4

我的服务器配置为接受 SSLv3 和 TLS1.0 协议。但是一些客户端正在发送以下握手参数,并且在服务器打招呼之后,客户端断开连接并发送“handshare failure(40)”警报,不确定是客户端故障还是服务器故障。

这是初始的客户端问候数据包:

Secure Socket Layer
  SSLv3 Record Layer: Client Hello
  Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300) <-----------------
    Length: 103
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 78
        Version: TLS 1.0 (0x0301) <-------------
        Random
        Session ID Length: 0
        Cipher Suites Length: 18
        Cipher Suites (9 suites)

记录层是 SSL 3.0,但内部握手协议是 TLS 1.0。我的问题是,这是正确的做法,即为每一层使用不同的版本吗?如果是什么方法呢?我在任何地方都找不到它,我查看了 RFC,但找不到任何参考。另外,我怎样才能产生这样的请求?

编辑:我对故障排除和解决问题不感兴趣,我只想知道如何发送这样的数据包?有什么命令吗?我应该给这个方法起什么名字?即我可以使用 curl 或 openssl 来使用 ssl3 或 tls1 但这会在记录层和握手层发送相同的版本:

curl -v -ssl3 https://www.mywebserver.com

上面的 curl 命令将在 wireshark 上查看:

线鲨

EDIT2:这甚至合法吗?我一直在谷歌搜索,找不到任何例子。它是否违反任何 rfc 标准?

谢谢

4

2 回答 2

4

是的,这是合法的(至少在最近的 TLS 规范中已经阐明)。

您可以在rfc5246 (TLS 1.2) 或rfc6101 (SSL 3.0) 或其他有关 SSL/TLS 的 rfc 中查找此内容。问题在于记录协议的初始版本和握手协议:

RFC5246:

   Earlier versions of the TLS specification were not fully clear on
   what the record layer version number (TLSPlaintext.version) should
   contain when sending ClientHello (i.e., before it is known which
   version of the protocol will be employed).  Thus, TLS servers
   compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any
   value {03,XX} as the record layer version number.  Typical values
   would be {03,00}, the lowest version number supported by the client,
   and the value of ClientHello.client_version.

关于握手协议,客户端将协商它已经实现的最高版本:

client_version: The version of the TLS protocol by which the client wishes to
      communicate during this session.  This SHOULD be the latest
      (highest valued) version supported by the client
于 2013-09-05T16:38:02.767 回答
1

I just want to know how can I send such packets? Any command?

openssl s_client -connect www.myserver.com:443 -no_ssl2

should produce something similar to the trace you provided.

于 2012-03-12T12:12:03.927 回答