HelloVerifyRequest 上的 Dtls 握手中使用了错误的 SSL 版本
Wrong SSL version used in Dtls handshake on HelloVerifyRequest
我正在用 C 实现 DTLS 1.2 协议。在使用 openSSL 测试客户端时,我观察到 OpenSSL 发送的其中一个帧没有使用正确的 Dtls 版本 (1.2),而是使用旧版本 (1.0)。
C中的客户端只支持DTLS1.2,因此拒绝OpenSSL发送的帧。
C客户端发送的HelloClient:
Frame 2461: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0
Ethernet II, Src: Infineon_00:00:01 (00:03:19:00:00:01), Dst: Tp-LinkT_dc:4e:82 (50:3e:aa:dc:4e:82)
Internet Protocol Version 4, Src: 192.168.88.73, Dst: 192.168.88.77
User Datagram Protocol, Src Port: 50003, Dst Port: 60003
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.2 (0xfefd)
Epoch: 0
Sequence Number: 0
Length: 54
Handshake Protocol: Client Hello
来自 OpenSSL 服务器的响应:
Frame 2464: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
Ethernet II, Src: Tp-LinkT_dc:4e:82 (50:3e:aa:dc:4e:82), Dst: Infineon_00:00:01 (00:03:19:00:00:01)
Internet Protocol Version 4, Src: 192.168.88.77, Dst: 192.168.88.73
User Datagram Protocol, Src Port: 60003, Dst Port: 50003
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Hello Verify Request
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 35
Handshake Protocol: Hello Verify Request
我强制 OpenSSL 使用 1.2 版的 DTLS 运行 以下命令:
openssl.exe s_server -nocert -psk 01234567 -accept 443 -cipher PSK-AES128-GCM-SHA256 -dtls1_2
我在TLS的RFC中看到了(https://www.rfc-editor.org/rfc/rfc5246#appendix-E)
TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
compatible ClientHello messages; thus, supporting all of them is
relatively easy. Similarly, servers can easily handle clients trying
to use future versions of TLS as long as the ClientHello format
remains compatible, and the client supports the highest protocol
version available in the server.
没有为 HelloRequestVerify(rfc5246 或 rfc6347)指定任何内容,但这是否意味着应该接受 1.0 和 1.2 之间的任何版本?
或者这是 OpenSSL 中的错误?
注意:如果我继续 DTLS 握手,OpenSSL 发送的每个后续帧都使用正确版本的 DTLS (1.2)。
根据RFC 6347, 4.2.1. Denial-of-Service Countermeasures
However, in order to avoid the requirement to do version negotiation
in the initial handshake, DTLS 1.2 server implementations SHOULD use
DTLS version 1.0 regardless of the version of TLS that is expected to
be negotiated.
(该部分包含有关该用法的更多信息。)
我正在用 C 实现 DTLS 1.2 协议。在使用 openSSL 测试客户端时,我观察到 OpenSSL 发送的其中一个帧没有使用正确的 Dtls 版本 (1.2),而是使用旧版本 (1.0)。
C中的客户端只支持DTLS1.2,因此拒绝OpenSSL发送的帧。
C客户端发送的HelloClient:
Frame 2461: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0
Ethernet II, Src: Infineon_00:00:01 (00:03:19:00:00:01), Dst: Tp-LinkT_dc:4e:82 (50:3e:aa:dc:4e:82)
Internet Protocol Version 4, Src: 192.168.88.73, Dst: 192.168.88.77
User Datagram Protocol, Src Port: 50003, Dst Port: 60003
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.2 (0xfefd)
Epoch: 0
Sequence Number: 0
Length: 54
Handshake Protocol: Client Hello
来自 OpenSSL 服务器的响应:
Frame 2464: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
Ethernet II, Src: Tp-LinkT_dc:4e:82 (50:3e:aa:dc:4e:82), Dst: Infineon_00:00:01 (00:03:19:00:00:01)
Internet Protocol Version 4, Src: 192.168.88.77, Dst: 192.168.88.73
User Datagram Protocol, Src Port: 60003, Dst Port: 50003
Datagram Transport Layer Security
DTLSv1.0 Record Layer: Handshake Protocol: Hello Verify Request
Content Type: Handshake (22)
Version: DTLS 1.0 (0xfeff)
Epoch: 0
Sequence Number: 0
Length: 35
Handshake Protocol: Hello Verify Request
我强制 OpenSSL 使用 1.2 版的 DTLS 运行 以下命令: openssl.exe s_server -nocert -psk 01234567 -accept 443 -cipher PSK-AES128-GCM-SHA256 -dtls1_2
我在TLS的RFC中看到了(https://www.rfc-editor.org/rfc/rfc5246#appendix-E)
TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
compatible ClientHello messages; thus, supporting all of them is
relatively easy. Similarly, servers can easily handle clients trying
to use future versions of TLS as long as the ClientHello format
remains compatible, and the client supports the highest protocol
version available in the server.
没有为 HelloRequestVerify(rfc5246 或 rfc6347)指定任何内容,但这是否意味着应该接受 1.0 和 1.2 之间的任何版本?
或者这是 OpenSSL 中的错误?
注意:如果我继续 DTLS 握手,OpenSSL 发送的每个后续帧都使用正确版本的 DTLS (1.2)。
根据RFC 6347, 4.2.1. Denial-of-Service Countermeasures
However, in order to avoid the requirement to do version negotiation in the initial handshake, DTLS 1.2 server implementations SHOULD use DTLS version 1.0 regardless of the version of TLS that is expected to be negotiated.
(该部分包含有关该用法的更多信息。)