gmssl server communicating with the 360 GM (Guomi) browser: gmssl returns Decrypt Error #940

Closed
sydkhfl opened this issue Apr 3, 2020 · 13 comments

Comments


sydkhfl commented Apr 3, 2020

On the server I am using gmssl's s_server to listen on port 443:

[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
ACCEPT

Connecting to it with the 360 GM browser, I found that gmssl fails when verifying the 360 browser:

SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:SSLv3/TLS write key exchange
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS read client key exchange
SSL_accept:SSLv3/TLS read change cipher spec
SSL3 alert write:fatal:decrypt error
SSL_accept:error in error
ERROR
139959203039040:error:1416C095:SSL routines:tls_process_finished:digest check failed:ssl/statem/statem_lib.c:266:

Debugging shows where the error is raised:

File: ssl/statem/statem_lib.c
Function: tls_process_finished
Exits with error at: CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, i) != 0

image

Packet capture:

360 GM browser to gmssl:
    sent Client Hello / Client Key Exchange / Change Cipher Spec / Encrypted Handshake Message
gmssl to 360 GM browser:
    sent Server Hello / Certificate / Server Key Exchange / Server Hello Done
Alert:
    the server reports Alert Decrypt Error

image

Changes already made:

Following https://github.com/guanzhi/GmSSL/issues/939,
I changed
EVP_SignUpdate(md_ctx, buf, n) to EVP_SignUpdate(md_ctx, buf, n+3)
The ID used is the default "1234567812345678"

Nu1i commented Apr 7, 2020

Has this problem been solved? I have run into the same problem.


sydkhfl commented Apr 7, 2020

No


Nu1i commented Apr 7, 2020

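@yalifeng Check whether the cipher suite negotiated between your client and server is ECDHE_SM4_SM3 or ECC_SM4_SM3. After I made the change from 939, ECC_SM4_SM3 passes in debugging, but ECDHE_SM4_SM3 still gives the same error.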


Nu1i commented Apr 7, 2020

@yalifeng The ECDHE_SM4_SM3 algorithm can only be used in mutual (two-way) SSL; this seems to be the cause of this problem.


sydkhfl commented Apr 7, 2020

Are you also accessing it with the 360 browser?


sydkhfl commented Apr 7, 2020

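@yalifeng The ECDHE_SM4_SM3 algorithm can only be used in mutual (two-way) SSL; this seems to be the cause of this problem.

My server uses gmssl's s_server to listen:
./gmssl s_server -gmtls -accept 443 -cert ../sm2Certs/SS.cert.pem -key ../sm2Certs/SS.key.pem -dcert ../sm2Certs/SE.cert.pem -dkey ../sm2Certs/SE.key.pem
Then I access it directly with the 360 browser.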


sydkhfl commented Apr 7, 2020

@Nu1i How did you specify it? In my packet capture, the cipher suite used is 0xe013.


sydkhfl commented Apr 8, 2020

Which version of gmssl are you using?


Nu1i commented Apr 8, 2020

@yalifeng I use gmssl as the client to access other servers, and that works fine, but when gmssl is the server, the problem is the same as yours.


sydkhfl commented Apr 8, 2020

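Additional information:

  • 1. Using the unmodified gmssl to communicate with its own client

Server side:
./gmssl s_server -gmtls -accept 443 -cert ./sm2Certs/SS.cert.pem -key ./sm2Certs/SS.key.pem -dcert ./sm2Certs/SE.cert.pem -dkey ./sm2Certs/SE.key.pem -state
Client side:
./gmssl s_client -gmtls -cipher 'SM2-WITH-SMS4-SM3' -connect localhost:443
Communication:
After connecting, I sent messages and they went through normally; the packet capture also looks normal.

image

  • 2. Using the unmodified gmssl to communicate with the 360 GM browser:

In the capture screenshot, 217 is the gmssl server and 94 is the client.
image

  • 3. Using the modified gmssl to communicate with the 360 GM browser:
    To rule out a mistake in my own modification, I tried the branch proposed in 939, GmSSL-patch-3, and got the same result as with my modification.
    This time the 360 browser appears to have correctly verified what the server sent, but gmssl again failed to verify what 360 sent.
    image
    image

  • 3. Using the modified gmssl to communicate with itself:
    I found that it can no longer communicate with itself either; it gets stuck at the same place as the unmodified version did with the 360 browser.
    image

  • 4. Using gmssl to communicate with the MeSign (密信) browser:
    I found that when the MeSign browser sends its Client Hello, it does not send any GM cipher suites, so the handshake cannot complete.
    The nginx I configured can only communicate using GM cipher suites, so because the MeSign browser did not send GM suites, it fails.
    image
    image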

@wuyougongzi

May I ask, has the problem been solved? I have run into the same problem.


JagnDC commented Jun 22, 2020

Hello, may I ask whether this problem of yours has been solved?

@github-actions

Marked as stale issue. Will be closed later if no activity for a while.
