iopcoder.blogg.se

Wireshark https authentication
The SSL/TLS handshake process can be divided into two types:

1) SSL/TLS mutual authentication: both parties authenticate each other, that is, certificates are exchanged between the two.
2) SSL/TLS one-way authentication: the client authenticates the identity of the server, and the server does not verify the identity of the client.

We know that the handshake process is actually a process in which the two communicating parties negotiate and exchange a key for symmetric encryption, and the handshake itself is in plain text. This process generates three random numbers: the client random, the server random, and the pre-master secret. The first two random numbers are transmitted in plain text, and only the pre-master secret is encrypted (RSA or DH). Refer to the illustration of the SSL/TLS protocol.

Generally, when generating a certificate, the signature algorithm can be RSA or DSA. If the server uses an RSA certificate, RSA can be used both for signing and for asymmetric encryption: the pre-master secret is encrypted with the public key contained in the server's RSA certificate. If the server uses a DSA certificate, DSA can only be used for signing, so the DH algorithm is also needed to exchange keys.

The following is its flow chart (taken from rfc5246); the steps in parentheses are optional. Step 4, server_key_exchange, is only needed when certain key exchange algorithms such as DH are selected. If it is a one-way authentication, the blue font part is not needed.

Next, use wireshark to capture the packets of the handshake process. The server/client uses JAVA7/JSSE. The server certificate signature algorithm is RSA, with two-way authentication. It can be seen that all steps except 4 are included: because the RSA algorithm is adopted, step 4 is unnecessary.

client_hello: the client provides the following information to the server:
(1) Supported protocol version, such as TLS 1.0
(2) Supported encryption algorithms (Cipher Specs)
(3) Random number 1 (Challenge) generated by the client, later used to generate the "session key".

server_hello: the server replies to the client with the following information:
(2) Random number 2 generated by the server, which will be used to generate the "session key" later.

server_key_exchange: if the DH algorithm is used, the DH parameters used by the server are sent here. The RSA algorithm does not require this step.

certificate_request: requires the client to provide a certificate, including
(1) the type of certificate that the client can provide
(2) a list of distinguished names of certificates accepted by the server, which can be root CAs or subordinate CAs. If the server is configured with a trust keystore, the distinguished names of all certificates in the trust keystore will be listed here.

client_key_exchange: contains the pre-master secret.
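As an added example (not code from the original post), here is a small Python parser for the client_hello record that Wireshark dissects in the capture above: it extracts the plaintext fields the post lists (protocol version, client random, cipher suites) and flags which offered suites would require the server_key_exchange step. The record bytes are constructed for this example, not taken from a real capture.

```python
import struct

# Subset of IANA cipher-suite codes (real values) used by the constructed sample.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def needs_server_key_exchange(suite_name):
    """RSA key exchange encrypts the pre-master secret with the certificate's
    public key, so no server_key_exchange is sent; (EC)DH(E) suites need one."""
    return suite_name.startswith(("TLS_ECDHE_", "TLS_DHE_", "TLS_DH_", "TLS_ECDH_"))

def parse_client_hello(record):
    """Return the plaintext fields of a client_hello carried in one TLS record,
    the same fields Wireshark shows in its handshake dissection."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:                # 22 = handshake
        raise ValueError("not a handshake record")
    hs = record[5:5 + record_len]
    if hs[0] != 1:                        # handshake type 1 = client_hello
        raise ValueError("not a client_hello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    client_random = body[2:34]            # random number 1, sent in the clear
    pos = 34 + 1 + body[34]               # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "client_random": client_random.hex(),
        "cipher_suites": [CIPHER_SUITES.get(c, "unknown_0x%04x" % c) for c in codes],
    }

# Constructed sample (not a real capture): a TLS 1.0 client_hello offering three suites.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 0301 0033"            # record: handshake, version 3.1, 51 bytes follow
    "01 00002f"               # handshake: client_hello, 47-byte body
    "0301"                    # client_version = TLS 1.0
    + bytes(range(32)).hex()  # client random (32 bytes)
    + "00"                    # session_id length 0
    "0006 c02f 002f 000a"     # cipher_suites: three suites
    "01 00"                   # compression_methods: null only
    "0000"                    # no extensions
)
```

Running `parse_client_hello(SAMPLE_CLIENT_HELLO)` shows every value in the clear, which is exactly why the capture reveals versions, randoms and offered suites while the pre-master secret stays unreadable.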