devbox
从前慢现在也慢
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

gmssl使用双证书双向认证的gmtl协议报错crypto/sm2/sm2_sign.c 510: sm2_do_verifySSL3 alert write:fatal:decrypt error_error:1417b07b:ssl routines:tls_process_cert_verif

作者:从前慢现在也慢 | 2024-04-05 03:50:01

error:1417b07b:ssl routines:tls_process_cert_verify:bad signature

报错内容

  1. crypto/sm2/sm2_sign.c 510: sm2_do_verify
  2. SSL3 alert write:fatal:decrypt error
  3. SSL_accept:error in error
  4. ERROR
  5. 140655864152064:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_srvr.c:2941:

相关内容

  • 版本:GmSSL 2.5.4 - OpenSSL 1.1.0d  19 Jun 2019 
  • 工作路径:/home/chy-cpabe/GMSSL_certificate/sm2Certs 
  • 证书:根据江南天安的自动化脚本生成的根证书、服务端和客户端的私钥、签名和加密证书,共9个文件

服务端

  • 执行命令
  • gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem  -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
  • -gmtls    协议类型
  • -accept  监听端口
  • -key       签名私钥
  • -cert       签名证书
  • -dkey      加密私钥
  • -dcert      加密证书
  • -CAfile    CA证书路径
  • -state     状态信息
  • -verify     开启国密双证书双向认证
  • 1             验证深度,分析源码可知,这个数只是接收并输出,并无关键性影响
  1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem  -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
  2. verify depth is 1
  3. Using default temp DH parameters
  4. [GMTLS_DEBUG] set sm2 signing certificate
  5. [GMTLS_DEBUG] set sm2 signing private key
  6. [GMTLS_DEBUG] set sm2 encryption certificate
  7. [GMTLS_DEBUG] set sm2 decryption private key
  8. ACCEPT
  9. SSL_accept:before SSL initialization
  10. SSL_accept:before SSL initialization
  11. SSL_accept:SSLv3/TLS read client hello
  12. SSL_accept:SSLv3/TLS write server hello
  13. SSL_accept:SSLv3/TLS write certificate
  14. SSL_accept:SSLv3/TLS write key exchange
  15. SSL_accept:SSLv3/TLS write certificate request
  16. SSL_accept:SSLv3/TLS write server done
  17. SSL_accept:SSLv3/TLS write server done
  18. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
  19. verify return:1
  20. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
  21. verify return:1
  22. SSL_accept:SSLv3/TLS read client certificate
  23. ssl_get_algorithm2=fe8b700008x
  24. SSL_accept:SSLv3/TLS read client key exchange
  25. crypto/sm2/sm2_sign.c 510: sm2_do_verify
  26. SSL3 alert write:fatal:decrypt error
  27. SSL_accept:error in error
  28. ERROR
  29. 140655864152064:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_srvr.c:2941:
  30. shutting down SSL
  31. CONNECTION CLOSED
  32. ACCEPT

客户端

  • gmssl s_client -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -gmtls -showcerts
  • -connect   对应服务端的IP地址
  • :44330      端口号
  • -showcerts 打印证书信息
  1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_client -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -gmtls -showcerts
  2. [GMTLS_DEBUG] set sm2 signing certificate
  3. [GMTLS_DEBUG] set sm2 signing private key
  4. [GMTLS_DEBUG] set sm2 encryption certificate
  5. [GMTLS_DEBUG] set sm2 decryption private key
  6. CONNECTED(00000003)
  7. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
  8. verify return:1
  9. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
  10. verify return:1
  11. Z=BCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
  12. C=00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
  13. ssl_get_algorithm2=e678500008x
  14. 140024100052992:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1385:SSL alert number 51
  15. ---
  16. Certificate chain
  17.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
  18.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  19. -----BEGIN CERTIFICATE-----
  20. MIICGjCCAcGgAwIBAgIJAIVjx+dwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  21. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  22. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  23. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
  24. MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  25. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  26. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
  27. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
  28. CL/AJrCsHa+6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
  29. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
  30. uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
  31. 3H+xKEb8r8JsEEStwaU=
  32. -----END CERTIFICATE-----
  33.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
  34.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  35. -----BEGIN CERTIFICATE-----
  36. MIICGjCCAcCgAwIBAgIJAIVjx+dwZIdlMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  37. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  38. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  39. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
  40. MjkxMDE4MjZaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  41. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  42. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQc2VydmVyIGVuYyAoU00y
  43. KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABLmZhTMC8CzFIsxMyihwGehrkB/C
  44. TjzPmmG5O7F3sows6OI8XFIt9zwj96w2/2iMsuaFo/pHcBA/fJnvwy0GwR+jGjAY
  45. MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0gAMEUCIQDsQ2j0
  46. AIcL7UQYF69NNZvcYant/d7lSrDBhQhLRQxGuQIgbgw6CLxYRZAEbchWA81OilH5
  47. fZZpsayj4qNie+YdSaI=
  48. -----END CERTIFICATE-----
  49.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  50.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  51. -----BEGIN CERTIFICATE-----
  52. MIICWjCCAgCgAwIBAgIJAP5W2mLaOWq5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  53. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  54. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  55. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
  56. MjkxMDE4MjVaMIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  57. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  58. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTBZ
  59. MBMGByqGSM49AgEGCCqBHM9VAYItA0IABArjN7ag+H8D12eqXJpMeTOR9m3sB2RC
  60. ojH7fZPB77SDfHZb9g1lcqUhrug0nw2F8wBMsLfjvsK3wQn/ryi3YvSjXTBbMB0G
  61. A1UdDgQWBBRCcBGiEpd09qSpUlkiGkZ+q+CFbDAfBgNVHSMEGDAWgBRCcBGiEpd0
  62. 9qSpUlkiGkZ+q+CFbDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzP
  63. VQGDdQNIADBFAiBjdylWVsUoTRcHu9DoMHv4lgtYJMf2xHAGLoJUjmbizAIhAOFD
  64. i3EmFVUgGVdgbnztFZcBLxtBzIAh/Q4Q3dm3/MFu
  65. -----END CERTIFICATE-----
  66. ---
  67. Server certificate
  68. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
  69. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  70. ---
  71. Acceptable client certificate CA names
  72. /C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  73. Client Certificate Types: RSA sign, DSA sign
  74. ---
  75. SSL handshake has read 2036 bytes and written 2116 bytes
  76. Verification: OK
  77. ---
  78. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
  79. Server public key is 256 bit
  80. Secure Renegotiation IS NOT supported
  81. Compression: NONE
  82. Expansion: NONE
  83. No ALPN negotiated
  84. SSL-Session:
  85.     Protocol  : GMTLSv1.1
  86.     Cipher    : SM2-WITH-SMS4-SM3
  87.     Session-ID: E16755CE6A883D7046C7B0F3B8A01868FBD2E5B758CF014F137C5FE3249A741E
  88.     Session-ID-ctx: 
  89.     Master-Key: 7AED44218C8CD96DA572A25767CAAB92CFCF34AFA61D08CA5FB9899134568788CAF38F31BE32C6ECB777A2A96597376B
  90.     PSK identity: None
  91.     PSK identity hint: None
  92.     SRP username: None
  93.     Start Time: 1663992362
  94.     Timeout   : 7200 (sec)
  95.     Verify return code: 0 (ok)
  96.     Extended master secret: no
  97. ---

 报错原因

  • tls_construct_client_verify方法中,pkey = s->cert->key->privatekey,而在使用SM2双证时s->cert->key不指向&s->cert->pkeys[SSL_PKEY_SM2]而是指向&s->cert->pkeys[SSL_PKEY_SM2_ENC],导致签名密钥与服务端验签时使用的公钥不匹配
  • 追查源代码 :
  •     [-] GmSSL-master\ssl\statem\statem_clnt.c  的  tls_construct_client_verify 函数

解决措施

  • 在 tls_construct_client_verify 的 p = ssl_handshake_start(s); 和 pkey = s->cert->key->privatekey; 之间 添加如下代码
  1. /* 这是新添加的 */
  2. #ifndef OPENSSL_NO_GMTLS
  3. if (SSL_IS_GMTLS(s) && s->cert->pkeys[SSL_PKEY_SM2].privatekey)
  4. pkey = s->cert->pkeys[SSL_PKEY_SM2].privatekey;
  5. else
  6. #endif
  7. /* 新添加的结束 */
  • 最后的结构(代码不全) 
  1. int tls_construct_client_verify(SSL *s)
  2. {
  3.     unsigned char *p;
  4.     EVP_PKEY *pkey;
  5.     const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
  6.     EVP_MD_CTX *mctx;
  7.     unsigned u = 0;
  8.     unsigned long n = 0;
  9.     long hdatalen = 0;
  10.     void *hdata;
  11.     mctx = EVP_MD_CTX_new();
  12.  
  13.     if (mctx == NULL) {
  14.         SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
  15.         goto err;
  16.     }
  17.  
  18.     p = ssl_handshake_start(s);
  19.  
  20. /* 这是新添加的 */
  21. #ifndef OPENSSL_NO_GMTLS
  22. if (SSL_IS_GMTLS(s) && s->cert->pkeys[SSL_PKEY_SM2].privatekey)
  23. pkey = s->cert->pkeys[SSL_PKEY_SM2].privatekey;
  24. else
  25. #endif
  26. /* 新添加的结束 */
  27.  
  28.     pkey = s->cert->key->privatekey;

成果演示

服务端

  • gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem  -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
  1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem  -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
  2. verify depth is 1
  3. Using default temp DH parameters
  4. [GMTLS_DEBUG] set sm2 signing certificate
  5. [GMTLS_DEBUG] set sm2 signing private key
  6. [GMTLS_DEBUG] set sm2 encryption certificate
  7. [GMTLS_DEBUG] set sm2 decryption private key
  8. ACCEPT
  9. SSL_accept:before SSL initialization
  10. SSL_accept:before SSL initialization
  11. SSL_accept:SSLv3/TLS read client hello
  12. SSL_accept:SSLv3/TLS write server hello
  13. SSL_accept:SSLv3/TLS write certificate
  14. SSL_accept:SSLv3/TLS write key exchange
  15. SSL_accept:SSLv3/TLS write certificate request
  16. SSL_accept:SSLv3/TLS write server done
  17. SSL_accept:SSLv3/TLS write server done
  18. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
  19. verify return:1
  20. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
  21. verify return:1
  22. SSL_accept:SSLv3/TLS read client certificate
  23. ssl_get_algorithm2=10f9400008x
  24. SSL_accept:SSLv3/TLS read client key exchange
  25. SSL_accept:SSLv3/TLS read certificate verify
  26. SSL_accept:SSLv3/TLS read change cipher spec
  27. SSL_accept:SSLv3/TLS read finished
  28. SSL_accept:SSLv3/TLS write change cipher spec
  29. SSL_accept:SSLv3/TLS write finished
  30. -----BEGIN SSL SESSION PARAMETERS-----
  31. MIICmAIBAQICAQEEAuATBCD1YV5LF0CkDevOy4+6Laja+3JuUVSLZpvi/JIHfGqA
  32. 9wQwwEeDRT3secQJVmyLk0s0nRpcCCPKz18bH8LBH5UwfAKlWM8EDIhSzL4L5Mie
  33. mf4CoQYCBGMuiwiiBAICHCCjggIfMIICGzCCAcGgAwIBAgIJAIVjx+dwZIdmMAoG
  34. CCqBHM9VAYN1MIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  35. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  36. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAe
  37. Fw0yMDA2MjAxMDE4MjZaFw0yNDA3MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjEL
  38. MAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcg
  39. Sk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgG
  40. A1UEAwwRY2xpZW50IHNpZ24gKFNNMikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNC
  41. AARV/eII1n2NVqYjwt9r9A5Eh6Z0iG+WUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCr
  42. ZEhU6yuntNtaW+pexPblqXAroxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAK
  43. BggqgRzPVQGDdQNIADBFAiEAiX+PoCNW/n9SDbv6/o+NyCCV/7kBgunc7w5b7xGm
  44. 4RICIBMDlLjPZE2ACYhu1Wjqph23PfMPMgae4+Gtd7wzFz2UpAYEBAEAAAA=
  45. -----END SSL SESSION PARAMETERS-----
  46. Client certificate
  47. -----BEGIN CERTIFICATE-----
  48. MIICGzCCAcGgAwIBAgIJAIVjx+dwZIdmMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  49. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  50. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  51. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
  52. MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  53. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  54. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRY2xpZW50IHNpZ24gKFNN
  55. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAARV/eII1n2NVqYjwt9r9A5Eh6Z0
  56. iG+WUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCrZEhU6yuntNtaW+pexPblqXAroxow
  57. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEAiX+P
  58. oCNW/n9SDbv6/o+NyCCV/7kBgunc7w5b7xGm4RICIBMDlLjPZE2ACYhu1Wjqph23
  59. PfMPMgae4+Gtd7wzFz2U
  60. -----END CERTIFICATE-----
  61. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=client sign (SM2)
  62. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  63. Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
  64. CIPHER is SM2-WITH-SMS4-SM3
  65. Secure Renegotiation IS supported

客户端

  • gmssl s_client -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -gmtls -showcerts
  1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_client -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -gmtls -showcerts
  2. [GMTLS_DEBUG] set sm2 signing certificate
  3. [GMTLS_DEBUG] set sm2 signing private key
  4. [GMTLS_DEBUG] set sm2 encryption certificate
  5. [GMTLS_DEBUG] set sm2 decryption private key
  6. CONNECTED(00000003)
  7. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
  8. verify return:1
  9. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
  10. verify return:1
  11. Z=BCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
  12. C=00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
  13. ssl_get_algorithm2=8193900008x
  14. ---
  15. Certificate chain
  16.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
  17.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  18. -----BEGIN CERTIFICATE-----
  19. MIICGjCCAcGgAwIBAgIJAIVjx+dwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  20. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  21. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  22. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
  23. MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  24. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  25. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
  26. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
  27. CL/AJrCsHa+6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
  28. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
  29. uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
  30. 3H+xKEb8r8JsEEStwaU=
  31. -----END CERTIFICATE-----
  32.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
  33.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  34. -----BEGIN CERTIFICATE-----
  35. MIICGjCCAcCgAwIBAgIJAIVjx+dwZIdlMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  36. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  37. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  38. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
  39. MjkxMDE4MjZaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  40. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  41. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQc2VydmVyIGVuYyAoU00y
  42. KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABLmZhTMC8CzFIsxMyihwGehrkB/C
  43. TjzPmmG5O7F3sows6OI8XFIt9zwj96w2/2iMsuaFo/pHcBA/fJnvwy0GwR+jGjAY
  44. MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0gAMEUCIQDsQ2j0
  45. AIcL7UQYF69NNZvcYant/d7lSrDBhQhLRQxGuQIgbgw6CLxYRZAEbchWA81OilH5
  46. fZZpsayj4qNie+YdSaI=
  47. -----END CERTIFICATE-----
  48.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  49.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  50. -----BEGIN CERTIFICATE-----
  51. MIICWjCCAgCgAwIBAgIJAP5W2mLaOWq5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
  52. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
  53. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
  54. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
  55. MjkxMDE4MjVaMIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
  56. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
  57. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTBZ
  58. MBMGByqGSM49AgEGCCqBHM9VAYItA0IABArjN7ag+H8D12eqXJpMeTOR9m3sB2RC
  59. ojH7fZPB77SDfHZb9g1lcqUhrug0nw2F8wBMsLfjvsK3wQn/ryi3YvSjXTBbMB0G
  60. A1UdDgQWBBRCcBGiEpd09qSpUlkiGkZ+q+CFbDAfBgNVHSMEGDAWgBRCcBGiEpd0
  61. 9qSpUlkiGkZ+q+CFbDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzP
  62. VQGDdQNIADBFAiBjdylWVsUoTRcHu9DoMHv4lgtYJMf2xHAGLoJUjmbizAIhAOFD
  63. i3EmFVUgGVdgbnztFZcBLxtBzIAh/Q4Q3dm3/MFu
  64. -----END CERTIFICATE-----
  65. ---
  66. Server certificate
  67. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
  68. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  69. ---
  70. Acceptable client certificate CA names
  71. /C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
  72. Client Certificate Types: RSA sign, DSA sign
  73. ---
  74. SSL handshake has read 2121 bytes and written 2116 bytes
  75. Verification: OK
  76. ---
  77. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
  78. Server public key is 256 bit
  79. Secure Renegotiation IS NOT supported
  80. Compression: NONE
  81. Expansion: NONE
  82. No ALPN negotiated
  83. SSL-Session:
  84.     Protocol  : GMTLSv1.1
  85.     Cipher    : SM2-WITH-SMS4-SM3
  86.     Session-ID: F5615E4B1740A40DEBCECB8FBA2DA8DAFB726E51548B669BE2FC92077C6A80F7
  87.     Session-ID-ctx: 
  88.     Master-Key: C04783453DEC79C409566C8B934B349D1A5C0823CACF5F1B1FC2C11F95307C02A558CF040C8852CCBE0BE4C89E99FE02
  89.     PSK identity: None
  90.     PSK identity hint: None
  91.     SRP username: None
  92.     Start Time: 1663994632
  93.     Timeout   : 7200 (sec)
  94.     Verify return code: 0 (ok)
  95.     Extended master secret: no
  96. ---

抓包验证

参考链接

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/从前慢现在也慢/article/detail/363148
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号