的,并且只有客户端 hello 格式未扩展。我不明白为什么它仍然会被拒绝。
问题:
- 蜂窝模块发送 TLS1.2 的加密级别但使用未扩展的 SSLv3 格式是否有意义?
- 如何使窗口允许这样做,但不允许SSLv3加密?看来你不能简单地有这个中间立场。
在此示例中,我模拟了客户端消息,并将其返回给 ssl 服务器以进行测试。未扩展协议(原始 ssl3)最终具有算法不匹配,而扩展协议即使我手动将其记录层版本更改为 SSL3 也能正常工作。
此操作失败:
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::GetStream() -> NetworkStream#48209832
System.Net Information: 0 : [4240] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [4240] Enumerating security packages:
System.Net Information: 0 : [4240] Negotiate
System.Net Information: 0 : [4240] NegoExtender
System.Net Information: 0 : [4240] Kerberos
System.Net Information: 0 : [4240] NTLM
System.Net Information: 0 : [4240] TSSSP
System.Net Information: 0 : [4240] pku2u
System.Net Information: 0 : [4240] WDigest
System.Net Information: 0 : [4240] Schannel
System.Net Information: 0 : [4240] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4240] CREDSSP
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [4240] Exiting Socket#6044116::BeginReceive() -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [8360] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [8360] 00000000 : 16 03 00 00 39 : ....9
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::EndReceive() -> Int32#5
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::BeginReceive() -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [10888] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [10888] 00000000 : 01 00 00 35 03 03 5A 53-AD A7 80 91 4D 9C FD 1F : ...5..ZS....M...
System.Net.Sockets Verbose: 0 : [10888] 00000010 : AB 5B FA CD 1B 42 BF EA-26 52 77 D8 18 19 9E E3 : .[...B..&Rw.....
System.Net.Sockets Verbose: 0 : [10888] 00000020 : C8 92 D2 63 7D 74 00 00-0E 00 0A 00 13 00 62 00 : ...c}t........b.
System.Net.Sockets Verbose: 0 : [10888] 00000030 : 09 00 63 00 12 00 FF 01-00 : ..c......
System.Net.Sockets Verbose: 0 : [10888] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [10888] Exiting Socket#6044116::EndReceive() -> Int32#57
System.Net Information: 0 : [10888] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
V3
[Subject]
CN=Test Labs (CA)
Simple Name: Test Labs (CA)
DNS Name: Test Labs (CA)
[Issuer]
CN=Test Labs (CA)
Simple Name: Test Labs (CA)
DNS Name: Test Labs (CA)
[Serial Number]
3120C1CCC8D477974B311D82A9B7881E
[Not Before]
11/9/2016 1:10:37 PM
[Not After]
12/31/2039 6:59:59 PM
[Thumbprint]
EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B
[Signature Algorithm]
sha256RSA(1.2.840.113549.1.1.11)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [10888] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [10888] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Inbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [10888] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [10888] AcceptSecurityContext(In-Buffer length=62, Out-Buffer length=0, returned code=AlgorithmMismatch).
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::Dispose()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Close()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Dispose()
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Dispose()
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Close()
System.Net.Sockets Verbose: 0 : [4240] TcpListener#21950498::AcceptTcpClient()
System.Net.Sockets Verbose: 0 : [4240] Socket#37614147::Accept()
此操作成功:
System.Net.Sockets Information: 0 : [8344] Socket#6044116 - Accepted connection from 192.168.3.106:55907 to 192.168.3.106:7001.
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#37614147::Accept() -> Socket#6044116
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::TcpClient(Socket#6044116)
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::TcpClient()
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpListener#21950498::AcceptTcpClient() -> TcpClient#59817589
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::GetStream()
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::GetStream() -> NetworkStream#48209832
System.Net Information: 0 : [8344] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [8344] Enumerating security packages:
System.Net Information: 0 : [8344] Negotiate
System.Net Information: 0 : [8344] NegoExtender
System.Net Information: 0 : [8344] Kerberos
System.Net Information: 0 : [8344] NTLM
System.Net Information: 0 : [8344] TSSSP
System.Net Information: 0 : [8344] pku2u
System.Net Information: 0 : [8344] WDigest
System.Net Information: 0 : [8344] Schannel
System.Net Information: 0 : [8344] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [8344] CREDSSP
System.Net.Sockets Verbose: 0 : [8344] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#6044116::BeginReceive() -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [14296] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [14296] 00000000 : 16 03 00 00 A7 : .....
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::EndReceive() -> Int32#5
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::BeginReceive() -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [13340] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [13340] 00000000 : 01 00 00 A3 03 03 5A 53-AD 98 78 ED 38 1B 06 57 : ......ZS..x.8..W
System.Net.Sockets Verbose: 0 : [13340] 00000010 : 52 BF E5 61 58 A2 37 A3-AC 6E 18 83 AE 2E 25 EF : R..aX.7..n....%.
System.Net.Sockets Verbose: 0 : [13340] 00000020 : 60 32 67 A3 BF D4 00 00-38 C0 30 C0 2F C0 28 C0 : `2g.....8.0./.(.
System.Net.Sockets Verbose: 0 : [13340] 00000030 : 27 C0 14 C0 13 C0 2C C0-2B C0 24 C0 23 C0 0A C0 : '.....,.+.$.#...
System.Net.Sockets Verbose: 0 : [13340] 00000040 : 09 00 9D 00 9C 00 3D 00-3C 00 35 00 2F 00 0A 00 : ......=.<.5./...
System.Net.Sockets Verbose: 0 : [13340] 00000050 : 9F 00 9E 00 39 00 33 00-6A 00 40 00 38 00 32 00 : ....9.3.j.@.8.2.
System.Net.Sockets Verbose: 0 : [13340] 00000060 : 13 01 00 00 42 00 00 00-09 00 07 00 00 04 3F 31 : ....B.........?1
System.Net.Sockets Verbose: 0 : [13340] 00000070 : 32 34 00 0A 00 06 00 04-00 17 00 18 00 0B 00 02 : 24..............
System.Net.Sockets Verbose: 0 : [13340] 00000080 : 01 00 00 0D 00 14 00 12-06 01 06 03 04 01 05 01 : ................
System.Net.Sockets Verbose: 0 : [13340] 00000090 : 02 01 04 03 05 03 02 03-02 02 00 23 00 00 00 17 : ...........#....
System.Net.Sockets Verbose: 0 : [13340] 000000A0 : 00 00 FF 01 00 01 00 : .......
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::EndReceive() -> Int32#167
System.Net Information: 0 : [13340] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
V3
[Subject]
CN=Test Labs (CA)
Simple Name: Test Labs (CA)
DNS Name: Test Labs (CA)
[Issuer]
CN=Test Labs (CA)
Simple Name: Test Labs (CA)
DNS Name: Test Labs (CA)
[Serial Number]
3120C1CCC8D477974B311D82A9B7881E
[Not Before]
11/9/2016 1:10:37 PM
[Not After]
12/31/2039 6:59:59 PM
[Thumbprint]
EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B
[Signature Algorithm]
sha256RSA(1.2.840.113549.1.1.11)
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [13340] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [13340] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Inbound, scc = System.Net.SecureCredential)
System.Net Information: 0 : [13340] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [13340] AcceptSecurityContext(In-Buffer length=172, Out-Buffer length=1236, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::BeginSend()
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::BeginSend() -> OverlappedAsyncResult#45653674
System.Net.Sockets Verbose: 0 : [8396] Data from Socket#6044116::PostCompletion