What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?


Problem description

I'm rewording my question so hopefully I can get a better response. I asked a similar question on serverfault here, and think that a proper and valid TLS server is one that expects the "STARTTLS" command.

Is it true that STARTTLS can be issued to a properly configured LDAP or HTTP TLS server without needing an extra port? I know that this is true from an SMTP perspective, but I am not sure how broadly I can apply those experiences to other protocols.

I've spent time reading (but not fully grasping)

Q: What happens on the wire right before the TLS over LDAP or HTTP session is set up? Since this is TCP based, can I simply telnet to that port and issue some command to verify it's working (up to that point)?

Recommended answer

There are very few differences between SSL and TLS in the way they are used. There is, however, a fundamental difference between up-front establishment of SSL/TLS and the use of a command such as STARTTLS. Sometimes, "TLS" is used in contrast to "SSL", to mean "using a STARTTLS mode", but this is incorrect.

In this case, the client initiates the TLS/SSL connection before anything else, so the SSL/TLS handshake happens first. Once the secure socket is up, the application using it can start sending the various commands for the protocol above TLS (e.g. HTTP, LDAP in this mode, SMTP).

In this mode, the SSL/TLS versions have to run on a different port from their plain counterparts, for example: HTTPS on port 443, LDAPS on port 636, IMAPS on port 993, instead of 80, 389, 143 respectively.

The layers implementing these application protocols barely need to know they're running on top of TLS/SSL. Sometimes, they're simply tunneled in tools such as sslwrap.

The TLS specification allows for the handshake to happen at any time, including after having exchanged some data in plain TCP over the same TCP connection.

Some protocols, including LDAP, incorporate a command to tell the application protocol there will be an upgrade. Essentially, the first part of the LDAP communication happens in plain text, then a STARTTLS message is sent (still in plain text), which indicates that the current TCP connection will be reused but that the next commands will be wrapped within a TLS/SSL layer. At this stage, the TLS/SSL handshake happens and the communication is "upgraded" to TLS/SSL. Only after this is the communication secured via TLS/SSL, and both the client and the server know that they have to wrap/unwrap their commands from the TLS layer (typically adding a TLS library between the TCP layer and the application layer).

The details of how STARTTLS is implemented within each protocol vary depending on the protocol (because this has to be compatible with the protocol using it to some extent).

Even HTTP has a variant using this mechanism, although it's almost never supported: RFC 2817 Upgrading to TLS Within HTTP/1.1. This is completely different from the way HTTPS works (RFC 2818), which initiates TLS/SSL first.

The advantage of the STARTTLS approach is that you can run both secured and plain variants on the same port; the disadvantages are the consequences of that, in particular potential downgrade attacks or possible mistakes in the configuration.

(EDIT: I've removed an incorrect sentence, as @GregS pointed out, thanks.)

(EDIT: I've also posted this answer on ServerFault.)
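The answer above describes three different things a server can see as the first bytes of a connection: an immediate TLS handshake (HTTPS, LDAPS), a plaintext LDAP exchange that later carries a StartTLS extended request, and the rarely supported RFC 2817 HTTP Upgrade. The following is an added example, not code from the original question or answer: it encodes the LDAP StartTLS request byte for byte (RFC 4511 LDAPMessage/ExtendedRequest with the RFC 4513 OID) and classifies a captured first client segment into one of those modes. The sample segments are constructed for this example, and the function and constant names are this example's own.

```python
"""Encode the LDAP StartTLS request and classify the first client bytes on a
connection: implicit TLS handshake, plaintext LDAP (with or without StartTLS),
or HTTP (with or without the RFC 2817 Upgrade header). Sample traffic is constructed."""
import re

LDAP_STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4513, section 3.1.1
TAG_SEQUENCE = 0x30             # universal SEQUENCE, constructed (LDAPMessage)
TAG_INTEGER = 0x02              # universal INTEGER (messageID)
TAG_BIND_REQUEST = 0x60         # [APPLICATION 0], constructed
TAG_EXTENDED_REQUEST = 0x77     # [APPLICATION 23], constructed
TAG_REQUEST_NAME = 0x80         # [0] IMPLICIT LDAPOID, primitive
TLS_RECORD_HANDSHAKE = 0x16     # TLS ContentType handshake(22), RFC 5246


def ber(tag, body):
    """Encode one BER TLV with a definite length (short form below 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def ber_read(data, pos):
    """Decode the TLV starting at pos; return (tag, body, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP (RFC 4511, 5.1)")
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated BER element")
    return tag, body, pos + length


def ber_integer(value):
    """Encode a non-negative INTEGER, adding a leading zero byte if the sign bit would be set."""
    return ber(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_ldap_starttls_request(message_id=1):
    """The plaintext LDAPMessage a client sends to ask for the TLS upgrade."""
    ext = ber(TAG_EXTENDED_REQUEST, ber(TAG_REQUEST_NAME, LDAP_STARTTLS_OID.encode("ascii")))
    return ber(TAG_SEQUENCE, ber_integer(message_id) + ext)


def build_ldap_simple_bind(message_id=1):
    """An anonymous simple BindRequest (version 3, empty DN, empty password) as plaintext LDAP."""
    bind = ber(TAG_BIND_REQUEST, ber_integer(3) + ber(0x04, b"") + ber(0x80, b""))
    return ber(TAG_SEQUENCE, ber_integer(message_id) + bind)


def classify_first_bytes(data):
    """Name what the first client segment of a TCP connection is."""
    # Implicit TLS (HTTPS 443, LDAPS 636, IMAPS 993): the first bytes are a TLS record
    # of type handshake with a 3.x version field (SSL 3.0 through TLS 1.3 record versions).
    if len(data) >= 3 and data[0] == TLS_RECORD_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    # Plaintext LDAP always starts with a BER SEQUENCE: the LDAPMessage.
    if data[:1] == bytes([TAG_SEQUENCE]):
        try:
            _, msg, _ = ber_read(data, 0)
            id_tag, _, pos = ber_read(msg, 0)
            if id_tag != TAG_INTEGER:
                return "unknown"
            op_tag, op_body, _ = ber_read(msg, pos)
            if op_tag == TAG_EXTENDED_REQUEST:
                name_tag, name, _ = ber_read(op_body, 0)
                if name_tag == TAG_REQUEST_NAME and name == LDAP_STARTTLS_OID.encode("ascii"):
                    return "ldap-starttls"
        except (ValueError, IndexError):
            return "unknown"
        return "ldap-plaintext"
    # Plaintext HTTP/1.x request line, possibly asking for the RFC 2817 upgrade.
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", data):
        headers = data.split(b"\r\n\r\n", 1)[0].lower()
        if (re.search(rb"\r\nupgrade:\s*tls/1\.\d", headers)
                and re.search(rb"\r\nconnection:[^\r\n]*upgrade", headers)):
            return "http-upgrade-tls"
        return "http-plaintext"
    return "unknown"


# Constructed sample first segments, one per mode discussed in the answer.
SAMPLES = {
    # TLS record header (handshake, version 3.1) followed by the first payload bytes, truncated.
    "ldaps_or_https": b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03",
    "ldap_starttls": build_ldap_starttls_request(1),
    "ldap_plain_bind": build_ldap_simple_bind(1),
    "http_rfc2817": (b"OPTIONS * HTTP/1.1\r\nHost: ldap.example.invalid\r\n"
                     b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n"),
    "http_plain": b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
}


def classify_samples():
    return {name: classify_first_bytes(seg) for name, seg in SAMPLES.items()}
```

The classifier only looks at the first client segment, which is exactly the point of the answer: on 636 or 443 the handshake record is the first thing on the wire, while on 389 the StartTLS request (and the server's ExtendedResponse that follows it) is readable plaintext, and only the ClientHello that comes after it opens the TLS layer. Answering the question's telnet idea: on the STARTTLS port you can indeed type plaintext LDAP or HTTP before the upgrade, whereas on the implicit-TLS port anything you type is rejected as a malformed TLS record.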
