使用openssl检查服务器安全协议 [英] Check Server security protocol using openssl
问题描述
我有一个框架应用程序,根据它的使用方式连接到不同的服务器。对于https连接,使用openssl。我的问题是,我需要知道,我连接到的服务器是使用SSL还是TLS,所以我可以创建正确的SSL上下文。目前,如果我使用错误的上下文尝试建立连接超时。
对于TLS,我使用:
SSL_CTX * sslContext = SSL_CTX_new TLSv1_client_method());
对于SSL,我使用:
SSL_CTX * sslContext = SSL_CTX_new(SSLv23_client_method());因此,有一种方法可以知道在建立连接之前服务器正在运行哪个协议? >
编辑:因为我理解现在它应该工作,因为 SSLv23_client_method()
也包含TLS协议。所以问题是为什么不呢?什么可能是超时的一个客户端方法,但不是其他的原因?
解决方案
对于SSL我使用:
SSL_CTX * sslContext = SSL_CTX_new(SSLv23_client_method ());
TLS只是前SSL协议的当前名称,即TLS1.0实际上是SSL3.1 SSLv23_client_method
实际上是建立SSL / TLS连接的最兼容的方式,并将使用可用的最佳协议。这意味着如果服务器支持TLS1.2连接,它也将创建TLS1.2连接。另见 SSL_CTX_new 的文档:
SSLv23_method(void),SSLv23_server_method(void),SSLv23_client_method(void)
方法可以了解SSLv2,SSLv3,TLSv1,TLSv1.1和TLSv1.2协议。
...客户端将发送TLSv1客户端hello消息表明它也了解TLSv1.1,TLSv1.2并允许回退到SSLv3。服务器将支持SSLv3,TLSv1,TLSv1.1和TLSv1.2协议。
您不需要的任何协议(如SSL3.0),您可以禁用与 SSL_OP_NO_SSLv3
等并使用 SSL_CTX_set_options
。
目前如果我使用错误的上下文尝试建立连接超时。
然后服务器或代码被打破。如果服务器获得与协议的连接,它不知道它应该返回未知协议警报。其他服务器只是关闭连接。超时通常只会发生在损坏的伺服器或中间件,例如旧的 F5 Big IP负载平衡器。
I have an framework application which connects to different servers depending on how it is used. For https connections openssl is used. My problem is, that I need to know if the server I am connecting to is using SSL or TLS, so I can create the right SSL context. Currently if I use the wrong context trying to establish a connection times out.
For TLS I use:
SSL_CTX *sslContext = SSL_CTX_new(TLSv1_client_method());
For SSL I use:
SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());
So is there a way to know which protocol a server is running before establishing a connection?
Edit: So as I understand it now it should work either way, since the SSLv23_client_method()
also contains the TLS protocol. So the question is why does it not? What could be the reason for a timeout with one client method but not the other?
解决方案 For SSL I use:
SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());
TLS is just the current name for the former SSL protocol, i.e. TLS1.0 is actually SSL3.1 etc. SSLv23_client_method
is actually the most compatible way to establish SSL/TLS connections and will use the best protocol available. That means it will also create TLS1.2 connections if the server supports that. See also in the documentation of SSL_CTX_new:
SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
A TLS/SSL connection established with these methods may understand the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
... a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.
Any protocols you don't want (like SSL3.0) you can disable with SSL_OP_NO_SSLv3
etc and using SSL_CTX_set_options
.
Currently if I use the wrong context trying to establish a connection times out.
Then either the server or your code is broken. If a server gets a connection with a protocol it does not understand it should return "unknown protocol" alert. Other servers simply close the connection. Timeout will usually only happen with a broken server or middlebox like an old F5 Big IP load balancer.
这篇关于使用openssl检查服务器安全协议的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!