我们来聊一聊Https
Posted IT凯凯
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了我们来聊一聊Https相关的知识,希望对你有一定的参考价值。
最近工作中被Https困惑了好几天,导致查一个问题不是那么顺手。所以决定下决心把这块东西研究一下,来看看这玩意到底是何物来着。
由于这玩意在平时工作中是个冷门,所以也没空去研究。随着微服务的发展,越来越多的系统间交互都是通过http/https协议来进行的,大家都知道http协议,这种协议是明文传输的,这样就显得非常的不安全,所以才有了https。简单来说,https就是在TCP/IP传输层和应用层加了一层安全协议层SSL/TLS,有了这玩意就可以保证数据传输的安全性和站点的可信性。
那怎么来保证数据传输的安全性呢?最简单的办法就是加密;那怎么来确保站点的可信性呢?当然就是签名啦,这些都属于网络安全和密码学的范畴。加密分为对称加密和非对称加密,对称加密是指加密和解密的密钥是同一个,优点是简单并且效率高,缺点是没法保证密钥的安全分发而不至于落到不怀好意的人手里。非对称加密是指加密和解密用的不是同一个密钥,一般用公钥来进行加密,用私钥来进行解密,公钥是对外公开的,私钥是双方各持有一份,用公钥加密,用私钥来解密,理论上只要私钥不被泄露就是安全的。非对称加密优点就是安全性极高,但缺点就是加密的效率不高。签名算法就是要保证单向不可逆,证明A就是A,就好比一个电子签名,类似于人的身份证件。
简单的介绍了一下加密算法和签名,下面来介绍一下这些是怎么用在https协议里面的。我们知道对称加密和非对称加密都有各自的优缺点,把他们结合起来使用才是王道,https正是这么干的,用非对称加密来传输对称加密用的密钥,保证了对称加密密钥的安全分发,用对称加密来保证应用数据传输的安全性,这样既保证了加密的效率又保证了安全性,真是一举两得啊。
下面来介绍一下https协议的交互过程。
1. 第一步,客户端给出协议版本号、一个客户端生成的随机数(Clientrandom),以及客户端支持的加密方法。
2. 第二步,服务器端确认双方使用的加密方法,并给出数字证书、以及一个服务器生成的随机数(Server random)。
3. 第三步,客户端确认数字证书有效,然后生成一个新的随机数(Premastersecret),并使用数字证书中的公钥,加密这个随机数,发给服务器端。
4. 第四步,服务器端使用自己的私钥,获取客户端发来的随机数(即Premastersecret)。
5. 第五步,客户端和服务器端根据约定的加密方法,使用前面的三个随机数,生成"对话密钥"(session key),用来加密接下来的整个对话过程。
总结一下这个流程,非对称加密只用了一次,用来传输对称加密用的随机密码,保证了密钥的安全分发,后续的交互都使用的是对称加密传输,保证了传输效率,想想是不是设计得很巧妙。详细交互及相关算法设计请参考[RFC5246]https://tools.ietf.org/html/rfc5246。
下面来看一个实际的握手示例,将java的javax.net.debug参数设置为”ssl,handshake”即可跟踪https协议的握手情况,比如:
trustStore is: C:\ProgramFiles\Java\jre1.8.0_144\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
inittruststore ###添加可信的证书,由于在代码中没有添加可信证书,所以默认使用的是JDK中保存的可信证书。
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc.,C=US
Issuer: CN=Equifax Secure GlobaleBusiness CA-1, O=Equifax Secure Inc., C=US
Algorithm: RSA; Serial number: 0xc3517
Valid from Mon Jun 21 12:00:00 CST 1999 until Mon Jun 22 12:00:00 CST2020
……
……
adding as trusted cert:
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCertInc, C=US
Issuer: CN=DigiCert Global RootG2, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
Valid from Thu Aug 01 20:00:00 CST 2013 until Fri Jan 15 20:00:00 CST2038
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring unsupported cipher suite:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello,TLSv1.2 ###看到没,在这里会把客户端支持的加密算法和签名算法一并发送至服务端
RandomCookie: GMT: 1515068280 bytes = { 82, 139, 251, 185,64, 4, 94, 202, 73, 66, 2, 183, 255, 92, 106, 86, 210, 45, 71, 131, 227, 149,36, 190, 170, 127, 189, 156 }
Session ID: {}
Cipher Suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names:{secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1,sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats:[uncompressed]
Extension signature_algorithms,signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA,SHA1withRSA, SHA1withDSA
***
main,WRITE: TLSv1.2 Handshake, length = 161 ###客户端发送第一次消息
main, READ: TLSv1.2 Handshake, length = 89
***ServerHello, TLSv1.2 ###服务端收到信息后,会选择客户端支持的加密算法和签名算法并且将证书返回到客户端
RandomCookie: GMT: 1452445708 bytes = { 181, 174, 156, 166,95, 124, 156, 43, 45, 15, 222, 177, 11, 255, 78, 104, 178, 216, 237, 67, 99,117, 133, 98, 44, 20, 210, 151 }
Session ID: {85, 177, 158, 149, 117, 40, 119, 134, 246, 81, 255, 153, 55, 241, 156,45, 228, 95, 86, 204, 6, 240, 138, 241, 221, 230, 187, 183, 42, 48, 26, 121}
Cipher Suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info,renegotiated_connection: <empty>
Extension ec_point_formats, formats:[uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized: [Session-1,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main,READ: TLSv1.2 Handshake, length = 2811 ###客户读取到证书,下面开始验证
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=www.gzssfa.com
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048bits
modulus:26720433941944675822572586410807215868706516035793471618609457282094099589521440356373658227875417164723264224500933984654662407353604002669438816413635377840310361190644986017575157342272044364219025223927592790558487522028877909950167083638174178302870026890349321739697917241333133070352734727860630748697208246029934662320497981100947381840015102810551387832035382910664155609453432027608980109887301262653157268390225996013048414144532725585247093701424266863634834338253388535865139751502316690352509691481310482927232304055620226266843288511194242080908450676299141798529050500271511199047207176390002867518169
public exponent: 65537
Validity: [From: Thu Jun 29 08:00:00 CST 2017,
To: Sat Jun 30 07:59:59 CST2018]
Issuer: CN=Symantec Basic DV SSL CA - G1, OU=Domain Validated SSL,OU=Symantec Trust Network, O=Symantec Corporation, C=US
SerialNumber: [ 7caafbe5f9976236 8bc32fe3 bbb45992]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2Criticality=false
Extension unknown: DER encoded OCTET string=
0000: 04 81 F5 04 81 F2 00 F0 00 75 00 DD EB 1D 2B 7A .........u....+z
0010: 0D 4F A6 20 8B 81 AD 81 68 70 7E 2E 8E 9D 01 D5 .O. ....hp......
0020: 5C 88 8D 3D 11 C4 CD B6 EC BE CC 00 00 01 5C F4 \..=..........\.
0030: 56 32 FE 00 00 04 03 00 46 30 44 02 20 3B 8C 55 V2......F0D. ;.U
0040: A7 A3 FB 54 E9 EE 95 18 59 BF 62 0B 03 87 CD 8F ...T....Y.b.....
0050: D7 E5 5A C4 EB 3C 9E D2 B9 7F DE E4 A9 02 20 62 ..Z..<........ b
0060: 1E E2 CB 0A 4B 74 98 67 87 BA E5 05 AE 1E 37 4F ....Kt.g......7O
0070: 4D C8 3B 2D 67 B2 0D 9B 37 23 6E 4F 1C A7 73 00 M.;-g...7#nO..s.
0080: 77 00 A4 B9 09 90 B4 18 58 14 87 BB 13 A2 CC 67 w.......X......g
0090: 70 0A 3C 35 98 04 F9 1B DF B8 E3 77 CD 0E C8 0D p.<5.......w....
00A0: DC 10 00 00 01 5C F4 56 33 14 00 00 04 03 00 48 .....\.V3......H
00B0: 30 46 02 21 00 94 1E 02 F8 B0 07 68 68 6A 11 55 0F.!.......hhj.U
00C0: EE 82 5C 35 FF 93 2A 3A C9 64 59 79 01 D0 17 2E ..\5..*:.dYy....
00D0: A6 7F 2F 7B F3 02 21 00 BB 28 90 B6 6B 04 69 AE ../...!..(..k.i.
00E0: 12 12 8F 0A B2 DF 1F 37 89 D4 6B 44 8E 1A 97 47 .......7..kD...G
00F0: 03 74 E1 8E 4B 64 D3 C6 .t..Kd..
[2]: ObjectId: 1.3.6.1.5.5.7.1.1Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://hc.symcd.com
,
accessMethod: caIssuers
accessLocation: URIName: http://hc.symcb.com/hc.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5C 61 9E B0 76 41 A9 6A AA 43 0B E1 C7 6E 30 29 \a..vA.j.C...n0)
0010: 6E B1 CD 36 n..6
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 6D 63 ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70 73 b.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 19 0C 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F 72 70 61 mcb.com/rpa
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.gzssfa.com
DNSName: gzssfa.com
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 34 62 EA D8 5B 59 65 78 A1 8C 20 67 A5 76 43 20 4b..[Yex.. g.vC
0010: 98 82 F2 24 8A D4 C5 F3 FE 17 D1 71 49 21 13 BC ...$.......qI!..
0020: EC 04 84 E3 14 45 37 7D EB F1 A0 97 F5 9F 49 D2 .....E7.......I.
0030: A8 04 CD 0D 62 96 36 C6 38 8E 31 55 1E A2 A5 16 ....b.6.8.1U....
0040: E8 AE 2F 60 23 51 AB B1 54 04 BF 60 FB FD 4D 12 ../`#Q..T..`..M.
0050: 06 5C 10 CB 54 B5 4F 9D C2 4F 29 93 29 D3 FD 8A .\..T.O..O).)...
0060: 74 73 2B 55 81 F6 E7 28 7B 30 54 A8 47 59 F7 33 ts+U...(.0T.GY.3
0070: F7 A4 BB 43 77 44 52 57 E9 EB 13 88 FA 16 68 BF ...CwDRW......h.
0080: 19 FE 2F A3 A9 80 D4 39 7E A9 9E 92 77 D7 32 E3 ../....9....w.2.
0090: 9F C9 95 91 5A 74 CD 7D 1C 06 42 0C 2C E9 F1 31 ....Zt....B.,..1
00A0: 86 0B 25 2A AB ED E6 B5 1C F8 0D 15 50 F7 BF 9B ..%*........P...
00B0: 65 DE 0D 1F C8 7D EC 8B 3C 72 77 4B AB DB 17 9E e.......<rwK....
00C0: 9E F5 43 14 ED DD EE 8F 45 BE 77 39 97 78 D5 67 ..C.....E.w9.x.g
00D0: 9C BC 5B 06 24 96 AA 2F A3 27 81 19 91 9E 13 78 ..[.$../.'.....x
00E0: D8 F6 F1 97 0B 7D 2A 6C AD DA 74 A6 B3 3E E5 C2 ......*l..t..>..
00F0: 9D 06 86 29 35 E9 1C 1F 0A 64 4C 58 4F CA F4 5F ...)5....dLXO.._
]
chain [1] = [
[
Version: V3
Subject: CN=Symantec Basic DV SSL CA - G1, OU=Domain Validated SSL,OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048bits
modulus:20730589442093487162926826130531029334031078896427984928089064454802604870382306399692984430396883323005755690357995341427344667917247078652715321928928202867088541621301512373945359916120841361925627124702442044671892277519991021719467948903665525839784057832767938219274601096507505478356163312332263488405890753312212071636913614185385016676146677311043069281284550019484298301746169989899904646881381305473682964554090371773473005651045337456541823048017414595011264202439697003900316775507709509695262846575922888096863384480020422680557771750658090609162490866666411601678894835016296096532567331322081667344897
public exponent: 65537
Validity: [From: Tue Jun 07 08:00:00 CST 2016,
To: Sun Jun 07 07:59:59 CST2026]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSignTrust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 4c4cd8a0fc4feaae 1554a87f 090eda87]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://s.symcd.com
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9..
0010: AF 33 31 33 .313
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://s.symcb.com/pca3-g5.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 6D 63 ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70 73 b.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 19 1A 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F 72 70 61 mcb.com/rpa
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=SymantecPKI-2-555
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 5C 61 9E B0 76 41 A9 6A AA 43 0B E1 C7 6E 30 29 \a..vA.j.C...n0)
0010: 6E B1 CD 36 n..6
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 61 EA 45 71 2F 8D E1 3F 0A 9B 95 48 F1 F2 3C A2 a.Eq/..?...H..<.
0010: 58 16 CA 96 C4 FF DA E2 AB 97 71 10 91 B3 2F A4 X.........q.../.
0020: 8B 81 0F F2 A4 FB 35 F3 E7 90 4A 20 C5 9B E5 31 ......5...J ...1
0030: CB 47 B1 68 1D B5 36 E9 F5 28 57 6E A0 A7 A9 73 .G.h..6..(Wn...s
0040: C2 C3 9E F9 05 91 F6 AC 42 8D C4 8D F4 09 6A FA ........B.....j.
0050: 53 8E E7 E2 1D A1 4A 76 89 C4 97 9E 03 EC 4A B0 S.....Jv......J.
0060: 0D 55 93 8B FC 78 BB BB C7 04 65 07 08 59 12 C6 .U...x....e..Y..
0070: 0D 14 05 69 0F 76 04 4E 87 A4 1F CE FB 43 36 6B ...i.v.N.....C6k
0080: 67 A1 1D 1B FD D5 83 AB 1D B4 70 D0 E2 2F D4 F3 g.........p../..
0090: BB 32 4E 6C 8C DA 5F 2F 5C E1 88 64 37 75 5A BE .2Nl.._/\..d7uZ.
00A0: 9D A9 E7 B6 16 D0 9F 86 F0 1C 58 C6 EF 87 F2 7A ..........X....z
00B0: B0 13 87 32 AD 15 9F 91 BC 4E 9E A2 53 0B 11 95 ...2.....N..S...
00C0: 8D 73 EC B6 90 28 09 67 94 E8 A2 65 58 61 7B ED .s...(.g...eXa..
00D0: 60 BF 32 41 1C 2D 2D F8 7A F6 D9 81 F0 6A 82 83 `.2A.--.z....j..
00E0: 2E 14 81 D0 5F E0 1A 4C E2 35 0F A9 CB 58 45 9D ...._..L.5...XE.
00F0: EE 0C 10 EB AF CC EC 49 A6 39 F4 FB 04 48 6C 19 .......I.9...Hl.
]
***
Foundtrusted certificate: ###找到了可信证书,证明服务器返回的证书是合法的。
[
[
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048bits
modulus:22109471102059671383796642714942393631149792360856487955190294587841800871022486252652612163196360832938367608763978013876844944237576704237206902072810376180366897841695320192789360300658269712766474225042097261456189264772686300705672328691871464945536513831768596383894122798581104077921511815271705394605095257256954381366139644740877956016759414080557948459417160074173313082409422023967584984099389949088073277478112907997447136173994433125025479812790590943737038696590266840534396683337181295383175344548120097700121250428676269067140626584500149856482388498317203907790209503513966223821253856296202557465877
public exponent: 65537
Validity: [From: Wed Nov 08 08:00:00 CST 2006,
To: Thu Jul 17 07:59:59 CST2036]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSignTrust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 18dad19e267de8bb 4a2158cd cc6b3b4a]
Certificate Extensions: 4
[1]: ObjectId: 1.3.6.1.5.5.7.1.12Criticality=false
Extension unknown: DER encoded OCTET string=
0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+..............
0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.#
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo.
0060: 67 69 66 gif
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9..
0010: AF 33 31 33 .313
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 93 24 4A 30 5F 62 CF D8 1A 98 2F 3D EA DC 99 2D .$J0_b..../=...-
0010: BD 77 F6 A5 79 22 38 EC C4 A7 A0 78 12 AD 62 0E .w..y"8....x..b.
0020: 45 70 64 C5 E7 97 66 2D 98 09 7E 5F AF D6 CC 28 Epd...f-..._...(
0030: 65 F2 01 AA 08 1A 47 DE F9 F9 7C 92 5A 08 69 20 e.....G.....Z.i
0040: 0D D9 3E 6D 6E 3C 0D 6E D8 E6 06 91 40 18 B9 F8 ..>mn<.n....@...
0050: C1 ED DF DB 41 AA E0 96 20 C9 CD 64 15 38 81 C9 ....A... ..d.8..
0060: 94 EE A2 84 29 0B 13 6F 8E DB 0C DD 25 02 DB A4 ....)..o....%...
0070: 8B 19 44 D2 41 7A 05 69 4A 58 4F 60 CA 7E 82 6A ..D.Az.iJXO`...j
0080: 0B 02 AA 25 17 39 B5 DB 7F E7 84 65 2A 95 8A BD ...%.9.....e*...
0090: 86 DE 5E 81 16 83 2D 10 CC DE FD A8 82 2A 6D 28 ..^...-......*m(
00A0: 1F 0D 0B C4 E5 E7 1A 26 19 E1 F4 11 6F 10 B5 95 .......&....o...
00B0: FC E7 42 05 32 DB CE 9D 51 5E 28 B6 9E 85 D3 5B ..B.2...Q^(....[
00C0: EF A5 7D 45 40 72 8E B7 0E 6B 0E 06 FB 33 35 48 ...E@r...k...35H
00D0: 71 B8 9D 27 8B C4 65 5F 0D 86 76 9C 44 7A F6 95 q..'..e_..v.Dz..
00E0: 5C F6 5D 32 08 33 A4 54 B6 18 3F 68 5C F2 42 4A \.]2.3.T..?h\.BJ
00F0: 85 38 54 83 5F D1 E8 2C F2 AC 11 D6 A8 ED 63 6A .8T._..,......cj
]
main, READ: TLSv1.2 Handshake, length = 333
***ECDH ServerKeyExchange ###服务端发送交换密钥时的一些参数,好高深的密码学知识,看不懂。
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord:82914176407766536474973522139879232776103063371329904383391882527466240631600
public y coord: 82957322675761160972465763378328983722498673308958763721216412458369972848281
parameters: secp256r1 [NIST P-256, X9.62 prime256v1](1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
***ServerHelloDone
***ECDHClientKeyExchange
ECDH Public value: { 4, 72, 8, 180, 216, 139, 239, 232, 114, 27,152, 135, 89, 132, 218, 15, 0, 174, 146, 183, 4, 101, 65, 45, 154, 221, 162,66, 63, 55, 179, 9, 114, 207, 247, 46, 165, 207, 105, 78, 8, 188, 40, 111, 157,242, 195, 183, 38, 39, 69, 188, 98, 118, 5, 247, 80, 17, 21, 100, 108, 24, 133,194, 84 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMasterSecret: ###客户端新生成的随机数
0000: 04 CA 34 62 C4 F0 CD 5B 85 87 1A 7E 91 75 D9 6E ..4b...[.....u.n
0010: 0B D5 91 34 95 AD A9 3F 43 32 DE 94 96 C5 73 1A ...4...?C2....s.
CONNECTION KEYGEN:
Client Nonce:
0000: 5A 4E 1B 78 52 8B FB B9 40 04 5E CA 49 42 02 B7 ZN.xR...@.^.IB..
0010: FF 5C 6A 56 D2 2D 47 83 E3 95 24 BE AA 7F BD 9C .\jV.-G...$.....
Server Nonce:
0000: 57 93 90 0C B5 AE 9C A6 5F 7C 9C 2B 2D 0F DE B1 W......._..+-...
0010: 0B FF 4E 68 B2 D8 ED 43 63 75 85 62 2C 14 D2 97 ..Nh...Ccu.b,...
MasterSecret: ###最终的加密密码,由于ClientRandom+ServerRandom+PreMaster Secret生成的。后续双方交互加密用的。
0000: FB 96 D8 83 EB 36 EB A1 87 50 14 D5 B4 11 9B BA .....6...P......
0010: 74 07 EB 3B C1 1D A2 FB 1D 0C 6C C2 B0 33 13 BF t..;......l..3..
0020: C4 28 63 9E 89 FB 47 23 79 3D FB 9C DC 89 14 22 .(c...G#y=....."
... no MAC keys used for this cipher
Client write key:
0000: FB 07 90 E0 55 94 DE 2D 5C E0 0D A8 F0 2B A8 F2 ....U..-\....+..
Server write key:
0000: F1 3A EC 1E 1F 4A 71 C6 43 41 3B CF 18 8E 45 A7 .:...Jq.CA;...E.
Client write IV:
0000: F1 12 25 92 ..%.
Server write IV:
0000: 8E 8A AF B9 ....
main, WRITE: TLSv1.2 Change Cipher Spec,length = 1
*** Finished
verify_data: { 225, 157, 131, 124, 111, 106, 47, 115, 111,89, 251, 94 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec,length = 1
main, READ: TLSv1.2 Handshake, length = 40
***Finished
verify_data: { 154, 216, 240, 132, 47, 186, 215, 134, 146,91, 8, 11 }
***
%% Cached client session: [Session-1,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data,length = 216
main, READ: TLSv1.2 Application Data,length = 16408
main, READ: TLSv1.2 Application Data,length = 16408
main, READ: TLSv1.2 Application Data,length = 12196
{"content"
以上是关于我们来聊一聊Https的主要内容,如果未能解决你的问题,请参考以下文章