如何使用 OpenSSL 禁用会话恢复 s_server
How to disable session resumption with OpenSSL s_server
我正在尝试检查会话重新协商。
我正在使用 OpenSSL 作为参考服务器,我正在进行 TLS 握手并捕获会话数据(和会话 ID)。
然后我重新建立连接以提供相同的已保存会话,并且正如预期的那样,OpenSSL 服务器恢复会话,为我提供相同的会话 ID。
但我不能让服务器拒绝恢复请求并强制重新协商,建立新的会话 ID 和新的共享密钥
我总是
Reused session-id
Secure Renegotiation IS supported
这是我得到的:
root@test:~# openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -tls1_2 -no_ticket -no_resumption_on_reneg
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHoCAQECAgMDBALMqAQg2CsxwQa4O8uwlBZIdQsmF4LiAGqiV4iHIafx1cG2LJ0E
MMfN2I0yVW26vrUketgIUptqVE2Tzfmg/Mn7RnO3htgfCyJoI4vwyY4NzfIwz5Aa
O6EGAgReq9fTogQCAhwgpAYEBAEAAACtAwIBAQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:RSA+SHA224:RSA+SHA1
Shared Signature Algorithms: RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:RSA+SHA224:RSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:X448:P-384:P-256:P-521:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: X25519:X448:P-384:P-256:P-521
---
No server certificate CA names sent
CIPHER is ECDHE-RSA-CHACHA20-POLY1305
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
-----BEGIN SSL SESSION PARAMETERS-----
MHoCAQECAgMDBALMqAQg2CsxwQa4O8uwlBZIdQsmF4LiAGqiV4iHIafx1cG2LJ0E
MMfN2I0yVW26vrUketgIUptqVE2Tzfmg/Mn7RnO3htgfCyJoI4vwyY4NzfIwz5Aa
O6EGAgReq9fTogQCAhwgpAYEBAEAAACtAwIBAQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:X448:P-384:P-256:P-521:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: X25519:X448:P-384:P-256:P-521
---
No server certificate CA names sent
CIPHER is ECDHE-RSA-CHACHA20-POLY1305
Reused session-id
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
您似乎混淆了两个不同的概念:恢复和重新谈判。
恢复是指根据先前连接的会话详细信息开始新连接。
重新协商是指在 现有 SSL/TLS 连接上开始第二次或后续握手。
您可以使 s_server 拒绝像这样恢复会话:
openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -no_ticket -no_cache
您可以使 s_server 像这样拒绝重新协商请求(仅来自 OpenSSL 1.1.1 及更高版本):
openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -no_renegotiation
我正在尝试检查会话重新协商。 我正在使用 OpenSSL 作为参考服务器,我正在进行 TLS 握手并捕获会话数据(和会话 ID)。 然后我重新建立连接以提供相同的已保存会话,并且正如预期的那样,OpenSSL 服务器恢复会话,为我提供相同的会话 ID。 但我不能让服务器拒绝恢复请求并强制重新协商,建立新的会话 ID 和新的共享密钥 我总是
Reused session-id
Secure Renegotiation IS supported
这是我得到的:
root@test:~# openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -tls1_2 -no_ticket -no_resumption_on_reneg
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHoCAQECAgMDBALMqAQg2CsxwQa4O8uwlBZIdQsmF4LiAGqiV4iHIafx1cG2LJ0E
MMfN2I0yVW26vrUketgIUptqVE2Tzfmg/Mn7RnO3htgfCyJoI4vwyY4NzfIwz5Aa
O6EGAgReq9fTogQCAhwgpAYEBAEAAACtAwIBAQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:RSA+SHA224:RSA+SHA1
Shared Signature Algorithms: RSA-PSS+SHA512:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:RSA+SHA224:RSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:X448:P-384:P-256:P-521:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: X25519:X448:P-384:P-256:P-521
---
No server certificate CA names sent
CIPHER is ECDHE-RSA-CHACHA20-POLY1305
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
-----BEGIN SSL SESSION PARAMETERS-----
MHoCAQECAgMDBALMqAQg2CsxwQa4O8uwlBZIdQsmF4LiAGqiV4iHIafx1cG2LJ0E
MMfN2I0yVW26vrUketgIUptqVE2Tzfmg/Mn7RnO3htgfCyJoI4vwyY4NzfIwz5Aa
O6EGAgReq9fTogQCAhwgpAYEBAEAAACtAwIBAQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: X25519:X448:P-384:P-256:P-521:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: X25519:X448:P-384:P-256:P-521
---
No server certificate CA names sent
CIPHER is ECDHE-RSA-CHACHA20-POLY1305
Reused session-id
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
您似乎混淆了两个不同的概念:恢复和重新谈判。
恢复是指根据先前连接的会话详细信息开始新连接。
重新协商是指在 现有 SSL/TLS 连接上开始第二次或后续握手。
您可以使 s_server 拒绝像这样恢复会话:
openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -no_ticket -no_cache
您可以使 s_server 像这样拒绝重新协商请求(仅来自 OpenSSL 1.1.1 及更高版本):
openssl s_server -port 443 -cert leaf1.crt -key leaf1.key -no_renegotiation