Question

这将是一个高级问题，所以请忽略不太高级的细节。我有协议问题，而不是如何解决它，但我需要提供一些背景知识。

背景：

.NET / Windows默认禁用SSLv3。有注册事项和代码问题。无论出于何种原因，我无法激活SSLv3，但无关紧要，它可以保持这种状态。 TLS +应该可以正常工作。
使用OpenSSL客户端或.NET客户端以及.NET服务器测试以上内容。 SSL3客户端将无法工作，这没关系。
我有一个定制的Cellular模块，可通过TCP连接，SSL加密。

以下是发送的客户端Hello消息的示例：

0x16 [0x03 0x00] 0x00 0x65 0x01 0x00 0x00 0x61 [0x03 0x03] 0x36 0xF4 0x42 0x51 0x6D 0xE8 0x84 0xA2 0xDA 0xD0 0x09 0x45 0xB5 0xA1 0x12 0x8A 0x6B 0x43 0x24 0x14 0xD7 0x86 0x48 0x28 0xAE 0x0D 0x90 0x50 0x5C 0x1B 0x20 0xA1 0x00 0x00 0x2A 0x00 0x6B 0x00 0x6A 0x00 0x3D 0x00 0x67 0x00 0x40 0x00 0x3C 0x00 0x39 0x00 0x38 0x00 0x35 0x00 0x33 0x00 0x32 0x00 0x2F 0x00 0x16 0x00 0x13 0x00 0x0A 0x00 0x05 0x00 0x04 0x00 0x15 0x00 0x12 0x00 0x09 0x00 0xFF 0x01 0x00 0x00 0x0E 0x00 0x0D 0x00 0x0A 0x00 0x08 0x04 0x01 0x02 0x01 0x04 0x02 0x02 0x02

如您所知，您知道要查看哪些字节： 1.记录格式为SSL 3.0版（0x0300） 2.客户端Hello协议版本为TLS 1.2（0x0303）

换句话说，即使整个邮件不是扩展的TLS格式，加密请求也是TLS 1.2

我原本认为windows / .NET允许这样做，因为加密级别仍然是安全的，只有客户端hello格式是未扩展的。我不明白为什么它仍会被拒绝。

问题：

蜂窝模块是否正在发送TLS1.2的加密级别但是使用未扩展的SSLv3格式是否有意义？
如何让Windows允许这样做，而不是SSLv3加密？看来你不能简单地拥有这个中间地带。

Answer 1

在此示例中，我模拟了客户端消息，并将其返回给ssl服务器以进行测试。非扩展协议（原始ssl3）最终具有AlgorithmMismatch，而扩展协议即使我手动将其记录层版本更改为SSL3也能正常工作。

这是失败的：

System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::GetStream()  -> NetworkStream#48209832
System.Net Information: 0 : [4240] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [4240] Enumerating security packages:
System.Net Information: 0 : [4240]     Negotiate
System.Net Information: 0 : [4240]     NegoExtender
System.Net Information: 0 : [4240]     Kerberos
System.Net Information: 0 : [4240]     NTLM
System.Net Information: 0 : [4240]     TSSSP
System.Net Information: 0 : [4240]     pku2u
System.Net Information: 0 : [4240]     WDigest
System.Net Information: 0 : [4240]     Schannel
System.Net Information: 0 : [4240]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4240]     CREDSSP
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [4240] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [8360] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [8360] 00000000 : 16 03 00 00 39                                  : ....9
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::EndReceive()     -> Int32#5
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [10888] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [10888] 00000000 : 01 00 00 35 03 03 5A 53-AD A7 80 91 4D 9C FD 1F : ...5..ZS....M...
System.Net.Sockets Verbose: 0 : [10888] 00000010 : AB 5B FA CD 1B 42 BF EA-26 52 77 D8 18 19 9E E3 : .[...B..&Rw.....
System.Net.Sockets Verbose: 0 : [10888] 00000020 : C8 92 D2 63 7D 74 00 00-0E 00 0A 00 13 00 62 00 : ...c}t........b.
System.Net.Sockets Verbose: 0 : [10888] 00000030 : 09 00 63 00 12 00 FF 01-00                      : ..c......
System.Net.Sockets Verbose: 0 : [10888] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [10888] Exiting Socket#6044116::EndReceive()    -> Int32#57
System.Net Information: 0 : [10888] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Issuer]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Serial Number]
  3120C1CCC8D477974B311D82A9B7881E

[Not Before]
  11/9/2016 1:10:37 PM

[Not After]
  12/31/2039 6:59:59 PM

[Thumbprint]
  EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [10888] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [10888] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Inbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [10888] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [10888] AcceptSecurityContext(In-Buffer length=62, Out-Buffer length=0, returned code=AlgorithmMismatch).
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::Dispose()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Close()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Dispose()
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Dispose() 
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Close() 
System.Net.Sockets Verbose: 0 : [4240] TcpListener#21950498::AcceptTcpClient()
System.Net.Sockets Verbose: 0 : [4240] Socket#37614147::Accept()

这成功了：

System.Net.Sockets Information: 0 : [8344] Socket#6044116 - Accepted connection from 192.168.3.106:55907 to 192.168.3.106:7001.
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#37614147::Accept()    -> Socket#6044116
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::TcpClient(Socket#6044116)
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::TcpClient() 
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpListener#21950498::AcceptTcpClient()  -> TcpClient#59817589
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::GetStream()
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::GetStream()  -> NetworkStream#48209832
System.Net Information: 0 : [8344] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [8344] Enumerating security packages:
System.Net Information: 0 : [8344]     Negotiate
System.Net Information: 0 : [8344]     NegoExtender
System.Net Information: 0 : [8344]     Kerberos
System.Net Information: 0 : [8344]     NTLM
System.Net Information: 0 : [8344]     TSSSP
System.Net Information: 0 : [8344]     pku2u
System.Net Information: 0 : [8344]     WDigest
System.Net Information: 0 : [8344]     Schannel
System.Net Information: 0 : [8344]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [8344]     CREDSSP
System.Net.Sockets Verbose: 0 : [8344] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [14296] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [14296] 00000000 : 16 03 00 00 A7                                  : .....
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::EndReceive()    -> Int32#5
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::BeginReceive()  -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [13340] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [13340] 00000000 : 01 00 00 A3 03 03 5A 53-AD 98 78 ED 38 1B 06 57 : ......ZS..x.8..W
System.Net.Sockets Verbose: 0 : [13340] 00000010 : 52 BF E5 61 58 A2 37 A3-AC 6E 18 83 AE 2E 25 EF : R..aX.7..n....%.
System.Net.Sockets Verbose: 0 : [13340] 00000020 : 60 32 67 A3 BF D4 00 00-38 C0 30 C0 2F C0 28 C0 : `2g.....8.0./.(.
System.Net.Sockets Verbose: 0 : [13340] 00000030 : 27 C0 14 C0 13 C0 2C C0-2B C0 24 C0 23 C0 0A C0 : '.....,.+.$.#...
System.Net.Sockets Verbose: 0 : [13340] 00000040 : 09 00 9D 00 9C 00 3D 00-3C 00 35 00 2F 00 0A 00 : ......=.<.5./...
System.Net.Sockets Verbose: 0 : [13340] 00000050 : 9F 00 9E 00 39 00 33 00-6A 00 40 00 38 00 32 00 : ....9.3.j.@.8.2.
System.Net.Sockets Verbose: 0 : [13340] 00000060 : 13 01 00 00 42 00 00 00-09 00 07 00 00 04 3F 31 : ....B.........?1
System.Net.Sockets Verbose: 0 : [13340] 00000070 : 32 34 00 0A 00 06 00 04-00 17 00 18 00 0B 00 02 : 24..............
System.Net.Sockets Verbose: 0 : [13340] 00000080 : 01 00 00 0D 00 14 00 12-06 01 06 03 04 01 05 01 : ................
System.Net.Sockets Verbose: 0 : [13340] 00000090 : 02 01 04 03 05 03 02 03-02 02 00 23 00 00 00 17 : ...........#....
System.Net.Sockets Verbose: 0 : [13340] 000000A0 : 00 00 FF 01 00 01 00                            : .......
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::EndReceive()    -> Int32#167
System.Net Information: 0 : [13340] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Issuer]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Serial Number]
  3120C1CCC8D477974B311D82A9B7881E

[Not Before]
  11/9/2016 1:10:37 PM

[Not After]
  12/31/2039 6:59:59 PM

[Thumbprint]
  EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [13340] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [13340] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Inbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13340] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [13340] AcceptSecurityContext(In-Buffer length=172, Out-Buffer length=1236, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::BeginSend()
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::BeginSend()     -> OverlappedAsyncResult#45653674
System.Net.Sockets Verbose: 0 : [8396] Data from Socket#6044116::PostCompletion

SSL协议格式版本兼容性（消息格式versino VS加密版本）

1 个答案: