如何从服务器检查协商的TLS握手? [英] How do you check the Negotiated TLS Handshake from the Server?

问题描述

如果我有十二个端点，并且我的WebAPI服务配置为TLS 1.1和TLS 1.2，如何检查每个传入的端点请求以查看协商了哪个版本?

If I have a dozen endpoints, and my WebAPI Service is configured for TLS 1.1 and TLS 1.2, how do I check each incoming endpoint request to see which version was negotiated?

因此，如果我的端点的使用者当前仅支持TLS 1.0和TLS 1.1，则他们(显然吗?)将协商TLS 1.1握手.但是，如果其他使用者支持TLS 1.2和TLS 1.3，他们(显然吗?)将协商TLS 1.2握手.

So if a consumer of my endpoints currently only supports TLS 1.0 and TLS 1.1, they'll (obviously?) negotiate a TLS 1.1 handshake. But if a different consumer supports TLS 1.2 and TLS 1.3, they'll (obviously?) negotiate a TLS 1.2 handshake.

我想跟踪我所有的消费者，以了解正在协商哪些握手.我该如何执行每个请求?

I want to track all of my consumers to see what handshakes are being negotiated. How do I do that per-request?

推荐答案

如果您使用的是IIS，则可以将一些扩展日志记录添加到IIS日志中.

If you are using IIS it looks like you can add some extended logging to your IIS logs.

pla窃... er ...引述后代:

plagiarizing ... er ... quoting for posterity:

要启用此新功能，这四个服务器变量需要 被配置为IIS中的自定义字段的源 applicationHost.config.可以在以下任一位置上配置自定义日志记录 服务器级别或站点级别.这是一个示例站点级配置:

To enable this new functionality, these four server variables need to be configured as the sources of the custom fields in IIS applicationHost.config. The custom logging can be configured on either server level or site level. Here is a sample site-level configuration:

<site name="Default Web Site" id="1" serverAutoStart="true">
 <application path="/">
 <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
 </application>
 <bindings>
 <binding protocol="https" bindingInformation="*:443:" />
 </bindings>
 <logFile>
 <customFields>
 <clear />
<add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
<add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
 </customFields>
 </logFile>
 </site>

每个SSL信息字段是一个十六进制数字，它映射到 安全协议版本或密码套件算法.对于HTTP 纯文本请求，所有四个字段都将记录为-".

Each SSL info field is a hexadecimal number that maps to either a secure protocol version or cipher suite algorithm. For an HTTP plain-text request, all four fields will be logged as ‘-‘.

又是我:

在IIS文本日志中，对于TLS1.2，看来CRYPT_PROTOCOL可以是400，对于TLS 1.0可以是40，对于SSLv3可以是10.

It looks like CRYPT_PROTOCOL can be 400 for TLS1.2, 40 for TLS 1.0, 10 for SSLv3 in the IIS Text logs.

从示例中看，如果您想尝试将自定义日志包含在自定义日志中，则该请求可能会在ServerRequest上包含ServerVariable值，而自定义日志比IIS日志本身更容易自定义.

From the examples, it looks like there might be ServerVariable values on each Request if you want to try to include in custom logs that are a bit easier to customize than the IIS log itself.

好问题！我可能有机会亲自使用这个答案.

Great Question! and I may have a chance to use this answer m'self.

所以...看来您可以从WebAPI获取ServerVariables，但只是以一种意外的方式.请参见下面的代码段.看来，如果枚举集合或调用Keys属性，您得到的仅仅是变量的一些子集.但是，如果您在任何这些操作之前明确请求CRYPT_ *变量，则您可以can indeed从控制器中获取它们.我在WebAPI 5.2.6上对此进行了尝试，该WebAPI定位在IIS下作为Azure经典云服务运行的.net 4.6.2.我建议尝试一下，看看是否适合您.如果您有关于服务器变量的最新参考，请编辑此答案并替换

So ... it looks like you CAN get the ServerVariables from WebAPI but only in an unexpected way. See the snippet below. It seems if you enumerate the collection or call the Keys property all you get is some subset of variables. But if you explicitly request the CRYPT_* variables before any of those actions then you can indeed get them from your controller. I tried this on WebAPI 5.2.6 targeting .net 4.6.2 running under IIS as an Azure Classic Cloud Service. I suggest trying this and seeing if it works for you. If you have a more recent reference for Server Variables, please edit this answer and replace https://docs.microsoft.com/en-us/iis/web-dev-reference/server-variables with your link.

以下在列出的环境撰写本文之日为我工作.将来可能会改变.对于生产，我肯定会将其转换为辅助方法.

Below worked for me on date of writing for environment listed. It may change in the future. For production I would definitely move this into a helper method.

if (Request.Properties.TryGetValue("MS_HttpContext", out object context))
 {
 if (context is HttpContextWrapper wrapper)
  {
  var v = wrapper.Request?.ServerVariables;
  if (v != null)
   {
   var headers = response.Headers;
   const string CRYPT_PROTOCOL = nameof(CRYPT_PROTOCOL);
   try
    {
    headers.Add($"SV_{CRYPT_PROTOCOL}", $"[{v[CRYPT_PROTOCOL].Replace("\r", "0x0D").Replace("\n", "0x0A")}]");
    }
    catch (Exception ex)
    {
       headers.Add($"SV_{CRYPT_PROTOCOL}", ex.Message);
    }
    foreach (string key in v.AllKeys)
      {
      headers.Add($"SV_{key}", v[key].Replace("\r", "0x0D").Replace("\n", "0x0A"));
      }
     headers.Add($"SV_DONE", "All Server Variables Replaced");
     }
  }

这篇关于如何从服务器检查协商的TLS握手?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！