State secret SSL VPN client (browser);
Wireshark client (supporting state secret protocol version, github address) is used to view handshake data.
Open the wireshark client and monitor the corresponding network card. Wireshark can check which network card has network fluctuation when networking, and select the corresponding network card.
Wireshark settings are based on IP filtering, and set IP filtering of national secret servers connected by SSL VPN. An IP address is the address of a gateway or security service for secure access.
At this time, you can see the handshake data through GMTLS protocol. According to the requirements, we analyze it in detail.
The client sends a client Hello message to the server to transmit the version number, random number and encryption algorithm list of the highest SSL protocol supported by the client. The content of the client Hello message is shown in the following figure:
After receiving the client's request to establish SSL connection, the server sends the version number, random number, session ID, encryption algorithm and other related information of SSL protocol to the client by sending the server Hello message. The message reads as follows:
At the same time, the server sends a certificate message containing its certificate to the client. The server public key carried in the certificate. As shown in the figure below:
Send a certificate request message, asking the server to report the certificate, as shown in the following figure:
The client sends the message of client key exchange and changing Crypter Spec. The client key exchange contains the random number Pre_Master_Secret encrypted with the server public key, which is used to generate the master key in the future. (Here, the client generates a third random number with the two random numbers mentioned above, and then encrypts the third random number with the public key in the server certificate to generate pre _ master _ secret) * *; The message of changing password specification informs the server that the next message will be communicated with the newly negotiated encryption suite and key, and informs the client that the handshake process from the server has ended. As shown in the figure below:
The server also sends a change cipher SPE message to inform the end of the handshake process between the server and the client, and sends an encrypted handshake message. After the message is decrypted, the client verifies it. If the verification passes, it means that the data in the handshake process has not been tampered with, and it also means that the server is the holder of the previous exchange certificate. Now both parties can start encrypted communication. As shown in the figure below: