1. 首頁
  2. 問答
  3. SNI(服務器名稱指示)可與TLS 1.2,但通過服務器上TLS 1.0

SNI(服務器名稱指示)可與TLS 1.2,但通過服務器上TLS 1.0

2017-01-23 209 views
0

拒絕下面是Wireshark的輸出:SNI(服務器名稱指示)可與TLS 1.2,但通過服務器上TLS 1.0

1)TLS V1.0,服務器引發不支持的擴展(110)警報:

TLSv1 Record Layer: Handshake Protocol: Client Hello 
     Content Type: Handshake (22) 
     Version: TLS 1.0 (0x0301) 
     Length: 78 
     Handshake Protocol: Client Hello 
      Handshake Type: Client Hello (1) 
      Length: 74 
      Version: TLS 1.0 (0x0301) 
      Random 
      Session ID Length: 0 
      Cipher Suites Length: 8 
      Cipher Suites (4 suites) 
       Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) 
       Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) 
       Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 
       Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) 
      Compression Methods Length: 1 
      Compression Methods (1 method) 
       Compression Method: null (0) 
      Extensions Length: 25 
      Extension: server_name 
       Type: server_name (0x0000) 
       Length: 21 
       Server Name Indication extension 
        Server Name list length: 19 
        Server Name Type: host_name (0) 
        Server Name length: 16 
        Server Name: www.google.co.uk 

    TLSv1 Record Layer: Handshake Protocol: Server Hello 
     Content Type: Handshake (22) 
     Version: TLS 1.0 (0x0301) 
     Length: 85 
     Handshake Protocol: Server Hello 
      Handshake Type: Server Hello (2) 
      Length: 81 
      Version: TLS 1.0 (0x0301) 
      Random 
      Session ID Length: 32 
      Session ID: 56b1b6faae75e76baecb8a5727480a2b7687315baaeceb06... 
      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 
      Compression Method: null (0) 
      Extensions Length: 9 
      Extension: renegotiation_info 
       Type: renegotiation_info (0xff01) 
       Length: 1 
       Renegotiation Info extension 
      Extension: server_name 
       Type: server_name (0x0000) 
       Length: 0 

    TLSv1 Record Layer: Handshake Protocol: Server Hello Done 
     Content Type: Handshake (22) 
     Version: TLS 1.0 (0x0301) 
     Length: 4 
     Handshake Protocol: Server Hello Done 
      Handshake Type: Server Hello Done (14) 
      Length: 0 

TLSv1 Record Layer: Alert (Level: Fatal, Description: Unsupported Extension) 
    Content Type: Alert (21) 
    Version: TLS 1.0 (0x0301) 
    Length: 2 
    Alert Message 
     Level: Fatal (2) 
     Description: Unsupported Extension (110)

2)TLS 1.2版工作正常,符合市場預期:

TLSv1.2 Record Layer: Handshake Protocol: Client Hello 
    Content Type: Handshake (22) 
    Version: TLS 1.2 (0x0303) 
    Length: 78 
    Handshake Protocol: Client Hello 
     Handshake Type: Client Hello (1) 
     Length: 74 
     Version: TLS 1.2 (0x0303) 
     Random 
     Session ID Length: 0 
     Cipher Suites Length: 8 
     Cipher Suites (4 suites) 
      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) 
      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) 
      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 
      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) 
     Compression Methods Length: 1 
     Compression Methods (1 method) 
      Compression Method: null (0) 
     Extensions Length: 25 
     Extension: server_name 
      Type: server_name (0x0000) 
      Length: 21 
      Server Name Indication extension 
       Server Name list length: 19 
       Server Name Type: host_name (0) 
       Server Name length: 16 
       Server Name: www.google.co.uk 

TLSv1.2 Record Layer: Handshake Protocol: Server Hello 
    Content Type: Handshake (22) 
    Version: TLS 1.2 (0x0303) 
    Length: 85 
    Handshake Protocol: Server Hello 
     Handshake Type: Server Hello (2) 
     Length: 81 
     Version: TLS 1.2 (0x0303) 
     Random 
     Session ID Length: 32 
     Session ID: c702788e7eaea1da30876968caedd785819c304da7e08bde... 
     Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 
     Compression Method: null (0) 
     Extensions Length: 9 
     Extension: renegotiation_info 
      Type: renegotiation_info (0xff01) 
      Length: 1 
      Renegotiation Info extension 
     Extension: server_name 
      Type: server_name (0x0000) 
      Length: 0 

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done 
    Content Type: Handshake (22) 
    Version: TLS 1.2 (0x0303) 
    Length: 4 
    Handshake Protocol: Server Hello Done 
     Handshake Type: Server Hello Done (14) 
     Length: 0 

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange 
    Content Type: Handshake (22) 
    Version: TLS 1.2 (0x0303) 
    Length: 262 
    Handshake Protocol: Client Key Exchange 
     Handshake Type: Client Key Exchange (16) 
     Length: 258 
     RSA Encrypted PreMaster Secret

然後前進到成功完成握手。

我知道SNI是比TLS v.1.0 RFC更早推出的,但是從我讀到的內容來看,它不應該阻止SNI從v1.0開始工作?

[之前有人建議只更新到TLS v1.2 - 會很樂意做到這一點,但受到舊客戶端atm空間/內存的限制。 作爲參考,這是在Windows CE上運行的.NET Compact Framework客戶端。]

來源

2017-01-23 enkod

+1

您確定警報是由服務器而不是客戶端生成的嗎?在服務器問候完成之後以及來自客戶端的任何新消息之前發送此類警報將非常不尋常。除此之外,使用SNI,TLS 1.0和與OpenSSL相同的密碼訪問google.co.uk時,我沒有任何問題。 –

+0

@SteffenUllrich是的OpenSSL工作正常。我會修改TLS客戶端代碼,謝謝你的提示。 這是BouncyCastle的C#端口,BTW – enkod

回答

0

原來是[更舊的] BouncyCastle C#端口中的一個錯誤,在最新的BC版本中修復。 Steffen Ullrich的榮譽

來源

2017-01-24 15:06:02 enkod

+0

這解決了嗎?如果是這樣,請勾選複選標記將其標記爲綠色。 –

相關問題

 相關問題