SSL协议(protocol)格式版本兼容性(报文格式versino VS加密版本)

Question

这将是一个有点高级的问题，所以请忽略不太高级的细节。我有协议(protocol)问题而不是如何解决它，但我需要提供一些背景信息。

背景:

• .NET/Windows 默认禁用 SSLv3。有注册表问题和代码问题。不管出于什么原因，我无法激活 SSLv3，但没关系，它可以保持这种状态。 TLS+ 应该可以正常工作。
• 以上是使用 OpenSSL 客户端或 .NET 客户端和 .NET 服务器测试的。 SSL3 客户端将无法工作，但没关系。
• 我有一个定制的 Cellular 模块，可以通过 SSL 加密的 TCP 连接。

这是发送的客户端问候消息的示例:

0x16 [0x03 0x00] 0x00 0x65 0x01 0x00 0x00 0x61 [0x03 0x03] 0x36 0xF4 0x42 0x51 0x6D 0xE8 0x84 0xA2 0xDA 0xD0 0x09 0x45 0xB5 0xA1 0x12 0x8A 0x6B 0x43 0x24 0x14 0xD7 0x86 0x48 0x28 0xAE 0x0D 0x90 0x50 0x5C 0x1B 0x20 0xA1 0x00 0x00 0x2A 0x00 0x6B 0x00 0x6A 0x00 0x3D 0x00 0x67 0x00 0x40 0x00 0x3C 0x00 0x39 0x00 0x38 0x00 0x35 0x00 0x33 0x00 0x32 0x00 0x2F 0x00 0x16 0x00 0x13 0x00 0x0A 0x00 0x05 0x00 0x04 0x00 0x15 0x00 0x12 0x00 0x09 0x00 0xFF 0x01 0x00 0x00 0x0E 0x00 0x0D 0x00 0x0A 0x00 0x08 0x04 0x01 0x02 0x01 0x04 0x02 0x02 0x02

如您所见，您是否知道要查看哪些字节: 1. 记录格式为 SSL 3.0 (0x0300) 2. Client Hello协议(protocol)版本为TLS 1.2 (0x0303)

换句话说，即使整个消息不是扩展的TLS格式，加密请求也是TLS 1.2

我假设 windows/.NET 允许这样做，因为加密级别仍然是安全的，并且只有客户端 hello 格式未扩展。我不明白为什么它仍然会被拒绝。

问题:

1. 蜂窝模块发送 TLS1.2 加密级别但使用未扩展的 SSLv3 格式是否有意义？
2. 如何让 Windows 允许这个，但不允许 SSLv3 加密？看来你不能简单地拥有这个中间立场。

Answer 1

在这个例子中，我模拟了客户端消息，并将其返回给 ssl 服务器用于测试目的。未扩展协议(protocol)(原始 ssl3)最终出现 AlgorithmMismatch，而扩展协议(protocol)即使我手动将其记录层版本更改为 SSL3 也能正常工作。

这是失败的:

System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::GetStream()  -> NetworkStream#48209832
System.Net Information: 0 : [4240] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [4240] Enumerating security packages:
System.Net Information: 0 : [4240]     Negotiate
System.Net Information: 0 : [4240]     NegoExtender
System.Net Information: 0 : [4240]     Kerberos
System.Net Information: 0 : [4240]     NTLM
System.Net Information: 0 : [4240]     TSSSP
System.Net Information: 0 : [4240]     pku2u
System.Net Information: 0 : [4240]     WDigest
System.Net Information: 0 : [4240]     Schannel
System.Net Information: 0 : [4240]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4240]     CREDSSP
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [4240] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [8360] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [8360] 00000000 : 16 03 00 00 39                                  : ....9
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::EndReceive()     -> Int32#5
System.Net.Sockets Verbose: 0 : [8360] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8360] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [10888] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [10888] 00000000 : 01 00 00 35 03 03 5A 53-AD A7 80 91 4D 9C FD 1F : ...5..ZS....M...
System.Net.Sockets Verbose: 0 : [10888] 00000010 : AB 5B FA CD 1B 42 BF EA-26 52 77 D8 18 19 9E E3 : .[...B..&Rw.....
System.Net.Sockets Verbose: 0 : [10888] 00000020 : C8 92 D2 63 7D 74 00 00-0E 00 0A 00 13 00 62 00 : ...c}t........b.
System.Net.Sockets Verbose: 0 : [10888] 00000030 : 09 00 63 00 12 00 FF 01-00                      : ..c......
System.Net.Sockets Verbose: 0 : [10888] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [10888] Exiting Socket#6044116::EndReceive()    -> Int32#57
System.Net Information: 0 : [10888] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Issuer]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Serial Number]
  3120C1CCC8D477974B311D82A9B7881E

[Not Before]
  11/9/2016 1:10:37 PM

[Not After]
  12/31/2039 6:59:59 PM

[Thumbprint]
  EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [10888] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [10888] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Inbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [10888] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [10888] AcceptSecurityContext(In-Buffer length=62, Out-Buffer length=0, returned code=AlgorithmMismatch).
System.Net.Sockets Verbose: 0 : [4240] Socket#6044116::Dispose()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Close()
System.Net.Sockets Verbose: 0 : [4240] TcpClient#59817589::Dispose()
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Dispose() 
System.Net.Sockets Verbose: 0 : [4240] Exiting TcpClient#59817589::Close() 
System.Net.Sockets Verbose: 0 : [4240] TcpListener#21950498::AcceptTcpClient()
System.Net.Sockets Verbose: 0 : [4240] Socket#37614147::Accept()

这成功了:

System.Net.Sockets Information: 0 : [8344] Socket#6044116 - Accepted connection from 192.168.3.106:55907 to 192.168.3.106:7001.
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#37614147::Accept()    -> Socket#6044116
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::TcpClient(Socket#6044116)
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::TcpClient() 
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpListener#21950498::AcceptTcpClient()  -> TcpClient#59817589
System.Net.Sockets Verbose: 0 : [8344] TcpClient#59817589::GetStream()
System.Net.Sockets Verbose: 0 : [8344] Exiting TcpClient#59817589::GetStream()  -> NetworkStream#48209832
System.Net Information: 0 : [8344] SecureChannel#5773521::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [8344] Enumerating security packages:
System.Net Information: 0 : [8344]     Negotiate
System.Net Information: 0 : [8344]     NegoExtender
System.Net Information: 0 : [8344]     Kerberos
System.Net Information: 0 : [8344]     NTLM
System.Net Information: 0 : [8344]     TSSSP
System.Net Information: 0 : [8344]     pku2u
System.Net Information: 0 : [8344]     WDigest
System.Net Information: 0 : [8344]     Schannel
System.Net Information: 0 : [8344]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [8344]     CREDSSP
System.Net.Sockets Verbose: 0 : [8344] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [8344] Exiting Socket#6044116::BeginReceive()   -> OverlappedAsyncResult#63094882
System.Net.Sockets Verbose: 0 : [14296] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [14296] 00000000 : 16 03 00 00 A7                                  : .....
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::EndReceive(OverlappedAsyncResult#63094882)
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::EndReceive()    -> Int32#5
System.Net.Sockets Verbose: 0 : [14296] Socket#6044116::BeginReceive()
System.Net.Sockets Verbose: 0 : [14296] Exiting Socket#6044116::BeginReceive()  -> OverlappedAsyncResult#62476613
System.Net.Sockets Verbose: 0 : [13340] Data from Socket#6044116::PostCompletion
System.Net.Sockets Verbose: 0 : [13340] 00000000 : 01 00 00 A3 03 03 5A 53-AD 98 78 ED 38 1B 06 57 : ......ZS..x.8..W
System.Net.Sockets Verbose: 0 : [13340] 00000010 : 52 BF E5 61 58 A2 37 A3-AC 6E 18 83 AE 2E 25 EF : R..aX.7..n....%.
System.Net.Sockets Verbose: 0 : [13340] 00000020 : 60 32 67 A3 BF D4 00 00-38 C0 30 C0 2F C0 28 C0 : `2g.....8.0./.(.
System.Net.Sockets Verbose: 0 : [13340] 00000030 : 27 C0 14 C0 13 C0 2C C0-2B C0 24 C0 23 C0 0A C0 : '.....,.+.$.#...
System.Net.Sockets Verbose: 0 : [13340] 00000040 : 09 00 9D 00 9C 00 3D 00-3C 00 35 00 2F 00 0A 00 : ......=.<.5./...
System.Net.Sockets Verbose: 0 : [13340] 00000050 : 9F 00 9E 00 39 00 33 00-6A 00 40 00 38 00 32 00 : ....9.3.j.@.8.2.
System.Net.Sockets Verbose: 0 : [13340] 00000060 : 13 01 00 00 42 00 00 00-09 00 07 00 00 04 3F 31 : ....B.........?1
System.Net.Sockets Verbose: 0 : [13340] 00000070 : 32 34 00 0A 00 06 00 04-00 17 00 18 00 0B 00 02 : 24..............
System.Net.Sockets Verbose: 0 : [13340] 00000080 : 01 00 00 0D 00 14 00 12-06 01 06 03 04 01 05 01 : ................
System.Net.Sockets Verbose: 0 : [13340] 00000090 : 02 01 04 03 05 03 02 03-02 02 00 23 00 00 00 17 : ...........#....
System.Net.Sockets Verbose: 0 : [13340] 000000A0 : 00 00 FF 01 00 01 00                            : .......
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::EndReceive(OverlappedAsyncResult#62476613)
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::EndReceive()    -> Int32#167
System.Net Information: 0 : [13340] SecureChannel#5773521 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Issuer]
  CN=Test Labs (CA)
  Simple Name: Test Labs (CA)
  DNS Name: Test Labs (CA)

[Serial Number]
  3120C1CCC8D477974B311D82A9B7881E

[Not Before]
  11/9/2016 1:10:37 PM

[Not After]
  12/31/2039 6:59:59 PM

[Thumbprint]
  EA7091EE4171B38C04DC210BFDEF0DBAE5289D8B

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af 67 80 80 31 64 a2 6b a1 b1 36 ce 9e 16 ef 61 e3 26 25 e9 49 a9 cc 80 2c 3d d6 0e 60 01 65 78 cd ce a9 e9 cc a6 ac 3f 99 7d 02 df cd d3 ff 78 fe 1f cb 73 f5 26 70 db 30 70 f6 8d 8f 92 d2 77 1c ea 84 53 3c 43 e8 48 cc 52 d3 26 07 5f b3 33 b7 4e d6 fc 00 e4 32 82 76 11 f5 c9 df 98 3e af d8 da 5f 21 74 b2 64 38 f9 d1 b1 96 0c c3 81 12 f8 49 a6 54 42 0e 7d 89 13 f7 9f 45 1e 04 1f 7d 41 7c 44 f3 30 14 79 ee 7c 78 b0 d4 e2 e4 d6 cc 85 2d b1 94 95 fb 30 47 9a 86 90 6f 50 c8 ....
System.Net Information: 0 : [13340] SecureChannel#5773521 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [13340] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Inbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [13340] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [13340] AcceptSecurityContext(In-Buffer length=172, Out-Buffer length=1236, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [13340] Socket#6044116::BeginSend()
System.Net.Sockets Verbose: 0 : [13340] Exiting Socket#6044116::BeginSend()     -> OverlappedAsyncResult#45653674
System.Net.Sockets Verbose: 0 : [8396] Data from Socket#6044116::PostCompletion