HTTPS is more secure than HTTP: the data it carries is encrypted, so it cannot simply be read off the wire by whoever intercepts it. The cost is extra latency and more CPU time. To see the difference, we capture the same request over both protocols with tcpdump and analyze the captures in Wireshark; comparing the two sets of packets side by side makes the difference between the protocols clear at a glance.
1. Environment setup
On the test server, Nginx listens on ports 80 and 443, with a certificate configured for port 443. (Note: a certificate you generate yourself with the openssl tool will not be accepted as valid by clients; you need one issued by a recognized CA, or a free certificate provided by your cloud provider.)
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/cert/5490205__vanmilk.com.pem;
    ssl_certificate_key /etc/nginx/cert/5490205__vanmilk.com.key;
}
2. HTTP message analysis
On the server, capture the packets exchanged with the client 118.178.255.158:
tcpdump -n -S -i eth0 host 118.178.255.158 -w http.pcap
Open http.pcap in Wireshark. The capture contains 10 packets in total. Wireshark displays relative sequence numbers by default, which is why both sides start at Seq=0 below.
Notes
Seq: the offset of the first byte carried by this segment within the sender's byte stream. A pure ACK carrying no data does not consume a sequence number, so the next segment that actually carries data starts at the same Seq as that ACK.
Ack: the Seq the sender expects to receive next from the peer.
SYN and FIN carry no data, but each consumes one sequence number, so the next segment from that side has its Seq increased by one; a pure ACK does not increase the next Seq.
Three-way handshake
#1: Client->Server [SYN] CSeq=0
#2: Server->Client [SYN+ACK] SSeq=0, Ack=1 (ACK for #1)
#3: Client->Server [ACK] CSeq=1, Ack=1 (ACK for #2)
Data transfer
#4: Client->Server GET / CSeq=1, Ack=1 HTTP
#5: Server->Client [ACK] SSeq=1, Ack=116
#6: Server->Client SSeq=1, Ack=116 HTTP plaintext data
#7: Client->Server [ACK] CSeq=116, Ack=860
Four-way close (two of the four segments were merged into one packet)
#8: Client->Server [FIN+ACK] CSeq=116, Ack=860
#9: Server->Client [FIN+ACK] SSeq=860, Ack=117 (ACK for #8)
#10: Client->Server [ACK] CSeq=117, Ack=861 (ACK for #9)
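As an added illustration (not part of the original article), the script below applies the Seq/Ack rules above to the ten-packet HTTP exchange and reproduces the numbers listed. It assumes Wireshark's relative numbering, and the payload sizes 115 and 859 are inferred from the Seq jumps in packets #4 and #6.

```python
# Relative TCP Seq/Ack bookkeeping for one connection, reconstructed from the
# rules above: SYN and FIN each consume one sequence number, payload consumes
# one per byte, and a pure ACK consumes none. In-order delivery is assumed.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str          # "C" (client) or "S" (server)
    flags: set        # subset of {"SYN", "ACK", "FIN"}
    payload: int = 0  # bytes of application data carried


def walk(segments):
    """Return one (src, seq, ack) tuple per segment, as Wireshark would show them."""
    next_seq = {"C": 0, "S": 0}  # Seq each side will put on its next segment
    expected = {"C": 0, "S": 0}  # Seq each side expects to receive next
    out = []
    for s in segments:
        peer = "S" if s.src == "C" else "C"
        seq = next_seq[s.src]
        ack = expected[s.src] if "ACK" in s.flags else 0  # no ACK flag: field unused
        out.append((s.src, seq, ack))
        consumed = s.payload + ("SYN" in s.flags) + ("FIN" in s.flags)
        next_seq[s.src] += consumed
        expected[peer] += consumed  # the peer must acknowledge what it received
    return out


# Constructed model of the article's 10-packet HTTP capture (sizes inferred).
HTTP_CAPTURE = [
    Segment("C", {"SYN"}),               # #1
    Segment("S", {"SYN", "ACK"}),        # #2
    Segment("C", {"ACK"}),               # #3
    Segment("C", {"ACK"}, payload=115),  # #4  GET /
    Segment("S", {"ACK"}),               # #5
    Segment("S", {"ACK"}, payload=859),  # #6  HTTP response (plaintext)
    Segment("C", {"ACK"}),               # #7
    Segment("C", {"FIN", "ACK"}),        # #8
    Segment("S", {"FIN", "ACK"}),        # #9  server's ACK of #8 merged with its FIN
    Segment("C", {"ACK"}),               # #10
]


def http_trace():
    return walk(HTTP_CAPTURE)


if __name__ == "__main__":
    for n, (src, seq, ack) in enumerate(http_trace(), 1):
        print(f"#{n}: {src} Seq={seq} Ack={ack}")
```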
3. HTTPS message analysis
tcpdump -n -S -i eth0 host 118.178.255.158 -w https.pcap
Open https.pcap in Wireshark. The capture contains 14 packets in total.
Three-way handshake
#1: Client->Server [SYN]
#2: Server->Client [SYN+ACK]
#3: Client->Server [ACK]
TLS handshake
#4: Client->Server Client Hello TLS
#5: Server->Client [ACK]
#6: Server->Client Server Hello, Certificate, Server Key Exchange, Server Hello Done TLS
The server answers the Client Hello and then sends its certificate (carrying the public key) down to the client.
#7: Client->Server [ACK]
The client verifies that the certificate is valid and uses the public key from the certificate to encrypt a random value.
#8: Client->Server Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message TLS
Sends the encrypted random value generated by the client up to the server.
#9: Server->Client New Session Ticket, Change Cipher Spec, Encrypted Handshake Message TLS
The server decrypts the random value with its private key; from here on, both sides use the key derived from that value to encrypt and decrypt the transmitted data.
Data transfer
Data is encrypted with a symmetric algorithm (a different random key is generated for every connection).
#10: Client->Server Application Data TLS
#11: Server->Client Application Data TLS
Four-way close
#12: Client->Server [FIN+ACK]
#13: Server->Client [FIN+ACK]
#14: Client->Server [ACK]