「HTTPS」- HTTP over Transport Layer Security

  CREATED BY JENKINSBOT

说明

TLS将所有流量包含在不同类型的“记录(record)”中。第一个字节是十六进制字节0x16=22,这意味着这是一个“握手(handshake)”记录。共有以下几种“记录”类型:

	* change_cipher_spec(20, 0x14)
	* alert(21, 0x15)
	* handshake(22, 0x16)
	* application_data(23, 0x17)
	* ~~(255)~~

括号中的值分别为十进制和十六进制的编码。

“非对称加密”算法用于在握手过程中加密生成的密码;“对称加密算法”用于对真正传输的数据进行加密;“哈希算法”用于验证数据的完整性。

客户端与服务端之间的HTTPS交互流程

命令curl --trace /tmp/trace https://k4nz.com会将请求HTTPS站点k4nz.com的追踪信息输出到/tmp/trace文件中。该文件很好地诠释了如下图示:

为了便于解释问题,对原有的输出作出如下改动:

	* 为了使流程清晰,对输出进行了段落化;
	* 限于篇幅,报文的数据部分只保留了首尾行,省略了中间部分,并对省略内容进行了说明。

交互流程如下:

== Info: Rebuilt URL to: https://k4nz.com/
== Info:   Trying 115.159.122.157...
== Info: TCP_NODELAY set
== Info: Connected to k4nz.com (115.159.122.157) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
== Info: successfully set certificate verify locations:
== Info:   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
== Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):

#1 Client Hello( Client => Server )

客户端发送Hello报文、TLS版本号:

=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 02 00                                  .....
== Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):

时间戳、随机值、会话ID、加密套件、服务器名扩展:

=> Send SSL data, 512 bytes (0x200)
0000: 01 00 01 fc 03 03 cf 2c b0 28 fc 93 93 f0 1a da .......,.(......
0010: c5 11 1f 6f 06 b1 f8 84 87 a5 64 25 79 d5 72 b2 ...o......d%y.r.
0020: 05 42 8b 4f c9 fa 00 00 8c c0 30 c0 2c c0 28 c0 .B.O......0.,.(.
0030: 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 $.............k.
0040: 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 j.i.h.9.8.7.6...
0050: 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 ......2...*.&...
0060: 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 ....=.5.../.+.'.
0070: 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 #.............g.
0080: 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 @.?.>.3.2.1.0...
0090: 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 ......E.D.C.B.1.
00a0: 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 -.).%.......<./.
00b0: 96 00 41 00 ff 01 00 01 47 00 00 00 0d 00 0b 00 ..A.....G.......
00c0: 00 08 6b 34 6e 7a 2e 63 6f 6d 00 0b 00 04 03 00 ..k4nz.com......
00d0: 01 02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b ................
00e0: 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 ................
00f0: 00 0a 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 ..... ..........
0100: 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 ................
0110: 02 01 02 02 02 03 00 0f 00 01 01 33 74 00 00 00 ...........3t...
0120: 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 2e ......h2.http/1.
0130: 31 00 15 00 cb 00 00 00 00 00 00 00 00 00 00 00 1...............
0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

#2 Server Hello( Client <= Server )

服务端的Hello报文、TLS版本号:

<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 6b                                  ....k
== Info: TLSv1.2 (IN), TLS handshake, Server hello (2):

服务器时间、随机数、会话ID、服务器选择的加密方法:

<= Recv SSL data, 107 bytes (0x6b)
0000: 02 00 00 67 03 03 0c f4 1d 2d bc 93 e5 b9 df f3 ...g.....-......
0010: 3a 24 33 1e 73 6d d7 58 5b 7d 9b e6 07 c7 cf 82 :$3.sm.X[}......
0020: 0f 30 e4 f8 fd b1 20 cb a4 6d 75 05 3c 49 fc 61 .0.... ..mu.<I.a
0030: f2 fc 80 1e 04 84 9a 82 5d 88 1a 0e 80 7a ba 64 ........]....z.d
0040: aa a2 e9 d1 20 d4 09 c0 2f 00 00 1f ff 01 00 01 .... .../.......
0050: 00 00 0b 00 04 03 00 01 02 00 0f 00 01 01 33 74 ..............3t
0060: 00 09 08 68 74 74 70 2f 31 2e 31                ...http/1.1
== Info: NPN, negotiated HTTP1.1
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 0a 4e                                  ....N
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):

服务器的证书信息:

<= Recv SSL data, 2638 bytes (0xa4e)
0000: 0b 00 0a 4a 00 0a 47 00 05 8f 30 82 05 8b 30 82 ...J..G...0...0.
# ......(省略部分数据)
0a40: 78 ca 3a 5d 15 3d 07 89 f9 57 22 58 46 61       x.:].=...W"XFa
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 01 4d                                  ....M
== Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
<= Recv SSL data, 333 bytes (0x14d)
0000: 0c 00 01 49 03 00 17 41 04 51 c7 9d 0d 4c 13 88 ...I...A.Q...L..
0010: d6 86 6f 7b 99 19 8c 73 fe 03 d8 49 50 55 52 f9 ..o{...s...IPUR.
0020: 60 68 70 50 5b b0 db 42 16 d5 23 16 89 88 e9 20 `hpP[..B..#....
0030: 6d 99 95 46 8f 55 c0 96 38 55 56 9b be d6 bf 86 m..F.U..8UV.....
0040: 9f 87 57 49 e8 d0 63 e3 a7 06 01 01 00 8a b8 9b ..WI..c.........
0050: 12 87 4c 05 c1 48 f4 86 fb f3 19 b3 79 1f 40 1a ..L..H......y.@.
0060: 6b 4e 8e 5a 6a a2 77 3a d4 7f 9e 2a 21 f3 08 dd kN.Zj.w:..*!...
0070: ed a4 c6 85 40 6d af c4 3e d5 c6 84 67 d0 a8 b6 ....@m..>...g...
0080: 10 dc 8e ec 21 ea 6d 45 48 45 95 ba ec 0c ab 9d ....!.mEHE......
0090: 8a e3 f1 25 db 1d d1 22 20 d5 0c 50 19 29 3e c7 ...%..." ..P.)>.
00a0: c8 6e 5b 29 0a 72 ba f7 c1 6e 4f b8 eb 48 28 98 .n[).r...nO..H(.
00b0: 34 7e 86 c2 2f 80 bd 67 84 3a fd 15 14 14 c5 f2 4~../..g.:......
00c0: 13 09 88 0d ba 7e 07 0b fd ec 59 60 35 58 28 e2 .....~....Y`5X(.
00d0: a7 4b 49 bd 5c 24 e5 bc df e3 53 24 b1 c8 63 e3 .KI.\$....S$..c.
00e0: cb 7a db ef 82 00 8f e6 38 98 ad 1f b2 14 5f 2e .z......8....._.
00f0: 94 7c c3 84 bf 47 17 3a fe dd 52 78 2f a7 cc 55 .|...G.:..Rx/..U
0100: 55 12 32 38 08 20 1e bd c3 5d b1 71 2f 6a 15 f7 U.28. ...].q/j..
0110: 4b 58 d5 db 26 40 a4 b3 c0 dc 08 da 31 a7 3d 14 KX..&@......1.=.
0120: 69 e9 42 53 df 05 af 84 3a a1 90 4f 85 d8 d7 f0 i.BS....:..O....
0130: 62 aa 7d 04 fc 2f e1 c6 ca 6b 69 a2 f6 32 7b 17 b.}../...ki..2{.
0140: 9d ae b4 6a 44 c7 38 da d2 25 12 0d 38          ...jD.8..%..8
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 04                                  .....
== Info: TLSv1.2 (IN), TLS handshake, Server finished (14):

服务端的Hello结束:

<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00                                     ....

#3 Client Key Exchange( Client => Server )

=> Send SSL data, 5 bytes (0x5)
0000: 16 03 03 00 46                                  ....F
== Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
=> Send SSL data, 70 bytes (0x46)
0000: 10 00 00 42 41 04 4b 39 88 7c ce 41 00 37 2a 29 ...BA.K9.|.A.7*)
0010: 23 f0 18 9e ab 75 97 53 2c 91 fb ed 44 11 6d e8 #....u.S,...D.m.
0020: 50 22 b4 5c 45 4f 7a 1c 75 d0 c4 f7 ed cc 65 7e P".\EOz.u.....e~
0030: 26 58 89 97 e1 0c d4 11 0f 04 5d 05 39 46 58 65 &X........].9FXe
0040: f4 b8 d4 39 22 6b                               ...9"k

#4 Change Cipher Spec( Client => Server )

=> Send SSL data, 5 bytes (0x5)
0000: 14 03 03 00 01                                  .....
== Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
=> Send SSL data, 1 bytes (0x1)
0000: 01                                              .
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 03 00 3c                                  ....<
== Info: TLSv1.2 (OUT), TLS handshake, Unknown (67):
=> Send SSL data, 36 bytes (0x24)
0000: 43 00 00 20 08 68 74 74 70 2f 31 2e 31 16 00 00 C.. .http/1.1...
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00                                     ....
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 03 00 28                                  ....(
== Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c a8 40 f5 02 d3 65 af f4 ca 3a e6 ee .....@...e...:..

#5 Change Cipher Spec( Client <= Server )

<= Recv SSL data, 5 bytes (0x5)
0000: 14 03 03 00 01                                  .....
== Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1)
0000: 01                                              .
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 28                                  ....(
== Info: TLSv1.2 (IN), TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 6f 31 df 33 f3 eb 21 34 b0 03 2e 8c ....o1.3..!4....
== Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
== Info: ALPN, server did not agree to a protocol
== Info: Server certificate:
== Info:  subject: CN=k4nz.com
== Info:  start date: Apr 12 00:00:00 2018 GMT
== Info:  expire date: Apr 12 12:00:00 2019 GMT
== Info:  subjectAltName: host "k4nz.com" matched cert's "k4nz.com"
== Info:  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
== Info:  SSL certificate verify ok.
=> Send SSL data, 5 bytes (0x5)
0000: 17 03 03 00 60                                  ....`

# Application Data Encrypted( Client <=> Server )

=> Send header, 72 bytes (0x48)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
# ......(省略部分HTTP数据)
26f0: 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a .</html>...0....
== Info: Curl_http_done: called premature == 0
== Info: Connection #0 to host k4nz.com left intact

注意事项

Secure HTTP(S-HTTP)并不是HTTPS,有关S-HTTP的内容参考「RFC2660」。

RFC 2818: HTTP Over TLS
RFC 5246: The Transport Layer Security Protocol 1.2
RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0

参考文献

https原理通俗了解」、「也许,这样理解HTTPS更容易
Wikipedia/HTTPS
The First Few Milliseconds of an HTTPS Connection