【Question title】: TLS 1.3 OpenSSL TLS alert unrecognized_name does not appear
【Posted】: 2021-07-28 22:44:12
【Question】:

I am trying to trigger the TLS alert unrecognized_name for TLS 1.3 with OpenSSL, but it does not appear. For TLS 1.2 it works. Does anyone understand why? Here are the example commands:

openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_2 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT

openssl s_client -connect 10.10.10.55:9443 -CAfile signed-pem.cert -tls1_2 -cipher DHE-RSA-AES128-SHA -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:warning:unrecognized name
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello

For TLS 1.3:

openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_3 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT

openssl s_client -connect 10.10.10.55:9443  -CAfile signed-pem.cert -tls1_3  -ciphersuites TLS_AES_128_GCM_SHA256 -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished

【Question discussion】:

    Tags: openssl tls1.2 tls1.3


    【Solution 1】:

    This is due to this code in OpenSSL:

    https://github.com/openssl/openssl/blob/a65c8d8f737fe4e67d0b37e2b20dc1adccd93112/ssl/statem/extensions.c#L994-L997

        case SSL_TLSEXT_ERR_ALERT_WARNING:
            /* TLSv1.3 doesn't have warning alerts so we suppress this */
            if (!SSL_IS_TLS13(s))
                ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
    

    You can see in the TLSv1.2 output that the alert is a warning:

    SSL3 alert read:warning:unrecognized name
    

    TLSv1.3 does not use the "severity" indication in alerts. All error alerts are considered fatal. Therefore OpenSSL does not send this alert, since in this context it is not fatal.

    【Discussion】:
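Added example (not code from the question, the answer, or OpenSSL): a small Python decoder for a TLS alert record plaintext that applies the severity rule the answer describes. Under TLS 1.2 the AlertLevel byte decides whether the alert is fatal; under TLS 1.3 (RFC 8446 section 6) that byte is ignored and every alert other than close_notify and user_canceled is fatal, which is why there is no "warning" unrecognized_name for OpenSSL to send. The record bytes, the version labels and the function names are constructed for illustration; the alert codes come from RFC 5246 and RFC 8446.

```python
"""Decode a TLS alert record and apply the version-dependent severity rule.

Added illustration only: not code from the question, the answer, or OpenSSL.
The record bytes below are constructed; the alert codes and the TLS 1.3 rule
come from RFC 5246 (TLS 1.2) and RFC 8446 section 6 (TLS 1.3).
"""
from dataclasses import dataclass

ALERT_CONTENT_TYPE = 0x15           # record-layer ContentType for alerts
LEVEL_WARNING, LEVEL_FATAL = 1, 2   # AlertLevel values (TLS 1.2 meaning)

# Subset of AlertDescription codes; 112 is the one from the question.
ALERT_NAMES = {
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    90: "user_canceled",
    112: "unrecognized_name",
}

# RFC 8446 section 6: these two are "closure alerts"; every other alert is
# an error alert and therefore fatal, whatever the level byte says.
TLS13_NON_FATAL = {0, 90}


@dataclass(frozen=True)
class Alert:
    level: int
    description: int
    name: str
    fatal: bool


def parse_alert_record(record: bytes, negotiated_version: str) -> Alert:
    """Parse one plaintext alert record (5-byte header + 2-byte body).

    `negotiated_version` is "TLSv1.2" or "TLSv1.3" (labels chosen here) and
    decides how the level byte is interpreted. In TLS 1.3 an alert sent after
    ServerHello is encrypted; pass the decrypted record plaintext.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type = record[0]
    if content_type != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an alert record (content type {content_type})")
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    # An alert body is exactly two bytes; anything else is malformed.
    if length != 2 or len(body) != 2:
        raise ValueError(f"alert body must be 2 bytes, got length {length}")
    level, description = body
    name = ALERT_NAMES.get(description, f"unknown({description})")

    if negotiated_version == "TLSv1.3":
        # Level byte carries no meaning; severity is implied by the type.
        fatal = description not in TLS13_NON_FATAL
    elif negotiated_version == "TLSv1.2":
        if level not in (LEVEL_WARNING, LEVEL_FATAL):
            raise ValueError(f"invalid AlertLevel {level}")
        fatal = level == LEVEL_FATAL
    else:
        raise ValueError(f"unsupported version label {negotiated_version!r}")
    return Alert(level, description, name, fatal)


def warning_alert_is_sendable(negotiated_version: str) -> bool:
    """Same decision as the OpenSSL snippet quoted in the answer: a callback
    result of "warning alert" only goes on the wire when the connection is
    not TLS 1.3, because TLS 1.3 has no warning alerts to send."""
    return negotiated_version != "TLSv1.3"


# Constructed record: ContentType 0x15 (alert), legacy version 0x0303,
# length 2, AlertLevel 1 (warning), AlertDescription 112 (unrecognized_name).
SAMPLE_UNRECOGNIZED_NAME_WARNING = bytes.fromhex("15 03 03 00 02 01 70")

if __name__ == "__main__":
    for version in ("TLSv1.2", "TLSv1.3"):
        alert = parse_alert_record(SAMPLE_UNRECOGNIZED_NAME_WARNING, version)
        print(version, alert, "sendable as warning:",
              warning_alert_is_sendable(version))
```

Running the script shows the same two bytes decoded as a non-fatal warning under TLS 1.2 and as a fatal alert under TLS 1.3, which matches the s_client traces in the question: the TLS 1.2 run prints the warning and continues, while the TLS 1.3 run simply never receives an alert.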
