基于HTTPS通信是当前互联网最通用便捷的通信方式,简单理解来看可以视为HTTP协议 + SSL/TLS协议,通过一个curl的示例阐述一下HTTPS协议。
特性:
- 信息加密传输,防止窃听风险
- 具有校验机制,防止篡改风险
- 配备身份证书,防止冒充风险
版本变更
- SSL1.0 1994年,未发布
- SSL2.0 1995年,有严重漏洞
- SSL3.0 1996年,大规模应用,有风险现在不建议
- TLS1.0 1999年(别称SSL3.1)
- TLS1.1 2006年(别称SSL3.2)
- TLS1.2 2008年,2011年修订(别称SSL3.3)
原理
公钥放在数字证书,验证证书可信,即公钥可信,采用公钥加密,服务器收到后,私钥解密,考虑到加密计算量,公钥将对话密钥加密,而其他的信息则采用对话密钥进行对称加密,尽量提升性能。
- 客户端向服务端索要并验证公钥
- 双方生成“对话密钥”
- 双方采用对话密钥加密通信
curl分析HTTPS请求时间
HTTPs耗时 = TCP握手 + SSL握手, 因为涉及到一些加密,及多了几次握手交互,可以看到的时要多于平常时间的3-5倍,当然这个和机器性能相关。
curl -w "TCP handshake: %{time_connect}, SSL handshake: %{time_appconnect}\n" -so /dev/null https://www.baidu.com
TCP handshake: 0.005, SSL handshake: 0.026
curl分析HTTPS请求过程
curl –trace 命令 可以记录请求的详情,我们就用它来了解一下https整个过程,命令如下:
curl -kv -1 --trace temp.txt 'https://www.baidu.com'
- 客户端请求ClientHello
客户端主要向服务器提供以下信息:
1. 支持的协议版本,比如TLS 1.0版。
2. 一个客户端生成的随机数,稍后用于生成”对话密钥”。
3. 支持的加密方法,比如RSA公钥加密。
4. 支持的压缩方法。
curl第一步请求如下
== Info: SSLv3, TLS handshake, Client hello (1):
<= Send SSL data, 84 bytes (0x54)
0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T.....
0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c..
0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./.....
0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................
0050: ff 02 01 00
- 服务端响应SeverHello
服务器的回应包含以下内容:
1. 确认使用的加密通信协议版本,比如TLS 1.0版本。如果浏览器与服务器支持的版本不一致,服务器关闭加密通信。
2. 一个服务器生成的随机数,稍后用于生成”对话密钥”。
3. 确认使用的加密方法,比如RSA公钥加密。
4. 服务器证书。
还有一种形式是服务端会校验客户端的证书,比如金融类一般金融机构以前网银key即包含一张客户端证书
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 81 bytes (0x51)
0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD
0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD...
0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>.
0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1
0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../.......
0050: 00 .
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 4760 bytes (0x1298)
0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0.
......省略部分内容
1290: ba c9 8e 12 7e c6 bd ff ....~...
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00 ....
== Info: SSLv3, TLS handshake, Client key exchange (16):
<= Send SSL data, 262 bytes (0x106)
0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d
0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W..
......省略部分内容
00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o
00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..-
0100: 72 4e 83 fe b1 7d rN...}
- 客户端回应
- 一个随机数。该随机数用服务器公钥加密,防止被窃听。
- 编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。
- 客户端握手结束通知,表示客户端的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供服务器校验。
三个随机数,生成会话密钥。 此外,如果前一步,服务器要求客户端证书,客户端会在这一步发送证书及相关信息。
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Send SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e.
- 服务器的最后回应
- 编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。
- 服务器握手结束通知,表示服务器的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供客户端校验。
== Info: SSLv3, TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7..
== Info: SSL connection using AES128-SHA
== Info: Server certificate:
== Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com
== Info: start date: 2017-06-29 00:00:00 GMT
== Info: expire date: 2018-08-17 23:59:59 GMT
== Info: subjectAltName: www.baidu.com matched
== Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
== Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
curl整个请求过程:
== Info: About to connect() to www.baidu.com port 443
== Info: Trying 220.181.112.244... == Info: connected
== Info: Connected to www.baidu.com (220.181.112.244) port 443
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
<= Send SSL data, 84 bytes (0x54)
0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T.....
0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c..
0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5.
0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./.....
0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................
0050: ff 02 01 00 ....
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 81 bytes (0x51)
0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD
0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD...
0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>.
0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1
0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../.......
0050: 00 .
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 4760 bytes (0x1298)
0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0.
......省略部分内容
1290: ba c9 8e 12 7e c6 bd ff ....~...
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: 0e 00 00 00 ....
== Info: SSLv3, TLS handshake, Client key exchange (16):
<= Send SSL data, 262 bytes (0x106)
0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d
0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W..
......省略部分内容
00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o
00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..-
0100: 72 4e 83 fe b1 7d rN...}
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Send SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Send SSL data, 16 bytes (0x10)
0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e.
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1)
0000: 01 .
== Info: SSLv3, TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7..
== Info: SSL connection using AES128-SHA
== Info: Server certificate:
== Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com
== Info: start date: 2017-06-29 00:00:00 GMT
== Info: expire date: 2018-08-17 23:59:59 GMT
== Info: subjectAltName: www.baidu.com matched
== Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
== Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
=> Send header, 157 bytes (0x9d)
0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c User-Agent: curl
0020: 2f 37 2e 31 35 2e 35 20 28 78 38 36 5f 36 34 2d /7.15.5 (x86_64-
0030: 72 65 64 68 61 74 2d 6c 69 6e 75 78 2d 67 6e 75 redhat-linux-gnu
0040: 29 20 6c 69 62 63 75 72 6c 2f 37 2e 31 35 2e 35 ) libcurl/7.15.5
0050: 20 4f 70 65 6e 53 53 4c 2f 30 2e 39 2e 38 62 20 OpenSSL/0.9.8b
0060: 7a 6c 69 62 2f 31 2e 32 2e 33 20 6c 69 62 69 64 zlib/1.2.3 libid
0070: 6e 2f 30 2e 36 2e 35 0d 0a 48 6f 73 74 3a 20 77 n/0.6.5..Host: w
0080: 77 77 2e 62 61 69 64 75 2e 63 6f 6d 0d 0a 41 63 ww.baidu.com..Ac
0090: 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a cept: */*....
<= Recv header, 17 bytes (0x11)
0000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010: 0a .
<= Recv header, 22 bytes (0x16)
0000: 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 Accept-Ranges: b
0010: 79 74 65 73 0d 0a ytes..
<= Recv header, 76 bytes (0x4c)
0000: 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 Cache-Control: p
0010: 72 69 76 61 74 65 2c 20 6e 6f 2d 63 61 63 68 65 rivate, no-cache
0020: 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 70 72 6f 78 , no-store, prox
0030: 79 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 6e 6f y-revalidate, no
0040: 2d 74 72 61 6e 73 66 6f 72 6d 0d 0a -transform..
<= Recv header, 24 bytes (0x18)
0000: 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 Connection: Keep
0010: 2d 41 6c 69 76 65 0d 0a -Alive..
<= Recv header, 22 bytes (0x16)
0000: 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length:
0010: 32 34 34 33 0d 0a 2443..
<= Recv header, 25 bytes (0x19)
0000: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
0010: 78 74 2f 68 74 6d 6c 0d 0a xt/html..
<= Recv header, 37 bytes (0x25)
0000: 44 61 74 65 3a 20 57 65 64 2c 20 32 30 20 44 65 Date: Wed, 20 De
0010: 63 20 32 30 31 37 20 30 32 3a 30 30 3a 35 32 20 c 2017 02:00:52
0020: 47 4d 54 0d 0a GMT..
<= Recv header, 22 bytes (0x16)
0000: 45 74 61 67 3a 20 22 35 38 38 36 30 33 65 63 2d Etag: "588603ec-
0010: 39 38 62 22 0d 0a 98b"..
<= Recv header, 46 bytes (0x2e)
0000: 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d Last-Modified: M
0010: 6f 6e 2c 20 32 33 20 4a 61 6e 20 32 30 31 37 20 on, 23 Jan 2017
0020: 31 33 3a 32 33 3a 35 36 20 47 4d 54 0d 0a 13:23:56 GMT..
<= Recv header, 18 bytes (0x12)
0000: 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 Pragma: no-cache
0010: 0d 0a ..
<= Recv header, 22 bytes (0x16)
0000: 53 65 72 76 65 72 3a 20 62 66 65 2f 31 2e 30 2e Server: bfe/1.0.
0010: 38 2e 31 38 0d 0a 8.18..
<= Recv header, 67 bytes (0x43)
0000: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 44 4f 52 Set-Cookie: BDOR
0010: 5a 3d 32 37 33 31 35 3b 20 6d 61 78 2d 61 67 65 Z=27315; max-age
0020: 3d 38 36 34 30 30 3b 20 64 6f 6d 61 69 6e 3d 2e =86400; domain=.
0030: 62 61 69 64 75 2e 63 6f 6d 3b 20 70 61 74 68 3d baidu.com; path=
0040: 2f 0d 0a /..
<= Recv data, 1040 bytes (0x410)
0000: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d <!DOCTYPE html>.
0010: 0a 3c 21 2d 2d 53 54 41 54 55 53 20 4f 4b 2d 2d .<!--STATUS OK--
0020: 3e 3c 68 74 6d 6c 3e 20 3c 68 65 61 64 3e 3c 6d ><html> <head><m
......省略部分内容
0400: 3c 69 6e 70 75 74 20 74 79 70 65 3d 73 75 62 6d <input type=subm
<= Recv data, 1 bytes (0x1)
0000: 69 i
<= Recv data, 1402 bytes (0x57a)
0000: 74 20 69 64 3d 73 75 20 76 61 6c 75 65 3d e7 99 t id=su value=..
0010: be e5 ba a6 e4 b8 80 e4 b8 8b 20 63 6c 61 73 73 .......... class
......省略部分内容
0560: 3e 20 3c 2f 64 69 76 3e 20 3c 2f 62 6f 64 79 3e > </div> </body>
0570: 20 3c 2f 68 74 6d 6c 3e 0d 0a </html>..
== Info: Connection #0 to host www.baidu.com left intact
== Info: Closing connection #0
== Info: SSLv3, TLS alert, Client hello (1):
<= Send SSL data, 2 bytes (0x2)
0000: 01 00 ..
参考:SSL/TLS协议运行机制的概述