
The TLS handshake process

Author: 安安爸Chris | Source: published 2021-04-17 01:48, read 0 times

Reference document for the TLS handshake process: https://www.ibm.com/docs/en/ibm-mq/9.0?topic=tls-overview-ssltls-handshake

  1. The TLS client sends a client hello message that lists cryptographic information such as the TLS version and, in the client's order of preference, the CipherSuites supported by the client. The message also contains a random byte string that is used in subsequent computations. The protocol allows for the client hello to include the data compression methods supported by the client.

The TLS client sends a client hello containing cryptographic information such as the TLS version, the cipher suites the client supports, and a client random byte string, as shown in the figure below.

[Figure: client hello]

  2. The TLS server responds with a server hello message that contains the CipherSuite chosen by the server from the list provided by the client, the session ID, and another random byte string. The server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a client certificate request that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).

The TLS server responds with a server hello message containing the cipher suite chosen by the server, the session ID, and a server random byte string. The server also sends its certificate to the client. If the server requires client certificate authentication, it sends a client certificate request listing the supported certificate types and the CAs it will accept.
Client authentication is not mandatory. It adds another layer of assurance that the client is genuine and blocks some attacks by unauthorized users, but it also increases the server's resource overhead.

[Figure: server hello, certificate message and Server Hello Done message]

  3. The TLS client verifies the server's digital certificate. For more information, see How TLS provides identification, authentication, confidentiality, and integrity.

The client verifies the server's certificate.

  4. The TLS client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key.

The TLS client generates the secret key from the client's and server's information, encrypts it with the public key from the server's certificate, and sends it to the server. Subsequent communication uses this secret key for symmetric encryption.

[Figure: Client Key Exchange]

  5. If the TLS server sent a client certificate request, the client sends a random byte string encrypted with the client's private key, together with the client's digital certificate, or a no digital certificate alert. This alert is only a warning, but with some implementations the handshake fails if client authentication is mandatory.

If the server sent a client certificate request, the client sends its certificate together with a random byte string encrypted with the private key of the client's certificate; if the client has no certificate, it sends a no-certificate alert. This alert is only a warning, but some implementations that mandate client authentication will fail the TLS handshake because of it.

  6. The TLS server verifies the client's certificate. For more information, see How TLS provides identification, authentication, confidentiality, and integrity.

If a client certificate is received, the server verifies the client's certificate.

  7. The TLS client sends the server a finished message, which is encrypted with the secret key, indicating that the client part of the handshake is complete.

The TLS client sends a finished message encrypted with the secret key, indicating that the client side of the TLS handshake is complete.

  8. The TLS server sends the client a finished message, which is encrypted with the secret key, indicating that the server part of the handshake is complete.

The TLS server sends a finished message, indicating that the server side of the TLS handshake is complete.

  9. For the duration of the TLS session, the server and client can now exchange messages that are symmetrically encrypted with the shared secret key.

After the handshake completes, the server and client communicate for the rest of the session with symmetric encryption using the negotiated secret key.

[Figure: TLS handshake]
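The following is an added example, not code from the article or from the IBM documentation it quotes. It makes two of the steps above concrete for TLS 1.2: it builds and parses a ClientHello record (step 1: protocol version, client random, offered cipher suites, compression methods), and it derives the 48-byte master secret from a pre-master secret plus both hello randoms with the RFC 5246 PRF, showing that the client and the server, holding the same three inputs, compute the same shared secret (steps 4 and 9). The cipher-suite code points are real IANA values used as sample input; the random values and the pre-master secret are constructed inline, and no network or certificate is involved.

```python
"""Constructed TLS 1.2 example: ClientHello builder/parser and the RFC 5246
PRF used to turn pre-master secret + both randoms into the master secret."""
import hashlib
import hmac
import os
import struct

# Real IANA cipher-suite code points, used here only as sample input.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C


def build_client_hello(client_random: bytes, cipher_suites: list[int],
                       version: tuple[int, int] = (3, 3)) -> bytes:
    """Serialize a TLS record carrying a ClientHello without extensions."""
    if len(client_random) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes(version)                          # client_version; (3,3) is TLS 1.2
            + client_random                         # 32-byte random
            + b"\x00"                               # session_id length 0 (new session)
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # compression_methods: [null]
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record layer: content type 22 (handshake), legacy version 3.1, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse a record produced by build_client_hello back into its fields."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    client_random = body[2:34]
    sid_len = body[34]
    pos = 35 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return {"version": version, "random": client_random,
            "cipher_suites": suites, "compression": compression}


def prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", client_random + server_random)[0..47]."""
    return prf_sha256(pre_master, b"master secret", client_random + server_random, 48)


def demo() -> dict:
    """Run the two steps end to end with constructed randoms."""
    client_random = os.urandom(32)
    record = build_client_hello(client_random, [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                                TLS_RSA_WITH_AES_128_GCM_SHA256])
    hello = parse_client_hello(record)                  # what the server sees
    server_random = os.urandom(32)
    # RSA key exchange pre-master: 2 version bytes + 46 random bytes (constructed here,
    # in a real handshake it travels encrypted under the server's public key).
    pre_master = b"\x03\x03" + os.urandom(46)
    client_side = master_secret(pre_master, client_random, server_random)
    server_side = master_secret(pre_master, hello["random"], server_random)
    return {"hello": hello, "client_ms": client_side, "server_ms": server_side}


if __name__ == "__main__":
    result = demo()
    print("cipher suites offered:", [hex(s) for s in result["hello"]["cipher_suites"]])
    print("master secrets match:", result["client_ms"] == result["server_ms"])
```

Both randoms feed the PRF, so a replayed ClientKeyExchange paired with a fresh server random produces a different master secret; that is the point of step 1's "used in subsequent computations".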


Article link: https://www.haomeiwen.com/subject/pzzylltx.html