出于客户支持的目的,我想检查API请求使用的是哪个TLS版本。我使用cURL创建了一个php脚本,向https://www.howsmyssl.com/a/check发送请求,得到的答案是“TLS 1.3”。我使用VERBOSE=true记录了相同的请求,并在此输出中发现使用了“TLSv1.2”。
怎么会这样?
cURL响应:
{"given_cipher_suites":["TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.3","rating":"Probably Okay"}STDERR输出:
* Trying 34.71.45.200:443...
* Connected to www.howsmyssl.com (34.71.45.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=www.howsmyssl.com
* start date: Oct 30 02:45:45 2022 GMT
* expire date: Jan 28 02:45:44 2023 GMT
* subjectAltName: host "www.howsmyssl.com" matched cert's "www.howsmyssl.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /a/check HTTP/1.1
Host: www.howsmyssl.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2
Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 1459
< Access-Control-Allow-Origin: *
< Connection: close
< Content-Type: application/json
< Date: Wed, 09 Nov 2022 08:08:44 GMT
< Strict-Transport-Security: max-age=631138519; includeSubdomains; preload
<
* Closing connection 0我PHP代码:(我使用Kint转储变量)
$out = fopen('php://temp', 'w+');
$curl = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => true,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2',
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_VERBOSE => true,
CURLOPT_STDERR => $out,
//CURLOPT_SSLVERSION => CURL_SSLVERSION_MAX_TLSv1_2, //6 = 1.2 | 4 = 1.1.1m
));
$curl_result = curl_exec($curl);
if ($curl_result)
{
Kint::dump($curl_result);
}
rewind($out);
curl_close($curl);
$TLS_logOutput = stream_get_contents($out);
Kint::dump($TLS_logOutput);
1条答案
按热度按时间qcuzuvrc1#
howsmyssl.com 只显示了客户端的功能,但实际上并没有使用最好的功能。它将根据ClientHello握手数据包显示客户端支持哪些密码和协议版本(以及其他信息)。但它目前只使用TLS 1.2(或更低版本,取决于客户端的能力)与客户端建立TLS连接,即使客户端可以做得更好。
因此,可以使用howsmyssl.com来了解特定TLS客户端支持的密码和协议版本。这些密码和协议版本中的哪一个实际上用于特定服务器(就像您的API客户端用于API服务器一样)取决于服务器支持什么--而对于howsmyssl.com,服务器目前不支持TLS 1.3。