Check Server security protocol using openssl

Views: 483
This article describes how to check which security protocol a server uses with openssl. The answer should be a useful reference for anyone facing the same problem; read on to learn more.

Problem description


I have a framework application which connects to different servers depending on how it is used. For https connections openssl is used. My problem is that I need to know if the server I am connecting to is using SSL or TLS, so I can create the right SSL context. Currently, if I use the wrong context, trying to establish a connection times out.

For TLS I use:

SSL_CTX *sslContext = SSL_CTX_new(TLSv1_client_method());

For SSL I use:

SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());

So is there a way to know which protocol a server is running before establishing a connection?

Edit: So as I understand it now it should work either way, since the SSLv23_client_method() also contains the TLS protocol. So the question is why does it not? What could be the reason for a timeout with one client method but not the other?

Solution

For SSL I use:
SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());

TLS is just the current name for the former SSL protocol, i.e. TLS1.0 is actually SSL3.1 etc. SSLv23_client_method is actually the most compatible way to establish SSL/TLS connections and will use the best protocol available. That means it will also create TLS1.2 connections if the server supports that. See also in the documentation of SSL_CTX_new:

SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)

A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.

... a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.

Any protocols you don't want (like SSL3.0) you can disable with SSL_OP_NO_SSLv3 etc. using SSL_CTX_set_options.

Currently if I use the wrong context trying to establish a connection times out.

Then either the server or your code is broken. If a server gets a connection with a protocol it does not understand, it should return an "unknown protocol" alert. Other servers simply close the connection. A timeout will usually only happen with a broken server or middlebox like an old F5 Big IP load balancer.

That concludes this article on checking a server's security protocol using openssl. We hope the recommended answer helps, and that you continue to support IT屋!
