我可以检测到浏览器支持的SSL版本吗? [英] Can I detect the SSL version that a browser supports?
问题描述
我想向浏览器的最高加密级别是SSLv3的客户显示一条消息.我可以将SSLv3及更低版本的浏览器设置作为目标吗?客户端还是服务器代码?我们将允许较低版本的SSL在一定宽限期内使用我们的网站.在此宽限期内,我们只想向浏览器设置为SSL3或更低的那些用户显示一条消息.
I would like to display a message to customers who's browser's highest level of encryption is SSLv3. Is it possible for me to target browser settings of SSLv3 and lower? Client or Server code? We will be allowing lower versions of SSL to use our site during a certain grace period. During this grace period, we would like to display a message only to those users that have browser settings of SSL3 or lower.
推荐答案
首先,如今,您通常会忘记那些至少不支持SSLv3的客户端. SSLv3已经广泛使用了多年.
Firstly, nowadays, you can generally forget about clients that don't support at least SSLv3. SSLv3 has been widely available for many years.
TLS Client Hello 消息,当连接为由浏览器启动的,应包含其支持的最高TLS版本:
The TLS Client Hello message, sent when the connection is initiated by the browser, should contain the highest TLS version it supports:
client_version
The version of the TLS protocol by which the client wishes to
communicate during this session. This SHOULD be the latest
(highest valued) version supported by the client. For this
version of the specification, the version will be 3.3 (see
Appendix E for details about backward compatibility).
附录E 当然值得一看.
(Client Hello消息还将包含客户端支持的密码套件列表,这可能与您的问题的总体思路有关.)
(The Client Hello message will also contain the list of cipher suites the client supports, which is possibly relevant for the general idea of your question.)
当然,此规范只是"SHOULD",因此支持TLS 1.2的客户端仍可以发送TLS 1.1的Client Hello,但这有什么意义呢?这样一来,就永远没有机会使用TLS 1.2.它可能是一个已关闭的首选项框,但实际上会使它成为不支持最高版本的客户端. (如果您想要更微妙的内容,则需要建立一个已知用户代理的数据库,该数据库在某种程度上是不可靠的,并且您需要分析整个用户代理字符串以了解有关该平台的所有信息.)
Of course, this specification is just a "SHOULD", so a client supporting TLS 1.2 could still send a Client Hello for TLS 1.1, but what would be the point? By doing so it would have no chance ever to use TLS 1.2 anyway. It could be a preference box that is turned off, but that would effectively make it a client that doesn't support the highest version anyway. (If you want anything more subtle, you'd need to build a database of known user agents, which will be partly unreliable, and for which you'd need to analyse the full user agent string to know everything possible about the platform.)
现在,如何将Client Hello消息的内容传达给应用程序是另一回事,并且在很大程度上取决于您使用哪个SSL/TLS堆栈.如果不修改该SSL/TLS库或您使用的服务器,甚至可能无法直接实现.
Now, how to convey the content of the Client Hello message to your application is another matter, and depends very much on which SSL/TLS stack you use. It might not even be directly possible without modifying that SSL/TLS library or the server you're using.
话虽如此,通常您可以很容易地在当前会话期间获得协商的TLS版本.由于该版本是客户端在客户端建议的较低版本的"较低版本您好,服务器支持的最高级别" (即"min(max(client), max(server))").如果您的服务器支持SSLv3,TLS 1.0,TLS 1.1和TLS 1.2,并且无论如何最新版本都是TLS 1.2,那么在当前连接期间您将获得的最大价值也将是客户端当前所支持的最大值.只要您的服务器支持最新版本,您就应该能够从任何实时连接中最多了解客户端所支持的内容.
This being said, you can generally get the negotiated TLS version during the current session quite easily. Since that version is the "lower of that suggested by the client in the client hello and the highest supported by the server" (i.e. "min(max(client), max(server))"). If your server supports SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2, and since the latest version is TLS 1.2 anyway, what you'll get during your current connection will also be the max currently supported by the client. As long as your server supports the latest version, you should be able to know what the client supports at best from any live connection.
如果您落后于 Apache HTTP服务器的mod_ssl ,您应该能够从SSL_PROTOCOL环境变量中获得该信息.您还应该能够从Java中的SSLSession获取协议.
If you're behind Apache HTTP server's mod_ssl, you should be able to get that from the SSL_PROTOCOL environment variable. You should also be able to get the protocol from the SSLSession in Java.
(如果您愿意编写更多定制服务,则可以将更多细节(例如密码套件)直接传递给您的应用程序,例如
(If you are willing to write a more bespoke service, you could pass further details like the cipher suites more directly to your application, like this service from Qualys SSL Labs does, although I'm not sure if it's meant to be widely available or just a test service.)
这篇关于我可以检测到浏览器支持的SSL版本吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
