解决方案
HTTPS(Hypertext Transfer Protocol Secure,超文本传输安全协议),也常称为HTTP over TLS(Hyper Text Transfer Protocol over Transport Layer Security)或HTTP over SSL(Hyper Text Transfer Protocol over Secure Socket Layer),HTTP Secure,是以安全为目标的HTTP通道,简单讲是HTTP的安全版。HTTPS通过HTTP进行通信,并使用SSL/TLS来加密数据;
原理简述
HTTPS在HTTP的基础下加入SSL/TLS层,是使用SSL/TLS加密的HTTP协议。
/Layer_7_-_Application_Layer/HTTPS,_HTTP_over_TLS/pasted_image.png)
特性特征
HTTP协议采用明文传输信息,存在信息窃听、信息篡改和信息劫持的风险,而协议TLS具有身份验证、信息加密和完整性校验的功能,可以避免此类问题发生。
说明
TLS将所有流量包含在不同类型的“记录(record)”中。第一个字节是十六进制字节0x16=22,这意味着这是一个“握手(handshake)”记录。共有以下几种“记录”类型:
- change_cipher_spec(20, 0x14)
- alert(21, 0x15)
- handshake(22, 0x16)
- application_data(23, 0x17)
(255)
括号中的值分别为十进制和十六进制的编码。
“非对称加密”算法用于在握手过程中加密生成的密码;“对称加密算法”用于对真正传输的数据进行加密;“哈希算法”用于验证数据的完整性。
客户端与服务端之间的HTTPS交互流程
命令curl --trace /tmp/trace https://k4nz.com会将请求HTTPS站点k4nz.com的追踪信息输出到/tmp/trace文件中。该文件很好地诠释了如下图示:
/Layer_7_-_Application_Layer/HTTPS,_HTTP_over_TLS/seqdiagram.png)
为了便于解释问题,对原有的输出作出如下改动:
- 为了使流程清晰,对输出进行了段落化;
- 限于篇幅,报文的数据部分只保留了首尾行,省略了中间部分,并对省略内容进行了说明。
交互流程如下:
== Info: Rebuilt URL to: https://k4nz.com/ == Info: Trying 115.159.122.157... == Info: TCP_NODELAY set == Info: Connected to k4nz.com (115.159.122.157) port 443 (#0) == Info: ALPN, offering h2 == Info: ALPN, offering http/1.1 == Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH == Info: successfully set certificate verify locations: == Info: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs == Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
#1 Client Hello( Client => Server )
客户端发送Hello报文、TLS版本号:
=> Send SSL data, 5 bytes (0x5) 0000: 16 03 01 02 00 ..... == Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
时间戳、随机值、会话ID、加密套件、服务器名扩展:
=> Send SSL data, 512 bytes (0x200) 0000: 01 00 01 fc 03 03 cf 2c b0 28 fc 93 93 f0 1a da .......,.(...... 0010: c5 11 1f 6f 06 b1 f8 84 87 a5 64 25 79 d5 72 b2 ...o......d%y.r. 0020: 05 42 8b 4f c9 fa 00 00 8c c0 30 c0 2c c0 28 c0 .B.O......0.,.(. 0030: 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 $.............k. 0040: 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 j.i.h.9.8.7.6... 0050: 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 ......2...*.&... 0060: 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 ....=.5.../.+.'. 0070: 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 #.............g. 0080: 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 @.?.>.3.2.1.0... 0090: 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 ......E.D.C.B.1. 00a0: 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 -.).%.......<./. 00b0: 96 00 41 00 ff 01 00 01 47 00 00 00 0d 00 0b 00 ..A.....G....... 00c0: 00 08 6b 34 6e 7a 2e 63 6f 6d 00 0b 00 04 03 00 ..k4nz.com...... 00d0: 01 02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b ................ 00e0: 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 ................ 00f0: 00 0a 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 ..... .......... 0100: 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 ................ 0110: 02 01 02 02 02 03 00 0f 00 01 01 33 74 00 00 00 ...........3t... 0120: 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 2e ......h2.http/1. 0130: 31 00 15 00 cb 00 00 00 00 00 00 00 00 00 00 00 1............... 0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
#2 Server Hello( Client <= Server )
服务端的Hello报文、TLS版本号:
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 6b ....k == Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
服务器时间、随机数、会话ID、服务器选择的加密方法:
<= Recv SSL data, 107 bytes (0x6b) 0000: 02 00 00 67 03 03 0c f4 1d 2d bc 93 e5 b9 df f3 ...g.....-...... 0010: 3a 24 33 1e 73 6d d7 58 5b 7d 9b e6 07 c7 cf 82 :$3.sm.X[}...... 0020: 0f 30 e4 f8 fd b1 20 cb a4 6d 75 05 3c 49 fc 61 .0.... ..mu.<I.a 0030: f2 fc 80 1e 04 84 9a 82 5d 88 1a 0e 80 7a ba 64 ........]....z.d 0040: aa a2 e9 d1 20 d4 09 c0 2f 00 00 1f ff 01 00 01 .... .../....... 0050: 00 00 0b 00 04 03 00 01 02 00 0f 00 01 01 33 74 ..............3t 0060: 00 09 08 68 74 74 70 2f 31 2e 31 ...http/1.1 == Info: NPN, negotiated HTTP1.1 <= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 0a 4e ....N == Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
服务器的证书信息:
<= Recv SSL data, 2638 bytes (0xa4e) 0000: 0b 00 0a 4a 00 0a 47 00 05 8f 30 82 05 8b 30 82 ...J..G...0...0. # ......(省略部分数据) 0a40: 78 ca 3a 5d 15 3d 07 89 f9 57 22 58 46 61 x.:].=...W"XFa
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 01 4d ....M == Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
<= Recv SSL data, 333 bytes (0x14d)
0000: 0c 00 01 49 03 00 17 41 04 51 c7 9d 0d 4c 13 88 ...I...A.Q...L..
0010: d6 86 6f 7b 99 19 8c 73 fe 03 d8 49 50 55 52 f9 ..o{...s...IPUR.
0020: 60 68 70 50 5b b0 db 42 16 d5 23 16 89 88 e9 20 `hpP[..B..#....
0030: 6d 99 95 46 8f 55 c0 96 38 55 56 9b be d6 bf 86 m..F.U..8UV.....
0040: 9f 87 57 49 e8 d0 63 e3 a7 06 01 01 00 8a b8 9b ..WI..c.........
0050: 12 87 4c 05 c1 48 f4 86 fb f3 19 b3 79 1f 40 1a ..L..H......y.@.
0060: 6b 4e 8e 5a 6a a2 77 3a d4 7f 9e 2a 21 f3 08 dd kN.Zj.w:..*!...
0070: ed a4 c6 85 40 6d af c4 3e d5 c6 84 67 d0 a8 b6 ....@m..>...g...
0080: 10 dc 8e ec 21 ea 6d 45 48 45 95 ba ec 0c ab 9d ....!.mEHE......
0090: 8a e3 f1 25 db 1d d1 22 20 d5 0c 50 19 29 3e c7 ...%..." ..P.)>.
00a0: c8 6e 5b 29 0a 72 ba f7 c1 6e 4f b8 eb 48 28 98 .n[).r...nO..H(.
00b0: 34 7e 86 c2 2f 80 bd 67 84 3a fd 15 14 14 c5 f2 4~../..g.:......
00c0: 13 09 88 0d ba 7e 07 0b fd ec 59 60 35 58 28 e2 .....~....Y`5X(.
00d0: a7 4b 49 bd 5c 24 e5 bc df e3 53 24 b1 c8 63 e3 .KI.\$....S$..c.
00e0: cb 7a db ef 82 00 8f e6 38 98 ad 1f b2 14 5f 2e .z......8....._.
00f0: 94 7c c3 84 bf 47 17 3a fe dd 52 78 2f a7 cc 55 .|...G.:..Rx/..U
0100: 55 12 32 38 08 20 1e bd c3 5d b1 71 2f 6a 15 f7 U.28. ...].q/j..
0110: 4b 58 d5 db 26 40 a4 b3 c0 dc 08 da 31 a7 3d 14 KX..&@......1.=.
0120: 69 e9 42 53 df 05 af 84 3a a1 90 4f 85 d8 d7 f0 i.BS....:..O....
0130: 62 aa 7d 04 fc 2f e1 c6 ca 6b 69 a2 f6 32 7b 17 b.}../...ki..2{.
0140: 9d ae b4 6a 44 c7 38 da d2 25 12 0d 38 ...jD.8..%..8
<= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 04 ..... == Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
服务端的Hello结束:
<= Recv SSL data, 4 bytes (0x4) 0000: 0e 00 00 00 ....
#3 Client Key Exchange( Client => Server )
=> Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 46 ....F == Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
=> Send SSL data, 70 bytes (0x46) 0000: 10 00 00 42 41 04 4b 39 88 7c ce 41 00 37 2a 29 ...BA.K9.|.A.7*) 0010: 23 f0 18 9e ab 75 97 53 2c 91 fb ed 44 11 6d e8 #....u.S,...D.m. 0020: 50 22 b4 5c 45 4f 7a 1c 75 d0 c4 f7 ed cc 65 7e P".\EOz.u.....e~ 0030: 26 58 89 97 e1 0c d4 11 0f 04 5d 05 39 46 58 65 &X........].9FXe 0040: f4 b8 d4 39 22 6b ...9"k
#4 Change Cipher Spec( Client => Server )
=> Send SSL data, 5 bytes (0x5) 0000: 14 03 03 00 01 ..... == Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
=> Send SSL data, 1 bytes (0x1) 0000: 01 . => Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 3c ....< == Info: TLSv1.2 (OUT), TLS handshake, Unknown (67):
=> Send SSL data, 36 bytes (0x24) 0000: 43 00 00 20 08 68 74 74 70 2f 31 2e 31 16 00 00 C.. .http/1.1... 0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020: 00 00 00 00 .... => Send SSL data, 5 bytes (0x5) 0000: 16 03 03 00 28 ....( == Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 16 bytes (0x10) 0000: 14 00 00 0c a8 40 f5 02 d3 65 af f4 ca 3a e6 ee .....@...e...:..
#5 Change Cipher Spec( Client <= Server )
<= Recv SSL data, 5 bytes (0x5) 0000: 14 03 03 00 01 ..... == Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1) 0000: 01 . <= Recv SSL data, 5 bytes (0x5) 0000: 16 03 03 00 28 ....( == Info: TLSv1.2 (IN), TLS handshake, Finished (20): <= Recv SSL data, 16 bytes (0x10) 0000: 14 00 00 0c 6f 31 df 33 f3 eb 21 34 b0 03 2e 8c ....o1.3..!4....
== Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 == Info: ALPN, server did not agree to a protocol == Info: Server certificate: == Info: subject: CN=k4nz.com == Info: start date: Apr 12 00:00:00 2018 GMT == Info: expire date: Apr 12 12:00:00 2019 GMT == Info: subjectAltName: host "k4nz.com" matched cert's "k4nz.com" == Info: issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA == Info: SSL certificate verify ok.
=> Send SSL data, 5 bytes (0x5) 0000: 17 03 03 00 60 ....`
# Application Data Encrypted( Client <=> Server )
=> Send header, 72 bytes (0x48) 0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1.. # ......(省略部分HTTP数据) 26f0: 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a .</html>...0.... == Info: Curl_http_done: called premature == 0 == Info: Connection #0 to host k4nz.com left intact
注意事项
Secure HTTP(S-HTTP)并不是HTTPS,有关S-HTTP的内容参考「RFC2660」。
RFC 2818: HTTP Over TLS
RFC 5246: The Transport Layer Security Protocol 1.2
RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
参考文献
「https原理通俗了解」、「也许,这样理解HTTPS更容易」
Wikipedia/HTTPS
The First Few Milliseconds of an HTTPS Connection