search

jntass / TASSL

此仓库已停止维护,请移步https://github.com/jntass/TASSL-1.1.1
http://www.tass.com.cn
Other
291 stars 106 forks source link

怀疑问题:Client Hello extension #39

Closed liclicli closed 2 years ago

liclicli commented 6 years ago

使用TASSL的s_client时 ./openssl s_client -connect 127.0.0.1:8443 -msg -debug -cntls 发出的client_hello为

>>> TLS 1.1 Handshake [length 00ca], ClientHello
    01 00 00 c6 01 01 6a 6a 89 cb 10 5d 12 e2 04 c7
    db db d4 74 05 8d d8 ec d6 00 94 fd 0e 11 a1 e7
    5f aa 31 47 18 25 00 00 6a c0 14 c0 0a 00 39 00
    38 00 37 00 36 00 88 00 87 00 86 00 85 00 81 00
    80 c0 0f c0 05 00 35 00 84 c0 13 c0 09 00 33 00
    32 00 31 00 30 e0 13 00 9a 00 99 00 98 00 97 00
    45 00 44 00 43 00 42 c0 0e c0 04 00 2f 00 96 00
    41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 c0
    12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00
    0a 00 ff 01 00 00 33 00 0b 00 04 03 00 01 02 00
    0a 00 1e 00 1c 00 1d 00 17 00 19 00 1c 00 1b 00
    18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00
    0a 00 23 00 00 00 0f 00 01 01

扩展为

    00 33   //length
    00 0b 00 04 // type 11
        03 00 01 02 

    00 0a 00 1e //type 10
    00 1c 00 1d 00 17 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00 0a

    00 23 00 00 
    00 0f 00 01
        01

0a扩展根据rfc4492实际限定了客户端使用的ECC曲线;如果携带该扩展理论上服务端是不能使用指定曲线外的曲线的,从而无法使用SM2完成握手。 是否考虑应在使用国密协议时禁止该扩展? @jntass

jntass commented 6 years ago

嗯,一是可以考录禁止该扩展, 二是考虑增加上sm2曲线的标识到该扩展字段中。目前应该是没有做这方面的处理。