通过curl请求示例详解HTTPS协议
基于HTTPS通信是当前互联网最通用便捷的通信方式,简单理解来看可以视为HTTP协议 + SSL/TLS协议,通过一个curl的示例阐述一下HTTPS协议。
特性:
信息加密传输,防止窃听风险 具有校验机制,防止篡改风险 配备身份证书,防止冒充风险版本变更
SSL1.0 1994年,未发布 SSL2.0 1995年,有严重漏洞 SSL3.0 1996年,大规模应用,有风险现在不建议 TLS1.0 1999年(别称SSL3.1) TLS1.1 2006年(别称SSL3.2) TLS1.2 2008年,2011年修订(别称SSL3.3)原理
公钥放在数字证书,验证证书可信,即公钥可信,采用公钥加密,服务器收到后,私钥解密,考虑到加密计算量,公钥将对话密钥加密,而其他的信息则采用对话密钥进行对称加密,尽量提升性能。
客户端向服务端索要并验证公钥 双方生成“对话密钥” 双方采用对话密钥加密通信curl分析HTTPS请求时间
HTTPs耗时 = TCP握手 + SSL握手, 因为涉及到一些加密,及多了几次握手交互,可以看到的时要多于平常时间的3-5倍,当然这个和机器性能相关。
curl -w "TCP handshake: %{time_connect}, SSL handshake: %{time_appconnect}\n" -so /dev/null https://www.baidu.com TCP handshake: 0.005, SSL handshake: 0.026
curl分析HTTPS请求过程
curl –trace 命令 可以记录请求的详情,我们就用它来了解一下https整个过程,命令如下:
curl -kv -1 --trace temp.txt 'https://www.baidu.com'客户端请求ClientHello
客户端主要向服务器提供以下信息:
1. 支持的协议版本,比如TLS 1.0版。
2. 一个客户端生成的随机数,稍后用于生成”对话密钥”。
3. 支持的加密方法,比如RSA公钥加密。
4. 支持的压缩方法。
curl第一步请求如下
== Info: SSLv3, TLS handshake, Client hello (1): <= Send SSL data, 84 bytes (0x54) 0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T..... 0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c.. 0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5. 0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./..... 0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................ 0050: ff 02 01 00服务端响应SeverHello
服务器的回应包含以下内容:
1. 确认使用的加密通信协议版本,比如TLS 1.0版本。如果浏览器与服务器支持的版本不一致,服务器关闭加密通信。
2. 一个服务器生成的随机数,稍后用于生成”对话密钥”。
3. 确认使用的加密方法,比如RSA公钥加密。
4. 服务器证书。
还有一种形式是服务端会校验客户端的证书,比如金融类一般金融机构以前网银key即包含一张客户端证书
== Info: SSLv3, TLS handshake, Server hello (2): <= Recv SSL data, 81 bytes (0x51) 0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD 0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD... 0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>. 0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1 0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../....... 0050: 00 . == Info: SSLv3, TLS handshake, CERT (11): <= Recv SSL data, 4760 bytes (0x1298) 0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0. ......省略部分内容 1290: ba c9 8e 12 7e c6 bd ff ....~... == Info: SSLv3, TLS handshake, Server finished (14): <= Recv SSL data, 4 bytes (0x4) 0000: 0e 00 00 00 .... == Info: SSLv3, TLS handshake, Client key exchange (16): <= Send SSL data, 262 bytes (0x106) 0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d 0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W.. ......省略部分内容 00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o 00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..- 0100: 72 4e 83 fe b1 7d rN...}客户端回应 一个随机数。该随机数用服务器公钥加密,防止被窃听。 编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。 客户端握手结束通知,表示客户端的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供服务器校验。
三个随机数,生成会话密钥。 此外,如果前一步,服务器要求客户端证书,客户端会在这一步发送证书及相关信息。
== Info: SSLv3, TLS change cipher, Client hello (1): <= Send SSL data, 1 bytes (0x1) 0000: 01 . == Info: SSLv3, TLS handshake, Finished (20): <= Send SSL data, 16 bytes (0x10) 0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e.服务器的最后回应 编码改变通知,表示随后的信息都将用双方商定的加密方法和密钥发送。 服务器握手结束通知,表示服务器的握手阶段已经结束。这一项同时也是前面发送的所有内容的hash值,用来供客户端校验。
== Info: SSLv3, TLS handshake, Finished (20): <= Recv SSL data, 16 bytes (0x10) 0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7.. == Info: SSL connection using AES128-SHA == Info: Server certificate: == Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com == Info: start date: 2017-06-29 00:00:00 GMT == Info: expire date: 2018-08-17 23:59:59 GMT == Info: subjectAltName: www.baidu.com matched == Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4 == Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
curl整个请求过程:
== Info: About to connect() to www.baidu.com port 443 == Info: Trying 220.181.112.244... == Info: connected == Info: Connected to www.baidu.com (220.181.112.244) port 443 == Info: successfully set certificate verify locations: == Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none == Info: SSLv3, TLS handshake, Client hello (1): <= Send SSL data, 84 bytes (0x54) 0000: 01 00 00 50 03 01 5a 39 c4 54 cc f0 0c ed a6 7f ...P..Z9.T..... 0010: 0d a1 ee 69 13 cd dc 09 c8 e6 c6 89 1e 63 b2 8b ...i.........c.. 0020: 3e d5 52 a2 be 4e 00 00 28 00 39 00 38 00 35 00 >.R..N..(.9.8.5. 0030: 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 ......3.2./..... 0040: 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ................ 0050: ff 02 01 00 .... == Info: SSLv3, TLS handshake, Server hello (2): <= Recv SSL data, 81 bytes (0x51) 0000: 02 00 00 4d 03 01 5a 39 c4 54 98 71 18 90 44 44 ...M..Z9.T.q..DD 0010: 19 6b c1 12 cd 3e f4 a1 b7 a3 e3 51 44 02 b2 19 .k...>.....QD... 0020: 88 3a 9d 24 54 77 20 13 39 83 14 88 a7 15 3e eb .:.$Tw .9.....>. 0030: b3 06 09 b4 30 cb cb 7e 30 73 67 1c 8b e5 d4 31 ....0..~0sg....1 0040: ed a3 01 d1 bf ef ac 00 2f 00 00 05 ff 01 00 01 ......../....... 0050: 00 . == Info: SSLv3, TLS handshake, CERT (11): <= Recv SSL data, 4760 bytes (0x1298) 0000: 0b 00 12 94 00 12 91 00 08 78 30 82 08 74 30 82 .........x0..t0. ......省略部分内容 1290: ba c9 8e 12 7e c6 bd ff ....~... == Info: SSLv3, TLS handshake, Server finished (14): <= Recv SSL data, 4 bytes (0x4) 0000: 0e 00 00 00 .... == Info: SSLv3, TLS handshake, Client key exchange (16): <= Send SSL data, 262 bytes (0x106) 0000: 10 00 01 02 01 00 c6 9c 69 60 5d 34 76 a1 3b 64 ........i`]4v.;d 0010: a6 15 84 88 94 12 ae d5 7d 12 22 7b 03 57 dd bf ........}."{.W.. ......省略部分内容 00e0: 95 8d 2a 30 68 34 12 8b ab e7 f1 08 db 06 2a 6f ..*0h4........*o 00f0: 2c d7 d8 e2 55 6a 74 f3 47 a7 68 cb 69 f4 c5 2d ,...Ujt.G.h.i..- 0100: 72 4e 83 fe b1 7d rN...} == Info: SSLv3, TLS change cipher, Client hello (1): <= Send SSL data, 1 bytes (0x1) 0000: 01 . == Info: SSLv3, TLS handshake, Finished (20): <= Send SSL data, 16 bytes (0x10) 0000: 14 00 00 0c eb 56 cc 54 85 f8 b4 18 ac db 65 d1 .....V.T......e. == Info: SSLv3, TLS change cipher, Client hello (1): <= Recv SSL data, 1 bytes (0x1) 0000: 01 . == Info: SSLv3, TLS handshake, Finished (20): <= Recv SSL data, 16 bytes (0x10) 0000: 14 00 00 0c 6b f7 be 86 e4 b1 3a 06 47 37 bd ae ....k.....:.G7.. == Info: SSL connection using AES128-SHA == Info: Server certificate: == Info: subject: /C=CN/ST=beijing/L=beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department./CN=baidu.com == Info: start date: 2017-06-29 00:00:00 GMT == Info: expire date: 2018-08-17 23:59:59 GMT == Info: subjectAltName: www.baidu.com matched == Info: issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4 == Info: SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. => Send header, 157 bytes (0x9d) 0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1.. 0010: 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c User-Agent: curl 0020: 2f 37 2e 31 35 2e 35 20 28 78 38 36 5f 36 34 2d /7.15.5 (x86_64- 0030: 72 65 64 68 61 74 2d 6c 69 6e 75 78 2d 67 6e 75 redhat-linux-gnu 0040: 29 20 6c 69 62 63 75 72 6c 2f 37 2e 31 35 2e 35 ) libcurl/7.15.5 0050: 20 4f 70 65 6e 53 53 4c 2f 30 2e 39 2e 38 62 20 OpenSSL/0.9.8b 0060: 7a 6c 69 62 2f 31 2e 32 2e 33 20 6c 69 62 69 64 zlib/1.2.3 libid 0070: 6e 2f 30 2e 36 2e 35 0d 0a 48 6f 73 74 3a 20 77 n/0.6.5..Host: w 0080: 77 77 2e 62 61 69 64 75 2e 63 6f 6d 0d 0a 41 63 ww.baidu.com..Ac 0090: 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a cept: */*.... <= Recv header, 17 bytes (0x11) 0000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 0010: 0a . <= Recv header, 22 bytes (0x16) 0000: 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20 62 Accept-Ranges: b 0010: 79 74 65 73 0d 0a ytes.. <= Recv header, 76 bytes (0x4c) 0000: 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 Cache-Control: p 0010: 72 69 76 61 74 65 2c 20 6e 6f 2d 63 61 63 68 65 rivate, no-cache 0020: 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 70 72 6f 78 , no-store, prox 0030: 79 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 6e 6f y-revalidate, no 0040: 2d 74 72 61 6e 73 66 6f 72 6d 0d 0a -transform.. <= Recv header, 24 bytes (0x18) 0000: 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 Connection: Keep 0010: 2d 41 6c 69 76 65 0d 0a -Alive.. <= Recv header, 22 bytes (0x16) 0000: 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length: 0010: 32 34 34 33 0d 0a 2443.. <= Recv header, 25 bytes (0x19) 0000: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te 0010: 78 74 2f 68 74 6d 6c 0d 0a xt/html.. <= Recv header, 37 bytes (0x25) 0000: 44 61 74 65 3a 20 57 65 64 2c 20 32 30 20 44 65 Date: Wed, 20 De 0010: 63 20 32 30 31 37 20 30 32 3a 30 30 3a 35 32 20 c 2017 02:00:52 0020: 47 4d 54 0d 0a GMT.. <= Recv header, 22 bytes (0x16) 0000: 45 74 61 67 3a 20 22 35 38 38 36 30 33 65 63 2d Etag: "588603ec- 0010: 39 38 62 22 0d 0a 98b".. <= Recv header, 46 bytes (0x2e) 0000: 4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d Last-Modified: M 0010: 6f 6e 2c 20 32 33 20 4a 61 6e 20 32 30 31 37 20 on, 23 Jan 2017 0020: 31 33 3a 32 33 3a 35 36 20 47 4d 54 0d 0a 13:23:56 GMT.. <= Recv header, 18 bytes (0x12) 0000: 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 Pragma: no-cache 0010: 0d 0a .. <= Recv header, 22 bytes (0x16) 0000: 53 65 72 76 65 72 3a 20 62 66 65 2f 31 2e 30 2e Server: bfe/1.0. 0010: 38 2e 31 38 0d 0a 8.18.. <= Recv header, 67 bytes (0x43) 0000: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 44 4f 52 Set-Cookie: BDOR 0010: 5a 3d 32 37 33 31 35 3b 20 6d 61 78 2d 61 67 65 Z=27315; max-age 0020: 3d 38 36 34 30 30 3b 20 64 6f 6d 61 69 6e 3d 2e =86400; domain=. 0030: 62 61 69 64 75 2e 63 6f 6d 3b 20 70 61 74 68 3d baidu.com; path= 0040: 2f 0d 0a /.. <= Recv data, 1040 bytes (0x410) 0000: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d <!DOCTYPE html>. 0010: 0a 3c 21 2d 2d 53 54 41 54 55 53 20 4f 4b 2d 2d .<!--STATUS OK-- 0020: 3e 3c 68 74 6d 6c 3e 20 3c 68 65 61 64 3e 3c 6d ><html> <head><m ......省略部分内容 0400: 3c 69 6e 70 75 74 20 74 79 70 65 3d 73 75 62 6d <input type=subm <= Recv data, 1 bytes (0x1) 0000: 69 i <= Recv data, 1402 bytes (0x57a) 0000: 74 20 69 64 3d 73 75 20 76 61 6c 75 65 3d e7 99 t id=su value=.. 0010: be e5 ba a6 e4 b8 80 e4 b8 8b 20 63 6c 61 73 73 .......... class ......省略部分内容 0560: 3e 20 3c 2f 64 69 76 3e 20 3c 2f 62 6f 64 79 3e > </div> </body> 0570: 20 3c 2f 68 74 6d 6c 3e 0d 0a </html>.. == Info: Connection #0 to host www.baidu.com left intact == Info: Closing connection #0 == Info: SSLv3, TLS alert, Client hello (1): <= Send SSL data, 2 bytes (0x2) 0000: 01 00 ..
参考:SSL/TLS协议运行机制的概述
文章来源:
Author:ancongcong
link:https://www.congcong.us/post/curl_https_ssl_tls.html