Let's Talk About HTTPS

Posted by IT凯凯


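HTTPS had me confused for several days at work recently, which made tracking down a problem harder than it should have been. So I decided to study it properly and see what it really is.

Since this is a niche topic in day-to-day work, I never had time to look into it. With the rise of microservices, more and more interaction between systems happens over HTTP/HTTPS. As everyone knows, HTTP transmits data in plaintext, which is very insecure, and that is why HTTPS exists. Put simply, HTTPS adds a security protocol layer, SSL/TLS, between the TCP/IP transport layer and the application layer; with it, both the security of data in transit and the trustworthiness of the site can be ensured.

How is the security of data in transit ensured? The simplest way is encryption. How is the trustworthiness of the site ensured? By signatures, of course. Both belong to network security and cryptography. Encryption is divided into symmetric and asymmetric encryption. Symmetric encryption uses the same key for encryption and decryption; its advantages are simplicity and high efficiency, and its drawback is that there is no way to guarantee the key is distributed safely without falling into the wrong hands. Asymmetric encryption uses different keys for encryption and decryption: generally the public key encrypts and the private key decrypts. The public key is published, each of the two parties holds a private key, and in theory the scheme is secure as long as the private key is not leaked. The advantage of asymmetric encryption is very high security; the drawback is low encryption efficiency. A signature algorithm has to guarantee that it is one-way and irreversible, proving that A really is A, much like an electronic signature or a person's identity document.

With that brief introduction to encryption algorithms and signatures, here is how they are used in HTTPS. Symmetric and asymmetric encryption each have strengths and weaknesses, so combining them is the way to go, and that is exactly what HTTPS does: asymmetric encryption carries the key used for symmetric encryption, which ensures the symmetric key is distributed safely, and symmetric encryption protects the application data in transit. This gives both encryption efficiency and security, two birds with one stone.

Here is how the HTTPS protocol exchange works.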

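1.   Step one: the client sends the protocol version, a client-generated random number (Client random), and the encryption methods the client supports.

2.   Step two: the server confirms the encryption method both sides will use and sends its digital certificate along with a server-generated random number (Server random).

3.   Step three: the client confirms that the digital certificate is valid, then generates a new random number (Premaster secret), encrypts it with the public key from the digital certificate, and sends it to the server.

4.   Step four: the server uses its own private key to recover the random number sent by the client (the Premaster secret).

5.   Step five: following the agreed encryption method, the client and the server use the three random numbers above to generate the "session key", which encrypts the rest of the conversation.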


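To sum up the flow: asymmetric encryption is used only once, to carry the random secret used for symmetric encryption, which ensures the key is distributed safely. All later traffic uses symmetric encryption, which keeps transmission efficient. It is a clever design when you think about it. For the detailed exchange and the algorithms involved, see RFC 5246 (https://tools.ietf.org/html/rfc5246).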

Below is a real handshake example. Setting Java's javax.net.debug parameter to "ssl,handshake" traces the HTTPS handshake, for example:

trustStore is: C:\ProgramFiles\Java\jre1.8.0_144\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

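init truststore ### Adds the trusted certificates. Because the code does not add any trusted certificates, the trusted certificates stored in the JDK are used by default.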

adding as trusted cert:

 Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

 Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

 Algorithm: RSA; Serial number: 0xc3517

 Valid from Mon Jun 21 12:00:00 CST 1999 until Mon Jun 22 12:00:00 CST 2020

……

……

adding as trusted cert:

 Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

 Issuer:  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

 Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5

 Valid from Thu Aug 01 20:00:00 CST 2013 until Fri Jan 15 20:00:00 CST 2038

 

keyStore is :

keyStore type is : jks

keyStore provider is :

init keystore

init keymanager of type SunX509

trigger seeding of SecureRandom

done seeding SecureRandom

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

main, setSoTimeout(0) called

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2   ### Note that this is where the client sends the encryption algorithms and signature algorithms it supports to the server

RandomCookie:  GMT: 1515068280 bytes = { 82, 139, 251, 185,64, 4, 94, 202, 73, 66, 2, 183, 255, 92, 106, 86, 210, 45, 71, 131, 227, 149,36, 190, 170, 127, 189, 156 }

Session ID: {}

Cipher Suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names:{secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1,sect571k1, sect571r1, secp256k1}

Extension ec_point_formats, formats:[uncompressed]

Extension signature_algorithms,signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA,SHA1withRSA, SHA1withDSA

***

main, WRITE: TLSv1.2 Handshake, length = 161 ### The client sends its first message

main, READ: TLSv1.2 Handshake, length = 89

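*** ServerHello, TLSv1.2 ### After receiving the message, the server selects an encryption algorithm and signature algorithm that the client supports and returns its certificate to the client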

RandomCookie:  GMT: 1452445708 bytes = { 181, 174, 156, 166,95, 124, 156, 43, 45, 15, 222, 177, 11, 255, 78, 104, 178, 216, 237, 67, 99,117, 133, 98, 44, 20, 210, 151 }

Session ID: {85, 177, 158, 149, 117, 40, 119, 134, 246, 81, 255, 153, 55, 241, 156,45, 228, 95, 86, 204, 6, 240, 138, 241, 221, 230, 187, 183, 42, 48, 26, 121}

Cipher Suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Compression Method: 0

Extension renegotiation_info,renegotiated_connection: <empty>

Extension ec_point_formats, formats:[uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]

***

%% Initialized:  [Session-1,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

main, READ: TLSv1.2 Handshake, length = 2811 ### The client has read the certificate and now starts verifying it

*** Certificate chain

chain [0] = [

[

 Version: V3

 Subject: CN=www.gzssfa.com

 Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

 

 Key:  Sun RSA public key, 2048bits

 modulus:26720433941944675822572586410807215868706516035793471618609457282094099589521440356373658227875417164723264224500933984654662407353604002669438816413635377840310361190644986017575157342272044364219025223927592790558487522028877909950167083638174178302870026890349321739697917241333133070352734727860630748697208246029934662320497981100947381840015102810551387832035382910664155609453432027608980109887301262653157268390225996013048414144532725585247093701424266863634834338253388535865139751502316690352509691481310482927232304055620226266843288511194242080908450676299141798529050500271511199047207176390002867518169

 public exponent: 65537

 Validity: [From: Thu Jun 29 08:00:00 CST 2017,

               To: Sat Jun 30 07:59:59 CST2018]

 Issuer: CN=Symantec Basic DV SSL CA - G1, OU=Domain Validated SSL,OU=Symantec Trust Network, O=Symantec Corporation, C=US

 SerialNumber: [    7caafbe5f9976236 8bc32fe3 bbb45992]

 

Certificate Extensions: 8

[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2Criticality=false

Extension unknown: DER encoded OCTET string=

0000: 04 81 F5 04 81 F2 00 F0   00 75 00 DD EB 1D 2B 7A  .........u....+z

0010: 0D 4F A6 20 8B 81 AD 81   68 70 7E 2E 8E 9D 01 D5  .O. ....hp......

0020: 5C 88 8D 3D 11 C4 CD B6   EC BE CC 00 00 01 5C F4  \..=..........\.

0030: 56 32 FE 00 00 04 03 00   46 30 44 02 20 3B 8C 55  V2......F0D. ;.U

0040: A7 A3 FB 54 E9 EE 95 18   59 BF 62 0B 03 87 CD 8F  ...T....Y.b.....

0050: D7 E5 5A C4 EB 3C 9E D2   B9 7F DE E4 A9 02 20 62  ..Z..<........ b

0060: 1E E2 CB 0A 4B 74 98 67   87 BA E5 05 AE 1E 37 4F  ....Kt.g......7O

0070: 4D C8 3B 2D 67 B2 0D 9B   37 23 6E 4F 1C A7 73 00  M.;-g...7#nO..s.

0080: 77 00 A4 B9 09 90 B4 18   58 14 87 BB 13 A2 CC 67  w.......X......g

0090: 70 0A 3C 35 98 04 F9 1B   DF B8 E3 77 CD 0E C8 0D  p.<5.......w....

00A0: DC 10 00 00 01 5C F4 56   33 14 00 00 04 03 00 48  .....\.V3......H

00B0: 30 46 02 21 00 94 1E 02   F8 B0 07 68 68 6A 11 55  0F.!.......hhj.U

00C0: EE 82 5C 35 FF 93 2A 3A   C9 64 59 79 01 D0 17 2E  ..\5..*:.dYy....

00D0: A6 7F 2F 7B F3 02 21 00   BB 28 90 B6 6B 04 69 AE  ../...!..(..k.i.

00E0: 12 12 8F 0A B2 DF 1F 37   89 D4 6B 44 8E 1A 97 47  .......7..kD...G

00F0: 03 74 E1 8E 4B 64 D3 C6                            .t..Kd..

 

 

[2]: ObjectId: 1.3.6.1.5.5.7.1.1Criticality=false

AuthorityInfoAccess [

  [

  accessMethod: ocsp

  accessLocation: URIName: http://hc.symcd.com

,

  accessMethod: caIssuers

  accessLocation: URIName: http://hc.symcb.com/hc.crt

]

]

 

[3]: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 5C 61 9E B0 76 41 A9 6A   AA 43 0B E1 C7 6E 30 29  \a..vA.j.C...n0)

0010: 6E B1 CD 36                                        n..6

]

]

 

[4]: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

 CA:false

 PathLen: undefined

]

 

[5]: ObjectId: 2.5.29.32 Criticality=false

CertificatePolicies [

 [CertificatePolicyId: [2.23.140.1.2.1]

[PolicyQualifierInfo: [

 qualifierID: 1.3.6.1.5.5.7.2.1

 qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc

0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

 

], PolicyQualifierInfo: [

 qualifierID: 1.3.6.1.5.5.7.2.2

 qualifier: 0000: 30 19 0C 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy

0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

 

]]  ]

]

 

[6]: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

 serverAuth

 clientAuth

]

 

[7]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

 DigitalSignature

 Key_Encipherment

]

 

[8]: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

 DNSName: www.gzssfa.com

 DNSName: gzssfa.com

]

 

]

 Algorithm: [SHA256withRSA]

 Signature:

0000: 34 62 EA D8 5B 59 65 78   A1 8C 20 67 A5 76 43 20  4b..[Yex.. g.vC

0010: 98 82 F2 24 8A D4 C5 F3   FE 17 D1 71 49 21 13 BC  ...$.......qI!..

0020: EC 04 84 E3 14 45 37 7D   EB F1 A0 97 F5 9F 49 D2  .....E7.......I.

0030: A8 04 CD 0D 62 96 36 C6   38 8E 31 55 1E A2 A5 16  ....b.6.8.1U....

0040: E8 AE 2F 60 23 51 AB B1   54 04 BF 60 FB FD 4D 12  ../`#Q..T..`..M.

0050: 06 5C 10 CB 54 B5 4F 9D   C2 4F 29 93 29 D3 FD 8A  .\..T.O..O).)...

0060: 74 73 2B 55 81 F6 E7 28   7B 30 54 A8 47 59 F7 33  ts+U...(.0T.GY.3

0070: F7 A4 BB 43 77 44 52 57   E9 EB 13 88 FA 16 68 BF  ...CwDRW......h.

0080: 19 FE 2F A3 A9 80 D4 39   7E A9 9E 92 77 D7 32 E3  ../....9....w.2.

0090: 9F C9 95 91 5A 74 CD 7D   1C 06 42 0C 2C E9 F1 31  ....Zt....B.,..1

00A0: 86 0B 25 2A AB ED E6 B5   1C F8 0D 15 50 F7 BF 9B  ..%*........P...

00B0: 65 DE 0D 1F C8 7D EC 8B   3C 72 77 4B AB DB 17 9E  e.......<rwK....

00C0: 9E F5 43 14 ED DD EE 8F   45 BE 77 39 97 78 D5 67  ..C.....E.w9.x.g

00D0: 9C BC 5B 06 24 96 AA 2F   A3 27 81 19 91 9E 13 78  ..[.$../.'.....x

00E0: D8 F6 F1 97 0B 7D 2A 6C   AD DA 74 A6 B3 3E E5 C2  ......*l..t..>..

00F0: 9D 06 86 29 35 E9 1C 1F   0A 64 4C 58 4F CA F4 5F  ...)5....dLXO.._

 

]

chain [1] = [

[

 Version: V3

 Subject: CN=Symantec Basic DV SSL CA - G1, OU=Domain Validated SSL,OU=Symantec Trust Network, O=Symantec Corporation, C=US

 Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

 

 Key:  Sun RSA public key, 2048bits

 modulus:20730589442093487162926826130531029334031078896427984928089064454802604870382306399692984430396883323005755690357995341427344667917247078652715321928928202867088541621301512373945359916120841361925627124702442044671892277519991021719467948903665525839784057832767938219274601096507505478356163312332263488405890753312212071636913614185385016676146677311043069281284550019484298301746169989899904646881381305473682964554090371773473005651045337456541823048017414595011264202439697003900316775507709509695262846575922888096863384480020422680557771750658090609162490866666411601678894835016296096532567331322081667344897

 public exponent: 65537

 Validity: [From: Tue Jun 07 08:00:00 CST 2016,

               To: Sun Jun 07 07:59:59 CST2026]

 Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSignTrust Network, O="VeriSign, Inc.", C=US

 SerialNumber: [    4c4cd8a0fc4feaae 1554a87f 090eda87]

 

Certificate Extensions: 9

[1]: ObjectId: 1.3.6.1.5.5.7.1.1Criticality=false

AuthorityInfoAccess [

  [

  accessMethod: ocsp

  accessLocation: URIName: http://s.symcd.com

]

]

 

[2]: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 7F D3 65 A7 C2 DD EC BB   F0 30 09 F3 43 39 FA 02  ..e......0..C9..

0010: AF 33 31 33                                        .313

]

]

 

[3]: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

 CA:true

 PathLen:0

]

 

[4]: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints [

 [DistributionPoint:

    [URIName: http://s.symcb.com/pca3-g5.crl]

]]

 

[5]: ObjectId: 2.5.29.32 Criticality=false

CertificatePolicies [

 [CertificatePolicyId: [2.23.140.1.2.1]

[PolicyQualifierInfo: [

 qualifierID: 1.3.6.1.5.5.7.2.1

 qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc

0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

 

], PolicyQualifierInfo: [

 qualifierID: 1.3.6.1.5.5.7.2.2

 qualifier: 0000: 30 19 1A 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy

0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

 

]]  ]

]

 

[6]: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

 serverAuth

 clientAuth

]

 

[7]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

 Key_CertSign

 Crl_Sign

]

 

[8]: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

 CN=SymantecPKI-2-555

]

 

[9]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 5C 61 9E B0 76 41 A9 6A   AA 43 0B E1 C7 6E 30 29  \a..vA.j.C...n0)

0010: 6E B1 CD 36                                        n..6

]

]

 

]

 Algorithm: [SHA256withRSA]

 Signature:

0000: 61 EA 45 71 2F 8D E1 3F   0A 9B 95 48 F1 F2 3C A2  a.Eq/..?...H..<.

0010: 58 16 CA 96 C4 FF DA E2   AB 97 71 10 91 B3 2F A4  X.........q.../.

0020: 8B 81 0F F2 A4 FB 35 F3   E7 90 4A 20 C5 9B E5 31  ......5...J ...1

0030: CB 47 B1 68 1D B5 36 E9   F5 28 57 6E A0 A7 A9 73  .G.h..6..(Wn...s

0040: C2 C3 9E F9 05 91 F6 AC   42 8D C4 8D F4 09 6A FA  ........B.....j.

0050: 53 8E E7 E2 1D A1 4A 76   89 C4 97 9E 03 EC 4A B0  S.....Jv......J.

0060: 0D 55 93 8B FC 78 BB BB   C7 04 65 07 08 59 12 C6  .U...x....e..Y..

0070: 0D 14 05 69 0F 76 04 4E   87 A4 1F CE FB 43 36 6B  ...i.v.N.....C6k

0080: 67 A1 1D 1B FD D5 83 AB   1D B4 70 D0 E2 2F D4 F3  g.........p../..

0090: BB 32 4E 6C 8C DA 5F 2F   5C E1 88 64 37 75 5A BE  .2Nl.._/\..d7uZ.

00A0: 9D A9 E7 B6 16 D0 9F 86   F0 1C 58 C6 EF 87 F2 7A  ..........X....z

00B0: B0 13 87 32 AD 15 9F 91   BC 4E 9E A2 53 0B 11 95  ...2.....N..S...

00C0: 8D 73 EC B6 90 28 09 67   94 E8 A2 65 58 61 7B ED  .s...(.g...eXa..

00D0: 60 BF 32 41 1C 2D 2D F8   7A F6 D9 81 F0 6A 82 83  `.2A.--.z....j..

00E0: 2E 14 81 D0 5F E0 1A 4C   E2 35 0F A9 CB 58 45 9D  ...._..L.5...XE.

00F0: EE 0C 10 EB AF CC EC 49   A6 39 F4 FB 04 48 6C 19  .......I.9...Hl.

 

]

***

Found trusted certificate:  ### A trusted certificate was found, which proves that the certificate returned by the server is legitimate.

[

[

 Version: V3

 Subject: CN=VeriSign Class 3 Public Primary Certification Authority -G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

 Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

 Key:  Sun RSA public key, 2048bits

 modulus:22109471102059671383796642714942393631149792360856487955190294587841800871022486252652612163196360832938367608763978013876844944237576704237206902072810376180366897841695320192789360300658269712766474225042097261456189264772686300705672328691871464945536513831768596383894122798581104077921511815271705394605095257256954381366139644740877956016759414080557948459417160074173313082409422023967584984099389949088073277478112907997447136173994433125025479812790590943737038696590266840534396683337181295383175344548120097700121250428676269067140626584500149856482388498317203907790209503513966223821253856296202557465877

 public exponent: 65537

 Validity: [From: Wed Nov 08 08:00:00 CST 2006,

               To: Thu Jul 17 07:59:59 CST2036]

 Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSignTrust Network, O="VeriSign, Inc.", C=US

 SerialNumber: [    18dad19e267de8bb 4a2158cd cc6b3b4a]

 

Certificate Extensions: 4

[1]: ObjectId: 1.3.6.1.5.5.7.1.12Criticality=false

Extension unknown: DER encoded OCTET string=

0000: 04 61 30 5F A1 5D A0 5B   30 59 30 57 30 55 16 09  .a0_.].[0Y0W0U..

0010: 69 6D 61 67 65 2F 67 69   66 30 21 30 1F 30 07 06  image/gif0!0.0..

0020: 05 2B 0E 03 02 1A 04 14   8F E5 D3 1A 86 AC 8D 8E  .+..............

0030: 6B C3 CF 80 6A D4 48 18   2C 7B 19 2E 30 25 16 23  k...j.H.,...0%.#

0040: 68 74 74 70 3A 2F 2F 6C   6F 67 6F 2E 76 65 72 69  http://logo.veri

0050: 73 69 67 6E 2E 63 6F 6D   2F 76 73 6C 6F 67 6F 2E  sign.com/vslogo.

0060: 67 69 66                                           gif

 

 

[2]: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

 CA:true

 PathLen:2147483647

]

 

[3]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

 Key_CertSign

 Crl_Sign

]

 

[4]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 7F D3 65 A7 C2 DD EC BB   F0 30 09 F3 43 39 FA 02  ..e......0..C9..

0010: AF 33 31 33                                        .313

]

]

 

]

 Algorithm: [SHA1withRSA]

 Signature:

0000: 93 24 4A 30 5F 62 CF D8   1A 98 2F 3D EA DC 99 2D  .$J0_b..../=...-

0010: BD 77 F6 A5 79 22 38 EC   C4 A7 A0 78 12 AD 62 0E  .w..y"8....x..b.

0020: 45 70 64 C5 E7 97 66 2D   98 09 7E 5F AF D6 CC 28  Epd...f-..._...(

0030: 65 F2 01 AA 08 1A 47 DE   F9 F9 7C 92 5A 08 69 20  e.....G.....Z.i

0040: 0D D9 3E 6D 6E 3C 0D 6E   D8 E6 06 91 40 18 B9 F8  ..>mn<.n....@...

0050: C1 ED DF DB 41 AA E0 96   20 C9 CD 64 15 38 81 C9  ....A... ..d.8..

0060: 94 EE A2 84 29 0B 13 6F   8E DB 0C DD 25 02 DB A4  ....)..o....%...

0070: 8B 19 44 D2 41 7A 05 69   4A 58 4F 60 CA 7E 82 6A  ..D.Az.iJXO`...j

0080: 0B 02 AA 25 17 39 B5 DB   7F E7 84 65 2A 95 8A BD  ...%.9.....e*...

0090: 86 DE 5E 81 16 83 2D 10   CC DE FD A8 82 2A 6D 28  ..^...-......*m(

00A0: 1F 0D 0B C4 E5 E7 1A 26   19 E1 F4 11 6F 10 B5 95  .......&....o...

00B0: FC E7 42 05 32 DB CE 9D   51 5E 28 B6 9E 85 D3 5B  ..B.2...Q^(....[

00C0: EF A5 7D 45 40 72 8E B7   0E 6B 0E 06 FB 33 35 48  ...E@r...k...35H

00D0: 71 B8 9D 27 8B C4 65 5F   0D 86 76 9C 44 7A F6 95  q..'..e_..v.Dz..

00E0: 5C F6 5D 32 08 33 A4 54   B6 18 3F 68 5C F2 42 4A  \.]2.3.T..?h\.BJ

00F0: 85 38 54 83 5F D1 E8 2C   F2 AC 11 D6 A8 ED 63 6A  .8T._..,......cj

 

]

main, READ: TLSv1.2 Handshake, length = 333

*** ECDH ServerKeyExchange ### The server sends some parameters used for the key exchange. This is deep cryptography that I don't understand.

Signature Algorithm SHA512withRSA

Server key: Sun EC public key, 256 bits

 public x coord:82914176407766536474973522139879232776103063371329904383391882527466240631600

 public y coord: 82957322675761160972465763378328983722498673308958763721216412458369972848281

 parameters: secp256r1 [NIST P-256, X9.62 prime256v1](1.2.840.10045.3.1.7)

main, READ: TLSv1.2 Handshake, length = 4

*** ServerHelloDone

*** ECDHClientKeyExchange

ECDH Public value:  { 4, 72, 8, 180, 216, 139, 239, 232, 114, 27,152, 135, 89, 132, 218, 15, 0, 174, 146, 183, 4, 101, 65, 45, 154, 221, 162,66, 63, 55, 179, 9, 114, 207, 247, 46, 165, 207, 105, 78, 8, 188, 40, 111, 157,242, 195, 183, 38, 39, 69, 188, 98, 118, 5, 247, 80, 17, 21, 100, 108, 24, 133,194, 84 }

main, WRITE: TLSv1.2 Handshake, length = 70

SESSION KEYGEN:

PreMasterSecret:  ### The new random number generated by the client

0000: 04 CA 34 62 C4 F0 CD 5B   85 87 1A 7E 91 75 D9 6E  ..4b...[.....u.n

0010: 0B D5 91 34 95 AD A9 3F   43 32 DE 94 96 C5 73 1A  ...4...?C2....s.

CONNECTION KEYGEN:

Client Nonce:

0000: 5A 4E 1B 78 52 8B FB B9   40 04 5E CA 49 42 02 B7  ZN.xR...@.^.IB..

0010: FF 5C 6A 56 D2 2D 47 83   E3 95 24 BE AA 7F BD 9C  .\jV.-G...$.....

Server Nonce:

0000: 57 93 90 0C B5 AE 9C A6   5F 7C 9C 2B 2D 0F DE B1  W......._..+-...

0010: 0B FF 4E 68 B2 D8 ED 43   63 75 85 62 2C 14 D2 97  ..Nh...Ccu.b,...

MasterSecret:  ### The final encryption secret, generated from Client Random + Server Random + PreMaster Secret. Both sides use it to encrypt the subsequent exchange.

0000: FB 96 D8 83 EB 36 EB A1   87 50 14 D5 B4 11 9B BA  .....6...P......

0010: 74 07 EB 3B C1 1D A2 FB   1D 0C 6C C2 B0 33 13 BF  t..;......l..3..

0020: C4 28 63 9E 89 FB 47 23   79 3D FB 9C DC 89 14 22  .(c...G#y=....."

... no MAC keys used for this cipher

Client write key:

0000: FB 07 90 E0 55 94 DE 2D   5C E0 0D A8 F0 2B A8 F2  ....U..-\....+..

Server write key:

0000: F1 3A EC 1E 1F 4A 71 C6   43 41 3B CF 18 8E 45 A7  .:...Jq.CA;...E.

Client write IV:

0000: F1 12 25 92                                        ..%.

Server write IV:

0000: 8E 8A AF B9                                        ....

main, WRITE: TLSv1.2 Change Cipher Spec,length = 1

*** Finished

verify_data:  { 225, 157, 131, 124, 111, 106, 47, 115, 111,89, 251, 94 }

***

main, WRITE: TLSv1.2 Handshake, length = 40

main, READ: TLSv1.2 Change Cipher Spec,length = 1

main, READ: TLSv1.2 Handshake, length = 40

*** Finished

verify_data:  { 154, 216, 240, 132, 47, 186, 215, 134, 146,91, 8, 11 }

***

%% Cached client session: [Session-1,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

main, WRITE: TLSv1.2 Application Data,length = 216

main, READ: TLSv1.2 Application Data,length = 16408

main, READ: TLSv1.2 Application Data,length = 16408

main, READ: TLSv1.2 Application Data,length = 12196

{"content"

