热门标签
热门文章
- 1Vscode搭建开发调试STM32/RISC-V环境IDE(最全面)_vscode stm32
- 2JavaScript 二进制数组(ArrayBuffer、Typed Array、DataView)_js 二进制数组
- 3【华为OD机试真题 python】最大数字【2023 Q1 | 200分】_最大值 od python
- 4Win10控制面板打不开怎么办?_win10控制面板无法打开
- 5DCT如此重要,作者当初竟然不知道?
- 6阿里云堡垒机搭建_云盾堡垒机ssh非默认端口
- 7扑克类游戏斗地主、蜘蛛纸牌源码_开源纸牌小游戏
- 8Python爬虫基础之 Selenium
- 9如何在CentOS6中写systemctl daemon-reload
- 10Leectcode417太平洋大西洋水流问题_med_C++
当前位置: article > 正文
gmssl 国密ssl流程测试
作者:花生_TL007 | 2024-02-20 03:47:00
赞
踩
gmssl
前言
普通ssl/TLS中使用的是单证书,而国密ssl(gmtls)要求的是双证书,即加密证书+签名证书。
gmssl中保留了openssl中ssl、tls的流程,同时也实现了gmtls的流程。
本章将使用gmssl命令行工具,对ssl和gmtls的流程进行测试。
注:本章使用的国密证书在之前的章节中讲了如何生成。
https://blog.csdn.net/qq_39952971/article/details/115168241
一 gmssl ssl流程测试 单证书单向认证
服务端命令:
gmssl s_server -accept 44330 -key gmcrt/2_sign.key -cert gmcrt/2_sign.crt -CAfile gmcrt/ca.crt
- 1
客户端:
gmssl s_client -connect localhost:44330 -key gmcrt/1_sign.key -cert gmcrt/1_sign.crt -CAfile gmcrt/ca.crt
- 1
测试日志(服务端):可以看出ssl的通信流程
Using default temp DH parameters [GMTLS_DEBUG] set sm2 signing certificate [GMTLS_DEBUG] set sm2 signing private key ACCEPT SSL_accept:before SSL initialization SSL_accept:before SSL initialization SSL_accept:SSLv3/TLS read client hello SSL_accept:SSLv3/TLS write server hello SSL_accept:SSLv3/TLS write certificate SSL_accept:SSLv3/TLS write key exchange SSL_accept:SSLv3/TLS write server done SSL_accept:SSLv3/TLS write server done SSL_accept:SSLv3/TLS read client key exchange SSL_accept:SSLv3/TLS read change cipher spec SSL_accept:SSLv3/TLS read finished SSL_accept:SSLv3/TLS write session ticket SSL_accept:SSLv3/TLS write change cipher spec SSL_accept:SSLv3/TLS write finished -----BEGIN SSL SESSION PARAMETERS----- CIPHER is ECDHE-SM2-WITH-SMS4-GCM-SM3 Secure Renegotiation IS supported
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
二 gmssl ssl 流程 单证书 双向认证
服务端命令:
gmssl s_server -verify 1 -accept 44330 -key gmcrt/2_sign.key -cert gmcrt/2_sign.crt -CAfile gmcrt/ca.crt -state
- 1
其中-verify 1 参数表示服务端要对客户端的证书进行验证。默认只是客户端验证服务端的证书。
客户端:
gmssl s_client -connect localhost:44330 -key gmcrt/1_sign.key -cert gmcrt/1_sign.crt -CAfile gmcrt/ca.crt -state
- 1
测试日志-服务端:
verify depth is 1 Using default temp DH parameters [GMTLS_DEBUG] set sm2 signing certificate [GMTLS_DEBUG] set sm2 signing private key ACCEPT SSL_accept:before SSL initialization SSL_accept:before SSL initialization SSL_accept:SSLv3/TLS read client hello SSL_accept:SSLv3/TLS write server hello SSL_accept:SSLv3/TLS write certificate SSL_accept:SSLv3/TLS write key exchange SSL_accept:SSLv3/TLS write certificate request // 服务端发出证书请求 SSL_accept:SSLv3/TLS write server done SSL_accept:SSLv3/TLS write server done verify return:1 SSL_accept:SSLv3/TLS read client certificate SSL_accept:SSLv3/TLS read client key exchange SSL_accept:SSLv3/TLS read certificate verify SSL_accept:SSLv3/TLS read change cipher spec SSL_accept:SSLv3/TLS read finished SSL_accept:SSLv3/TLS write session ticket SSL_accept:SSLv3/TLS write change cipher spec SSL_accept:SSLv3/TLS write finished
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
三 gmssl gmtls 流程 双证书 单向认证
服务端命令:
gmssl s_server -gmtls -accept 44330 -key gmcrt/2_sign.key -cert gmcrt/2_sign.crt -dkey gmcrt/2_enc.key -dcert gmcrt/2_enc.crt -CAfile gmcrt/ca.crt -state
- 1
-state参数表示打印跟多信息,方便调试。
客户端:
gmssl s_client -gmtls -connect localhost:44330 -key gmcrt/1_sign.key -cert gmcrt/1_sign.crt -dkey gmcrt/1_enc.key -dcert gmcrt/1_enc.crt -CAfile gmcrt/ca.crt -state
- 1
日志-客户端:
[GMTLS_DEBUG] set sm2 signing certificate [GMTLS_DEBUG] set sm2 signing private key [GMTLS_DEBUG] set sm2 encryption certificate [GMTLS_DEBUG] set sm2 decryption private key CONNECTED(00000003) SSL_connect:before SSL initialization SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS write client hello SSL_connect:SSLv3/TLS read server hello depth=1 C = CN, ST = Some-State, L = beijing, O = Internet Widgits Pty Ltd, OU = xd, CN = yaomingyue verify return:1 depth=0 C = CN, ST = Some-State, O = Internet Widgits Pty Ltd, OU = xd, CN = yao verify return:1 SSL_connect:SSLv3/TLS read server key exchange SSL_connect:SSLv3/TLS read server done SSL_connect:SSLv3/TLS write client key exchange SSL_connect:SSLv3/TLS write change cipher spec ssl_get_algorithm2=4a58fcd008x SSL_connect:SSLv3/TLS write finished SSL_connect:SSLv3/TLS write finished SSL_connect:SSLv3/TLS read change cipher spec SSL_connect:SSLv3/TLS read finished New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3 SSL-Session: Protocol : GMTLSv1.1 Cipher : SM2-WITH-SMS4-SM3 Session-ID: C59ADB1090F5948375648E1172F299FC6E722D0EF6C94490EE992A5852EEA087 Session-ID-ctx: Master-Key: BF9BCB2B31359649CC4F0EA373B5B8674F462FA24C90147D0A8861F0129FB09E7D7F4E5AE1965A5BA336903BB6608B7C PSK identity: None PSK identity hint: None SRP username: None Start Time: 1616571315 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
可以看出,现在使用的协议已经变成gmtlsv1.1了。
四 gmssl gmtls 流程 双证书 双向认证
服务端命令:
gmssl s_server -verify 1 -gmtls -accept 44330 -key gmcrt/2_sign.key -cert gmcrt/2_sign.crt -dkey gmcrt/2_enc.key -dcert gmcrt/2_enc.crt -CAfile gmcrt/ca.crt
- 1
客户端:
gmssl s_client -gmtls -connect localhost:44330 -key gmcrt/1_sign.key -cert gmcrt/1_sign.crt -dkey gmcrt/1_enc.key -dcert gmcrt/1_enc.crt -CAfile gmcrt/ca.crt -state
- 1
目前运行服务端报错:
crypto/sm2/sm2_sign.c 510: sm2_do_verify
ERROR
139865536943936:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_srvr.c:2941:
- 1
- 2
- 3
应该是gmssl的GMTLS的双证书双向验证流程还有问题,需要改gmssl的源码。
总结
在测试的过程中可以进行抓包查看,可以更清晰的看到ssl和gmtls的通信流程:
注:GMTLS协议的抓包查看
因为wireshark目前不支持GMTLS协议解析,所以需要改变下。
用UE将抓包文件打开,找到160101等ssl开头的数据,然后改成160303 ,再用wireshark打开,当做TLS1.3 来看。
参考如下博文:
https://blog.csdn.net/mrpre/article/details/78015580
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/花生_TL007/article/detail/118246
推荐阅读
相关标签
