"nghttp2::asio_http2::client" 使用 TLS 1.3 - SSL_CTX_set_cipher_list 不在密码套件中添加密码套件
"nghttp2::asio_http2::client" with TLS 1.3 - SSL_CTX_set_cipher_list doesnt add cipher suite in cipher suites
我将 nghttp2 asio_http2_client 与 TLS 1.3 协议一起使用,但是当我尝试通过 SSL_CTX_get_ciphers 函数在密码套件列表中添加其他套件时,我的客户端问候消息没有任何变化. IE。密码套件列表保持不变。
我的代码示例:
#include <nghttp2/asio_http2_client.h>
#include <iostream>
using boost::asio::ip::tcp;
using namespace nghttp2::asio_http2;
using namespace nghttp2::asio_http2::client;
int main(int argc, char* argv[])
{
boost::system::error_code ec;
boost::asio::io_service io_service;
boost::asio::ssl::context tls(boost::asio::ssl::context::tlsv13_client);
tls.set_verify_mode(boost::asio::ssl::verify_peer);
// https://testssl.sh/openssl-iana.mapping.html
auto rc = SSL_CTX_set_cipher_list(
tls.native_handle(),
R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
if (rc != 1) {
std::cout << "no cipher list found " << rc << std::endl;
}
auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
printf("after SSL_CTX_set_ciphersuites()\n");
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
// return 1;
configure_tls_context(ec, tls);
// connect to
session sess(io_service, tls, "www.google.com", "443");
sess.on_connect([&sess](tcp::resolver::iterator endpoint_it) {
boost::system::error_code ec;
std::cerr << "Connected!" << std::endl;
});
sess.on_error([](const boost::system::error_code& ec) {
std::cerr << "error: " << ec.message() << std::endl;
});
io_service.run();
}
在 wireshark 中,我看到以下输出(4 个密码套件,但 SSL_CTX_set_cipher_list 参数中还有更多密码套件):
我用 SSL_CTX_set_cipher_list 做了一个实验并注释掉了下一行:
auto rc = SSL_CTX_set_cipher_list(
tls.native_handle(),
R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
if (rc != 1) {
std::cout << "no cipher list found " << rc << std::endl;
}
auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
printf("after SSL_CTX_set_ciphersuites()\n");
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
但密码套件列表保持不变。怎么了?
如果您查看 SSL_CTX_get_ciphers 的文档,它指出:
SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2
and below)
和
This function does not impact TLSv1.3 ciphersuites. Use
SSL_CTX_set_ciphersuites() to configure those.
因此,您需要阅读 SSL_CTX_set_cipher_list API,因为 v1.3 密码列表与 v1.2 密码列表有很大不同且小得多。
我将 nghttp2 asio_http2_client 与 TLS 1.3 协议一起使用,但是当我尝试通过 SSL_CTX_get_ciphers 函数在密码套件列表中添加其他套件时,我的客户端问候消息没有任何变化. IE。密码套件列表保持不变。
我的代码示例:
#include <nghttp2/asio_http2_client.h>
#include <iostream>
using boost::asio::ip::tcp;
using namespace nghttp2::asio_http2;
using namespace nghttp2::asio_http2::client;
int main(int argc, char* argv[])
{
boost::system::error_code ec;
boost::asio::io_service io_service;
boost::asio::ssl::context tls(boost::asio::ssl::context::tlsv13_client);
tls.set_verify_mode(boost::asio::ssl::verify_peer);
// https://testssl.sh/openssl-iana.mapping.html
auto rc = SSL_CTX_set_cipher_list(
tls.native_handle(),
R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
if (rc != 1) {
std::cout << "no cipher list found " << rc << std::endl;
}
auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
printf("after SSL_CTX_set_ciphersuites()\n");
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
// return 1;
configure_tls_context(ec, tls);
// connect to
session sess(io_service, tls, "www.google.com", "443");
sess.on_connect([&sess](tcp::resolver::iterator endpoint_it) {
boost::system::error_code ec;
std::cerr << "Connected!" << std::endl;
});
sess.on_error([](const boost::system::error_code& ec) {
std::cerr << "error: " << ec.message() << std::endl;
});
io_service.run();
}
在 wireshark 中,我看到以下输出(4 个密码套件,但 SSL_CTX_set_cipher_list 参数中还有更多密码套件):
我用 SSL_CTX_set_cipher_list 做了一个实验并注释掉了下一行:
auto rc = SSL_CTX_set_cipher_list(
tls.native_handle(),
R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
if (rc != 1) {
std::cout << "no cipher list found " << rc << std::endl;
}
auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
printf("after SSL_CTX_set_ciphersuites()\n");
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
但密码套件列表保持不变。怎么了?
如果您查看 SSL_CTX_get_ciphers 的文档,它指出:
SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and below)
和
This function does not impact TLSv1.3 ciphersuites. Use SSL_CTX_set_ciphersuites() to configure those.
因此,您需要阅读 SSL_CTX_set_cipher_list API,因为 v1.3 密码列表与 v1.2 密码列表有很大不同且小得多。