Use packet capture tools to analyze HTTPS messages

HTTPS is more secure than HTTP: the payload is encrypted, so anyone who can capture the traffic cannot simply read or tamper with it. The price is extra round trips and more CPU time on both ends. To see the difference concretely, capture the same request over both protocols with tcpdump and open the captures in Wireshark; comparing the two packet lists side by side makes the difference between the protocols clear at a glance.

1. Environment setup

     On the test server, Nginx listens on ports 80 and 443, with a server certificate configured for port 443. (Note: a self-signed certificate generated with the openssl tool will still produce a capture, but browsers do not trust it and will warn or refuse to connect; use a certificate issued by a publicly trusted CA or a free certificate provided by your cloud provider.)

server {
   listen       80;                 # plain HTTP, used for the http.pcap capture
}

server {
   listen       443 ssl;            # HTTPS, used for the https.pcap capture
   ssl_certificate      /etc/nginx/cert/5490205__vanmilk.com.pem;   # server certificate (with chain)
   ssl_certificate_key  /etc/nginx/cert/5490205__vanmilk.com.key;   # matching private key
}

2. HTTP message analysis

On the server, capture every packet exchanged with the client 118.178.255.158 while it requests the page over HTTP:

tcpdump -n -S -ieth0 host 118.178.255.158 -w http.pcap

(-n: no name resolution; -S: print absolute TCP sequence numbers rather than relative ones; -i eth0: capture interface; -w: write the raw packets to a file for Wireshark.)

Open http.pcap in Wireshark. There are 10 packets in total. Wireshark displays relative sequence numbers by default (each side counting from 0), and that is how the tables below are written, even though tcpdump -S recorded the absolute values.

Notes

Seq: the offset, in the sender's byte stream, of the first byte of data in this segment. A pure ACK carries no data, so the next segment that does carry data starts at the same Seq as that ACK.
Ack: the Seq of the next byte this side expects to receive from the peer.
SYN and FIN carry no data, but each consumes one sequence number, so the sender's next Seq is incremented by one; a pure ACK consumes nothing and does not advance the sender's Seq.

Three-way handshake

#1: Client->Server [SYN]          CSeq=0
#2: Server->Client [SYN+ACK]      SSeq=0,Ack=1   ACK for #1
#3: Client->Server [ACK]          CSeq=1,Ack=1   ACK for #2

Data transfer

#4: Client->Server GET /           CSeq=1,Ack=1      HTTP
#5: Server->Client [ACK]           SSeq=1,Ack=116
#6: Server->Client                 SSeq=1,Ack=116    HTTP response, plaintext (readable directly in Wireshark)
#7: Client->Server [ACK]           CSeq=116,Ack=860

Four-way close (the server's ACK of the client's FIN and its own FIN are merged into one packet, so only three packets appear)

#8: Client->Server [FIN+ACK]     CSeq=116,Ack=860
#9: Server->Client [FIN+ACK]     SSeq=860,Ack=117  ACK for #8 (the client's FIN consumed one sequence number)
#10: Client->Server [ACK]        CSeq=117,Ack=861  ACK for #9
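The Seq/Ack bookkeeping in the tables above can be checked by replaying the ten segments through a small model of TCP sequence accounting. This is an added example, not code from the original post. It assumes relative sequence numbers (as Wireshark shows them), in-order delivery with no retransmissions, and the payload sizes implied by the Ack values (a 115-byte request and an 859-byte response); the segment list is constructed from the table, not parsed from the pcap.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    next_seq: int = 0   # relative Seq this endpoint will put on its next segment
    rcv_next: int = 0   # next byte expected from the peer, i.e. the Ack it sends


def tcp_trace(segments):
    """Replay (sender, flags, payload_len) segments and return
    (index, sender, flags, seq, ack) rows as Wireshark would show them
    with relative sequence numbers. Assumes in-order delivery, no loss."""
    ends = {"C": Endpoint("Client"), "S": Endpoint("Server")}
    rows = []
    for idx, (who, flags, payload_len) in enumerate(segments, start=1):
        me = ends[who]
        peer = ends["S" if who == "C" else "C"]
        seq = me.next_seq
        ack = me.rcv_next if "ACK" in flags else 0   # the first SYN carries no valid Ack
        rows.append((idx, who, frozenset(flags), seq, ack))
        # SYN and FIN each consume one sequence number even with no data;
        # a pure ACK consumes nothing, so the sender's Seq stays put.
        me.next_seq += payload_len + ("SYN" in flags) + ("FIN" in flags)
        peer.rcv_next = me.next_seq
    return rows


# Constructed replay of the 10-packet HTTP capture described above.
HTTP_EXCHANGE = [
    ("C", {"SYN"}, 0),               # #1
    ("S", {"SYN", "ACK"}, 0),        # #2
    ("C", {"ACK"}, 0),               # #3
    ("C", {"PSH", "ACK"}, 115),      # #4  GET /  (115 bytes, assumed from Ack=116)
    ("S", {"ACK"}, 0),               # #5
    ("S", {"PSH", "ACK"}, 859),      # #6  HTTP response (859 bytes, assumed from Ack=860)
    ("C", {"ACK"}, 0),               # #7
    ("C", {"FIN", "ACK"}, 0),        # #8
    ("S", {"FIN", "ACK"}, 0),        # #9  server's ACK of #8 merged with its own FIN
    ("C", {"ACK"}, 0),               # #10
]


def format_trace(rows):
    """Render rows in the same layout as the tables above."""
    order = ["SYN", "FIN", "PSH", "ACK"]
    lines = []
    for idx, who, flags, seq, ack in rows:
        flag_str = "+".join(sorted(flags, key=order.index))
        arrow = "Client->Server" if who == "C" else "Server->Client"
        lines.append(f"#{idx:<2} {arrow} [{flag_str:<8}] Seq={seq:<4} Ack={ack}")
    return "\n".join(lines)


def lookup(rows, idx):
    """Return (seq, ack) of packet number idx (1-based, as in the tables)."""
    _, _, _, seq, ack = rows[idx - 1]
    return seq, ack


if __name__ == "__main__":
    print(format_trace(tcp_trace(HTTP_EXCHANGE)))
```

Running it reproduces the table: the client's Seq jumps from 1 to 116 only after the GET, stays at 116 across the pure ACK in #7 and the FIN in #8, and reaches 117 in #10 because the FIN consumed one number; the same rule explains why the server's FIN in #9 starts at 860 and is acknowledged with 861.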

3. HTTPS message analysis

tcpdump -n -S -ieth0 host 118.178.255.158 -w https.pcap

Open https.pcap in Wireshark. There are 14 packets in total: the same TCP handshake and close as before, plus a TLS handshake before any application data is exchanged.

Three-way handshake

#1: Client->Server  [SYN]
#2: Server->Client  [SYN+ACK]
#3: Client->Server  [ACK]

TLS handshake

#4: Client->Server  [Client Hello]      TLS
     The client offers its supported TLS versions, cipher suites and extensions (including the server name it wants).
#5: Server->Client  [ACK]
#6: Server->Client  Server Hello, Certificate, Server Key Exchange, Server Hello Done      TLS
     The server answers the Client Hello by picking the version and cipher suite and sends its certificate chain; the certificate carries the server's public key (signed by the CA), not the CA's key. The presence of a Server Key Exchange message means the chosen suite uses ephemeral (EC)DHE key exchange: the server sends its ephemeral key-exchange parameters signed with the certificate's private key. With plain RSA key exchange this message would be absent and the client would instead encrypt a random premaster secret with the server's public key.
#7: Client->Server  [ACK]
     The client validates the certificate chain against its trusted CAs, checks that the name matches, and verifies the signature on the Server Key Exchange.
#8: Client->Server  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message    TLS
     The client sends its own ephemeral public key share; both sides now derive the same premaster secret and session keys. Change Cipher Spec switches the client to the negotiated cipher, and the Finished message that follows (shown by Wireshark as "Encrypted Handshake Message") is the first encrypted record.
#9: Server->Client  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message      TLS
     The server issues a session ticket for later resumption, switches to the negotiated cipher, and sends its own Finished message. From here on, everything is encrypted with the derived symmetric keys.

Data transfer

Application data is encrypted with a symmetric algorithm under keys derived during the handshake (every connection gets fresh keys), so Wireshark only shows opaque Application Data records instead of the readable request and response seen in the HTTP capture.
#10: Client->Server  Application Data  TLS
#11: Server->Client  Application Data  TLS

Four-way close (again merged into three packets)

#12: Client->Server  [FIN+ACK]
#13: Server->Client  [FIN+ACK]
#14: Client->Server  [ACK]
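Wireshark's Info column produces the labels shown above by parsing the TLS record and handshake headers, which are sent in the clear even though the message bodies are not. The following added example (not code from the original post) does the same thing on constructed byte strings that mimic the TLS 1.2 flights #4, #6, #8, #9 and #10: the record and handshake headers are realistic, the message bodies are placeholders. It also shows why seeing a Server Key Exchange message tells you the key exchange is (EC)DHE rather than RSA.

```python
import struct

CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {
    1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket", 11: "Certificate",
    12: "Server Key Exchange", 13: "Certificate Request", 14: "Server Hello Done",
    15: "Certificate Verify", 16: "Client Key Exchange", 20: "Finished",
}
TLS12 = 0x0303


def tls_records(payload: bytes):
    """Split a TCP payload into TLS records: yields (content_type, version, body)."""
    off = 0
    while off < len(payload):
        if off + 5 > len(payload):
            raise ValueError("truncated TLS record header")
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        yield ctype, version, body
        off += 5 + length


def handshake_messages(body: bytes):
    """Split a plaintext Handshake record body into (handshake_type, body) messages.
    Several handshake messages may share one record, as in packet #6."""
    off = 0
    while off < len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + hlen]
        off += 4 + hlen


class TlsSide:
    """Tracks whether one sender has switched to encrypted records."""

    def __init__(self):
        self.encrypted = False

    def label(self, payload: bytes):
        """Return the labels Wireshark's Info column would show for one flight."""
        labels = []
        for ctype, _version, body in tls_records(payload):
            if ctype == 22 and not self.encrypted:
                labels += [HANDSHAKE_TYPES.get(t, f"Handshake type {t}")
                           for t, _ in handshake_messages(body)]
            elif ctype == 22:
                labels.append("Encrypted Handshake Message")  # Finished, sent after Change Cipher Spec
            elif ctype == 20:
                labels.append("Change Cipher Spec")
                self.encrypted = True   # everything this side sends from now on is encrypted
            else:
                labels.append(CONTENT_TYPES.get(ctype, f"Content type {ctype}"))
        return labels


def key_exchange_kind(server_labels):
    """Server Key Exchange is only sent for ephemeral (EC)DHE suites; RSA key exchange omits it."""
    return "(EC)DHE" if "Server Key Exchange" in server_labels else "RSA"


# --- constructed flights: realistic headers, placeholder bodies (not from the real capture) ---
def record(ctype, body, version=TLS12):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


FLIGHTS = [
    ("C", record(22, hs(1, b"\x03\x03" + b"\x00" * 32 + b"client-hello-placeholder"))),          # #4
    ("S", record(22, hs(2, b"\x03\x03" + b"\x11" * 32) + hs(11, b"cert-chain")
                     + hs(12, b"ecdhe-params+signature") + hs(14, b""))),                        # #6
    ("C", record(22, hs(16, b"client-ecdhe-pub")) + record(20, b"\x01") + record(22, b"\xaa" * 40)),  # #8
    ("S", record(22, hs(4, b"ticket")) + record(20, b"\x01") + record(22, b"\xbb" * 40)),             # #9
    ("C", record(23, b"\xcc" * 64)),                                                                   # #10
]


def label_conversation(flights=FLIGHTS):
    """Label each flight with per-sender encryption state, like Wireshark following a stream."""
    sides = {"C": TlsSide(), "S": TlsSide()}
    return [(who, sides[who].label(payload)) for who, payload in flights]


if __name__ == "__main__":
    labelled = label_conversation()
    for who, labels in labelled:
        print(who, ", ".join(labels))
    print("key exchange:", key_exchange_kind(labelled[1][1]))
```

This is the TLS 1.2 shape seen in the capture. In TLS 1.3 everything after Server Hello is already encrypted, so Certificate and Finished are not visible as separate labels, and no Server Key Exchange or Change Cipher Spec (other than a compatibility dummy) appears; the handshake can then only be inspected in Wireshark if the session keys are supplied.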

4. HTTPS data transfer process


Origin blog.csdn.net/2301_76787421/article/details/132840022