TLS1.3 OpenSSL tls alert unrecognized_name 不出现
TLS1.3 OpenSSL tls alert unrecognized_name do not appear
尝试使用 OpenSSL 为 TLS1.3 触发 TLS 警报 unrecognized_name,但它没有出现。
对于 TLS1.2 它有效。有谁明白为什么?以下是命令示例:
openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_2 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT
openssl s_client -connect 10.10.10.55:9443 -CAfile signed-pem.cert -tls1_2 -cipher DHE-RSA
-AES128-SHA -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:warning:unrecognized name
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
对于 TLS1.3:
openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_3 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT
openssl s_client -connect 10.10.10.55:9443 -CAfile signed-pem.cert -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
这是由于 OpenSSL 中的这段代码:
case SSL_TLSEXT_ERR_ALERT_WARNING:
/* TLSv1.3 doesn't have warning alerts so we suppress this */
if (!SSL_IS_TLS13(s))
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
您会在 TLSv1.2 输出中注意到您看到的警报是一个警告:
SSL3 alert read:warning:unrecognized name
TLSv1.3 不在警报中使用“严重性”指示。所有错误警报都被认为是致命的。因此 OpenSSL 不会发送此警报,因为它在上下文中不是致命的。
尝试使用 OpenSSL 为 TLS1.3 触发 TLS 警报 unrecognized_name,但它没有出现。 对于 TLS1.2 它有效。有谁明白为什么?以下是命令示例:
openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_2 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT
openssl s_client -connect 10.10.10.55:9443 -CAfile signed-pem.cert -tls1_2 -cipher DHE-RSA
-AES128-SHA -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:warning:unrecognized name
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
对于 TLS1.3:
openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_3 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT
openssl s_client -connect 10.10.10.55:9443 -CAfile signed-pem.cert -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
这是由于 OpenSSL 中的这段代码:
case SSL_TLSEXT_ERR_ALERT_WARNING:
/* TLSv1.3 doesn't have warning alerts so we suppress this */
if (!SSL_IS_TLS13(s))
ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
您会在 TLSv1.2 输出中注意到您看到的警报是一个警告:
SSL3 alert read:warning:unrecognized name
TLSv1.3 不在警报中使用“严重性”指示。所有错误警报都被认为是致命的。因此 OpenSSL 不会发送此警报,因为它在上下文中不是致命的。