发送Openssl客户端Hello,禁用扩展主密钥(Send Openssl Client Hello with extended master secret disabled)
出于测试目的,我需要使用EMS模拟SSL请求 - 在我的Ubuntu机器上禁用扩展主密钥。
我检查了官方openssl页面https://wiki.openssl.org/index.php/Compilation_and_Installation ,但找不到任何我可以使用的标志/选项,以便在没有EMS选项的情况下编译openssl。
客户端始终将EMS报告为“是”,如何将其设置为“否”? 请提供意见。
openssl version OpenSSL 1.1.1-dev xx XXX xxxx openssl version -a OpenSSL 1.1.1-dev xx XXX xxxx built on: reproducible build, date unspecified platform: linux-x86_64 compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/compssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\"" -Wa,--noexecstack OPENSSLDIR: "/usr/local/compssl" ENGINESDIR: "/usr/local/lib/engines-1.1" Seeding source: os-specific Server: sudo openssl s_server -key 384private-key.pem -cert 384server.pem -accept 443 -www -cipher ALL:COMPLEMENTOFALL -comp Client: sudo openssl s_client -connect 10.92.0.10:443 -cipher ECDHE-ECDSA-AES128-SHA -comp CONNECTED(00000003) depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=18:self signed certificate verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify return:1 --- Certificate chain 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd --- Server certificate -----BEGIN CERTIFICATE----- MIICDTCCAZSgAwIBAgIJAN7qjHB4CZ1mMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn aXRzIFB0eSBMdGQwHhcNMTcwNzI3MjIwODQzWhcNMTkwNzI3MjIwODQzWjBFMQsw CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu ZXQgV2lkZ2l0cyBQdHkgTHRkMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3nDWwzwX RGLwdOARyQdM3yvQc7FlXIlsIIi2ISWjQlrDEcIilDIYAqPYnBjzPhp23BgqwGWR mHGcsAP6kkX3EyitAhAJxSBaW/c1Wnq/XodcnOUPc7g4yCS6p7dOgRMHo1AwTjAd BgNVHQ4EFgQUh+zW2Ny3wElGGZJHq9bcabpAP20wHwYDVR0jBBgwFoAUh+zW2Ny3 wElGGZJHq9bcabpAP20wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNnADBkAjA4 1EQEQVkxMPFQ2BR+PqkUyFD+L+Umu0Ab7nL86Qrqgcmz+oGeZP16ZzY37D2rWeYC MH1ff4dhrhJnaUdQ7xypzT2WOAHT1zpW7Hms9XYuNAmYasRDvoZmRVjMvU7gne7R eQ== -----END CERTIFICATE----- subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 1050 bytes and written 272 bytes Verification error: self signed certificate --- New, TLSv1.0, Cipher is ECDHE-ECDSA-AES128-SHA Server public key is 384 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES128-SHA Session-ID: 56A50DE80262675795C00BFAFE1A63B6487A83FFE0A7D3AD691C2086E63124DC Session-ID-ctx: Master-Key: A3D769131534FAFAB0E5DE59FE9B332911F3C1F28D7668C9AF14078E412AEEF0B04DAB969EDCEC1D1CA963AC58097630 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 39 47 ea b2 1a 38 54 09-56 a7 76 d0 21 81 d2 6a 9G...8T.V.v.!..j 0010 - 6e d9 b2 10 2f 02 ff 6f-d9 0e 23 4b 3a 7e 84 01 n.../..o..#K:~.. 0020 - f8 86 80 fb ef b1 dc bf-f7 ba 62 c7 e8 eb 48 da ..........b...H. 0030 - 6e 03 c2 2d 07 51 e9 b3-df 63 a6 27 06 78 e7 79 n..-.Q...c.'.x.y 0040 - 20 b4 32 a9 6d 8a ab b8-f2 59 c5 f7 76 25 b9 e7 .2.m....Y..v%.. 0050 - 5e 99 66 4f 45 d1 b1 2b-df f4 0b 7e 70 f7 93 b3 ^.fOE..+...~p... 0060 - 92 98 51 ee ac d4 ce 68-a0 95 fa de c5 e9 f2 d6 ..Q....h........ 0070 - ed 37 93 e3 64 05 91 1a-32 e9 f2 19 d3 43 98 31 .7..d...2....C.1 0080 - 72 48 89 0c 37 53 67 1b-b6 09 f9 ce 22 20 9f de rH..7Sg....." .. 0090 - a2 12 68 db 8c 44 f9 5b-de a2 fd 39 cd fc e2 1f ..h..D.[...9.... 00a0 - 30 c0 1a 87 42 25 86 e0-c4 44 9b 53 ee a9 f3 90 0...B%...D.S.... Start Time: 1508783166 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) Extended master secret: yesFor testing purpose, I need to simulate a SSL request with EMS - Extended master secret disabled on my Ubuntu machine.
I checked the official openssl page https://wiki.openssl.org/index.php/Compilation_and_Installation, but could not find any flags/options that I could use in order to compile openssl without the EMS option.
The client always reports EMS as 'Yes', how do I set it to 'No'? Please provide inputs.
openssl version OpenSSL 1.1.1-dev xx XXX xxxx openssl version -a OpenSSL 1.1.1-dev xx XXX xxxx built on: reproducible build, date unspecified platform: linux-x86_64 compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/compssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\"" -Wa,--noexecstack OPENSSLDIR: "/usr/local/compssl" ENGINESDIR: "/usr/local/lib/engines-1.1" Seeding source: os-specific Server: sudo openssl s_server -key 384private-key.pem -cert 384server.pem -accept 443 -www -cipher ALL:COMPLEMENTOFALL -comp Client: sudo openssl s_client -connect 10.92.0.10:443 -cipher ECDHE-ECDSA-AES128-SHA -comp CONNECTED(00000003) depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=18:self signed certificate verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify return:1 --- Certificate chain 0 s:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd i:C = AU, ST = Some-State, O = Internet Widgits Pty Ltd --- Server certificate -----BEGIN CERTIFICATE----- MIICDTCCAZSgAwIBAgIJAN7qjHB4CZ1mMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn aXRzIFB0eSBMdGQwHhcNMTcwNzI3MjIwODQzWhcNMTkwNzI3MjIwODQzWjBFMQsw CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu ZXQgV2lkZ2l0cyBQdHkgTHRkMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3nDWwzwX RGLwdOARyQdM3yvQc7FlXIlsIIi2ISWjQlrDEcIilDIYAqPYnBjzPhp23BgqwGWR mHGcsAP6kkX3EyitAhAJxSBaW/c1Wnq/XodcnOUPc7g4yCS6p7dOgRMHo1AwTjAd BgNVHQ4EFgQUh+zW2Ny3wElGGZJHq9bcabpAP20wHwYDVR0jBBgwFoAUh+zW2Ny3 wElGGZJHq9bcabpAP20wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNnADBkAjA4 1EQEQVkxMPFQ2BR+PqkUyFD+L+Umu0Ab7nL86Qrqgcmz+oGeZP16ZzY37D2rWeYC MH1ff4dhrhJnaUdQ7xypzT2WOAHT1zpW7Hms9XYuNAmYasRDvoZmRVjMvU7gne7R eQ== -----END CERTIFICATE----- subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd issuer=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 1050 bytes and written 272 bytes Verification error: self signed certificate --- New, TLSv1.0, Cipher is ECDHE-ECDSA-AES128-SHA Server public key is 384 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES128-SHA Session-ID: 56A50DE80262675795C00BFAFE1A63B6487A83FFE0A7D3AD691C2086E63124DC Session-ID-ctx: Master-Key: A3D769131534FAFAB0E5DE59FE9B332911F3C1F28D7668C9AF14078E412AEEF0B04DAB969EDCEC1D1CA963AC58097630 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 39 47 ea b2 1a 38 54 09-56 a7 76 d0 21 81 d2 6a 9G...8T.V.v.!..j 0010 - 6e d9 b2 10 2f 02 ff 6f-d9 0e 23 4b 3a 7e 84 01 n.../..o..#K:~.. 0020 - f8 86 80 fb ef b1 dc bf-f7 ba 62 c7 e8 eb 48 da ..........b...H. 0030 - 6e 03 c2 2d 07 51 e9 b3-df 63 a6 27 06 78 e7 79 n..-.Q...c.'.x.y 0040 - 20 b4 32 a9 6d 8a ab b8-f2 59 c5 f7 76 25 b9 e7 .2.m....Y..v%.. 0050 - 5e 99 66 4f 45 d1 b1 2b-df f4 0b 7e 70 f7 93 b3 ^.fOE..+...~p... 0060 - 92 98 51 ee ac d4 ce 68-a0 95 fa de c5 e9 f2 d6 ..Q....h........ 0070 - ed 37 93 e3 64 05 91 1a-32 e9 f2 19 d3 43 98 31 .7..d...2....C.1 0080 - 72 48 89 0c 37 53 67 1b-b6 09 f9 ce 22 20 9f de rH..7Sg....." .. 0090 - a2 12 68 db 8c 44 f9 5b-de a2 fd 39 cd fc e2 1f ..h..D.[...9.... 00a0 - 30 c0 1a 87 42 25 86 e0-c4 44 9b 53 ee a9 f3 90 0...B%...D.S.... Start Time: 1508783166 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) Extended master secret: yes最满意答案
查看OpenSSL中的源代码,似乎无法在不更改源代码的情况下禁用扩展主密钥(搜索EXTMS)。 但你可以简单地使用一个不支持扩展主密码的OpenSSL版本:而不是使用前沿1.1.1dev只需使用1.0.2(无论如何它应该是当前Ubuntu上的默认OpenSSL)。
Looking at the source code in OpenSSL there seems to be no way to disable extended master secrets without changing the source code (search for EXTMS). But you could simply use a version of OpenSSL which does not support extended master secrets yet: instead of using bleeding edge 1.1.1dev simply use 1.0.2 (which should be the default OpenSSL on current Ubuntu anyway).
更多推荐
发布评论