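<!DOCTYPE html>
<html lang="zh-CN" data-theme="light">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>国密算法/协议/工控 | Koper</title>
<meta name="robots" content="noindex">
<meta name="keywords" content="algorithm,protocol,Industrial control">
<meta name="author" content="Koper">
<meta name="copyright" content="Koper">
<meta name="format-detection" content="telephone=no">
<meta name="theme-color" content="#ffffff">
<meta name="description" content="研究国密SSL/TLS的相关算法、密码组件,搭建环境并用TLS-Attacker对其测试分析">
<meta property="og:type" content="article">
<meta property="og:title" content="国密算法/协议/工控">
<meta property="og:url" content="https://koper.top/2021/04/28/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/index.html">
<meta property="og:site_name" content="Koper">
<meta property="og:description" content="研究国密SSL/TLS的相关算法、密码组件,搭建环境并用TLS-Attacker对其测试分析">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://koper.top/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/gmssl-cover.png">
<meta property="article:published_time" content="2021-04-28T12:19:09.000Z">
<meta property="article:modified_time" content="2021-08-03T10:55:15.794Z">
<meta property="article:author" content="Koper">
<meta property="article:tag" content="algorithm">
<meta property="article:tag" content="protocol">
<meta property="article:tag" content="Industrial control">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://koper.top/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/gmssl-cover.png">
<!-- Favicon: the href previously had a CSS url(...) wrapper inside it and resolved to a path that does not exist; it now names the avatar image directly. -->
<link rel="shortcut icon" href="/images/avatar-1.jpeg">
<link rel="canonical" href="https://koper.top/2021/04/28/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/">
<!-- Third-party origins are written with an explicit https: scheme instead of protocol-relative URLs. -->
<link rel="preconnect" href="https://cdn.jsdelivr.net">
<link rel="preconnect" href="https://hm.baidu.com">
<link rel="preconnect" href="https://busuanzi.ibruce.info">
<meta name="google-site-verification" content="Jf44vMTh-5bU3UwYmXPAZZ5BVZYxijDqdSJmd98DncE">
<link rel="manifest" href="/manifest.json">
<link rel="apple-touch-icon" sizes="180x180" href="/images/siteicon/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/siteicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/siteicon/favicon-16x16.png">
<link rel="mask-icon" href="/images/siteicon/safari-pinned-tab.svg" color="#5bbad5">
<link rel="stylesheet" href="/css/index.css">
<!-- NOTE(review): the two CDN stylesheets below have no version in their URLs and no integrity/crossorigin attributes, so the bytes served can change without this page changing. Pin an exact version and add Subresource Integrity once the hash of the pinned file is known. -->
<!-- NOTE(review): the inline onload handlers are blocked by a Content-Security-Policy that disallows inline script; move the media swap into a script file before applying such a policy. -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/node-snackbar/dist/snackbar.min.css" media="print" onload="this.media='all'">
<script>var _hmt = _hmt || [];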
(function () {
  // Insert the Baidu analytics loader (hm.js) ahead of the first script
  // element in the document. The file comes from a third-party origin and runs
  // with the same privileges as first-party code; no integrity attribute is
  // set on the element, so what executes is whatever hm.baidu.com serves for
  // this URL (the query string presumably identifies the site).
  var tracker = document.createElement("script");
  tracker.src = "https://hm.baidu.com/hm.js?cc0406ed801f1edae76a788eed5f326e";
  var firstScript = document.getElementsByTagName("script")[0];
  firstScript.parentNode.insertBefore(tracker, firstScript);
})();
</script><script>const GLOBAL_CONFIG = {
// Properties of the site-wide GLOBAL_CONFIG object. The scripts that read them
// are not part of this listing, so the notes below describe only what the
// values themselves show.
root: '/',
algolia: undefined,
// NOTE(review): hits_empty contains a ${query} placeholder. The code that fills
// it in is not shown here; confirm the search text is HTML-escaped before the
// message is inserted into the page.
localSearch: {"path":"search.xml","languages":{"hits_empty":"找不到您查询的内容:${query}"}},
translate: undefined,
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
relativeDate: {
homepage: true,
post: false
},
runtime: '天',
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: {"limitCount":50,"languages":{"author":"作者: Koper","link":"链接: ","source":"来源: Koper","info":"著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。"}},
lightbox: 'fancybox',
Snackbar: {"chs_to_cht":"你已切换为繁体","cht_to_chs":"你已切换为简体","day_to_night":"你已切换为深色模式","night_to_day":"你已切换为浅色模式","bgLight":"#49b1f5","bgDark":"#121212","position":"bottom-left"},
// External assets named by URL. "@latest" and the unversioned package paths
// resolve to whichever release the CDN currently serves, so the code that runs
// on this page can change without the page itself changing.
// NOTE(review): pin exact versions, and have the loader set integrity and
// crossorigin once the hashes of the pinned files are known.
source: {
jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
},
fancybox: {
js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
}
},
isPhotoFigcaption: true,
islazyload: false,
isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
// Per-page values, kept in a separate global from the site-wide GLOBAL_CONFIG.
isPost: true,
isHome: false,
isHighlightShrink: false,
isToc: true,
// Wall-clock form of the modified time that the article:modified_time meta tag
// gives as 2021-08-03T10:55:15.794Z (presumably rendered in UTC+8).
postUpdate: '2021-08-03 18:55:15'
}</script><noscript><style type="text/css">
/* Fallback rules that apply only when JavaScript is disabled: this stylesheet
   sits inside a noscript element. */

/* Show the navigation bar and gallery images at full opacity (presumably they
   are otherwise faded in by script). */
#nav,
.justified-gallery img {
  opacity: 1;
}

/* Keep post dates displayed inline. */
#recent-posts time,
#post-meta time {
  display: inline !important;
}
</style></noscript><script>(win=>{
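// Thin wrapper around localStorage that stores each value with an expiry time.
// Anything read back is treated as untrusted: every script running on this
// origin can write to localStorage, so get() has to tolerate malformed entries.
win.saveToLocal = {
  // Store `value` under `key` for `ttl` days; a ttl of exactly 0 stores nothing.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const now = new Date()
    const expiryDay = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: now.getTime() + expiryDay,
    }
    localStorage.setItem(key, JSON.stringify(item))
  },
  // Return the stored value, or undefined when the key is absent, expired
  // (the entry is then removed), unreadable, or not an object as set() writes.
  get: function getWithExpiry(key) {
    let itemStr
    try {
      itemStr = localStorage.getItem(key)
    } catch (err) {
      // The browser can refuse storage access; behave as a cache miss.
      return undefined
    }
    if (!itemStr) {
      return undefined
    }
    let item
    try {
      item = JSON.parse(itemStr)
    } catch (err) {
      // Not JSON. Without this guard the exception escaped to the caller and
      // stopped the rest of the inline script from running.
      return undefined
    }
    // JSON.parse can yield null or a primitive; reading .expiry on null throws.
    if (item === null || typeof item !== 'object') {
      return undefined
    }
    const now = new Date()
    if (now.getTime() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}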
// Load an external script by URL. The returned promise resolves once the
// script has loaded and rejects when the element's error handler fires.
// NOTE(review): no integrity or crossOrigin attribute is set on the element,
// so the browser cannot check the fetched file against a known hash. Pass only
// trusted, version-pinned URLs.
win.getScript = url => {
  return new Promise((resolve, reject) => {
    const el = document.createElement('script')
    el.src = url
    el.async = true
    el.onerror = reject
    const finish = function () {
      // When readyState is set, ignore every state except 'loaded'/'complete'.
      const state = this.readyState
      const pending = state && state !== 'loaded' && state !== 'complete'
      if (pending) return
      // Detach both handlers so the promise is settled only once.
      el.onload = el.onreadystatechange = null
      resolve()
    }
    el.onreadystatechange = finish
    el.onload = finish
    document.head.appendChild(el)
  })
}
// Switch the document to the dark theme and, when a theme-color meta tag
// exists, set its content to the dark value.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta === null) return
  themeColorMeta.setAttribute('content', '#0d0d0d')
}
// Switch the document to the light theme and, when a theme-color meta tag
// exists, set its content to the light value.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta === null) return
  themeColorMeta.setAttribute('content', '#ffffff')
}
// Re-apply the visitor's saved theme. Only the exact strings 'dark' and
// 'light' have any effect; every other stored value is ignored.
switch (saveToLocal.get('theme')) {
  case 'dark':
    activateDarkMode()
    break
  case 'light':
    activateLightMode()
    break
}

// Re-apply the saved sidebar state: 'hide' adds the hide-aside class, any
// other stored value removes it, and no stored value leaves the class alone.
const storedAside = saveToLocal.get('aside-status')
const rootClasses = document.documentElement.classList
if (storedAside === 'hide') {
  rootClasses.add('hide-aside')
} else if (storedAside !== undefined) {
  rootClasses.remove('hide-aside')
}
})(window)</script><meta name="generator" content="Hexo 5.4.0"></head><body><div id="loading-box"><div class="loading-left-bg"></div><div class="loading-right-bg"></div><div class="spinner-box"><div class="configure-border-1"><div class="configure-core"></div></div><div class="configure-border-2"><div class="configure-core"></div></div><div class="loading-word">加载中...</div></div></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="/images/avatar-1.jpeg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/archives/"><div class="headline">文章</div><div class="length-num">10</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/tags/"><div class="headline">标签</div><div class="length-num">10</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="not-top-img" id="page-header"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Koper</a></span><div id="menus"><div id="search-button"><a class="site-page social-icon search"><i class="fas fa-search fa-fw"></i><span> 搜索</span></a></div><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i 
class="fa-fw fas fa-heart"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav></header><main class="layout" id="content-inner"><div id="post"><div id="post-info"><h1 class="post-title">国密算法/协议/工控</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-04-28T12:19:09.000Z" title="发表于 2021-04-28 20:19:09">2021-04-28</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2021-08-03T10:55:15.794Z" title="更新于 2021-08-03 18:55:15">2021-08-03</time></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">10.5k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>54分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="国密算法/协议/工控"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div><article class="post-content" id="article-container"><h1>国密标准</h1>
<p>关注<a target="_blank" rel="noopener" href="http://www.scctc.org.cn/index.aspx">国家商用密码检测中心</a>和<a target="_blank" rel="noopener" href="http://openstd.samr.gov.cn/bzgk/gb/">国家标准全文公开系统</a>和<a target="_blank" rel="noopener" href="http://std.samr.gov.cn/">全国标准信息公共服务平台</a>以及<a target="_blank" rel="noopener" href="https://www.oscca.gov.cn/sca/index.shtml">国家密码管理局</a>和<a target="_blank" rel="noopener" href="https://www.cacrnet.org.cn/">中国密码学会</a>和<a target="_blank" rel="noopener" href="http://www.gmbz.org.cn/main/index.html">密码行业标准化技术委员会</a>发布的标准。</p>
<p>🌟🌟🌟注意:<strong>GMT_0024-2014</strong>关于GM的SSL VPN标准已经是2015年的标准,现在2020-11-01已经出台新的标准,也就是<a target="_blank" rel="noopener" href="http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=778097598DA2761E94A5FF3F77BD66DA"><strong>GB/T 38636-2020</strong></a>标准(TLCP-传输层密码协议),其中关于密码组件有了新的描述和值,如下图所示:<br>
<img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/image-20210713210116996.png" alt=""></p>
<p>同时,我国的<strong>SM2/3/4/9</strong>已经成为了<strong>ISO/IEC</strong>的标准,以后应用更加广泛</p>
<p>关于商密和RFC的一些标准文档:<a target="_blank" rel="noopener" href="https://www.rfc-editor.org/rfc/rfc8998.html">RFC-8998</a>:ShangMi (SM) Cipher Suites for TLS 1.3</p>
<h1>国密SSL/TLS</h1>
<p>🌟🌟🌟<a target="_blank" rel="noopener" href="https://www.gmssl.cn/gmssl/index.jsp?go=down">国密SSL实验室</a>(重点):好多使用的工具,包括国密Web浏览器、国密Web服务器、国密性能测试、国密工具箱等等。可以从这里面下载Web服务器,搭建并进行TLS-Attacker的测试。一个<a target="_blank" rel="noopener" href="https://developer.aliyun.com/article/770830">阿里云的实战博客</a>,该博客实战了GMSSL的Nginx安装和使用。一个相关测试的专栏文章-<a target="_blank" rel="noopener" href="https://segmentfault.com/a/1190000024448440">国密SSL之性能测试</a>。</p>
<p>一个在线工具:<a target="_blank" rel="noopener" href="https://myssl.com/">SSL/TLS安全评估报告-在线网站检测</a>。其支持国密HTTPS的检测分析。</p>
<p>江南天安<a target="_blank" rel="noopener" href="https://github.com/jntass">Github主页-jntass</a>:提供源码下载和Nginx服务器的安装。</p>
<p><a target="_blank" rel="noopener" href="http://gmssl.org/">GmSSL</a>:支持国密的密码工具箱,GmSSL作者关志教授的Github主页:<a target="_blank" rel="noopener" href="https://github.com/guanzhi">GmSSL-guanzhi</a>。其中关志教授将<a target="_blank" rel="noopener" href="https://github.com/guanzhi/GM-Standards">GM-Standards</a>都列了出来,所有国密行业的标准pdf。</p>
<p><a target="_blank" rel="noopener" href="https://www.doubleca.com/test_toIndexPage.action">大宝CA数字证书测试平台</a>(工具平台/Java/服务器):该平台有Java国密算法基本组件(JSE),有Java国密SSL算法基础套件,有国密SSL规范的Tomcat组件,有国密SSL规范Nginx服务器。❌(网站未备案,说不定过段时间就可以了)</p>
<p><a target="_blank" rel="noopener" href="https://github.com/BabaSSL/BabaSSL">阿里巴巴的BabaSSL</a>,支持国密操作的OpenSSL开源项目,其<a target="_blank" rel="noopener" href="https://codeup.openanolis.cn/codeup/crypto">代码库</a>。</p>
<p><a target="_blank" rel="noopener" href="https://github.com/mrpre/atls">ATLS</a>:A light TLS implementation used for learning: TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3 GMSSL 1.1(国密SSL) based on <a target="_blank" rel="noopener" href="http://libcrypto.so">libcrypto.so</a>.</p>
<h1>实验</h1>
<h2 id="第一次GmSSL环境搭建实验(国密SSL实验室):">第一次GmSSL环境搭建实验(国密SSL实验室):</h2>
<ul>
<li><a target="_blank" rel="noopener" href="https://developer.aliyun.com/article/770830">国密SSL协议之Nginx集成</a>:结合前面的<em>国密SSL实验室</em>进行,在CentOS 7环境上实验(<s>失败</s>)❌❌❌</li>
</ul>
<ol>
<li>先在国密SSL实验室官网下载国密Web服务器:gmssl_openssl_1.1_b4.tar.gz</li>
<li>在CentOS8虚拟机中,解压文件到/usr/local目录下面,解压后文件为/gmssl</li>
<li>从Nginx官网下载Nginx:nginx-1.18.0.tar.gz,将conf中的OPENSSL位置进行更改(这里改文件出了一点小差错,还好看出来并解决了)</li>
<li>从GMSSL中生成证书,然后开启nginx服务</li>
<li>下载360极速浏览器,访问centos服务器的地址。出错误了,在这里访问CentOS的IP地址并不能成功进行访问。这里能正常访问http但是不能访问https,无论如何都不行,也不知道是不是浏览器的问题。无法解决,换一个环境。</li>
</ol>
<h2 id="第二次GmSSL环境搭建实验(GmSSL-关志教授):">第二次GmSSL环境搭建实验(GmSSL-关志教授):</h2>
<ul>
<li><a target="_blank" rel="noopener" href="https://cloud.tencent.com/developer/article/1597165">搭建国密SSL开发测试环境</a>:结合前面的<em><strong>GmSSL-关志教授-Github</strong></em>进行,在CentOS 7环境上进行实验<strong>(成功)</strong></li>
</ul>
<ol>
<li>决定换一个环境,换成guanzhi的GmSSL进行搭建,试一下是否可行;如果再不行,就换成TaSSL的环境。</li>
<li>先安装CentOS 7,接下来安装相关软件,Openssl、Gcc、GmSSL,环境都搭建好了,且都能成功运行测试。</li>
<li>接下来进行server的创建,然后本地连接服务器,进行国密SSL测试</li>
<li>出了一个问题,就是提示libcrypto.so.1.1和libssl.so.1.1文件有问题。这里打算重新安装d版本的openssl试一下是否有错误。这次重装了一次GmSSL之后,就没有出现错误了。</li>
<li>开始打开GmSSL的服务端,试一下国密浏览器是否能连接。</li>
<li>又出现了一个问题,就是主机上并不能访问虚拟机openssl的ip地址,这就很奇怪了,能相互ping通,但是不能在主机浏览器上进行访问,但是能在虚拟机上对本地进行连接。尝试关闭虚拟机的防火墙之后,主机能对虚拟机进行正常访问。(这说明是防火墙拦截了服务端口;更稳妥的做法是只放行该端口,而不是整体关闭防火墙。)</li>
<li>通过在Mac上下载GmBrowser并且访问CentOS服务器的地址,成功进行国密连接。</li>
<li>接下来,使用TLS-Attacker和TLS-Scanner对本地环境进行测试。开始着手TLS-Attacker和TLS-Scanner的熟悉和编程修改优化。</li>
</ol>
<h2 id="第三次GMSSL环境搭建(国密SSL实验室)">第三次GMSSL环境搭建(国密SSL实验室)</h2>
<p>结合前面的<em>国密SSL实验室</em>进行,在CentOS 7环境上实验(<s>失败</s>)❌❌❌</p>
<p>主要是在外部服务器上进行搭建测试,这次测试了2种搭建(特殊:这个支持CBC模式)</p>
<ol>
<li>
<p>Nginx(国密版)搭建(完成)</p>
</li>
<li>
<p>Apache(国密版)搭建(完成)</p>
</li>
<li>
<p>国密HTTPS在线Demo(完成),Demo如下图所示:</p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/%E5%9B%BD%E5%AF%86HTTPS%E5%9C%A8%E7%BA%BFDemo.png" alt="国密HTTPS在线Demo"></p>
</li>
</ol>
<p>问题:能访问,但是Mac上用Wireshark抓包失败</p>
<p>分析:服务器在国外,产生的流并不是直接指向服务器地址,而是在本地代理的环境下进行了转发。</p>
<p>解决:找到本地代理的固定口,让流量只通过这个,不更换,更好的捕获流量(5.27中午吃饭之前要解决,然后TLS-Attacker底层)</p>
<p>结果:代理是clash,不好更改,抓包不方便,该方案取消</p>
<h2 id="第四次GmSSL环境搭建(百度云VPS主机)">第四次GmSSL环境搭建(百度云VPS主机)</h2>
<p>算是失败的搭建,无法检测❌❌❌</p>
<p>完成搭建,可以抓包</p>
<p>下一步改TLS-Attacker框架,适应国密</p>
<p>GmSSL实验室的Nginx实验室服务器的支持的密码组件是<strong>ECC-SM4-CBC-SM3、ECDHE-SM4-CBC-SM3、ECC-SM4-GCM-SM3、ECDHE-SM4-GCM-SM3</strong>,但是并不知道密码组件所代表的值,其中两个是CBC密码模式的组件。是否可以通过<strong>Wireshark</strong>来抓取服务器的包,然后知道其所代表的值(这估计是不行的)。</p>
<h2 id="正式实验记录(第四次搭建实验):">正式实验记录(第四次搭建实验):</h2>
<p>遇到的问题:Nginx服务器的密码组件格式是ECDHE-SM4-CBC-SM3形式,而正式标准规定TLS的密码组件格式为ECDHE_SM4_CBC_SM3(下划线分割)格式,GmSSL实验室的服务器是这样,不知道现在其他的服务器是否是如此规定。可以试图修改服务器的组件表达方式。</p>
<p>找到了/usr/local/gmssl/lib目录下的libcrypto.a文件,解压之后发现了sm2、sm3等的obj类型文件,例如sm3.o文件,该文件不可读,打开是乱码,但是百度有方法可以解码后阅读。</p>
<ul>
<li>最终决定对现有服务器进行测试,再自己搭建服务器进行测试,测试记录如下:</li>
</ul>
<p>测试并记录带有GmTLS的服务器:测试工具<a target="_blank" rel="noopener" href="https://myssl.com/">MySSL</a>和<a target="_blank" rel="noopener" href="https://www.ssllabs.com">SSLLab</a>:</p>
<table>
<thead>
<tr>
<th>域名</th>
<th>IP</th>
<th>端口</th>
<th>地区</th>
<th>检测日期</th>
<th>评级</th>
<th>GmSSL</th>
</tr>
</thead>
<tbody>
<tr>
<td><a target="_blank" rel="noopener" href="https://106.12.214.59/">https://106.12.214.59/</a></td>
<td>106.12.214.59</td>
<td>443</td>
<td></td>
<td>07-15</td>
<td>无</td>
<td>❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://www.ovssl.cn">https://www.ovssl.cn</a></td>
<td>180.163.248.215</td>
<td>443</td>
<td>上海</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/www.ovssl.cn?port=443&ip=180.163.248.215">A</a></td>
<td>❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://sm2test.ovssl.cn">https://sm2test.ovssl.cn</a></td>
<td>180.163.248.139</td>
<td>443</td>
<td>沃通</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/sm2test.ovssl.cn?port=443&ip=180.163.248.139">B</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://ovssl.cn">https://ovssl.cn</a></td>
<td>180.163.248.215</td>
<td>443</td>
<td>上海</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/ovssl.cn?port=443&ip=180.163.248.215">A</a></td>
<td>❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://www.mct.gov.cn/">https://www.mct.gov.cn/</a></td>
<td>60.165.153.71</td>
<td>443</td>
<td></td>
<td>07-15</td>
<td>无</td>
<td>❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://demo.gmssl.cn">https://demo.gmssl.cn</a></td>
<td>8.140.108.135</td>
<td>443</td>
<td></td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅-0x0101</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://demo.gmssl.cn:1443">https://demo.gmssl.cn:1443</a></td>
<td>8.140.108.135</td>
<td>1443</td>
<td></td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://demo.gmssl.cn:2443">https://demo.gmssl.cn:2443</a></td>
<td>8.140.108.135</td>
<td>2443</td>
<td></td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://ebssec.boc.cn/">https://ebssec.boc.cn/</a></td>
<td>219.141.191.183</td>
<td>443</td>
<td>中行</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/wacc.boc.cn?port=443&ip=112.64.122.223">A</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://www.globalsign.cn/">https://www.globalsign.cn/</a></td>
<td>47.102.214.116</td>
<td>443</td>
<td>上海</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://www.zjca.com.cn">https://www.zjca.com.cn</a></td>
<td>60.190.254.11</td>
<td>443</td>
<td>杭州</td>
<td>07-15</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅❌</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://www.trustasia.com">https://www.trustasia.com</a></td>
<td>52.81.64.209/54.223.64.100</td>
<td>443</td>
<td>北京</td>
<td>07-16</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/ovssl.cn?port=443&ip=180.163.248.215">A</a></td>
<td>✅✅</td>
</tr>
<tr>
<td><a target="_blank" rel="noopener" href="https://gm.trustasia.com">https://gm.trustasia.com</a></td>
<td>52.81.64.209</td>
<td>443</td>
<td>北京</td>
<td>07-24</td>
<td><a target="_blank" rel="noopener" href="https://myssl.com/demo.gmssl.cn?port=2443&ip=8.140.108.135">T</a></td>
<td>✅✅</td>
</tr>
</tbody>
</table>
<ul>
<li>[ ] 接下来任务:修改TLS-Attacker和TLS-Scanner框架使得能够扫描上面支持GmSSL的服务器</li>
</ul>
<ol>
<li>
<p>首先测试服务器:<a target="_blank" rel="noopener" href="https://sm2test.ovssl.cn">https://sm2test.ovssl.cn</a></p>
<p>发送ClientHello之后,服务器返回的不是正常的TLSv1.2版本消息,而是SSL版本的Continuation Data消息,一般是大包分块传输,这个服务器可能不好进行测试,毕竟评级是B,挺安全的。(注:后面第8项的测试结果显示,Continuation Data更可能是抓包工具没有识别国密协议版本造成的显示问题。)</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://demo.gmssl.cn">https://demo.gmssl.cn</a></p>
<p>测试发现,无法抓取TLS协议数据包,因为服务器使用的TLS协议版本是GmTLS(0x0101),这个协议版本是Wireshark无法识别,且框架也无法识别的。对国密SSL协议还是不太熟悉,得经过测试修改才能进行正常通信。</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://ebssec.boc.cn/">https://ebssec.boc.cn/</a></p>
<p>测试之后,可以提前发出ClientHello消息进行通信连接,但是对方服务器并没有进行TLS握手协议消息回复,只能进行TCP的握手和挥手过程,这里很奇怪,可能是服务器协议还存在一些问题。</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://demo.gmssl.cn:1443">https://demo.gmssl.cn:1443</a></p>
<p>测试发现无法进行通信,这个1443端口是进行双向国密证书认证测试的端口,可能是因为这个无法建立连接。以后对双证书熟悉且能进行适配之后进行连接测试。同样的,2443端口也不能进行连接测试。</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://www.globalsign.cn/">https://www.globalsign.cn/</a></p>
<p>能正常发送TLSv1.2握手协议消息,但是服务器并不进行TLS握手协议消息回复,只能进行基本的TCP握手和挥手。</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://www.zjca.com.cn">https://www.zjca.com.cn</a></p>
<p>和第一个测试服务器结果一样,只能接收到Continuation Data的SSL协议消息。</p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://www.trustasia.com">https://www.trustasia.com</a></p>
<p>亚洲诚信服务器可以进行正常通信,可以作为初期测试对象</p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/image-20210724100828452.png" alt=""></p>
</li>
<li>
<p>测试服务器:<a target="_blank" rel="noopener" href="https://gm.trustasia.com">https://gm.trustasia.com</a></p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/image-20210724095742763.png" alt=""></p>
<p>经过测试,用Mac上的wireshark抓包无法显示GmSSLv1协议,所以会显示SSL协议的Continuation Data消息,但是通过Win10上国密版wireshark查看抓取的数据包就可以完全正确地显示。</p>
</li>
</ol>
<h2 id="正式实验记录(第二次搭建实验):">正式实验记录(第二次搭建实验):</h2>
<ol>
<li>
<p>先熟悉GmSSL的生成证书以及国密算法组件</p>
<ul>
<li>新增国密密码套件如下,有对应的16进制表示</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"> 1 ECDHE-SM1-SM3 0xE001</span><br><span class="line"> 2 ECC-SM1-SM3 0xE003</span><br><span class="line"> 3 IBSDH-SM1-SM3 0xE005</span><br><span class="line"> 4 IBC-SM1-SM3 0xE007</span><br><span class="line"> 5 RSA-SM1-SM3 0xE009</span><br><span class="line"> 6 RSA-SM1-SHA1 0xE00A</span><br><span class="line"> 7 ECDHE-SM4-SM3 0xE011</span><br><span class="line"> 8 ECC-SM4-SM3 0xE013</span><br><span class="line"> 9 IBSDH-SM4-SM3 0xE015</span><br><span class="line">10 IBC-SM4-SM3 0xE017</span><br><span class="line">11 RSA-SM4-SM3 0xE019</span><br><span class="line">12 RSA-SM4-SHA1 0xE01A</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">gmssl对国标支持</span><br><span class="line"></span><br><span class="line">gmssl ciphers -V |grep GMTLS</span><br><span class="line">0xE0,0x17 - SM9-WITH-SMS4-SM3 GMTLSv1.1 Kx=SM9 Au=SM9 Enc=SMS4(128) Mac=SM3</span><br><span class="line">0xE0,0x15 - SM9DHE-WITH-SMS4-SM3 GMTLSv1.1 Kx=SM9DHE Au=SM9 Enc=SMS4(128) Mac=SM3</span><br><span class="line">0xE0,0x13 - SM2-WITH-SMS4-SM3 GMTLSv1.1 Kx=SM2 Au=SM2 Enc=SMS4(128) Mac=SM3</span><br><span class="line">0xE0,0x11 - SM2DHE-WITH-SMS4-SM3 GMTLSv1.1 Kx=SM2DHE Au=SM2 Enc=SMS4(128) Mac=SM3</span><br><span class="line">0xE0,0x1A - RSA-WITH-SMS4-SHA1 GMTLSv1.1 Kx=RSA Au=RSA Enc=SMS4(128) Mac=SHA1</span><br><span class="line">0xE0,0x19 - RSA-WITH-SMS4-SM3 GMTLSv1.1 Kx=RSA Au=RSA Enc=SMS4(128) Mac=SM3</span><br></pre></td></tr></table></figure>
<p>GMBrowser连接GM服务器之后网页显示的内容:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br></pre></td><td class="code"><pre><span class="line">s_server -key user.key -cert user_cert.pem -port 44330 -www -debug </span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Ciphers supported in s_server binary</span><br><span class="line">TLSv1.2 :ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 :ECDHE-RSA-AES256-GCM-SHA384 </span><br><span class="line">TLSv1.2 :DHE-RSA-AES256-GCM-SHA384 TLSv1.2 :ECDHE-ECDSA-CHACHA20-POLY1305 </span><br><span class="line">TLSv1.2 :ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 :DHE-RSA-CHACHA20-POLY1305 </span><br><span class="line">TLSv1.2 :ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 :ECDHE-RSA-AES128-GCM-SHA256 </span><br><span class="line">TLSv1.2 :DHE-RSA-AES128-GCM-SHA256 TLSv1.2 :ECDHE-SM2-WITH-SMS4-GCM-SM3 </span><br><span class="line">TLSv1.2 :ECDHE-ECDSA-AES256-SHA384 TLSv1.2 :ECDHE-RSA-AES256-SHA384 </span><br><span class="line">TLSv1.2 :DHE-RSA-AES256-SHA256 TLSv1.2 :ECDHE-ECDSA-AES128-SHA256 </span><br><span class="line">TLSv1.2 :ECDHE-RSA-AES128-SHA256 TLSv1.2 :DHE-RSA-AES128-SHA256 </span><br><span class="line">TLSv1.2 :ECDHE-SM2-WITH-SMS4-SM3 SSLv3 :ECDHE-ECDSA-AES256-SHA </span><br><span class="line">SSLv3 :ECDHE-RSA-AES256-SHA SSLv3 :DHE-RSA-AES256-SHA </span><br><span class="line">SSLv3 :ECDHE-ECDSA-AES128-SHA SSLv3 :ECDHE-RSA-AES128-SHA </span><br><span class="line">SSLv3 :DHE-RSA-AES128-SHA TLSv1.2 :RSA-PSK-AES256-GCM-SHA384 </span><br><span 
class="line">TLSv1.2 :DHE-PSK-AES256-GCM-SHA384 TLSv1.2 :RSA-PSK-CHACHA20-POLY1305 </span><br><span class="line">TLSv1.2 :DHE-PSK-CHACHA20-POLY1305 TLSv1.2 :ECDHE-PSK-CHACHA20-POLY1305 </span><br><span class="line">TLSv1.2 :AES256-GCM-SHA384 TLSv1.2 :PSK-AES256-GCM-SHA384 </span><br><span class="line">TLSv1.2 :PSK-CHACHA20-POLY1305 TLSv1.2 :RSA-PSK-AES128-GCM-SHA256 </span><br><span class="line">TLSv1.2 :DHE-PSK-AES128-GCM-SHA256 TLSv1.2 :AES128-GCM-SHA256 </span><br><span class="line">TLSv1.2 :PSK-AES128-GCM-SHA256 TLSv1.2 :AES256-SHA256 </span><br><span class="line">TLSv1.2 :AES128-SHA256 TLSv1.0 :ECDHE-PSK-AES256-CBC-SHA384 </span><br><span class="line">SSLv3 :ECDHE-PSK-AES256-CBC-SHA SSLv3 :SRP-RSA-AES-256-CBC-SHA </span><br><span class="line">SSLv3 :SRP-AES-256-CBC-SHA TLSv1.0 :RSA-PSK-AES256-CBC-SHA384 </span><br><span class="line">TLSv1.0 :DHE-PSK-AES256-CBC-SHA384 SSLv3 :RSA-PSK-AES256-CBC-SHA </span><br><span class="line">SSLv3 :DHE-PSK-AES256-CBC-SHA SSLv3 :AES256-SHA </span><br><span class="line">TLSv1.0 :PSK-AES256-CBC-SHA384 SSLv3 :PSK-AES256-CBC-SHA </span><br><span class="line">TLSv1.0 :ECDHE-PSK-AES128-CBC-SHA256 SSLv3 :ECDHE-PSK-AES128-CBC-SHA </span><br><span class="line">SSLv3 :SRP-RSA-AES-128-CBC-SHA SSLv3 :SRP-AES-128-CBC-SHA </span><br><span class="line">TLSv1.0 :RSA-PSK-AES128-CBC-SHA256 TLSv1.0 :DHE-PSK-AES128-CBC-SHA256 </span><br><span class="line">SSLv3 :RSA-PSK-AES128-CBC-SHA SSLv3 :DHE-PSK-AES128-CBC-SHA </span><br><span class="line">TLSv1.0 :ECDHE-PSK-WITH-SMS4-CBC-SM3 GMTLSv1.1 :SM9-WITH-SMS4-SM3 </span><br><span class="line">GMTLSv1.1 :SM9DHE-WITH-SMS4-SM3 GMTLSv1.1 :SM2-WITH-SMS4-SM3 </span><br><span class="line">GMTLSv1.1 :SM2DHE-WITH-SMS4-SM3 SSLv3 :AES128-SHA </span><br><span class="line">GMTLSv1.1 :RSA-WITH-SMS4-SHA1 GMTLSv1.1 :RSA-WITH-SMS4-SM3 </span><br><span class="line">TLSv1.0 :PSK-AES128-CBC-SHA256 SSLv3 :PSK-AES128-CBC-SHA </span><br><span class="line">SSLv3 :PSK-WITH-SMS4-CBC-SM3 </span><br><span 
class="line">---</span><br><span class="line">Ciphers common between both SSL end points:</span><br><span class="line">ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384</span><br><span class="line">ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305</span><br><span class="line">ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-SM2-WITH-SMS4-SM3 </span><br><span class="line">AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA </span><br><span class="line">AES256-SHA</span><br><span class="line">Signature Algorithms: ECDSA+SHA256:0x04+0x08:RSA+SHA256:SM2+SM3:ECDSA+SHA384:0x05+0x08:RSA+SHA384:0x06+0x08:RSA+SHA512:RSA+SHA1</span><br><span class="line">Shared Signature Algorithms: ECDSA+SHA256:RSA+SHA256:SM2+SM3:ECDSA+SHA384:RSA+SHA384:RSA+SHA512:RSA+SHA1</span><br><span class="line">Supported Elliptic Curves: 0x7A7A:X25519:P-256:P-384:SM2</span><br><span class="line">Shared Elliptic curves: X25519:P-256:P-384:SM2</span><br><span class="line">---</span><br><span class="line">New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-SM3</span><br><span class="line">SSL-Session:</span><br><span class="line"> Protocol : TLSv1.2</span><br><span class="line"> Cipher : ECDHE-SM2-WITH-SMS4-SM3</span><br><span class="line"> Session-ID: </span><br><span class="line"> Session-ID-ctx: 01000000</span><br><span class="line"> Master-Key: 7C4F28BB5846F9DFE42BFD295E441A8520D50A3FA0E9D6C51C31AA3C153A69C46126ADE3CC77D6074F8127B2C93043A6</span><br><span class="line"> PSK identity: None</span><br><span class="line"> PSK identity hint: None</span><br><span class="line"> SRP username: None</span><br><span class="line"> Start Time: 1620646292</span><br><span class="line"> Timeout : 7200 (sec)</span><br><span class="line"> Verify return code: 0 (ok)</span><br><span class="line"> Extended master secret: yes</span><br><span class="line">---</span><br><span class="line"> 0 items in the session cache</span><br><span class="line"> 0 client connects 
(SSL_connect())</span><br><span class="line"> 0 client renegotiates (SSL_connect())</span><br><span class="line"> 0 client connects that finished</span><br><span class="line"> 1 server accepts (SSL_accept())</span><br><span class="line"> 0 server renegotiates (SSL_accept())</span><br><span class="line"> 1 server accepts that finished</span><br><span class="line"> 0 session cache hits</span><br><span class="line"> 1 session cache misses</span><br><span class="line"> 0 session cache timeouts</span><br><span class="line"> 0 callback cache hits</span><br><span class="line"> 0 cache full overflows (128 allowed)</span><br><span class="line">---</span><br><span class="line">no client certificate available</span><br></pre></td></tr></table></figure>
</li>
<li>
<p>GmSSL国密证书生成以及单向和双向认证</p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/skills/p/13620478.html">GmSSL开发环境搭建及双证书生成</a>:这是讲解证书生成最详细、也最好的一篇博客文章(注意该博客生成根证书的命令有一处错误,Root.key应该改成CA.key)(注意里面的key和crt文件)(如果按这里生成的证书不能用,可以直接去国密SSL实验室生成,各类证书都有;若私钥也是由网站在线生成的,这类证书只适合测试环境使用)</p>
<ul>
<li>实验结果:</li>
</ul>
<p>单证书的单向认证和双向认证都能正常完成,并且可以用GMBroswer连接;双证书的单向认证可以完成通信,但双向认证可能还存在问题(源码问题),不能正常进行,而且双证书模式下都无法与GMBroswer建立连接。如果需要用360安全浏览器进行连接,需要在编译GmSSL时修改其中的一个C文件,具体见:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_15077747/article/details/108602988?spm=1001.2014.3001.5501">gmssl编译后不支持360浏览器双向https问题</a></p>
<ul>
<li>实验记录:</li>
</ul>
<h3 id="单证书单向认证:">单证书单向认证:</h3>
<p>抓包文件:“1-one-cert-one-auth.pcapng”</p>
<p>首先打开服务器s_server,服务端命令和输出如下:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_server -key ./sm2.server/sm2.server.sig.key.pem -cert ./sm2.server/sm2.server.sig.crt.pem -CAfile sm2.trust.pem -state -accept 44330</span><br><span class="line">Using default temp DH parameters</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<p>然后s_client进行连接,客户端s_client的输出如下(注意:输出中包含 Session-ID 和 Master-Key,结合对应的抓包文件即可解密这次会话,因此这类输出只应取自测试环境):</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_client -connect localhost:44330 -key ./sm2.koper/sm2.koper.sig.key.pem -cert ./sm2.koper/sm2.koper.sig.crt.pem -CAfile sm2.trust.pem -state</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">CONNECTED(00000003)</span><br><span class="line">SSL_connect:before SSL initialization</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS read server hello</span><br><span class="line">depth=2 C = CN, O = GMSSL, OU = PKI/SM2, CN = RootCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=1 C = CN, O = GMSSL, OU = PKI/SM2, CN = MiddleCA for Test</span><br><span class="line">verify return:1</span><br><span 
class="line">depth=0 C = CN, ST = Beijing, L = Beijing, O = Sec, OU = Sec, CN = server, emailAddress = sec@email.com</span><br><span class="line">verify return:1</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate</span><br><span class="line">SSL_connect:SSLv3/TLS read server key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS read server done</span><br><span class="line">SSL_connect:SSLv3/TLS write client key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS read server session ticket</span><br><span class="line">SSL_connect:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS read finished</span><br><span class="line">---</span><br><span class="line">Certificate chain</span><br><span class="line"> 0 s:/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> 1 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> 2 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">---</span><br><span class="line">Server certificate</span><br><span class="line">-----BEGIN CERTIFICATE-----</span><br><span class="line">MIICLDCCAc+gAwIBAgIGAXlllPWnMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC</span><br><span class="line">Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN</span><br><span class="line">aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIxMDUxMjE2MDAwMFoYDzIwMjIwNTEyMTYw</span><br><span class="line">MDAwWjB8MQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMH</span><br><span 
class="line">QmVpamluZzEMMAoGA1UEChMDU2VjMQwwCgYDVQQLEwNTZWMxDzANBgNVBAMTBnNl</span><br><span class="line">cnZlcjEcMBoGCSqGSIb3DQEJARYNc2VjQGVtYWlsLmNvbTBZMBMGByqGSM49AgEG</span><br><span class="line">CCqBHM9VAYItA0IABBpkgKei2J+g3S/qd/KHQL2j6wVhHS+qD2oAxJ/T05zIsBOI</span><br><span class="line">/BC+/xOYX86uk3D9V03zC3J2GNZ1le88SIb4McqjaDBmMBsGA1UdIwQUMBKAEPl/</span><br><span class="line">VbQnlDNiplbKb8xdGv8wGQYDVR0OBBIEEDXQBbbJ66twX//RjZHc4r0wEQYDVR0R</span><br><span class="line">BAowCIIGc2VydmVyMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9V</span><br><span class="line">AYN1BQADSQAwRgIhALEqYaJDmh24cyV3mbKt+4VHBvAirFrv/+g/D4OeWS3YAiEA</span><br><span class="line">jUINEpX+B9UTO4onSuOslfXpsK1ZGU28YARCOjzAUq8=</span><br><span class="line">-----END CERTIFICATE-----</span><br><span class="line">subject=/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line">issuer=/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">---</span><br><span class="line">No client certificate CA names sent</span><br><span class="line">Peer signing digest: SM3</span><br><span class="line">Server Temp Key: ECDH, SM2, 256 bits</span><br><span class="line">---</span><br><span class="line">SSL handshake has read 2000 bytes and written 322 bytes</span><br><span class="line">Verification: OK</span><br><span class="line">---</span><br><span class="line">New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Server public key is 256 bit</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Compression: NONE</span><br><span class="line">Expansion: NONE</span><br><span class="line">No ALPN negotiated</span><br><span class="line">SSL-Session:</span><br><span class="line"> Protocol : TLSv1.2</span><br><span class="line"> Cipher : ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line"> Session-ID: 
120E30267852E4300EEACEE62B3C1FEDF38504FB71950A7E1567176E44EA04E0</span><br><span class="line"> Session-ID-ctx: </span><br><span class="line"> Master-Key: 6F092582E1943404E58EB37D13577FB3AE9C20308878A1055425E007A4412475C44C1C425B593C69A9EBFB47A8C56A67</span><br><span class="line"> PSK identity: None</span><br><span class="line"> PSK identity hint: None</span><br><span class="line"> SRP username: None</span><br><span class="line"> TLS session ticket lifetime hint: 7200 (seconds)</span><br><span class="line"> TLS session ticket:</span><br><span class="line"> 0000 - 86 b6 ec 0e 15 ba c8 1b-58 61 5a 08 64 cf 92 e7 ........XaZ.d...</span><br><span class="line"> 0010 - 3d 79 e1 1c 59 c4 c2 9b-1b bd 6d a7 80 f4 65 6d =y..Y.....m...em</span><br><span class="line"> 0020 - 74 fd 9c 60 ce 70 4a 7d-11 35 ce d0 fd df 1a 3e t..`.pJ}.5.....></span><br><span class="line"> 0030 - 81 62 c1 13 b9 d6 22 cf-9a c2 8a 07 0e 81 c1 af .b....".........</span><br><span class="line"> 0040 - f3 44 a5 07 d9 d8 97 3c-fe fe f6 e0 e3 43 ac 41 .D.....<.....C.A</span><br><span class="line"> 0050 - e3 09 8c 69 b5 ab 2e f2-bb 85 cc 10 ca 54 a8 44 ...i.........T.D</span><br><span class="line"> 0060 - e7 a2 80 2f f7 b4 21 49-46 a8 7a cd 1b b7 69 17 .../..!IF.z...i.</span><br><span class="line"> 0070 - 10 68 5d 24 d2 09 4a 12-d2 bc 7e a8 1a af 4f f3 .h]$..J...~...O.</span><br><span class="line"> 0080 - 95 94 1d aa b3 bc 06 46-61 cc 54 03 a3 88 75 6d .......Fa.T...um</span><br><span class="line"> 0090 - 37 a4 88 5b b0 25 83 54-ec ff 95 e2 4d f6 1e db 7..[.%.T....M...</span><br><span class="line"></span><br><span class="line"> Start Time: 1620974867</span><br><span class="line"> Timeout : 7200 (sec)</span><br><span class="line"> Verify return code: 0 (ok)</span><br><span class="line"> Extended master secret: yes</span><br><span class="line">---</span><br><span class="line">Hello!</span><br></pre></td></tr></table></figure>
<p>服务器端s_server的显示如下:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:SSLv3/TLS read client hello</span><br><span class="line">SSL_accept:SSLv3/TLS write server hello</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate</span><br><span class="line">SSL_accept:SSLv3/TLS write key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS read client key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_accept:SSLv3/TLS read finished</span><br><span class="line">SSL_accept:SSLv3/TLS write session ticket</span><br><span class="line">SSL_accept:SSLv3/TLS write change cipher spec</span><br><span 
class="line">SSL_accept:SSLv3/TLS write finished</span><br><span class="line">-----BEGIN SSL SESSION PARAMETERS-----</span><br><span class="line">MFoCAQECAgMDBALhBwQABDBvCSWC4ZQ0BOWOs30TV3+zrpwgMIh4oQVUJeAHpEEk</span><br><span class="line">dcRMHEJbWTxpqev7R6jFamehBgIEYJ4dE6IEAgIcIKQGBAQBAAAArQMCAQE=</span><br><span class="line">-----END SSL SESSION PARAMETERS-----</span><br><span class="line">Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-SM2-WITH-SMS4-SM3:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:AES128-SHA:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3</span><br><span class="line">Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2</span><br><span class="line">Supported Elliptic Curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">Shared Elliptic curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">CIPHER is 
ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Hello!</span><br><span class="line">ERROR</span><br><span class="line">shutting down SSL</span><br><span class="line">CONNECTION CLOSED</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<p>分析:</p>
<p>在<em><strong>ClientHello</strong></em>中提供的国密密码套件有:0xe107(<strong>ECDHE-SM2-WITH-SMS4-GCM-SM3</strong>),0xe102(<strong>ECDHE-SM2-WITH-SMS4-SM3</strong>),0xe011(<strong>ECDHE-SM4-SM3</strong>),0xe013(<strong>ECC-SM4-SM3</strong>),0xe015(<strong>IBSDH-SM4-SM3</strong>),0xe017(<strong>IBC-SM4-SM3</strong>),0xe019(<strong>RSA-SM4-SM3</strong>),0xe01a(<strong>RSA-SM4-SHA1</strong>);</p>
<p>在<em><strong>ClientHello</strong></em>提供的国密Hash+签名算法有:0x0707(<strong>SM3+SM2</strong>)</p>
<p>此时双方协商出的密码套件是<strong>ECDHE-SM2-WITH-SMS4-GCM-SM3</strong>,在数据包中其值为“0xe107”;传输协议为<strong>TLSv1.2</strong>,其值为“0x0303”</p>
<p>图解数据包:</p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/1-one-cert-one-auth-anlysis.jpg" alt="1-one-cert-one-auth-anlysis"></p>
<h3 id="单证书双向认证">单证书双向认证</h3>
<p>抓包文件:2-one-cert-two-auth.pcapng</p>
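<p>首先打开服务器s_server,服务端命令和输出如下(注意:<code>-verify 1</code> 只是向客户端请求证书,客户端不发送证书时握手仍会继续;要强制双向认证应使用 <code>-Verify</code>,并可加上 <code>-verify_return_error</code>,使证书校验失败时直接断开连接):</p>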
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_server -key ./sm2.server/sm2.server.sig.key.pem -cert ./sm2.server/sm2.server.sig.crt.pem -CAfile sm2.trust.pem -state -accept 44330 -verify 1</span><br><span class="line">verify depth is 1</span><br><span class="line">Using default temp DH parameters</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<p>然后s_client进行连接,客户端s_client的输出如下:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span 
class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_client -connect localhost:44330 -key ./sm2.koper/sm2.koper.sig.key.pem -cert ./sm2.koper/sm2.koper.sig.crt.pem -CAfile sm2.trust.pem -state</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">CONNECTED(00000003)</span><br><span class="line">SSL_connect:before SSL initialization</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS read server hello</span><br><span class="line">depth=2 C = CN, O = GMSSL, OU = PKI/SM2, CN = RootCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=1 C = CN, O = GMSSL, OU = PKI/SM2, CN = MiddleCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=0 C = CN, ST = Beijing, L = Beijing, O = Sec, OU = Sec, CN = server, emailAddress = sec@email.com</span><br><span class="line">verify return:1</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate</span><br><span class="line">SSL_connect:SSLv3/TLS read server key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate request</span><br><span class="line">SSL_connect:SSLv3/TLS read server done</span><br><span class="line">SSL_connect:SSLv3/TLS write client 
certificate</span><br><span class="line">SSL_connect:SSLv3/TLS write client key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS write certificate verify</span><br><span class="line">SSL_connect:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS read server session ticket</span><br><span class="line">SSL_connect:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS read finished</span><br><span class="line">---</span><br><span class="line">Certificate chain</span><br><span class="line"> 0 s:/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> 1 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> 2 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">---</span><br><span class="line">Server certificate</span><br><span class="line">-----BEGIN CERTIFICATE-----</span><br><span class="line">MIICLDCCAc+gAwIBAgIGAXlllPWnMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC</span><br><span class="line">Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN</span><br><span class="line">aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIxMDUxMjE2MDAwMFoYDzIwMjIwNTEyMTYw</span><br><span class="line">MDAwWjB8MQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMH</span><br><span class="line">QmVpamluZzEMMAoGA1UEChMDU2VjMQwwCgYDVQQLEwNTZWMxDzANBgNVBAMTBnNl</span><br><span class="line">cnZlcjEcMBoGCSqGSIb3DQEJARYNc2VjQGVtYWlsLmNvbTBZMBMGByqGSM49AgEG</span><br><span class="line">CCqBHM9VAYItA0IABBpkgKei2J+g3S/qd/KHQL2j6wVhHS+qD2oAxJ/T05zIsBOI</span><br><span 
class="line">/BC+/xOYX86uk3D9V03zC3J2GNZ1le88SIb4McqjaDBmMBsGA1UdIwQUMBKAEPl/</span><br><span class="line">VbQnlDNiplbKb8xdGv8wGQYDVR0OBBIEEDXQBbbJ66twX//RjZHc4r0wEQYDVR0R</span><br><span class="line">BAowCIIGc2VydmVyMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9V</span><br><span class="line">AYN1BQADSQAwRgIhALEqYaJDmh24cyV3mbKt+4VHBvAirFrv/+g/D4OeWS3YAiEA</span><br><span class="line">jUINEpX+B9UTO4onSuOslfXpsK1ZGU28YARCOjzAUq8=</span><br><span class="line">-----END CERTIFICATE-----</span><br><span class="line">subject=/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line">issuer=/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">---</span><br><span class="line">Acceptable client certificate CA names</span><br><span class="line">/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">Client Certificate Types: RSA sign, DSA sign, ECDSA sign</span><br><span class="line">Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Peer signing digest: SM3</span><br><span class="line">Server Temp Key: ECDH, SM2, 256 bits</span><br><span class="line">---</span><br><span class="line">SSL handshake has read 2780 bytes and written 1951 bytes</span><br><span class="line">Verification: OK</span><br><span class="line">---</span><br><span class="line">New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Server public key is 256 bit</span><br><span class="line">Secure 
Renegotiation IS supported</span><br><span class="line">Compression: NONE</span><br><span class="line">Expansion: NONE</span><br><span class="line">No ALPN negotiated</span><br><span class="line">SSL-Session:</span><br><span class="line"> Protocol : TLSv1.2</span><br><span class="line"> Cipher : ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line"> Session-ID: 9CD7AA2E27F5E99B8F9DBAF0DE60FF4C62F779758D273569E0A9640A4389BA33</span><br><span class="line"> Session-ID-ctx: </span><br><span class="line"> Master-Key: 8D425B913570771786862AC9A8683569B02996AFE418B5A6BED6D19AFCBCC769246D38376D1F39B05242F75CB6503D0E</span><br><span class="line"> PSK identity: None</span><br><span class="line"> PSK identity hint: None</span><br><span class="line"> SRP username: None</span><br><span class="line"> TLS session ticket lifetime hint: 7200 (seconds)</span><br><span class="line"> TLS session ticket:</span><br><span class="line"> 0000 - d0 fb c1 bc 3a 89 d3 45-eb 58 1a ea 53 ad f5 71 ....:..E.X..S..q</span><br><span class="line"> 0010 - 92 38 35 50 f0 99 cf 92-ea cc cd 68 e1 61 08 f8 .85P.......h.a..</span><br><span class="line"> 0020 - 32 c0 c1 36 af 5c 55 fb-33 9a 87 5e e5 b9 8b f8 2..6.\U.3..^....</span><br><span class="line"> 0030 - f2 e8 d1 3c aa b4 d1 e7-4c 89 00 af c0 56 29 cf ...<....L....V).</span><br><span class="line"> 0040 - 3e de 8a a5 a4 90 f3 41-af 85 19 26 fb 12 a5 ec >......A...&....</span><br><span class="line"> 0050 - 22 29 3a 98 9d 4d bd 77-ac 07 c3 bc 98 34 72 35 "):..M.w.....4r5</span><br><span class="line"> 0060 - d0 6f 3e 1c 56 f7 29 32-42 fb 58 19 04 01 60 62 .o>.V.)2B.X...`b</span><br><span class="line"> 0070 - 07 26 92 dd 25 98 b0 60-c5 ea 62 53 d6 4e a0 18 .&..%..`..bS.N..</span><br><span class="line"> 0080 - ec b8 e5 48 3c 0b 9d c4-a4 95 de 99 9c 44 df de ...H<........D..</span><br><span class="line"> 0090 - b8 04 37 ed a2 57 59 6c-89 3c f2 54 a9 bb 9e 5b ..7..WYl.<.T...[</span><br><span class="line"> 00a0 - 23 de e8 cd 9a cb 19 bc-c8 ff ca 28 97 3c 
a2 bd #..........(.<..</span><br><span class="line"> 00b0 - ce 52 28 b2 45 2f 7a 2b-77 85 c8 94 d5 a3 83 83 .R(.E/z+w.......</span><br><span class="line"> 00c0 - 5f a1 d2 d3 4e 09 62 57-87 c5 fa 21 85 17 5d ad _...N.bW...!..].</span><br><span class="line"> 00d0 - c0 f5 f1 4d b0 43 ed 05-76 d1 55 7a b0 5b 19 d3 ...M.C..v.Uz.[..</span><br><span class="line"> 00e0 - 00 f5 a6 43 88 80 6b b5-1f 77 ef 9f d7 d6 d4 a7 ...C..k..w......</span><br><span class="line"> 00f0 - 1a 05 2a d4 d7 0b 25 c3-54 93 35 20 03 b8 3e 02 ..*...%.T.5 ..>.</span><br><span class="line"> 0100 - 79 f7 ff 54 95 b4 97 73-81 10 12 2c 8d bc 2d 78 y..T...s...,..-x</span><br><span class="line"> 0110 - 50 5c 5f 30 32 8f 68 f4-f4 74 3c d5 26 b2 e3 4e P\_02.h..t<.&..N</span><br><span class="line"> 0120 - c9 72 b5 e3 df 71 7d bf-33 4a 64 39 61 aa 58 1d .r...q}.3Jd9a.X.</span><br><span class="line"> 0130 - 62 6e 4d 78 16 01 97 63-6c e9 e8 49 38 f9 3a ec bnMx...cl..I8.:.</span><br><span class="line"> 0140 - 87 ee 5a d4 89 24 41 23-af 80 4f ae 01 62 9f e5 ..Z..$A#..O..b..</span><br><span class="line"> 0150 - 3e 4f ca 55 f9 ba 67 d5-55 8b c9 b5 ee 90 08 92 >O.U..g.U.......</span><br><span class="line"> 0160 - 12 57 28 2f c1 f8 32 d6-51 8c 39 27 8f c8 d1 5a .W(/..2.Q.9'...Z</span><br><span class="line"> 0170 - 3a f5 0a ce fd 1f 72 97-e5 3b 15 29 ab 1e 20 58 :.....r..;.).. X</span><br><span class="line"> 0180 - 65 aa 26 99 ef 05 fd b5-d4 05 f6 17 a3 08 3f 38 e.&...........?8</span><br><span class="line"> 0190 - ba 70 90 ba c9 20 22 5d-19 a5 d4 33 0c 9f ed 2b .p... 
"]...3...+</span><br><span class="line"> 01a0 - 3a a7 c1 d3 63 f3 71 c2-a4 7c ac 7b f2 29 04 3e :...c.q..|.{.).></span><br><span class="line"> 01b0 - 6b c9 bf 93 d6 d9 1d a3-6a 42 c8 48 e1 d1 f5 7b k.......jB.H...{</span><br><span class="line"> 01c0 - cf 9a fe 59 f9 9d ad 3c-0b 2b 86 b5 cb 0f cb 62 ...Y...<.+.....b</span><br><span class="line"> 01d0 - 47 8a 8f 99 09 00 9d 9e-03 06 90 d7 4e ca 35 97 G...........N.5.</span><br><span class="line"> 01e0 - 33 8e e8 77 2c 66 86 26-d6 74 8a de 00 3a 84 95 3..w,f.&.t...:..</span><br><span class="line"> 01f0 - e6 4b e7 83 cf c3 4d 6d-c1 65 28 a4 0c 3e bc 37 .K....Mm.e(..>.7</span><br><span class="line"> 0200 - b5 f3 7c cc 03 50 ad 86-0d b6 52 61 47 d9 69 e2 ..|..P....RaG.i.</span><br><span class="line"> 0210 - 1c 68 e4 4e 85 f9 47 2f-46 f3 34 75 f1 5e ad 9f .h.N..G/F.4u.^..</span><br><span class="line"> 0220 - ff 42 dd ac b9 ea 24 b0-f7 b8 26 2b 51 4e 00 45 .B....$...&+QN.E</span><br><span class="line"> 0230 - 82 32 df f7 29 d9 d6 a1-13 28 59 e3 03 d1 e2 4a .2..)....(Y....J</span><br><span class="line"> 0240 - bd c5 63 0c 3f 07 4d ed-3c 02 a6 11 82 76 2b 6f ..c.?.M.<....v+o</span><br><span class="line"> 0250 - f4 5e 20 d3 5d e8 24 d2-0a 30 6d d7 18 7d 43 28 .^ .].$..0m..}C(</span><br><span class="line"> 0260 - 32 9e 2f 17 47 a7 3e e2-8d e5 d2 2e 6b cd 4e ad 2./.G.>.....k.N.</span><br><span class="line"> 0270 - e5 bd 97 ae f7 ac 18 7b-56 cb d0 67 13 17 4b 81 .......{V..g..K.</span><br><span class="line"> 0280 - ea df 3f a3 79 d6 cf 07-1e e8 56 37 75 31 37 f7 ..?.y.....V7u17.</span><br><span class="line"> 0290 - f6 43 d4 20 fd d7 35 89-5b 4a 4d 3c 6e 95 70 be .C. 
..5.[JM<n.p.</span><br><span class="line"> 02a0 - 7c 89 3c 66 1b 13 7d 63-f9 14 b0 33 9d c3 72 42 |.<f..}c...3..rB</span><br><span class="line"> 02b0 - 70 d2 1a 07 c3 3e 43 a5-77 32 4e 9f 81 f1 89 ac p....>C.w2N.....</span><br><span class="line"> 02c0 - 0f b4 43 18 95 3b 12 c3-ec 10 45 5e ec 3c 19 b0 ..C..;....E^.<..</span><br><span class="line"> 02d0 - d8 19 ac 2f a6 24 22 71-f1 9c 37 16 c8 35 44 28 .../.$"q..7..5D(</span><br><span class="line"></span><br><span class="line"> Start Time: 1620975768</span><br><span class="line"> Timeout : 7200 (sec)</span><br><span class="line"> Verify return code: 0 (ok)</span><br><span class="line"> Extended master secret: yes</span><br><span class="line">---</span><br><span class="line">Hello!</span><br></pre></td></tr></table></figure>
<p>服务器端s_server的显示如下(其中depth=2/1/0的verify return:1是服务器对客户端证书链逐级验证通过的记录,depth=0即CN = koper的客户端证书):</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:SSLv3/TLS read client hello</span><br><span class="line">SSL_accept:SSLv3/TLS write server hello</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate</span><br><span class="line">SSL_accept:SSLv3/TLS write key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate request</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">depth=2 C = CN, O = GMSSL, OU = PKI/SM2, CN = RootCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=1 C = CN, O = GMSSL, OU = PKI/SM2, CN = MiddleCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=0 C = CN, ST = Beijing, L = Beijing, O = Sec, OU = Sec, CN = koper, emailAddress = sec@email.com</span><br><span class="line">verify return:1</span><br><span class="line">SSL_accept:SSLv3/TLS read client certificate</span><br><span class="line">SSL_accept:SSLv3/TLS read client key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS read certificate verify</span><br><span class="line">SSL_accept:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_accept:SSLv3/TLS read finished</span><br><span class="line">SSL_accept:SSLv3/TLS write session ticket</span><br><span class="line">SSL_accept:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_accept:SSLv3/TLS write finished</span><br><span 
class="line">-----BEGIN SSL SESSION PARAMETERS-----</span><br><span class="line">MIICkwIBAQICAwMEAuEHBAAEMI1CW5E1cHcXhoYqyahoNWmwKZav5Bi1pr7W0Zr8</span><br><span class="line">vMdpJG04N20fObBSQvdctlA9DqEGAgRgniCYogQCAhwgo4ICNTCCAjEwggHVoAMC</span><br><span class="line">AQICBgF5ZZUapjAMBggqgRzPVQGDdQUAMEsxCzAJBgNVBAYTAkNOMQ4wDAYDVQQK</span><br><span class="line">EwVHTVNTTDEQMA4GA1UECxMHUEtJL1NNMjEaMBgGA1UEAxMRTWlkZGxlQ0EgZm9y</span><br><span class="line">IFRlc3QwIhgPMjAyMTA1MTIxNjAwMDBaGA8yMDIyMDUxMjE2MDAwMFowezELMAkG</span><br><span class="line">A1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxDDAK</span><br><span class="line">BgNVBAoTA1NlYzEMMAoGA1UECxMDU2VjMQ4wDAYDVQQDEwVrb3BlcjEcMBoGCSqG</span><br><span class="line">SIb3DQEJARYNc2VjQGVtYWlsLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IA</span><br><span class="line">BOhXh8LQpC+cATyRNCSm2cEuMLoGY9mCPQCkl2v7z6ZlmsJNYw9ZHeHXKjOfzbN/</span><br><span class="line">rZ1Fj2wQ6BDyEouRhIbZsQOjbzBtMBsGA1UdIwQUMBKAEPl/VbQnlDNiplbKb8xd</span><br><span class="line">Gv8wGQYDVR0OBBIEEJQv2LqXmxUlo4nbIQCC+mMwGAYDVR0RBBEwD4ENc2VjQGVt</span><br><span class="line">YWlsLmNvbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIAwDAMBggqgRzPVQGDdQUA</span><br><span class="line">A0gAMEUCIQDWC+/sbV51DqGF8TyFDhlLzMFv198cmqH2WJt9bIiZgwIgJ1cO33LC</span><br><span class="line">cwmoPfuaXmQrseP+RmOEBjbRRCIh1LGrUhSkBgQEAQAAAK0DAgEB</span><br><span class="line">-----END SSL SESSION PARAMETERS-----</span><br><span class="line">Client certificate</span><br><span class="line">-----BEGIN CERTIFICATE-----</span><br><span class="line">MIICMTCCAdWgAwIBAgIGAXlllRqmMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC</span><br><span class="line">Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN</span><br><span class="line">aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIxMDUxMjE2MDAwMFoYDzIwMjIwNTEyMTYw</span><br><span class="line">MDAwWjB7MQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMH</span><br><span 
class="line">QmVpamluZzEMMAoGA1UEChMDU2VjMQwwCgYDVQQLEwNTZWMxDjAMBgNVBAMTBWtv</span><br><span class="line">cGVyMRwwGgYJKoZIhvcNAQkBFg1zZWNAZW1haWwuY29tMFkwEwYHKoZIzj0CAQYI</span><br><span class="line">KoEcz1UBgi0DQgAE6FeHwtCkL5wBPJE0JKbZwS4wugZj2YI9AKSXa/vPpmWawk1j</span><br><span class="line">D1kd4dcqM5/Ns3+tnUWPbBDoEPISi5GEhtmxA6NvMG0wGwYDVR0jBBQwEoAQ+X9V</span><br><span class="line">tCeUM2KmVspvzF0a/zAZBgNVHQ4EEgQQlC/YupebFSWjidshAIL6YzAYBgNVHREE</span><br><span class="line">ETAPgQ1zZWNAZW1haWwuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwG</span><br><span class="line">CCqBHM9VAYN1BQADSAAwRQIhANYL7+xtXnUOoYXxPIUOGUvMwW/X3xyaofZYm31s</span><br><span class="line">iJmDAiAnVw7fcsJzCag9+5peZCux4/5GY4QGNtFEIiHUsatSFA==</span><br><span class="line">-----END CERTIFICATE-----</span><br><span class="line">subject=/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=koper/emailAddress=sec@email.com</span><br><span class="line">issuer=/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-SM2-WITH-SMS4-SM3:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:AES128-SHA:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3</span><br><span class="line">Signature Algorithms: 
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Peer signing digest: SM3</span><br><span class="line">Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2</span><br><span class="line">Supported Elliptic Curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">Shared Elliptic curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">CIPHER is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Hello!</span><br><span class="line">ERROR</span><br><span class="line">shutting down SSL</span><br><span class="line">CONNECTION CLOSED</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<h3 id="双证书单向认证">双证书单向认证</h3>
<p>抓包文件:3-two-cert-one-auth.pcapng</p>
<p>首先打开服务器s_server(通过-dkey/-dcert额外加载加密证书和解密私钥;命令中没有-verify,因此服务器不会请求客户端证书),服务端命令和输出如下:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_server -key ./sm2.server/sm2.server.sig.key.pem -cert ./sm2.server/sm2.server.sig.crt.pem -dkey ./sm2.server/sm2.server.enc.key.pem -dcert ./sm2.server/sm2.server.enc.crt.pem -CAfile sm2.trust.pem -state -accept 44330</span><br><span class="line">Using default temp DH parameters</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">[GMTLS_DEBUG] set sm2 encryption certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 decryption private key</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
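<p>然后s_client进行连接。从输出看,协商结果是TLSv1.2下的ECDHE-SM2-WITH-SMS4-GCM-SM3,证书链中只出现一张服务器证书,因此这次握手虽然加载了加密证书,但看起来并没有走GMTLS(GM/T 0024)的双证书流程;如需验证真正的双证书握手,应确认所用GmSSL版本的协议选项(例如-gmtls)后重新抓包核对。客户端s_client的输出如下:</p>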
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_client -connect localhost:44330 -key ./sm2.koper/sm2.koper.sig.key.pem -cert ./sm2.koper/sm2.koper.sig.crt.pem -dkey ./sm2.koper/sm2.koper.enc.key.pem -dcert ./sm2.koper/sm2.koper.enc.crt.pem -CAfile sm2.trust.pem -state</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">[GMTLS_DEBUG] set sm2 encryption certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 decryption private key</span><br><span class="line">CONNECTED(00000003)</span><br><span class="line">SSL_connect:before SSL initialization</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS read server 
hello</span><br><span class="line">depth=2 C = CN, O = GMSSL, OU = PKI/SM2, CN = RootCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=1 C = CN, O = GMSSL, OU = PKI/SM2, CN = MiddleCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=0 C = CN, ST = Beijing, L = Beijing, O = Sec, OU = Sec, CN = server, emailAddress = sec@email.com</span><br><span class="line">verify return:1</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate</span><br><span class="line">SSL_connect:SSLv3/TLS read server key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS read server done</span><br><span class="line">SSL_connect:SSLv3/TLS write client key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS read server session ticket</span><br><span class="line">SSL_connect:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS read finished</span><br><span class="line">---</span><br><span class="line">Certificate chain</span><br><span class="line"> 0 s:/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> 1 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> 2 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">---</span><br><span class="line">Server certificate</span><br><span class="line">-----BEGIN CERTIFICATE-----</span><br><span 
class="line">MIICLDCCAc+gAwIBAgIGAXlllPWnMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC</span><br><span class="line">Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN</span><br><span class="line">aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIxMDUxMjE2MDAwMFoYDzIwMjIwNTEyMTYw</span><br><span class="line">MDAwWjB8MQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMH</span><br><span class="line">QmVpamluZzEMMAoGA1UEChMDU2VjMQwwCgYDVQQLEwNTZWMxDzANBgNVBAMTBnNl</span><br><span class="line">cnZlcjEcMBoGCSqGSIb3DQEJARYNc2VjQGVtYWlsLmNvbTBZMBMGByqGSM49AgEG</span><br><span class="line">CCqBHM9VAYItA0IABBpkgKei2J+g3S/qd/KHQL2j6wVhHS+qD2oAxJ/T05zIsBOI</span><br><span class="line">/BC+/xOYX86uk3D9V03zC3J2GNZ1le88SIb4McqjaDBmMBsGA1UdIwQUMBKAEPl/</span><br><span class="line">VbQnlDNiplbKb8xdGv8wGQYDVR0OBBIEEDXQBbbJ66twX//RjZHc4r0wEQYDVR0R</span><br><span class="line">BAowCIIGc2VydmVyMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9V</span><br><span class="line">AYN1BQADSQAwRgIhALEqYaJDmh24cyV3mbKt+4VHBvAirFrv/+g/D4OeWS3YAiEA</span><br><span class="line">jUINEpX+B9UTO4onSuOslfXpsK1ZGU28YARCOjzAUq8=</span><br><span class="line">-----END CERTIFICATE-----</span><br><span class="line">subject=/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line">issuer=/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">---</span><br><span class="line">No client certificate CA names sent</span><br><span class="line">Peer signing digest: SM3</span><br><span class="line">Server Temp Key: ECDH, SM2, 256 bits</span><br><span class="line">---</span><br><span class="line">SSL handshake has read 2000 bytes and written 322 bytes</span><br><span class="line">Verification: OK</span><br><span class="line">---</span><br><span class="line">New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Server public key is 256 bit</span><br><span class="line">Secure Renegotiation IS supported</span><br><span 
class="line">Compression: NONE</span><br><span class="line">Expansion: NONE</span><br><span class="line">No ALPN negotiated</span><br><span class="line">SSL-Session:</span><br><span class="line"> Protocol : TLSv1.2</span><br><span class="line"> Cipher : ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line"> Session-ID: 74900E774DFC5EA731925765651AA7AE8D919A25DCC9219E4987B0B14AC20B1D</span><br><span class="line"> Session-ID-ctx: </span><br><span class="line"> Master-Key: 8B13A72CD68C5F0B8DBFF22A9C97EB67F30F8D11A38FD58DEAD255FEAADEFE426225AA2C90F77809A9853B246A6563C3</span><br><span class="line"> PSK identity: None</span><br><span class="line"> PSK identity hint: None</span><br><span class="line"> SRP username: None</span><br><span class="line"> TLS session ticket lifetime hint: 7200 (seconds)</span><br><span class="line"> TLS session ticket:</span><br><span class="line"> 0000 - 94 e5 a8 ce a0 bd 7a 15-30 4e 4b bb 6c be 41 a8 ......z.0NK.l.A.</span><br><span class="line"> 0010 - fb d9 d2 a1 11 d5 5a 7d-c3 9a 7d 01 c4 50 1b ad ......Z}..}..P..</span><br><span class="line"> 0020 - e7 2d a9 98 5f 64 06 85-0e d7 3e 46 c3 77 d8 13 .-.._d....>F.w..</span><br><span class="line"> 0030 - 2a 4b 4d 45 cb 04 0f 50-d8 d2 fd 94 b7 a5 38 88 *KME...P......8.</span><br><span class="line"> 0040 - 61 14 f3 e3 fb b2 93 e8-16 84 bb 95 41 ee 4f bf a...........A.O.</span><br><span class="line"> 0050 - 80 c2 ef 9e 91 49 0d 23-19 07 80 ff 88 66 fb 8c .....I.#.....f..</span><br><span class="line"> 0060 - 34 b3 1f 4a db 6a 67 29-5a d2 46 aa 4d 89 00 cb 4..J.jg)Z.F.M...</span><br><span class="line"> 0070 - ce 78 f5 bc c3 c0 71 c6-d9 b5 4a a0 2c 3f 95 fb .x....q...J.,?..</span><br><span class="line"> 0080 - 38 51 68 38 15 b7 c1 c6-0f 6d 1e 92 19 f9 7b ed 8Qh8.....m....{.</span><br><span class="line"> 0090 - 67 45 64 e6 9f c8 af 3b-57 80 a6 31 13 13 b8 d2 gEd....;W..1....</span><br><span class="line"></span><br><span class="line"> Start Time: 1620976379</span><br><span class="line"> Timeout : 
7200 (sec)</span><br><span class="line"> Verify return code: 0 (ok)</span><br><span class="line"> Extended master secret: yes</span><br><span class="line">---</span><br><span class="line">Hello!</span><br></pre></td></tr></table></figure>
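<p>服务器端s_server的显示如下(握手状态中没有certificate request和client certificate,即服务器没有认证客户端;另外,这里的SSL SESSION PARAMETERS块与客户端输出中的Master-Key都包含会话主密钥,配合抓包文件即可解密该会话,所以这类输出只应来自测试环境,真实业务连接的输出不要公开):</p>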
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:SSLv3/TLS read client hello</span><br><span class="line">SSL_accept:SSLv3/TLS write server hello</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate</span><br><span class="line">SSL_accept:SSLv3/TLS write key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS read client key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_accept:SSLv3/TLS read finished</span><br><span class="line">SSL_accept:SSLv3/TLS write session ticket</span><br><span class="line">SSL_accept:SSLv3/TLS write change cipher spec</span><br><span 
class="line">SSL_accept:SSLv3/TLS write finished</span><br><span class="line">-----BEGIN SSL SESSION PARAMETERS-----</span><br><span class="line">MFoCAQECAgMDBALhBwQABDCLE6cs1oxfC42/8iqcl+tn8w+NEaOP1Y3q0lX+qt7+</span><br><span class="line">QmIlqiyQ93gJqYU7JGplY8OhBgIEYJ4i+6IEAgIcIKQGBAQBAAAArQMCAQE=</span><br><span class="line">-----END SSL SESSION PARAMETERS-----</span><br><span class="line">Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-SM2-WITH-SMS4-SM3:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:AES128-SHA:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3</span><br><span class="line">Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2</span><br><span class="line">Supported Elliptic Curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">Shared Elliptic curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">CIPHER is 
ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Hello!</span><br><span class="line">ERROR</span><br><span class="line">shutting down SSL</span><br><span class="line">CONNECTION CLOSED</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<h3 id="双证书双向认证">双证书双向认证</h3>
<p>抓包文件:4-two-cert-two-auth.pcapng</p>
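<p>首先打开服务器s_server,与单向认证相比增加了-verify 1,使服务器向客户端发送证书请求。需要注意,OpenSSL系s_server的-verify只是请求客户端证书,客户端不发送证书时握手仍可完成;若要强制客户端认证应使用-Verify(GmSSL的行为是否一致,请以所用版本的帮助信息为准)。服务端命令和输出如下:</p>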
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_server -key ./sm2.server/sm2.server.sig.key.pem -cert ./sm2.server/sm2.server.sig.crt.pem -dkey ./sm2.server/sm2.server.enc.key.pem -dcert ./sm2.server/sm2.server.enc.crt.pem -CAfile sm2.trust.pem -state -accept 44330 -verify 1</span><br><span class="line">verify depth is 1</span><br><span class="line">Using default temp DH parameters</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">[GMTLS_DEBUG] set sm2 encryption certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 decryption private key</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
<p>然后s_client进行连接,客户端s_client的输出如下(握手状态中多出read server certificate request和write client certificate,表明客户端按服务器的请求发送了自己的证书):</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br></pre></td><td class="code"><pre><span class="line">[root@localhost demoCA]# gmssl s_client -connect localhost:44330 -key ./sm2.koper/sm2.koper.sig.key.pem -cert ./sm2.koper/sm2.koper.sig.crt.pem -dkey ./sm2.koper/sm2.koper.enc.key.pem -dcert ./sm2.koper/sm2.koper.enc.crt.pem -CAfile sm2.trust.pem -state</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 signing private key</span><br><span class="line">[GMTLS_DEBUG] set sm2 encryption certificate</span><br><span class="line">[GMTLS_DEBUG] set sm2 decryption private key</span><br><span class="line">CONNECTED(00000003)</span><br><span 
class="line">SSL_connect:before SSL initialization</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS write client hello</span><br><span class="line">SSL_connect:SSLv3/TLS read server hello</span><br><span class="line">depth=2 C = CN, O = GMSSL, OU = PKI/SM2, CN = RootCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=1 C = CN, O = GMSSL, OU = PKI/SM2, CN = MiddleCA for Test</span><br><span class="line">verify return:1</span><br><span class="line">depth=0 C = CN, ST = Beijing, L = Beijing, O = Sec, OU = Sec, CN = server, emailAddress = sec@email.com</span><br><span class="line">verify return:1</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate</span><br><span class="line">SSL_connect:SSLv3/TLS read server key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS read server certificate request</span><br><span class="line">SSL_connect:SSLv3/TLS read server done</span><br><span class="line">SSL_connect:SSLv3/TLS write client certificate</span><br><span class="line">SSL_connect:SSLv3/TLS write client key exchange</span><br><span class="line">SSL_connect:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS write finished</span><br><span class="line">SSL_connect:SSLv3/TLS read server session ticket</span><br><span class="line">SSL_connect:SSLv3/TLS read change cipher spec</span><br><span class="line">SSL_connect:SSLv3/TLS read finished</span><br><span class="line">---</span><br><span class="line">Certificate chain</span><br><span class="line"> 0 s:/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> 1 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line"> 
i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> 2 s:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line"> i:/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">---</span><br><span class="line">Server certificate</span><br><span class="line">-----BEGIN CERTIFICATE-----</span><br><span class="line">MIICLDCCAc+gAwIBAgIGAXlllPWnMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC</span><br><span class="line">Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN</span><br><span class="line">aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIxMDUxMjE2MDAwMFoYDzIwMjIwNTEyMTYw</span><br><span class="line">MDAwWjB8MQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMH</span><br><span class="line">QmVpamluZzEMMAoGA1UEChMDU2VjMQwwCgYDVQQLEwNTZWMxDzANBgNVBAMTBnNl</span><br><span class="line">cnZlcjEcMBoGCSqGSIb3DQEJARYNc2VjQGVtYWlsLmNvbTBZMBMGByqGSM49AgEG</span><br><span class="line">CCqBHM9VAYItA0IABBpkgKei2J+g3S/qd/KHQL2j6wVhHS+qD2oAxJ/T05zIsBOI</span><br><span class="line">/BC+/xOYX86uk3D9V03zC3J2GNZ1le88SIb4McqjaDBmMBsGA1UdIwQUMBKAEPl/</span><br><span class="line">VbQnlDNiplbKb8xdGv8wGQYDVR0OBBIEEDXQBbbJ66twX//RjZHc4r0wEQYDVR0R</span><br><span class="line">BAowCIIGc2VydmVyMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9V</span><br><span class="line">AYN1BQADSQAwRgIhALEqYaJDmh24cyV3mbKt+4VHBvAirFrv/+g/D4OeWS3YAiEA</span><br><span class="line">jUINEpX+B9UTO4onSuOslfXpsK1ZGU28YARCOjzAUq8=</span><br><span class="line">-----END CERTIFICATE-----</span><br><span class="line">subject=/C=CN/ST=Beijing/L=Beijing/O=Sec/OU=Sec/CN=server/emailAddress=sec@email.com</span><br><span class="line">issuer=/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">---</span><br><span class="line">Acceptable client certificate CA names</span><br><span class="line">/C=CN/O=GMSSL/OU=PKI/SM2/CN=RootCA for Test</span><br><span class="line">/C=CN/O=GMSSL/OU=PKI/SM2/CN=MiddleCA for Test</span><br><span class="line">Client Certificate 
Types: RSA sign, DSA sign, ECDSA sign</span><br><span class="line">Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Peer signing digest: SM3</span><br><span class="line">Server Temp Key: ECDH, SM2, 256 bits</span><br><span class="line">---</span><br><span class="line">SSL handshake has read 2204 bytes and written 334 bytes</span><br><span class="line">Verification: OK</span><br><span class="line">---</span><br><span class="line">New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Server public key is 256 bit</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Compression: NONE</span><br><span class="line">Expansion: NONE</span><br><span class="line">No ALPN negotiated</span><br><span class="line">SSL-Session:</span><br><span class="line"> Protocol : TLSv1.2</span><br><span class="line"> Cipher : ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line"> Session-ID: 8F24410489864FE9CB6688032BBB484DC641531AC1BEA0CCB256C60C06DEA4FA</span><br><span class="line"> Session-ID-ctx: </span><br><span class="line"> Master-Key: EC69FA7721F60D09C2F58EFFC5CE0061FD9D73F46A13D91BE89A593282F7DAA3534D1826D1E2B5D05EDADF6A37E60B7A</span><br><span class="line"> PSK identity: None</span><br><span class="line"> PSK identity hint: None</span><br><span class="line"> SRP username: None</span><br><span class="line"> TLS session ticket lifetime hint: 7200 (seconds)</span><br><span class="line"> TLS session ticket:</span><br><span class="line"> 0000 - cc 97 5c 83 02 da d4 9c-30 03 6a 4b 12 fd 24 c2 
..\.....0.jK..$.</span><br><span class="line"> 0010 - a1 80 ca ff 04 95 33 39-3c 23 a6 6c 44 95 e2 33 ......39<#.lD..3</span><br><span class="line"> 0020 - 23 bd 56 20 9e 25 9b 7d-52 36 7a 3b 11 c6 eb b0 #.V .%.}R6z;....</span><br><span class="line"> 0030 - d0 bd 7a 62 3e 12 a0 39-35 a3 03 7a 2a fc 93 2e ..zb>..95..z*...</span><br><span class="line"> 0040 - d0 f0 88 a1 6b 99 f3 12-8f 37 d6 cc 6f 30 5f fb ....k....7..o0_.</span><br><span class="line"> 0050 - 78 2e 45 d8 05 d4 fd 6c-69 56 66 e9 f9 73 5c d7 x.E....liVf..s\.</span><br><span class="line"> 0060 - 17 68 80 b9 53 19 d4 71-ad 97 8b df a7 3b 11 5f .h..S..q.....;._</span><br><span class="line"> 0070 - 3e 32 55 77 6d 2d 1d a0-95 2e b8 cd 44 de d5 4f >2Uwm-......D..O</span><br><span class="line"> 0080 - 62 ab 1a 02 8f 47 e9 ac-63 56 15 0b 80 a3 1e 84 b....G..cV......</span><br><span class="line"> 0090 - 7f 54 e7 f9 d1 39 9e 7e-67 85 d5 1a e3 6e db ad .T...9.~g....n..</span><br><span class="line"></span><br><span class="line"> Start Time: 1620976664</span><br><span class="line"> Timeout : 7200 (sec)</span><br><span class="line"> Verify return code: 0 (ok)</span><br><span class="line"> Extended master secret: yes</span><br><span class="line">---</span><br><span class="line">Hello!</span><br></pre></td></tr></table></figure>
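<p>说明:上面客户端输出中的 Master-Key,以及下面服务器端输出的 SSL SESSION PARAMETERS,都含有本次会话的主密钥。这里是 localhost 上的测试连接,所以无妨;真实环境的此类输出不要原样公开,因为拿到主密钥并抓到该会话流量的人可以解密这次通信。另外从输出可以看到,本次实际协商的是 TLSv1.2 和 ECDHE-SM2-WITH-SMS4-GCM-SM3 套件;如果要验证的是国密 SSL(GMTLS)协议本身,应以 Protocol 一行为准进行确认。</p>
<p>服务器端s_server的显示如下:</p>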
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:before SSL initialization</span><br><span class="line">SSL_accept:SSLv3/TLS read client hello</span><br><span class="line">SSL_accept:SSLv3/TLS write server hello</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate</span><br><span class="line">SSL_accept:SSLv3/TLS write key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS write certificate request</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS write server done</span><br><span class="line">SSL_accept:SSLv3/TLS read client certificate</span><br><span class="line">SSL_accept:SSLv3/TLS read client key exchange</span><br><span class="line">SSL_accept:SSLv3/TLS read change cipher spec</span><br><span 
class="line">SSL_accept:SSLv3/TLS read finished</span><br><span class="line">SSL_accept:SSLv3/TLS write session ticket</span><br><span class="line">SSL_accept:SSLv3/TLS write change cipher spec</span><br><span class="line">SSL_accept:SSLv3/TLS write finished</span><br><span class="line">-----BEGIN SSL SESSION PARAMETERS-----</span><br><span class="line">MFoCAQECAgMDBALhBwQABDDsafp3IfYNCcL1jv/FzgBh/Z1z9GoT2Rvomlkygvfa</span><br><span class="line">o1NNGCbR4rXQXtrfajfmC3qhBgIEYJ4kGKIEAgIcIKQGBAQBAAAArQMCAQE=</span><br><span class="line">-----END SSL SESSION PARAMETERS-----</span><br><span class="line">Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-SM2-WITH-SMS4-SM3:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:AES128-SHA:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3</span><br><span class="line">Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:SM2+SM3</span><br><span class="line">Supported Elliptic Curve Point Formats: 
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2</span><br><span class="line">Supported Elliptic Curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">Shared Elliptic curves: SM2:X25519:P-256:P-521:P-384</span><br><span class="line">CIPHER is ECDHE-SM2-WITH-SMS4-GCM-SM3</span><br><span class="line">Secure Renegotiation IS supported</span><br><span class="line">Hello!</span><br><span class="line">ERROR</span><br><span class="line">shutting down SSL</span><br><span class="line">CONNECTION CLOSED</span><br><span class="line">ACCEPT</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h1>参考:</h1>
<h2 id="国密SSL-HTTP">国密SSL/HTTP</h2>
<ul>
<li>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/WoTrusCA">沃通的CSDN官方博客</a>有许多GM相关的东西,可以多看看</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/WoTrusCA/article/details/108366659?spm=1001.2014.3001.5501">沃通:关于国密HTTPS的那些事(一)</a>:国密SSL的协议过程的图解详细分析(双证书和双向认证)。</p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/GM-SSL-Process.png" alt="GM-SSL-Process"></p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/WoTrusCA/article/details/108398730?spm=1001.2014.3001.5501">沃通:关于国密HTTPS的那些事(二)</a>:每个协议版本和密码组件都有其对应的值(Value),ClientHello中包含客户端本地支持的所有密码组件,以供服务端可以选择。</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/WoTrusCA/article/details/108440658?spm=1001.2014.3001.5501">沃通:关于国密HTTPS的那些事(三)</a>:12个国密组件及其对应值,简单阐述了国密SSL和Openssl的区别。</p>
<p><img src="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/GM-CipherSuites.png" alt="GM-CipherSuites"></p>
</li>
<li>
<p><strong>GmSSL-Github-guanzhi相关:</strong></p>
<p>CSDN-viqjeee:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_39952971/article/details/115178980">gmssl 国密ssl流程测试</a></p>
<p>CSDN-viqjeee:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_39952971/article/details/115168241">gmssl国密双证书制作</a></p>
<p>CSDN-viqjeee:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_39952971/article/details/115251306?spm=1001.2014.3001.5501">登录过程中密码的安全和攻击风险</a></p>
<p>CSDN-viqjeee:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_39952971/article/details/114868960?spm=1001.2014.3001.5501">使用第三方PC对通信设备进行抓包的方法</a></p>
<p>CSDN-小火龙呢:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_15077747/article/details/108218240">GMSSL编译及https链接(一)</a></p>
<p>CSDN-小火龙呢:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_15077747/article/details/102501978?spm=1001.2014.3001.5501">TCP的三次握手与四次挥手理解</a></p>
<p><a target="_blank" rel="noopener" href="https://kb.cnblogs.com/page/162080/">SSL协议详解</a></p>
<p>CSDN-小火龙呢:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_15077747/article/details/108220046?spm=1001.2014.3001.5501">编译配置nginx支持国密(二)</a></p>
<p>CSDN-小火龙呢:<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_15077747/article/details/108602988?spm=1001.2014.3001.5501">gmssl编译后不支持360浏览器双向https问题</a></p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/bigben0123/p/12650545.html">OpenSSL和GmSSL在Windows下编译过程</a></p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/cherishui/p/14626196.html">SSL/TLS 与国密算法</a></p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/skills/p/13620478.html">GmSSL开发环境搭建及双证书生成</a>:在生成证书里面是讲的最详细也是最好的一个博客文章(注意博客生成根证书的时候命令有一处错误,Root.key应该改成CA.key)(注意里面的key和crt文件)(如果这里的证书不行,直接去国密SSL实验室进行生成就行,都有;如果私钥也是由该在线平台生成的,这类证书和私钥只适合测试环境,不要用于生产)</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/mogoweb/article/details/105020965">何为单证书和双证书?</a></p>
</li>
</ul>
<h2 id="初期资料">初期资料</h2>
<p><a target="_blank" rel="noopener" href="https://juejin.cn/post/6844904114879463438">掘金:浅谈国密算法</a>;</p>
<p><a target="_blank" rel="noopener" href="https://www.jianshu.com/p/3ac6d7b3cf02">简书:国密算法</a>;</p>
<p><a target="_blank" rel="noopener" href="https://github.com/PopezLotado/SM2Java">SM2的Java算法实现</a></p>
<p><a target="_blank" rel="noopener" href="https://github.com/windard/sm4/blob/master/README.md">SM4:Github的一个项目</a>;</p>
<p><a target="_blank" rel="noopener" href="https://www.huaweicloud.com/theme/484689-1-G">华为云:国产密码算法</a>;</p>
<p><a target="_blank" rel="noopener" href="https://github.com/hwyqb/SM2_SM3_SM4Encrypt">SM2/SM3/SM4的Java算法实现-Github</a>;</p>
<p><a target="_blank" rel="noopener" href="https://www.wosign.com/FAQ/faq_2019062501.htm">国密SSL协议</a>;</p>
<p><a target="_blank" rel="noopener" href="https://fisco-bcos-documentation.readthedocs.io/zh_CN/latest/docs/articles/3_features/36_cryptographic/index.html">国密算法和协议</a>;</p>
<p><a target="_blank" rel="noopener" href="https://patents.google.com/patent/CN106656939A/zh">专利:国密SSL协议和标准SSL协议转发系统及方法</a>;</p>
<p><a target="_blank" rel="noopener" href="https://patents.google.com/patent/CN104394179A/zh">专利:支持国密算法的安全套接层协议扩展方法</a>;</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/mrpre/article/details/78015580">CSDN:国密SSL协议</a>;CSDN的源码:<a target="_blank" rel="noopener" href="https://github.com/mrpre/atls">Github:ATls</a>;有wireshark抓包进行分析</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/WoTrusCA/article/details/108440658">关于国密HTTPS的那些事</a></p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/upset_ming/article/details/79880688">国密SSL协议开发总结(附报文详细分析)</a>:详细分析了GMSSL协议的各个部分和过程(很全了),其<a target="_blank" rel="noopener" href="https://blog.csdn.net/upset_ming">大宝CA国密SSL国密TOMCAT_CSDN博客</a>有一些相关的东西,注意还有一个<a target="_blank" rel="noopener" href="https://www.doubleca.com/test_toIndexPage.action">大宝CA数字证书测试平台</a>。</p>
<p><em><strong>segmentfault平台:</strong></em><a target="_blank" rel="noopener" href="https://segmentfault.com/a/1190000024448440">国密SSL性能测试</a>-可以结合前面国密SSL实验室的测试工具进行。<a target="_blank" rel="noopener" href="https://segmentfault.com/a/1190000023890321?utm_source=sf-similar-article">国密SSL之Java实现</a>-有Java源码,感觉可能会存在一些问题。<a target="_blank" rel="noopener" href="https://segmentfault.com/a/1190000016808783?utm_source=sf-similar-article">Bytom国密网说明和指南</a>-有Github源码。</p>
<p><a target="_blank" rel="noopener" href="https://developer.aliyun.com/article/770830">国密SSL协议之Nginx集成</a>:结合前面的<em>国密SSL实验室</em>进行,在CentOS 7环境上实验(失败)</p>
<p><a target="_blank" rel="noopener" href="https://cloud.tencent.com/developer/article/1597165">搭建国密SSL开发测试环境</a>:结合前面的<em><strong>GmSSL-关志教师-Github</strong></em>进行,在CentOS 7环境上进行实验(成功)</p>
<!-- flag of hidden posts --></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">Koper</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://koper.top/2021/04/28/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/">https://koper.top/2021/04/28/国密算法-协议-工控/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://koper.top" target="_blank">Koper</a>!</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/algorithm/">algorithm</a><a class="post-meta__tags" href="/tags/protocol/">protocol</a><a class="post-meta__tags" href="/tags/Industrial-control/">Industrial control</a></div><div class="post_share"><div class="social-share" data-image="/images/%E5%9B%BD%E5%AF%86%E7%AE%97%E6%B3%95-%E5%8D%8F%E8%AE%AE-%E5%B7%A5%E6%8E%A7/gmssl-cover.png" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"></nav><div class="relatedPosts"><div class="headline"><i class="fas fa-thumbs-up fa-fw"></i><span> 相关推荐</span></div><div class="relatedPosts-list"><div><a href="/2021/04/27/LeetCode/" title="LeetCode"><img class="cover" src="/images/LeetCode/cover.jpg" alt="cover"><div class="content is-center"><div class="date"><i class="far fa-calendar-alt fa-fw"></i> 2021-04-27</div><div 
class="title">LeetCode</div></div></a></div></div></div></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="card-info-avatar is-center"><img class="avatar-img" src="/images/avatar-1.jpeg" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/><div class="author-info__name">Koper</div><div class="author-info__description">在读打工人的学习和日常分享</div></div><div class="card-info-data"><div class="card-info-data-item is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">10</div></a></div><div class="card-info-data-item is-center"><a href="/tags/"><div class="headline">标签</div><div class="length-num">10</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/Jupiterliu"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/Jupiterliu" target="_blank" title="Github"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:taifengl@outlook.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">科研人,科研魂,科研就是人上人!!!</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link"><span class="toc-number">1.</span> <span class="toc-text">国密标准</span></a></li><li class="toc-item toc-level-1"><a class="toc-link"><span class="toc-number">2.</span> <span class="toc-text">国密SSL/TLS</span></a></li><li class="toc-item toc-level-1"><a class="toc-link"><span class="toc-number">3.</span> <span class="toc-text">实验</span></a><ol 
class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%AC%AC%E4%B8%80%E6%AC%A1GmSSL%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%AE%9E%E9%AA%8C%EF%BC%88%E5%9B%BD%E5%AF%86SSL%E5%AE%9E%E9%AA%8C%E5%AE%A4%EF%BC%89%EF%BC%9A"><span class="toc-number">3.1.</span> <span class="toc-text">第一次GmSSL环境搭建实验(国密SSL实验室):</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%AC%AC%E4%BA%8C%E6%AC%A1GmSSL%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%AE%9E%E9%AA%8C%EF%BC%88GmSSL-%E5%85%B3%E5%BF%97%E6%95%99%E6%8E%88%EF%BC%89%EF%BC%9A"><span class="toc-number">3.2.</span> <span class="toc-text">第二次GmSSL环境搭建实验(GmSSL-关志教授):</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%AC%AC%E4%B8%89%E6%AC%A1GMSSL%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%EF%BC%88%E5%9B%BD%E5%AF%86SSL%E5%AE%9E%E9%AA%8C%E5%AE%A4%EF%BC%89"><span class="toc-number">3.3.</span> <span class="toc-text">第三次GMSSL环境搭建(国密SSL实验室)</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%AC%AC%E5%9B%9B%E6%AC%A1GmSSL%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%EF%BC%88%E7%99%BE%E5%BA%A6%E4%BA%91VPS%E4%B8%BB%E6%9C%BA%EF%BC%89"><span class="toc-number">3.4.</span> <span class="toc-text">第四次GmSSL环境搭建(百度云VPS主机)</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%AD%A3%E5%BC%8F%E5%AE%9E%E9%AA%8C%E8%AE%B0%E5%BD%95%EF%BC%88%E7%AC%AC%E5%9B%9B%E6%AC%A1%E6%90%AD%E5%BB%BA%E5%AE%9E%E9%AA%8C%EF%BC%89%EF%BC%9A"><span class="toc-number">3.5.</span> <span class="toc-text">正式实验记录(第四次搭建实验):</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%AD%A3%E5%BC%8F%E5%AE%9E%E9%AA%8C%E8%AE%B0%E5%BD%95%EF%BC%88%E7%AC%AC%E4%BA%8C%E6%AC%A1%E6%90%AD%E5%BB%BA%E5%AE%9E%E9%AA%8C%EF%BC%89%EF%BC%9A"><span class="toc-number">3.6.</span> <span class="toc-text">正式实验记录(第二次搭建实验):</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" 
href="#%E5%8D%95%E8%AF%81%E4%B9%A6%E5%8D%95%E5%90%91%E8%AE%A4%E8%AF%81%EF%BC%9A"><span class="toc-number">3.6.1.</span> <span class="toc-text">单证书单向认证:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8D%95%E8%AF%81%E4%B9%A6%E5%8F%8C%E5%90%91%E8%AE%A4%E8%AF%81"><span class="toc-number">3.6.2.</span> <span class="toc-text">单证书双向认证</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8F%8C%E8%AF%81%E4%B9%A6%E5%8D%95%E5%90%91%E8%AE%A4%E8%AF%81"><span class="toc-number">3.6.3.</span> <span class="toc-text">双证书单向认证</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8F%8C%E8%AF%81%E4%B9%A6%E5%8F%8C%E5%90%91%E8%AE%A4%E8%AF%81"><span class="toc-number">3.6.4.</span> <span class="toc-text">双证书双向认证</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link"><span class="toc-number">4.</span> <span class="toc-text">参考:</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%9B%BD%E5%AF%86SSL-HTTP"><span class="toc-number">4.1.</span> <span class="toc-text">国密SSL/HTTP</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%9D%E6%9C%9F%E8%B5%84%E6%96%99"><span class="toc-number">4.2.</span> <span class="toc-text">初期资料</span></a></li></ol></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2021/09/05/Papers/" title="Papers"><img src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/img/default.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Papers"/></a><div class="content"><a class="title" href="/2021/09/05/Papers/" title="Papers">Papers</a><time datetime="2021-09-05T01:20:22.000Z" title="发表于 2021-09-05 09:20:22">2021-09-05</time></div></div><div class="aside-list-item"><a class="thumbnail" 
href="/2021/08/26/Roadmap-of-Java-Learning/" title="Roadmap of Java Learning"><img src="/images/Roadmap-of-Java-Learning/2021%20%E5%B9%B4%20Java%20%E5%BC%80%E5%8F%91%E4%BA%BA%E5%91%98%E7%9A%84%E8%B7%AF%E7%BA%BF%E5%9B%BE.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Roadmap of Java Learning"/></a><div class="content"><a class="title" href="/2021/08/26/Roadmap-of-Java-Learning/" title="Roadmap of Java Learning">Roadmap of Java Learning</a><time datetime="2021-08-26T03:02:03.000Z" title="发表于 2021-08-26 11:02:03">2021-08-26</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/07/15/TLS-Scanner%E9%A1%B9%E7%9B%AE/" title="TLS-Scanner项目"><img src="/images/TLS-Scanner%E9%A1%B9%E7%9B%AE/TLS-Scanner-cover.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="TLS-Scanner项目"/></a><div class="content"><a class="title" href="/2021/07/15/TLS-Scanner%E9%A1%B9%E7%9B%AE/" title="TLS-Scanner项目">TLS-Scanner项目</a><time datetime="2021-07-15T08:18:47.000Z" title="发表于 2021-07-15 16:18:47">2021-07-15</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">©2021 By Koper</div><div class="footer_custom_text">Hi, welcome to my <a href="https://koper.top/">blog</a>!</div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div id="local-search"><div 
class="search-dialog"><div class="search-dialog__title" id="local-search-title">本地搜索</div><div id="local-input-panel"><div id="local-search-input"><div class="local-search-box"><input class="local-search-box--input" placeholder="搜索文章" type="text"/></div></div></div><hr/><div id="local-search-results"></div><span class="search-close-button"><i class="fas fa-times"></i></span></div><div id="search-mask"></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/node-snackbar/dist/snackbar.min.js"></script><script src="/js/search/local-search.js"></script><script>var preloader = {
endLoading: () => {
document.body.style.overflow = 'auto';
document.getElementById('loading-box').classList.add("loaded")
},
initLoading: () => {
document.body.style.overflow = '';
document.getElementById('loading-box').classList.remove("loaded")
}
}
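// Hide the loading overlay once the window has finished loading.
// The handler is passed by reference: calling it here instead would run it
// while this script is parsed and register `undefined` as the listener.
window.addEventListener('load', preloader.endLoading)</script>
<div class="js-pjax"></div>
<!-- NOTE(review): the jsDelivr scripts below are loaded without an exact
     version pin (butterfly-extsrc@1 is a range, pjax has no version) and
     without integrity/crossorigin attributes. Pin exact versions and add SRI
     hashes so a changed CDN file cannot execute on this origin. -->
<script defer="defer" id="ribbon" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/canvas-ribbon.min.js" size="150" alpha="0.6" zIndex="-1" mobile="false" data-click="false"></script>
<script id="click-show-text" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/click-show-text.min.js" data-mobile="false" data-text="富强,民主,文明,和谐,自由,平等,公正,法治,爱国,敬业,诚信,友善" data-fontsize="15px" data-random="false" async="async"></script>
<script src="https://cdn.jsdelivr.net/npm/pjax/pjax.min.js"></script>
<script>
// Page regions that Pjax swaps in place when an internal link is followed.
let pjaxSelectors = [
  'title',
  '#config-diff',
  '#body-wrap',
  '#rightside-config-hide',
  '#rightside-config-show',
  '.js-pjax'
]

// Disabled in this build (the condition is the literal `false`): would also
// refresh the Open Graph meta tags on navigation.
if (false) {
  pjaxSelectors.unshift('meta[property="og:image"]', 'meta[property="og:title"]', 'meta[property="og:url"]')
}

// Pjax handles every anchor except those that open in a new tab.
var pjax = new Pjax({
  elements: 'a:not([target="_blank"])',
  selectors: pjaxSelectors,
  cacheBust: false,
  analytics: false,
  scrollRestoration: false
})

// After each Pjax navigation: re-initialise the widgets that depend on the
// swapped content.
document.addEventListener('pjax:complete', function () {
  window.refreshFn()

  // Clone every script[data-pjax] into a fresh <script> element (attributes
  // and inline text copied) and swap it in, so that it executes again.
  // NOTE(review): this runs whatever data-pjax scripts are in the document
  // after the swap; keep untrusted markup out of the swapped regions.
  document.querySelectorAll('script[data-pjax]').forEach(item => {
    const newScript = document.createElement('script')
    const content = item.text || item.textContent || item.innerHTML || ""
    Array.from(item.attributes).forEach(attr => newScript.setAttribute(attr.name, attr.value))
    newScript.appendChild(document.createTextNode(content))
    item.parentNode.replaceChild(newScript, item)
  })

  // Each optional integration is called only when its global exists.
  GLOBAL_CONFIG.islazyload && window.lazyLoadInstance.update()
  typeof chatBtnFn === 'function' && chatBtnFn()
  typeof panguInit === 'function' && panguInit()

  // google analytics (the tracking id argument is an empty string here)
  typeof gtag === 'function' && gtag('config', '', {'page_path': window.location.pathname});

  // baidu analytics
  typeof _hmt === 'object' && _hmt.push(['_trackPageview',window.location.pathname]);

  typeof loadMeting === 'function' && document.getElementsByClassName('aplayer').length && loadMeting()

  // Analytics (disabled in this build: the condition is the literal `false`)
  if (false) {
    MtaH5.pgv()
  }

  // prismjs
  typeof Prism === 'object' && Prism.highlightAll()

  // The new page is in place: hide the loading overlay again.
  typeof preloader === 'object' && preloader.endLoading()
})

// Before each Pjax navigation: show the loading overlay and tear down
// per-page state.
document.addEventListener('pjax:send', function () {
  typeof preloader === 'object' && preloader.initLoading()

  // Destroy every audio player that is not marked as fixed.
  if (window.aplayers) {
    for (let i = 0; i < window.aplayers.length; i++) {
      if (!window.aplayers[i].options.fixed) {
        window.aplayers[i].destroy()
      }
    }
  }

  typeof typed === 'object' && typed.destroy()

  // reset readmode
  const $bodyClassList = document.body.classList
  $bodyClassList.contains('read-mode') && $bodyClassList.remove('read-mode')
})

// A 404 response during Pjax navigation loads the site's 404 page instead.
document.addEventListener('pjax:error', (e) => {
  if (e.request.status === 404) {
    pjax.loadUrl('/404.html')
  }
})</script>
<!-- Visitor counter, re-executed after each Pjax navigation (data-pjax).
     Loaded with an explicit https: scheme instead of a protocol-relative URL.
     NOTE(review): third-party script without an integrity attribute. -->
<script async data-pjax src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div>
<!-- Injects /sw-register.js with a cache-busting query string once the window
     has loaded. -->
<script async>window.onload=function(){var a=document.createElement('script'),b=document.getElementsByTagName('script')[0];a.type='text/javascript',a.async=!0,a.src='/sw-register.js?v='+Date.now(),b.parentNode.insertBefore(a,b)};</script></body></html>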