TLS handshake过程中的Hello消息

    The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first). Each cipher suite defines a key exchange algorithm, a bulk encryption algorithm (including secret key length), a MAC algorithm, and a PRF.  The server will select a ciphersuite or, if no acceptable choices are presented, return a handshake failure alert and close the connection.  If the list contains ciphersuites the server does not recognize, support, or wish to use, the server MUSTignore those cipher suites, and process the remaining ones as usual.

Q: ignore具体代表什么意思？

      uint8 CipherSuite[2];

cipher_suites
      This is a list of the cryptographic options supported by the client, with the client's first preference first.  If the session_id field is not empty (implying a session resumption request), this vector MUST include at least the cipher_suite from that session.  Values are defined in Appendix A.5.

 

The Cipher Suite

   The following values define the cipher suite codes used in the ClientHello and ServerHello messages.

   A cipher suite defines a cipher specification supported in TLS Version 1.2.

   TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a TLS connection during the first handshake on that channel, but MUST NOT be negotiated, as it provides no more protection than an unsecured connection.

      CipherSuite TLS_NULL_WITH_NULL_NULL               = { 0x00,0x00 };

   The following CipherSuite definitions require that the server provide an RSA certificate that can be used for key exchange.  The server may request anysignature-capable （这个能力用在哪里？如果是RSA做密钥协商，是client选择随机数，并用server的公钥加密作为pms） certificate in the certificate request message.

      CipherSuite TLS_RSA_WITH_NULL_MD5                 = { 0x00,0x01 };
      CipherSuite TLS_RSA_WITH_NULL_SHA                 = { 0x00,0x02 };
      CipherSuite TLS_RSA_WITH_NULL_SHA256              = { 0x00,0x3B };
      CipherSuite TLS_RSA_WITH_RC4_128_MD5              = { 0x00,0x04 };
      CipherSuite TLS_RSA_WITH_RC4_128_SHA              = { 0x00,0x05 };
      CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA         = { 0x00,0x0A };
      CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA          = { 0x00,0x2F };
      CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA          = { 0x00,0x35 };
      CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256       = { 0x00,0x3C };
      CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256       = { 0x00,0x3D };

   The following cipher suite definitions are used for server-authenticated (and optionally client-authenticated) Diffie-Hellman.DH denotes cipher suites in which the server's certificate contains the Diffie-Hellman parameters signed by the certificate authority(CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman parameters are signed by a signature-capable certificate, which has been signed by the CA.  The signing algorithm used by the server is specified after the DHE component of the CipherSuite name. The server can request any signature-capable certificate from the client for client authentication, or it may request a Diffie-Hellman certificate.  Any Diffie-Hellman certificate provided by the client must use the parameters (group and generator) described by the server.

DH和DHE主要实现server的认证，也可以添加client的认证。DH情形下，server传递的密钥建立参数是带证书的DH参数，DHE情形下，server传递的DHE参数被某个签名算法签名保护，以实现认证。同时，在client认证时，client需用server证书中包含的群参数请求一个证书并发给server，这个可以理解，为了两方在相同的参数下运行协议。

问题，按照下述的ciphersuite描述，DH已经实现了server的认证，为什么还需要签名算法？还是DH不能抵抗中间人攻击，所以引入签名？还是证书中的DH参数是所引用的签名算法作用生成的？

解答：If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension. Note that this implies that a certificate containing a key for one signature algorithm MAY be signed using a different signature algorithm (for instance, an RSA key signed with a DSA key). This is a departure from TLS 1.1, which required that the algorithms be the same. Note that this also implies that the DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the algorithm used to sign the certificate. Fixed DH certificates MAY be signed with any hash/signature algorithm pair appearing in the extension. The names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are historical.

指出DH_DSS的表达只是历史原因，这里如果client没有填充signature_algorithms，则直接发送DH证书，如果client做了选择，则需要用填充的hash/sig对 对DH证书签名

PS：下面说道，如果client没有填充，则有默认的hash/sig对，这说明所有的情况都需要对证书做签名处理。

 

      CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA      = { 0x00,0x0D };
      CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA      = { 0x00,0x10 };
      CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA     = { 0x00,0x13 };
      CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA     = { 0x00,0x16 };
      CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA       = { 0x00,0x30 };
      CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA       = { 0x00,0x31 };
      CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA      = { 0x00,0x32 };
      CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA      = { 0x00,0x33 };
      CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA       = { 0x00,0x36 };
      CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA       = { 0x00,0x37 };
      CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA      = { 0x00,0x38 };
      CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA      = { 0x00,0x39 };
      CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA256    = { 0x00,0x3E };
      CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA256    = { 0x00,0x3F };
      CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA256   = { 0x00,0x40 };
      CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   = { 0x00,0x67 };
      CipherSuite TLS_DH_DSS_WITH_AES_256_CBC_SHA256    = { 0x00,0x68 };
      CipherSuite TLS_DH_RSA_WITH_AES_256_CBC_SHA256    = { 0x00,0x69 };
      CipherSuite TLS_DHE_DSS_WITH_AES_256_CBC_SHA256   = { 0x00,0x6A };
      CipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   = { 0x00,0x6B };

   The following cipher suites are used for completely anonymous Diffie-Hellman communications in which neither party is authenticated.  Note that this mode is vulnerable to man-in-the-middle attacks.  Using this mode therefore is of limited use: These cipher suites MUST NOT be used by TLS 1.2 implementations unless the application layer has specifically requested to allow anonymous key exchange.  (Anonymous key exchange may sometimes be acceptable, for example, to support opportunistic encryption when no set-up for authentication is in place, or when TLS is used as part of more complex security protocols that have other means to ensure authentication.)

      CipherSuite TLS_DH_anon_WITH_RC4_128_MD5          = { 0x00,0x18 };
      CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA     = { 0x00,0x1B };
      CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA      = { 0x00,0x34 };
      CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA      = { 0x00,0x3A };
      CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA256   = { 0x00,0x6C };
      CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA256   = { 0x00,0x6D };

   Note that using non-anonymous key exchange without actually verifying the key exchange is essentially equivalent to anonymous key exchange, and the same precautions apply.  While non-anonymous key exchange will generally involve a higher computational and communicational cost than anonymous key exchange, it may be in the interest of interoperability not to disable non-anonymous key exchange when the application layer is allowing anonymous key exchange.

New cipher suite values have been assigned by IANA as described in Section 12.

   Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are reserved to avoid collision with Fortezza-based cipher suites in SSL 3.

 

先回过头看client hello具体包含的内容

struct {

ProtocolVersion client_version;

Random random; SessionID session_id;

CipherSuite cipher_suites<2..2^16-2>;

CompressionMethod compression_methods<1..2^8-1>;

select (extensions_present)

{ case false: struct {};

case true: Extension extensions<0..2^16-1>; }; }

ClientHello;

 

extensions： A list of extensions. Note that only extensions offered by the client can appear in the server's list.

The extension format is:

struct {

ExtensionType extension_type;

opaque extension_data<0..2^16-1>;

 } Extension;

enum

{ signature_algorithms(13), (65535) } ExtensionType;

Here:

- "extension_type" identifies the particular extension type.

- "extension_data" contains information specific to the particular extension type.

 

hello extension

If the client does not send the signature_algorithms extension (a single hash/signature pair), the server MUST do the following:

   -  If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had sent the value {sha1,rsa}.

   -  If the negotiated key exchange algorithm is one of (DHE_DSS, DH_DSS), behave as if the client had sent the value {sha1,dsa}.

   -  If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.

Q：这里as if是什么意思？是说，如果client并没有写明这个extension的情形下，如果最后协商的算法是上述类型，则视为client对该字段的填充是花括号里面的选项么？（我认为是的）