PKI Learning Path (5): SSL Mutual Authentication Log Analysis

Using the run output from the previous post, we walk through the handshake step by step from its log.

"C:\Program Files\Java\jdk1.8.0_161\bin\java.exe" "-javaagent:D:\IntelliJ IDEA 2018.1.5\lib\idea_rt.jar=52038:D:\IntelliJ IDEA 2018.1.5\bin" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\Java\jdk1.8.0_161\jre\lib\charsets.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\deploy.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\access-bridge-64.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\cldrdata.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\dnsns.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\jaccess.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\jfxrt.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\localedata.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\nashorn.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\sunec.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\sunjce_provider.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\sunmscapi.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\sunpkcs11.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\ext\zipfs.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\javaws.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\jce.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\jfr.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\jfxswt.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\jsse.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\management-agent.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\plugin.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\resources.jar;C:\Program Files\Java\jdk1.8.0_161\jre\lib\rt.jar;D:\EclipseWorkspace\PKI\out\production\ssl" com.ggp.client.SSLClient
***
found key for : sec_test
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17799277481145082107201966323783350021598082974604990927029968246222141427182620083019911830883319410418286792058337777954917961260884843335408017187863022554055589246407464848394958836432173195513917984182992062990925662898070813715485602457446382766420844502251808097611610570933215001273585365009636761382361952399539839123435464504675529582265209470927021176389455088006021693190396226319471604009564728480541653642157711131244384972778918434338476074810598251476886797184804748574357334816848642823679576390860371538889281995872634548361546575165955097901666562091999269950737002991557864285794833079671370103891
  public exponent: 65537
  Validity: [From: Thu Nov 29 16:00:29 CST 2018,
               To: Sat Nov 05 16:00:29 CST 2118]
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  SerialNumber: [    6577fca0]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 7E CA 91 3B E0 0E 84   7B 4E 3B C1 B2 D3 20 57  ....;....N;... W
0010: 2F E7 E2 29                                        /..)
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 59 4E 91 98 02 B5 E4 D4   30 64 85 E6 BC 33 68 7E  YN......0d...3h.
0010: 43 73 38 71 B5 26 F8 7F   07 F3 F9 25 68 43 14 B1  Cs8q.&.....%hC..
0020: CF CE 6B AE 1F 9C 05 D6   77 30 5B 87 FC E6 74 34  ..k.....w0[...t4
0030: D8 66 3A 2F DF 8A 0D AB   71 F8 B2 96 DB A4 B5 18  .f:/....q.......
0040: 90 39 87 17 93 02 41 9A   A7 6E F6 EE C5 7A 9D AE  .9....A..n...z..
0050: E3 50 64 C6 98 5F 21 6B   DE 2B 7F CF 92 BA F2 54  .Pd.._!k.+.....T
0060: 3C 0D 9A E1 E4 46 26 1E   EC 13 15 3F 18 FC 56 12  <....F&....?..V.
0070: BB 41 B5 02 BE 33 A7 5A   CC 83 49 0C B4 0E E1 E7  .A...3.Z..I.....
0080: 1E BC 34 FE BE 80 1D 66   FF 0E 34 74 CD 6E 00 46  ..4....f..4t.n.F
0090: 1E 7C D2 1B 60 F5 8F C8   41 8F 95 36 90 58 A0 27  ....`...A..6.X.'
00A0: 3F 1B 9B DE 09 86 C5 50   56 3F B4 0E 69 C3 7A B5  ?......PV?..i.z.
00B0: 62 6F C1 BD B3 79 EC CB   69 9F 3E 24 80 69 1D 91  bo...y..i.>$.i..
00C0: 93 BD 7B 47 FD EC 1F 96   FB AD 5B F0 70 44 B7 4C  ...G......[.pD.L
00D0: 73 3A F6 8F 50 83 12 2B   A5 44 E9 4C 08 F4 B1 25  s:..P..+.D.L...%
00E0: D0 BC A1 FB B4 2F 12 60   FA DC E3 2E 42 5C 18 1C  ...../.`....B\..
00F0: 65 CB D7 F9 63 81 CA 08   E2 92 8A D4 0D C1 A9 5F  e...c.........._

]
***
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
trustStore is: D:\client.keystore
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  Issuer:  CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  Algorithm: RSA; Serial number: 0x2f48632
  Valid from Thu Nov 29 16:02:07 CST 2018 until Sat Nov 05 16:02:07 CST 2118

adding as trusted cert:
  Subject: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  Issuer:  CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  Algorithm: RSA; Serial number: 0x6577fca0
  Valid from Thu Nov 29 16:00:29 CST 2018 until Sat Nov 05 16:00:29 CST 2118

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session

Step 1: the trustStore and the trusted certificates it holds are loaded first.

Next comes the exchange between the client and the server.

ClientHello

*** ClientHello, TLSv1
RandomCookie:  GMT: 1543477396 bytes = { 249, 96, 160, 105, 152, 255, 16, 176, 217, 194, 65, 30, 8, 192, 87, 33, 241, 230, 211, 80, 194, 80, 138, 127, 249, 194, 33, 109 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension extended_master_secret
***

The SSL client uses the Client Hello message to send the SSL server the SSL version, cipher algorithms, key exchange algorithms, MAC algorithms and other parameters it supports.

ServerHello

*** ServerHello, TLSv1
RandomCookie:  GMT: 1543477396 bytes = { 144, 171, 9, 100, 118, 29, 83, 215, 43, 191, 91, 79, 152, 0, 132, 87, 78, 96, 222, 236, 132, 71, 19, 93, 212, 156, 168, 137 }
Session ID:  {92, 0, 153, 148, 198, 180, 95, 117, 88, 252, 199, 229, 195, 219, 119, 231, 136, 114, 245, 20, 78, 188, 151, 43, 222, 251, 84, 64, 182, 109, 2, 182}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***

The SSL server decides the SSL version and cipher suite for this connection and tells the SSL client via the Server Hello message. If the SSL server allows the SSL client to reuse this session in later connections, it assigns a session ID to the session and also sends it to the SSL client in the Server Hello message.

Certificate

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 21140956574323818636518073605989960557980422427308510349067707550805530674132527299365060703831689944913888683442082360718206761343318151748364573948893669929792561194819950297028758789961419830454360368618599082419529631809068463263762329805652636303795957421731938749897495822361445355988371330484204620785753258466130228047005411048922958254164920345807737363708057971162407342950500015175235436212207355022698393072352390998700984365460317808310648204906181341115269254643254789937200195884888790669755310673799950115006806733604044619979481050207532936144960712855653972783096070932584535404751488198481186671913
  public exponent: 65537
  Validity: [From: Thu Nov 29 16:02:07 CST 2018,
               To: Sat Nov 05 16:02:07 CST 2118]
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  SerialNumber: [    02f48632]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF F0 A4 A1 EC 08 46 C6   7E 73 84 5D 31 61 50 9E  ......F..s.]1aP.
0010: 1A 9A 41 FA                                        ..A.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 65 95 78 2B 9B 02 40 58   D4 A2 B6 BE 1E AD 46 BE  [email protected].
0010: 8F F6 E1 60 08 EB A7 B2   F1 00 FD 5F A7 4C 2F EA  ...`......._.L/.
0020: 22 6D 05 2B CB 5E 60 8B   80 F4 EE 98 31 36 99 85  "m.+.^`.....16..
0030: 48 0E A1 B7 26 3A 7F 76   C1 0E 06 16 3D A3 32 16  H...&:.v....=.2.
0040: 23 1D A6 41 07 7A 36 13   65 FC 8E BB D4 A0 09 79  #..A.z6.e......y
0050: 34 FA C9 D5 CE 87 48 41   3E 8E 32 43 B6 D7 79 5D  4.....HA>.2C..y]
0060: DE 58 82 5E 63 B0 18 70   A1 FD 25 19 93 C0 74 43  .X.^c..p..%...tC
0070: 89 C3 AA 15 EC 32 FA BC   3C E0 E7 B7 C1 2D BE 32  .....2..<....-.2
0080: C7 69 7A 47 28 ED E6 6F   C2 BB A2 58 25 79 22 90  .izG(..o...X%y".
0090: 46 A8 8D B6 07 CD B4 22   E5 1A 6C 1F E1 BD 70 DD  F......"..l...p.
00A0: 45 44 48 7D 9A 22 DF DA   77 AF FC 2B 18 10 6F 11  EDH.."..w..+..o.
00B0: 4D 01 C3 71 BB F3 81 79   B3 74 39 9E F6 C5 D9 72  M..q...y.t9....r
00C0: DF AD A5 22 84 24 9D 2C   46 8C 88 D0 54 69 5F 5C  ...".$.,F...Ti_\
00D0: 3A DF 94 BA F0 0C 7D 8D   3E B0 60 0C 84 FE E4 55  :.......>.`....U
00E0: 73 F2 3B 5B 42 DA 24 A7   0B 02 B9 E7 1C 59 8A 6C  s.;[B.$......Y.l
00F0: 22 D3 9F 14 96 4E A0 B5   B7 96 BE 85 F1 D6 A9 B0  "....N..........

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 21140956574323818636518073605989960557980422427308510349067707550805530674132527299365060703831689944913888683442082360718206761343318151748364573948893669929792561194819950297028758789961419830454360368618599082419529631809068463263762329805652636303795957421731938749897495822361445355988371330484204620785753258466130228047005411048922958254164920345807737363708057971162407342950500015175235436212207355022698393072352390998700984365460317808310648204906181341115269254643254789937200195884888790669755310673799950115006806733604044619979481050207532936144960712855653972783096070932584535404751488198481186671913
  public exponent: 65537
  Validity: [From: Thu Nov 29 16:02:07 CST 2018,
               To: Sat Nov 05 16:02:07 CST 2118]
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  SerialNumber: [    02f48632]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF F0 A4 A1 EC 08 46 C6   7E 73 84 5D 31 61 50 9E  ......F..s.]1aP.
0010: 1A 9A 41 FA                                        ..A.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 65 95 78 2B 9B 02 40 58   D4 A2 B6 BE 1E AD 46 BE  [email protected].
0010: 8F F6 E1 60 08 EB A7 B2   F1 00 FD 5F A7 4C 2F EA  ...`......._.L/.
0020: 22 6D 05 2B CB 5E 60 8B   80 F4 EE 98 31 36 99 85  "m.+.^`.....16..
0030: 48 0E A1 B7 26 3A 7F 76   C1 0E 06 16 3D A3 32 16  H...&:.v....=.2.
0040: 23 1D A6 41 07 7A 36 13   65 FC 8E BB D4 A0 09 79  #..A.z6.e......y
0050: 34 FA C9 D5 CE 87 48 41   3E 8E 32 43 B6 D7 79 5D  4.....HA>.2C..y]
0060: DE 58 82 5E 63 B0 18 70   A1 FD 25 19 93 C0 74 43  .X.^c..p..%...tC
0070: 89 C3 AA 15 EC 32 FA BC   3C E0 E7 B7 C1 2D BE 32  .....2..<....-.2
0080: C7 69 7A 47 28 ED E6 6F   C2 BB A2 58 25 79 22 90  .izG(..o...X%y".
0090: 46 A8 8D B6 07 CD B4 22   E5 1A 6C 1F E1 BD 70 DD  F......"..l...p.
00A0: 45 44 48 7D 9A 22 DF DA   77 AF FC 2B 18 10 6F 11  EDH.."..w..+..o.
00B0: 4D 01 C3 71 BB F3 81 79   B3 74 39 9E F6 C5 D9 72  M..q...y.t9....r
00C0: DF AD A5 22 84 24 9D 2C   46 8C 88 D0 54 69 5F 5C  ...".$.,F...Ti_\
00D0: 3A DF 94 BA F0 0C 7D 8D   3E B0 60 0C 84 FE E4 55  :.......>.`....U
00E0: 73 F2 3B 5B 42 DA 24 A7   0B 02 B9 E7 1C 59 8A 6C  s.;[B.$......Y.l
00F0: 22 D3 9F 14 96 4E A0 B5   B7 96 BE 85 F1 D6 A9 B0  "....N..........

]

The SSL server sends the digital certificate carrying its public key to the SSL client in the Certificate message. The client checks whether the server's certificate is valid; if it is, the handshake continues, otherwise a warning is raised.

Certificate Request

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN>
<CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN>

The SSL server sends a Certificate Request message asking the SSL client to send its certificate to the SSL server.

ServerHelloDone

*** ServerHelloDone
matching alias: sec_test

The SSL server sends the Server Hello Done message, telling the SSL client that version and cipher suite negotiation is finished and the key exchange begins.

Certificate

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17799277481145082107201966323783350021598082974604990927029968246222141427182620083019911830883319410418286792058337777954917961260884843335408017187863022554055589246407464848394958836432173195513917984182992062990925662898070813715485602457446382766420844502251808097611610570933215001273585365009636761382361952399539839123435464504675529582265209470927021176389455088006021693190396226319471604009564728480541653642157711131244384972778918434338476074810598251476886797184804748574357334816848642823679576390860371538889281995872634548361546575165955097901666562091999269950737002991557864285794833079671370103891
  public exponent: 65537
  Validity: [From: Thu Nov 29 16:00:29 CST 2018,
               To: Sat Nov 05 16:00:29 CST 2118]
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  SerialNumber: [    6577fca0]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 7E CA 91 3B E0 0E 84   7B 4E 3B C1 B2 D3 20 57  ....;....N;... W
0010: 2F E7 E2 29                                        /..)
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 59 4E 91 98 02 B5 E4 D4   30 64 85 E6 BC 33 68 7E  YN......0d...3h.
0010: 43 73 38 71 B5 26 F8 7F   07 F3 F9 25 68 43 14 B1  Cs8q.&.....%hC..
0020: CF CE 6B AE 1F 9C 05 D6   77 30 5B 87 FC E6 74 34  ..k.....w0[...t4
0030: D8 66 3A 2F DF 8A 0D AB   71 F8 B2 96 DB A4 B5 18  .f:/....q.......
0040: 90 39 87 17 93 02 41 9A   A7 6E F6 EE C5 7A 9D AE  .9....A..n...z..
0050: E3 50 64 C6 98 5F 21 6B   DE 2B 7F CF 92 BA F2 54  .Pd.._!k.+.....T
0060: 3C 0D 9A E1 E4 46 26 1E   EC 13 15 3F 18 FC 56 12  <....F&....?..V.
0070: BB 41 B5 02 BE 33 A7 5A   CC 83 49 0C B4 0E E1 E7  .A...3.Z..I.....
0080: 1E BC 34 FE BE 80 1D 66   FF 0E 34 74 CD 6E 00 46  ..4....f..4t.n.F
0090: 1E 7C D2 1B 60 F5 8F C8   41 8F 95 36 90 58 A0 27  ....`...A..6.X.'
00A0: 3F 1B 9B DE 09 86 C5 50   56 3F B4 0E 69 C3 7A B5  ?......PV?..i.z.
00B0: 62 6F C1 BD B3 79 EC CB   69 9F 3E 24 80 69 1D 91  bo...y..i.>$.i..
00C0: 93 BD 7B 47 FD EC 1F 96   FB AD 5B F0 70 44 B7 4C  ...G......[.pD.L
00D0: 73 3A F6 8F 50 83 12 2B   A5 44 E9 4C 08 F4 B1 25  s:..P..+.D.L...%
00E0: D0 BC A1 FB B4 2F 12 60   FA DC E3 2E 42 5C 18 1C  ...../.`....B\..
00F0: 65 CB D7 F9 63 81 CA 08   E2 92 8A D4 0D C1 A9 5F  e...c.........._

]

The SSL client sends the certificate carrying its own public key to the SSL server in the Certificate message. The SSL server verifies that this certificate is valid.

Client Key Exchange

*** ECDHClientKeyExchange
ECDH Public value:  { 4, 212, 209, 95, 1, 252, 3, 226, 3, 40, 79, 169, 240, 161, 54, 108, 117, 191, 87, 253, 21, 12, 201, 99, 68, 241, 174, 172, 204, 198, 169, 120, 214, 222, 187, 98, 172, 30, 247, 189, 149, 69, 207, 101, 13, 126, 234, 80, 107, 109, 107, 227, 4, 30, 52, 40, 223, 185, 152, 136, 31, 33, 179, 190, 251 }
main, WRITE: TLSv1 Handshake, length = 933
SESSION KEYGEN:
PreMaster Secret:
0000: 63 DB A2 20 5C 7E 42 1A   0F 35 6D 00 6E 01 FD 2B  c.. \.B..5m.n..+
0010: A2 F8 73 78 E0 A1 B5 0F   99 09 B1 4D 1D 8D E2 92  ..sx.......M....
CONNECTION KEYGEN:
Client Nonce:
0000: 5C 00 99 94 F9 60 A0 69   98 FF 10 B0 D9 C2 41 1E  \....`.i......A.
0010: 08 C0 57 21 F1 E6 D3 50   C2 50 8A 7F F9 C2 21 6D  ..W!...P.P....!m
Server Nonce:
0000: 5C 00 99 94 90 AB 09 64   76 1D 53 D7 2B BF 5B 4F  \......dv.S.+.[O
0010: 98 00 84 57 4E 60 DE EC   84 47 13 5D D4 9C A8 89  ...WN`...G.]....
Master Secret:
0000: 21 F9 0E 85 D6 9A 28 0C   D7 30 D5 6A B4 9C F5 D7  !.....(..0.j....
0010: A0 86 C1 24 65 6C B1 80   C7 36 C9 C7 C0 18 7C 7C  ...$el...6......
0020: 70 90 D8 D9 48 EF AE 86   E4 D9 2F E6 61 79 96 3E  p...H...../.ay.>
Client MAC write Secret:
0000: 6A 01 45 6F AA 13 0E 28   4E CF 04 55 13 F3 FF A9  j.Eo...(N..U....
0010: 86 79 69 03                                        .yi.
Server MAC write Secret:
0000: 84 C5 E9 F4 F9 C7 E0 79   AD 16 20 AF CE 66 45 5E  .......y.. ..fE^
0010: DA C7 E3 C5                                        ....
Client write key:
0000: 06 38 B3 EC 0C B5 3F 12   C7 FA DC 73 2D EB 71 2E  .8....?....s-.q.
0010: 25 3E 0D 7C 00 A4 A7 B5   36 03 0A 56 34 4C 11 4C  %>......6..V4L.L
Server write key:
0000: 94 BD 8B 49 C5 DC 40 C1   47 8C CE E7 38 3F B7 53  [email protected]?.S
0010: 58 9D 6A 6C 91 F7 DA 17   55 3F 11 0D 5F BF 2E 33  X.jl....U?.._..3
Client write IV:
0000: F2 B3 9A 76 B6 96 AD D2   C2 D2 93 60 F4 95 2C 56  ...v.......`..,V
Server write IV:
0000: 70 1A 13 59 17 0C 37 29   EE 16 C6 36 02 28 CB 58  p..Y..7)...6.(.X

Once the SSL client has validated the SSL server's certificate, it uses the public key in that certificate to encrypt a randomly generated premaster secret and sends it to the SSL server in the Client Key Exchange message. That describes the RSA key exchange; in this log the negotiated suite is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, so the message is an ECDHClientKeyExchange carrying the client's ephemeral ECDH public value, and the PreMaster Secret printed under SESSION KEYGEN is the ECDH shared secret rather than a value encrypted under the server's RSA key.
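The CONNECTION KEYGEN section above can be checked by hand: the six connection keys are the TLS 1.0 key block, PRF(master_secret, "key expansion", server_random + client_random), split into MAC keys, cipher keys and IVs. The Python below is an added example, not code from the original post: it implements the RFC 2246 PRF and recomputes the key block from the Master Secret and nonces transcribed from the log, reporting whether each result equals the value Java printed. It assumes the sizes implied by TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (20, 32 and 16 bytes); the master secret itself is not recomputed, because extended_master_secret was negotiated and the session hash that derivation needs is not in the log.

```python
import hmac

# Values transcribed from the SESSION/CONNECTION KEYGEN section of the log above.
# Suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: 20-byte SHA-1 MAC keys, 32-byte AES keys, 16-byte IVs.
MASTER_SECRET = bytes.fromhex("21F90E85D69A280CD730D56AB49CF5D7"
                              "A086C124656CB180C736C9C7C0187C7C"
                              "7090D8D948EFAE86E4D92FE66179963E")
CLIENT_RANDOM = bytes.fromhex("5C009994F960A06998FF10B0D9C2411E08C05721F1E6D350C2508A7FF9C2216D")
SERVER_RANDOM = bytes.fromhex("5C00999490AB0964761D53D72BBF5B4F980084574E60DEEC8447135DD49CA889")
LOGGED = {
    "client_mac": "6A01456FAA130E284ECF045513F3FFA986796903",
    "server_mac": "84C5E9F4F9C7E079AD1620AFCE66455EDAC7E3C5",
    "client_key": "0638B3EC0CB53F12C7FADC732DEB712E253E0D7C00A4A7B536030A56344C114C",
    "server_key": "94BD8B49C5DC40C1478CCEE7383FB753589D6A6C91F7DA17553F110D5FBF2E33",
    "client_iv": "F2B39A76B696ADD2C2D29360F4952C56",
    "server_iv": "701A1359170C3729EE16C6360228CB58",
}

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed                                # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def key_block(master_secret, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the six connection keys, in RFC 2246 section 6.3 order."""
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    # Note the seed order: key expansion uses server_random + client_random.
    block = prf_tls10(master_secret, b"key expansion", server_random + client_random,
                      sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name], pos = block[pos:pos + n], pos + n
    return keys

def compare_with_log():
    """True for each key whose recomputation equals the value Java printed."""
    derived = key_block(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 20, 32, 16)
    return {name: derived[name].hex().upper() == LOGGED[name] for name in LOGGED}

if __name__ == "__main__":
    for name, ok in compare_with_log().items():
        print(name, "matches the log" if ok else "DIFFERS from the log")
```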

Certificate Verify

The SSL server computes a hash over the handshake messages exchanged so far and the master secret. It uses the public key in the SSL client's certificate to decrypt the Certificate Verify message and compares the decrypted result with the hash it computed; if the two match, the SSL client's identity is verified.

Change Cipher Spec

The SSL client sends the Change Cipher Spec message, telling the SSL server that subsequent records will be encrypted and MACed using the negotiated key and cipher suite.

Finished

The SSL client computes a hash over the handshake messages exchanged so far (all exchanged messages except Change Cipher Spec), processes the hash with the negotiated key and cipher suite (computing and appending a MAC, encrypting, and so on), and sends it to the SSL server in the Finished message. The SSL server computes the hash over the exchanged handshake messages in the same way and compares it with the decrypted contents of the Finished message; if the two match and the MAC verifies, the key and cipher suite negotiation has succeeded.

Change Cipher Spec

Likewise, the SSL server sends the Change Cipher Spec message, telling the SSL client that subsequent records will be encrypted and MACed using the negotiated key and cipher suite.

Finished

The SSL server computes a hash over the exchanged handshake messages, processes it with the negotiated key and cipher suite (computing and appending a MAC, encrypting, and so on), and sends it to the SSL client in the Finished message. The SSL client computes the hash over the exchanged handshake messages in the same way and compares it with the decrypted contents of the Finished message; if the two match and the MAC verifies, the key and cipher suite negotiation has succeeded.

** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 60, 170, 98, 213, 104, 209, 124, 14, 219, 139, 19, 178 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data:  { 123, 147, 242, 248, 152, 163, 243, 193, 193, 214, 140, 49 }
***

Notes:

- The Change Cipher Spec message belongs to the SSL Change Cipher Spec protocol; all other messages exchanged during the handshake belong to the SSL handshake protocol. Together they are referred to as SSL handshake messages.

- Computing a hash means using a hash algorithm (MD5 or SHA) to turn data of arbitrary length into data of fixed length.
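To turn a log like this into something reviewable, the whole handshake can be parsed instead of read by eye. The Python below is an added example, not part of the original post: it walks an excerpt of the javax.net.debug output (constructed from the lines above) to extract the negotiated version and suite, the certificate each side sent and the CAs the server asked for, then lists what a reviewer would flag, including that TLSv1 with a CBC suite is legacy and that both certificates are self-signed.

```python
# Constructed excerpt of the javax.net.debug output above, cut down to the lines
# this parser consumes (certificate bodies, hex dumps and extensions omitted).
SAMPLE_LOG = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
  Subject: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
  SerialNumber: [    02f48632]
Found trusted certificate:
  Subject: CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN
*** CertificateRequest
<CN=localhost, OU=DEP, O=XDJA, L=ZZ, ST=HN, C=CN>
<CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN>
*** ServerHelloDone
*** Certificate chain
  Subject: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  Issuer: CN=localhost, OU=DEP, O=XDJA, L=BJ, ST=BJ, C=CN
  SerialNumber: [    6577fca0]
*** CertificateVerify
*** Finished
*** Finished
"""

def parse_handshake(log):
    """One pass over the debug log: what was negotiated and which side sent which certificate."""
    s = {"messages": [], "version": None, "suite": None,
         "server_chain": [], "client_chain": [], "requested_cas": []}
    section = cert = None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("*** "):                          # start of a handshake message
            section, _, rest = line[4:].partition(",")
            s["messages"].append(section)
            if rest: s["version"] = rest.strip()             # "ServerHello, TLSv1" carries the version
        elif line.startswith("Found trusted certificate"):
            section = "trusted"                              # echoed from the truststore, not sent on the wire
        elif line.startswith("Cipher Suite:"):
            s["suite"] = line.partition(":")[2].strip()
        elif line.startswith("<CN=") and section == "CertificateRequest":
            s["requested_cas"].append(line.strip("<>"))
        elif section == "Certificate chain":
            field, _, value = line.partition(":")
            if field == "Subject":                           # the chain before CertificateRequest is the
                cert = {"subject": value.strip()}            # server's, the one after it the client's
                s["client_chain" if "CertificateRequest" in s["messages"] else "server_chain"].append(cert)
            elif field in ("Issuer", "SerialNumber"):
                cert[field.lower()] = value.strip(" []")
    return s

def findings(s):
    """Defender-side observations: weak parameters, and whether mutual authentication completed."""
    notes = []
    if s["version"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        notes.append("deprecated protocol version " + s["version"])
    if s["suite"] and any(m in s["suite"] for m in ("_CBC_", "3DES", "RC4", "NULL", "EXPORT")):
        notes.append("legacy cipher suite " + s["suite"])
    for side in ("server_chain", "client_chain"):
        for c in s[side]:
            if c.get("subject") == c.get("issuer"):
                notes.append("self-signed %s certificate, serial %s" % (side[:6], c.get("serialnumber")))
    done = s["client_chain"] and "CertificateVerify" in s["messages"] and s["messages"].count("Finished") == 2
    notes.append("mutual authentication " + ("completed" if done else "NOT completed"))
    return notes
```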


Reprinted from blog.csdn.net/qq_33543634/article/details/84645777