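HTTPS is the most common and convenient way to communicate on the Internet today. Put simply, it can be viewed as the HTTP protocol plus the SSL/TLS protocol. This post walks through the HTTPS protocol using a curl example.

Features:
- Data is transmitted encrypted, which guards against eavesdropping
- An integrity check mechanism guards against tampering
- Identity certificates guard against impersonation

Version history
- SSL 1.0: 1994, never released
- SSL 2.0: 1995, had serious vulnerabilities
- SSL 3.0: 1996, widely deployed; it has known risks and is no longer recommended
- TLS 1.0: 1999 (also known as SSL 3.1)
- TLS 1.1: 2006 (also known as SSL 3.2)
- TLS 1.2: 2008, revised in 2011 (also known as SSL 3.3)

How it works
The public key is carried in a digital certificate; once the certificate is verified as trusted, the public key is trusted too. The client encrypts with the public key and the server decrypts with its private key. Because public-key encryption is computationally expensive, the public key is used only to encrypt the session key, and all other data is encrypted symmetrically with the session key to keep performance as high as possible.
- The client requests the server's public key and verifies it
- Both sides generate the "session key"
- Both sides communicate using the session key for encryption

Analyzing HTTPS request time with curl
HTTPS connection time = TCP handshake + SSL handshake. Because of the encryption involved and the extra handshake round trips, the time observed is 3-5 times more than usual, although this depends on machine performance. Note that curl measures time_appconnect from the start of the request, so the value printed for the SSL handshake already includes time_connect.
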
curl -w "TCP handshake: %{time_connect}, SSL handshake: %{time_appconnect}\n" -so /dev/null https://www.baidu.com
TCP handshake: 0.005, SSL handshake: 0.026
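
Analyzing the HTTPS request process with curl
The curl --trace option records the details of a request, so we use it to follow the whole HTTPS exchange. The commands are:

curl -kv -1 --trace temp.txt 'https://www.baidu.com'   # skip SSL certificate verification
curl -v -1 --trace temp.txt 'https://www.baidu.com'    # do not skip SSL certificate verification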
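
- Client request: ClientHello
The client mainly provides the server with the following information:
1. The protocol versions it supports, e.g. TLS 1.0.
2. A random number generated by the client, used later to generate the "session key".
3. The encryption methods it supports, e.g. RSA public-key encryption.
4. The compression methods it supports.
The first step of the curl request looks like this:
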
== Info: SSLv3, TLS handshake, Client hello (1):
<= Send SSL data, 84 bytes (0x54)
0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T.....
0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c..
0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./.....
0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................
0050: ff 02 01 00
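
- Server response: ServerHello
The server's response contains the following:
1. Confirmation of the protocol version to use, e.g. TLS 1.0. If the versions supported by the browser and the server do not match, the server closes the encrypted connection.
2. A random number generated by the server, used later to generate the "session key".
3. Confirmation of the encryption method to use, e.g. RSA public-key encryption.
4. The server certificate.
In another variant the server also verifies the client's certificate; for example, the online-banking USB keys that financial institutions used to issue contain a client certificate.
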
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 81 bytes (0x51)
0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD
0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD...
0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>.
0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1
0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../.......
0050: 00 .
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 4760 bytes (0x1298)
0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0.
...... (part of the output omitted)
1290: ba c9 8e 12 7e c6 bd ff ....~...
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00 ....
== Info: SSLv3, TLS handshake, Client key exchange (16):
<= Send SSL data, 262 bytes (0x106)
0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d
0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W..
...... (part of the output omitted)
00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o
00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..-
0100: 72 4e 83 fe b1 7d rN...}
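
- Client reply
- A random number. It is encrypted with the server's public key to prevent eavesdropping.
- A change-cipher notification, indicating that all subsequent messages will be sent using the encryption method and key the two sides agreed on.
- A client handshake-finished notification, indicating that the client's handshake phase is over. This item is also a hash of everything sent so far, which the server uses for verification.
The three random numbers are used to generate the session key. In addition, if the server requested a client certificate in the previous step, the client sends its certificate and related information in this step.
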
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Send SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e.
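
- The server's final response
- A change-cipher notification, indicating that all subsequent messages will be sent using the encryption method and key the two sides agreed on.
- A server handshake-finished notification, indicating that the server's handshake phase is over. This item is also a hash of everything sent so far, which the client uses for verification.
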
== Info: SSLv3, TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7..
== Info: SSL connection using AES128-SHA
== Info: Server certificate:
== Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com
== Info: start date: 2017-06-29 00:00:00 GMT
== Info: expire date: 2018-08-17 23:59:59 GMT
== Info: subjectAltName: www.baidu.com matched
== Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
== Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
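
The ClientHello and ServerHello fields listed in the steps above can be read directly out of the traced bytes. The following Python parser is an added example, not part of the original post: it decodes the two hello messages copied from this page's trace, and names such as `parse_hello`, `audit` and `EXPORT_SUITES` are this example's own (the export-suite set is a subset chosen to cover this trace).

```python
import struct

# Handshake messages copied from the curl --trace output on this page.
CLIENT_HELLO = bytes.fromhex(
    "01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f"
    "0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b"
    "3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00"
    "16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00"
    "15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00"
    "ff 02 01 00")
SERVER_HELLO = bytes.fromhex(
    "02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44"
    "19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19"
    "88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb"
    "b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31"
    "ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01"
    "00")
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x0011, 0x0014}  # 40-bit export-grade IDs (subset)

def parse_hello(msg):
    """Parse one ClientHello (type 1) or ServerHello (type 2) handshake message."""
    if len(msg) < 39 or msg[0] not in (1, 2) or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a complete ClientHello/ServerHello")
    sid_len = msg[38]
    pos = 39 + sid_len                       # first byte after the session ID
    if msg[0] == 1:                          # client: list of suites, list of compressions
        n = struct.unpack_from(">H", msg, pos)[0]
        suites = list(struct.unpack_from(">%dH" % (n // 2), msg, pos + 2))
        comp = list(msg[pos + 3 + n: pos + 3 + n + msg[pos + 2 + n]])
    else:                                    # server: the single suite and compression it chose
        suites, comp = [struct.unpack_from(">H", msg, pos)[0]], [msg[pos + 2]]
    return {"type": "ClientHello" if msg[0] == 1 else "ServerHello",
            "version": VERSIONS.get(int.from_bytes(msg[4:6], "big"), "unknown"),
            "unix_time": int.from_bytes(msg[6:10], "big"),  # first 4 bytes of the random
            "random": msg[6:38].hex(), "session_id": msg[39:pos].hex(),
            "suites": suites, "compression": comp}

def audit(client, server):
    """Defender's view of the negotiation: what was offered versus what was chosen."""
    return {"chosen_was_offered": server["suites"][0] in client["suites"],
            "export_suites_offered": sorted(EXPORT_SUITES & set(client["suites"])),
            "compression_offered": any(c != 0 for c in client["compression"]),
            "compression_used": server["compression"][0] != 0}

if __name__ == "__main__":
    ch, sh = parse_hello(CLIENT_HELLO), parse_hello(SERVER_HELLO)
    print(ch["version"], [hex(s) for s in ch["suites"]], ch["compression"])
    print(sh["version"], hex(sh["suites"][0]), audit(ch, sh))
```

On this trace the server selects suite 0x002f, which curl reports as AES128-SHA, and the first four bytes of the client random decode to the same second as the response's Date header. The old OpenSSL client also offers export-grade suites and DEFLATE compression, which the server does not choose.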

The complete curl request trace:

== Info: About to connect() to www.baidu.com port 443
== Info: Trying 220.181.112.244... == Info: connected
== Info: Connected to www.baidu.com (220.181.112.244) port 443
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
<= Send SSL data, 84 bytes (0x54)
0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T.....
0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c..
0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./.....
0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................
0050: ff 02 01 00 ....
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 81 bytes (0x51)
0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD
0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD...
0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>.
0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1
0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../.......
0050: 00 .
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 4760 bytes (0x1298)
0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0.
...... (part of the output omitted)
1290: ba c9 8e 12 7e c6 bd ff ....~...
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00 ....
== Info: SSLv3, TLS handshake, Client key exchange (16):
<= Send SSL data, 262 bytes (0x106)
0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d
0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W..
...... (part of the output omitted)
00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o
00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..-
0100: 72 4e 83 fe b1 7d rN...}
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Send SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e.
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7..
== Info: SSL connection using AES128-SHA
== Info: Server certificate:
== Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com
== Info: start date: 2017-06-29 00:00:00 GMT
== Info: expire date: 2018-08-17 23:59:59 GMT
== Info: subjectAltName: www.baidu.com matched
== Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
== Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
=> Send header, 157 bytes (0x9d)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c User-Agent: curl
0020: 2f 37 2e 31 35 2e 35 20 28 78 38 36 5f 36 34 2d /7.15.5 (x86_64-
0030: 72 65 64 68 61 74 2d 6c 69 6e 75 78 2d 67 6e 75 redhat-linux-gnu
0040: 29 20 6c 69 62 63 75 72 6c 2f 37 2e 31 35 2e 35 ) libcurl/7.15.5
0050: 20 4f 70 65 6e 53 53 4c 2f 30 2e 39 2e 38 62 20 OpenSSL/0.9.8b
0060: 7a 6c 69 62 2f 31 2e 32 2e 33 20 6c 69 62 69 64 zlib/1.2.3 libid
0070: 6e 2f 30 2e 36 2e 35 0d 0a 48 6f 73 74 3a 20 77 n/0.6.5..Host: w
0080: 77 77 2e 62 61 69 64 75 2e 63 6f 6d 0d 0a 41 63 ww.baidu.com..Ac
0090: 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a cept: */*....
<= Recv header, 17 bytes (0x11)
0000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010: 0a .
<= Recv header, 22 bytes (0x16)
0000: 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 Accept-Ranges: b
0010: 79 74 65 73 0d 0a ytes..
<= Recv header, 76 bytes (0x4c)
0000: 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 Cache-Control: p
0010: 72 69 76 61 74 65 2c 20 6e 6f 2d 63 61 63 68 65 rivate, no-cache
0020: 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 70 72 6f 78 , no-store, prox
0030: 79 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 6e 6f y-revalidate, no
0040: 2d 74 72 61 6e 73 66 6f 72 6d 0d 0a -transform..
<= Recv header, 24 bytes (0x18)
0000: 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 Connection: Keep
0010: 2d 41 6c 69 76 65 0d 0a -Alive..
<= Recv header, 22 bytes (0x16)
0000: 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length:
0010: 32 34 34 33 0d 0a 2443..
<= Recv header, 25 bytes (0x19)
0000: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
0010: 78 74 2f 68 74 6d 6c 0d 0a xt/html..
<= Recv header, 37 bytes (0x25)
0000: 44 61 74 65 3a 20 57 65 64 2c 20 32 30 20 44 65 Date: Wed, 20 De
0010: 63 20 32 30 31 37 20 30 32 3a 30 30 3a 35 32 20 c 2017 02:00:52
0020: 47 4d 54 0d 0a GMT..
<= Recv header, 22 bytes (0x16)
0000: 45 74 61 67 3a 20 22 35 38 38 36 30 33 65 63 2d Etag: "588603ec-
0010: 39 38 62 22 0d 0a 98b"..
<= Recv header, 46 bytes (0x2e)
0000: 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d Last-Modified: M
0010: 6f 6e 2c 20 32 33 20 4a 61 6e 20 32 30 31 37 20 on, 23 Jan 2017
0020: 31 33 3a 32 33 3a 35 36 20 47 4d 54 0d 0a 13:23:56 GMT..
<= Recv header, 18 bytes (0x12)
0000: 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 Pragma: no-cache
0010: 0d 0a ..
<= Recv header, 22 bytes (0x16)
0000: 53 65 72 76 65 72 3a 20 62 66 65 2f 31 2e 30 2e Server: bfe/1.0.
0010: 38 2e 31 38 0d 0a 8.18..
<= Recv header, 67 bytes (0x43)
0000: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 44 4f 52 Set-Cookie: BDOR
0010: 5a 3d 32 37 33 31 35 3b 20 6d 61 78 2d 61 67 65 Z=27315; max-age
0020: 3d 38 36 34 30 30 3b 20 64 6f 6d 61 69 6e 3d 2e =86400; domain=.
0030: 62 61 69 64 75 2e 63 6f 6d 3b 20 70 61 74 68 3d baidu.com; path=
0040: 2f 0d 0a /..
<= Recv data, 1040 bytes (0x410)
0000: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d <!DOCTYPE html>.
0010: 0a 3c 21 2d 2d 53 54 41 54 55 53 20 4f 4b 2d 2d .<!--STATUS OK--
0020: 3e 3c 68 74 6d 6c 3e 20 3c 68 65 61 64 3e 3c 6d ><html> <head><m
...... (part of the output omitted)
0400: 3c 69 6e 70 75 74 20 74 79 70 65 3d 73 75 62 6d <input type=subm
<= Recv data, 1 bytes (0x1)
0000: 69 i
<= Recv data, 1402 bytes (0x57a)
0000: 74 20 69 64 3d 73 75 20 76 61 6c 75 65 3d e7 99 t id=su value=..
0010: be e5 ba a6 e4 b8 80 e4 b8 8b 20 63 6c 61 73 73 .......... class
...... (part of the output omitted)
0560: 3e 20 3c 2f 64 69 76 3e 20 3c 2f 62 6f 64 79 3e > </div> </body>
0570: 20 3c 2f 68 74 6d 6c 3e 0d 0a </html>..
== Info: Connection #0 to host www.baidu.com left intact
== Info: Closing connection #0
== Info: SSLv3, TLS alert, Client hello (1):
<= Send SSL data, 2 bytes (0x2)
0000: 01 00 ..