Open shfshanyue opened 4 years ago
TLS 握手的详细过程可参考下图:
以上图片来自 high-performance-browser
从 wireshark 抓包,也可以看到握手的详细流程,建议抓包加强理解,以下是抓包 https://q.shanyue.tech 时的握手流程
wireshark
https://q.shanyue.tech
通过 curl -vvv --head 来查看握手信息:
curl -vvv --head
$ curl -vvv --head https://q.shanyue.tech * Trying 111.6.180.235... * TCP_NODELAY set * Connected to q.shanyue.tech (111.6.180.235) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=q.shanyue.tech * start date: Dec 2 00:00:00 2019 GMT * expire date: Dec 1 12:00:00 2020 GMT * subjectAltName: host "q.shanyue.tech" matched cert's "q.shanyue.tech" * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Encryption Everywhere DV TLS CA - G1 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7f95ba80dc00)
在 TLS 1.2 中,握手协议过程需要耗费两个 RTT,过程如下
pre master secret
master secret
Session Keys
Client MAC Key
Client Write Key
Server MAC Key
Server Write Key
注,对于()内容在面试中可以忽略不答
TLS 握手的详细过程可参考下图:
从
wireshark
抓包,也可以看到握手的详细流程,建议抓包加强理解,以下是抓包https://q.shanyue.tech
时的握手流程通过
curl -vvv --head
来查看握手信息:握手过程
在 TLS 1.2 中,握手协议过程需要耗费两个 RTT,过程如下
pre master secret
),使用密钥交换算法(一般是 ECDHE)传递给服务器端。双方根据(Client Random、Server Random、Pre Master Secret)三个随机数生成对称加密中的密钥(master secret
)。(再根据master secret
生成Session Keys
,包括Client MAC Key
、Client Write Key
、Server MAC Key
、Server Write Key
。用以以后对的通信加密。)Client Write Key
加解密,并使用Client MAC Key
进行完整性校验)pre master secret
,并根据三个随机数生成master secret
。相关链接