
"nghttp2::asio_http2::client" with TLS 1.3 - SSL_CTX_set_cipher_list doesn't add cipher suite in cipher suites

I use nghttp2 asio_http2_client with the TLS 1.3 protocol, but when I try to add additional suites to the cipher suites list via the SSL_CTX_get_ciphers function, I don't see any changes in my Client Hello message. I.e. the cipher suites list stays unchanged.

My code example:

#include <nghttp2/asio_http2_client.h>
#include <openssl/ssl.h>

#include <cstdio>
#include <iostream>

using boost::asio::ip::tcp;

using namespace nghttp2::asio_http2;
using namespace nghttp2::asio_http2::client;

int main(int argc, char* argv[])
{
    boost::system::error_code ec;
    boost::asio::io_service io_service;

    // Context restricted to TLS 1.3 as the client protocol.
    boost::asio::ssl::context tls(boost::asio::ssl::context::tlsv13_client);
    tls.set_verify_mode(boost::asio::ssl::verify_peer);

    // A mixed list: TLS 1.3 suite names (TLS_*) and pre-1.3 OpenSSL cipher
    // names, all handed to SSL_CTX_set_cipher_list().
    // https://testssl.sh/openssl-iana.mapping.html
    auto rc = SSL_CTX_set_cipher_list(
        tls.native_handle(),
        R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
    if (rc != 1) {
        std::cout << "no cipher list found " << rc << std::endl;
    }

    // Print the cipher list the context now holds.
    auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
    printf("after SSL_CTX_set_cipher_list()\n");
    for (int i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
        printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
    printf("\n");

    // nghttp2's own client-side TLS setup (options, ALPN).
    configure_tls_context(ec, tls);
    if (ec) {
        std::cerr << "configure_tls_context: " << ec.message() << std::endl;
        return 1;
    }

    // connect to
    session sess(io_service, tls, "www.google.com", "443");

    sess.on_connect([](tcp::resolver::iterator endpoint_it) {
        std::cerr << "Connected!" << std::endl;
    });

    sess.on_error([](const boost::system::error_code& ec) {
        std::cerr << "error: " << ec.message() << std::endl;
    });

    io_service.run();
}

In Wireshark I see the following output (4 cipher suites, but there are many more cipher suites in the SSL_CTX_set_cipher_list arguments):

I did an experiment with SSL_CTX_set_cipher_list and commented out the following lines:

    auto rc = SSL_CTX_set_cipher_list(
        tls.native_handle(),
        R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
    if (rc != 1) {
        std::cout << "no cipher list found " << rc << std::endl;
    }

    // Print the cipher list the context now holds.
    auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
    printf("after SSL_CTX_set_cipher_list()\n");
    for (int i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
        printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));
    printf("\n");

But the cipher suite list remained the same. What's wrong?

If you go to the documentation for SSL_CTX_get_ciphers, it states:

SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and below)

and

This function does not impact TLSv1.3 ciphersuites. Use SSL_CTX_set_ciphersuites() to configure those.

So you need to go and read the SSL_CTX_set_cipher_list API, as the v1.3 cipher list is a lot different from, and much smaller than, the list for v1.2 and below.
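The practical consequence of the answer above is that OpenSSL keeps two separate lists, and a string that mixes TLS 1.3 suite names with pre-1.3 cipher names has to be split before it is handed to the two APIs. The following is an added example (not code from the original post or from nghttp2) that does that split: every name spelled the IANA way (`TLS_...`) goes to `SSL_CTX_set_ciphersuites()`, everything else to `SSL_CTX_set_cipher_list()`. The string-handling part is plain C++ and builds anywhere; the part that applies the result to an `SSL_CTX` and reads back what the context will offer, tagging each entry with `SSL_CIPHER_get_version()`, is compiled only with `-DWITH_OPENSSL -lssl -lcrypto`. The sample input is the exact string from the question. Two caveats the code comments repeat: `SSL_CTX_set_cipher_list()` silently drops names it does not know and still returns 1 as long as something matched, whereas `SSL_CTX_set_ciphersuites()` returns 0 if any name is unknown; and a context created as `boost::asio::ssl::context::tlsv13_client` is pinned to TLS 1.3, so the pre-1.3 list is never advertised in that Client Hello anyway, which is why only the TLS 1.3 suites show up in Wireshark.

```cpp
// Added example: split a mixed OpenSSL cipher string into the two lists that
// OpenSSL configures through two different calls. Not code from the original
// post or from nghttp2.
#include <iostream>
#include <string>
#include <vector>

struct CipherConfig {
    std::string tls13_suites;    // argument for SSL_CTX_set_ciphersuites()
    std::string legacy_ciphers;  // argument for SSL_CTX_set_cipher_list()

    // True when the caller's original string mixed both kinds, i.e. the
    // situation in the question: the TLS_* names were passed to the legacy
    // API, which does not know them and silently drops them.
    bool mixedLists() const { return !tls13_suites.empty() && !legacy_ciphers.empty(); }
};

// OpenSSL cipher strings separate entries with ':', ',' or spaces.
static std::vector<std::string> splitCipherString(const std::string& s) {
    std::vector<std::string> parts;
    std::string cur;
    for (char ch : s) {
        if (ch == ':' || ch == ',' || ch == ' ') {
            if (!cur.empty()) parts.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(ch);
        }
    }
    if (!cur.empty()) parts.push_back(cur);
    return parts;
}

static std::string joinWithColons(const std::vector<std::string>& v) {
    std::string out;
    for (size_t i = 0; i < v.size(); ++i) {
        if (i) out += ':';
        out += v[i];
    }
    return out;
}

// OpenSSL names its TLS 1.3 suites with their IANA names, which all start
// with "TLS_" (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ...).
// Pre-1.3 ciphers use OpenSSL's own names (ECDHE-RSA-AES128-GCM-SHA256) or
// keywords (HIGH, !aNULL), none of which start with that prefix.
static bool isTls13SuiteName(const std::string& name) {
    return name.compare(0, 4, "TLS_") == 0;
}

CipherConfig partitionCipherString(const std::string& combined) {
    std::vector<std::string> v13, legacy;
    for (const auto& name : splitCipherString(combined))
        (isTls13SuiteName(name) ? v13 : legacy).push_back(name);
    CipherConfig cfg;
    cfg.tls13_suites = joinWithColons(v13);
    cfg.legacy_ciphers = joinWithColons(legacy);
    return cfg;
}

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>

// Apply each list through the API that owns it. Note the asymmetry:
// SSL_CTX_set_ciphersuites() fails on any unknown name, while
// SSL_CTX_set_cipher_list() only fails if nothing at all matched.
bool applyCipherConfig(SSL_CTX* ctx, const CipherConfig& cfg, std::string* err) {
    if (!cfg.tls13_suites.empty() && SSL_CTX_set_ciphersuites(ctx, cfg.tls13_suites.c_str()) != 1) {
        *err = "SSL_CTX_set_ciphersuites rejected: " + cfg.tls13_suites;
        return false;
    }
    if (!cfg.legacy_ciphers.empty() && SSL_CTX_set_cipher_list(ctx, cfg.legacy_ciphers.c_str()) != 1) {
        *err = "SSL_CTX_set_cipher_list matched nothing in: " + cfg.legacy_ciphers;
        return false;
    }
    return true;
}

// Read back the combined list, one "<version> <name>" entry per cipher, so
// the TLS 1.3 suites and the pre-1.3 ciphers can be told apart.
std::vector<std::string> listConfiguredCiphers(SSL_CTX* ctx) {
    std::vector<std::string> out;
    STACK_OF(SSL_CIPHER)* sk = SSL_CTX_get_ciphers(ctx);
    for (int i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
        const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i);
        out.push_back(std::string(SSL_CIPHER_get_version(c)) + " " + SSL_CIPHER_get_name(c));
    }
    return out;
}
#endif

int main() {
    // Sample input: the exact string from the question.
    const std::string fromQuestion =
        "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:"
        "AES256-GCM-SHA384:AES128-SHA:AES256-SHA";
    CipherConfig cfg = partitionCipherString(fromQuestion);
    if (cfg.mixedLists())
        std::cout << "mixed string: the TLS_* names need SSL_CTX_set_ciphersuites()\n";
    std::cout << "SSL_CTX_set_ciphersuites(): " << cfg.tls13_suites << "\n";
    std::cout << "SSL_CTX_set_cipher_list():  " << cfg.legacy_ciphers << "\n";
#ifdef WITH_OPENSSL
    SSL_CTX* ctx = SSL_CTX_new(TLS_client_method());
    std::string err;
    if (!applyCipherConfig(ctx, cfg, &err)) {
        std::cerr << err << "\n";
        SSL_CTX_free(ctx);
        return 1;
    }
    for (const auto& line : listConfiguredCiphers(ctx)) std::cout << line << "\n";
    SSL_CTX_free(ctx);
#endif
    return 0;
}
```

With the OpenSSL part enabled, the read-back shows the `TLSv1.3` entries first, followed by the pre-1.3 ciphers that `SSL_CTX_set_cipher_list()` recognised; the `-OLD` ChaCha names from the question are not OpenSSL cipher names and simply disappear from that list.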
