How to test which version of TLS my .Net client is using
Declaration: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/34276358/
Asked by Brondahl
I support a .NET site which (amongst many, MANY, other things) talks to remote APIs from supplier systems.
We want to upgrade to support TLS 1.2. We're hoping to do so as per this question: Are there .NET implementation of TLS 1.2?
But how do I check that this is actually working once I've made the change?
Ideally one of my supplier sites would start using TLS 1.2 ONLY and then my test could just be "can we talk to that supplier now?" But we don't have that. I'm guessing I can do something with a packet sniffer of some sort, but I wouldn't know what I was looking for exactly, nor how to set up the sniffer to be collecting the necessary data in a readable manner.
Either:
- Can someone point me in the direction of a comprehensive guide to how to collect that data in Fiddler/WireShark?
Or
- Can someone advise an alternative way to test that the change has worked?
Accepted answer by Rich
If you capture the connection creation in Wireshark, and examine the first packet from the client, then Wireshark will annotate the fields in the ClientHello struct for you, including the TLS version requested by the client.
Similarly, if you look at the first reply packet from the server, then Wireshark will annotate the fields in the ServerHello struct for you, including the TLS version settled on for the connection.
See this blog post or this one for worked examples.
Answer by spottedmahn
If you turn on "CONNECTS" in Fiddler, you can see the TLS/SSL version in Inspectors -> TextView.
To turn on Connects, go to Rules in the menu bar and remove the check from "Hide CONNECTs".
Note: Decrypt HTTPS traffic must be disabled.
Reference: Viewing HTTPS Handshakes in Fiddler
Answer by Rich
The System.Net tracing does include sufficient detail to check this, although it's not very accessible.
This KB describes how to turn on System.Net tracing.
This blog post shows a full HTTPS request in System.Net tracing.
The bytes sent over the wire are logged, and in the example given on that blog post, the client stream starts:
System.Net.Sockets Verbose: 0 : [3848] Data from Socket#48285313::Send
System.Net.Sockets Verbose: 0 : [3848] 00000000 : 16 03 00 00 41 01 00 00-3D 03 00 43 26 02 90 83 : ....A...=..C&...
RFC5246 describes TLS 1.2 and explains that ClientHello is the first message expected and states its format:
struct {
    ProtocolVersion client_version;
    Random random;
    SessionID session_id;
    CipherSuite cipher_suites<2..2^16-2>;
    CompressionMethod compression_methods<1..2^8-1>;
    select (extensions_present) {
        case false:
            struct {};
        case true:
            Extension extensions<0..2^16-1>;
    };
} ClientHello;
This SO answer explains that the record starts with 0x16 as a type marker, then the protocol version.
The session shown above has version 3.0, which means SSL 3.0.
The RFC explains that 3.3 is TLS 1.2.
So if your client data starts "16 03 03", then your client is attempting to negotiate TLS 1.2.
You may need to examine the ServerHello to establish which version was actually used.
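The decoding that Wireshark performs in the accepted answer, and that the System.Net trace answer walks through by hand, can be done directly on the captured bytes. The following is an added example written for this page; it is not code from the thread, from Wireshark or from .NET. It parses the first record of a client or server stream, reports the record-layer version and the client_version/server_version field inside the hello, and goes one step beyond the thread: a TLS 1.3 peer leaves that field at 3.3 and puts the real version in the supported_versions extension (RFC 8446), so the example reads that extension as well. One practical caveat it makes visible: many TLS 1.2 clients put 03 01 in the record header and 03 03 only inside the ClientHello, so a check that only looks for the record starting "16 03 03" can report a false negative; the version field at bytes 10 and 11 of the record is the one to read. The constants, function names and the two synthetic hello messages built by build_hello are my own constructions; the only bytes taken from the thread are the sixteen shown in the trace line.

```python
"""Decode the first TLS record of a captured client or server byte stream and
report the protocol versions it carries.  Added example, not code from the
original thread; version names and helper names are my own."""
import struct

HANDSHAKE = 0x16                       # record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2      # handshake message types
EXT_SUPPORTED_VERSIONS = 43            # RFC 8446 section 4.2.1
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# Constructed sample: the ClientHello prefix quoted from the System.Net trace
# above. Only the first 16 bytes of a 70-byte record were logged, so the
# hello body is truncated and its extensions cannot be read.
TRACE_LINE = "16 03 00 00 41 01 00 00-3D 03 00 43 26 02 90 83"


def parse_trace_hex(line):
    """Convert one System.Net hex-dump line to bytes ('-' is only a column mark)."""
    return bytes(int(tok, 16) for tok in line.replace("-", " ").split())


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown %d.%d" % (major, minor))


def _ext_versions(ext_block, hs_type):
    """Return the versions listed in a supported_versions extension, or []."""
    pos = 0
    while pos + 4 <= len(ext_block):
        ext_type, ext_len = struct.unpack(">HH", ext_block[pos:pos + 4])
        ext = ext_block[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SUPPORTED_VERSIONS:
            continue
        if hs_type == CLIENT_HELLO:    # client form carries a 1-byte list length
            ext = ext[1:1 + ext[0]]
        return [version_name(ext[i], ext[i + 1]) for i in range(0, len(ext) - 1, 2)]
    return []


def _supported_versions(hello, hs_type):
    """Walk a complete hello body to its extensions block and read
    supported_versions (absent on pre-TLS-1.3 stacks, hence [])."""
    pos = 2 + 32 + 1 + hello[34]                      # version, random, session_id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
    else:
        pos += 2 + 1                                           # cipher_suite, compression
    if pos + 2 > len(hello):
        return []                                              # no extensions block
    ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    return _ext_versions(hello[pos + 2:pos + 2 + ext_len], hs_type)


def parse_hello(data):
    """Decode record header, handshake header and the hello's version fields."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        raise ValueError("first byte is not a handshake record (0x16)")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake header")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("unexpected handshake type %d" % hs_type)
    hello = body[4:4 + hs_len]
    info = {
        "message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
        "record_version": version_name(data[1], data[2]),    # record layer, often 3.1
        "legacy_version": version_name(hello[0], hello[1]),  # client_version/server_version
        "complete": len(hello) == hs_len,
        "supported_versions": [],
    }
    if info["complete"]:
        info["supported_versions"] = _supported_versions(hello, hs_type)
    return info


def effective_version(info):
    """The version that counts: a TLS 1.3 peer keeps legacy_version at 3.3 and
    states the real version first in supported_versions; older peers have no
    such extension, so the legacy field is authoritative."""
    return info["supported_versions"][0] if info["supported_versions"] else info["legacy_version"]


def build_hello(hs_type, legacy, supported=None):
    """Construct a minimal hello record for testing (synthetic, not a capture):
    empty session_id, one cipher suite, null compression, optional extension."""
    body = bytes(legacy) + bytes(32) + b"\x00"
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == CLIENT_HELLO else b"\x00\x2f\x00"
    exts = b""
    if supported:
        payload = b"".join(bytes(v) for v in supported)
        if hs_type == CLIENT_HELLO:
            payload = bytes([len(payload)]) + payload
        exts = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(payload)) + payload
    body += struct.pack(">H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 3.1 is what most TLS 1.2 clients put on the wire.
    return bytes([HANDSHAKE, 3, 1]) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for label, rec in [("trace", parse_trace_hex(TRACE_LINE)),
                       ("client", build_hello(CLIENT_HELLO, (3, 3), [(3, 4), (3, 3)])),
                       ("server", build_hello(SERVER_HELLO, (3, 3), [(3, 4)]))]:
        info = parse_hello(rec)
        print(label, info["message"], info["record_version"], "->", effective_version(info))
```

To use it against your own trace, paste the first "Data from Socket#...::Send" line (and any continuation lines, joined) into parse_trace_hex and look at effective_version of the result: if the ClientHello does not come out as TLS 1.2 or newer, the client change has not taken effect. Then do the same with the first "Receive" line to see what the server actually selected, which is the ServerHello check the answer above says you may need.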


