我的服务器配置为接受SSLv3和TLS1.0协议。但是一些客户端正在发送握手参数以下,并且在服务器问候之后,客户端丢弃连接并发送'handshare failure(40)警报,不确定它是客户端故障还是服务器。
这是初始客户端hello数据包:
Secure Socket Layer
SSLv3 Record Layer: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300) <-----------------
Length: 103
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 78
Version: TLS 1.0 (0x0301) <-------------
Random
Session ID Length: 0
Cipher Suites Length: 18
Cipher Suites (9 suites)
Record层是SSL 3.0,但内部握手协议是TLS 1.0。我的问题是,这是正确的做法,即为每一层使用不同的版本吗?如果它是什么方法呢?我无法在任何地方找到它,我查看了RFC但找不到任何参考。另外,我怎样才能提出这样的要求?
编辑:我对故障排除和修复问题不感兴趣,我只是想知道如何发送此类数据包?任何命令?我该怎么命名这种方法? 即我可以使用curl或openssl来使用ssl3或tls1,但这会在记录层和握手层中发送相同的版本:
curl -v -ssl3 https://www.mywebserver.com
上面的curl命令会查看wireshark:
EDIT2:这是否合法?我一直在谷歌上搜索,找不到任何例子。它违反了任何rfc标准吗?
谢谢
答案 0 :(得分:3)
是的,这是合法的(至少在最近的TLS规范中已经澄清)。
您可以在rfc5246(TLS 1.2)或rfc6101(SSL 3.0)或其他与SSL / TLS相关的rfc中查找。问题在于记录协议的初始版本和握手协议:
rfc5246:
Earlier versions of the TLS specification were not fully clear on
what the record layer version number (TLSPlaintext.version) should
contain when sending ClientHello (i.e., before it is known which
version of the protocol will be employed). Thus, TLS servers
compliant with this specification MUST accept any value {03,XX} as
the record layer version number for ClientHello.
TLS clients that wish to negotiate with older servers MAY send any
value {03,XX} as the record layer version number. Typical values
would be {03,00}, the lowest version number supported by the client,
and the value of ClientHello.client_version.
关于握手协议,客户端将协商它已实现的最高版本:
client_version: The version of the TLS protocol by which the client wishes to
communicate during this session. This SHOULD be the latest
(highest valued) version supported by the client
答案 1 :(得分:1)
我只想知道如何发送此类数据包?任何命令?
openssl s_client -connect www.myserver.com:443 -no_ssl2
应该产生类似于你提供的痕迹的东西。