openHiTLS TLCP/DTLCP: Complete Build and Packet-Capture Walkthrough
Original
利刃信安
July 2, 2026, 01:30, Beijing
1. Obtaining the source
1.1 Clone the main openHiTLS repository
cd /home/kali/M
git clone https://gitcode.com/openhitls/openhitls.git
Output:
┌──(kali㉿kali)-[~]
└─$ sudo -i
┌──(root㉿kali)-[~]
└─# cd /home/kali/M
┌──(root㉿kali)-[/home/kali/M]
└─# git clone https://gitcode.com/openhitls/openhitls.git
正克隆到 'openhitls'...
remote: Enumerating objects: 40601, done.
remote: Counting objects: 100% (4625/4625), done.
remote: Compressing objects: 100% (459/459), done.
remote: Total 40601 (delta 4332), reused 4168 (delta 4166), pack-reused 35976 (from 1)
接收对象中: 100% (40601/40601), 57.41 MiB | 11.15 MiB/s, 完成.
处理 delta 中: 100% (26901/26901), 完成.
1.2 Check out the stable release openhitls-0.3.3
cd /home/kali/M/openhitls
git checkout openhitls-0.3.3
Output:
┌──(root㉿kali)-[/home/kali/M]
└─# cd /home/kali/M/openhitls
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# git checkout openhitls-0.3.3
注意:正在切换到 'openhitls-0.3.3'。
您正处于分离头指针状态。您可以查看、做试验性的修改及提交,并且您可以在切换
回一个分支时,丢弃在此状态下所做的提交而不对分支造成影响。
如果您想要通过创建分支来保留在此状态下所做的提交,您可以通过在 switch 命令
中添加参数 -c 来实现(现在或稍后)。例如:
git switch -c <新分支名>
或者撤销此操作:
git switch -
通过将配置变量 advice.detachedHead 设置为 false 来关闭此建议
HEAD 目前位于 dd08164c fix:Fix the issue where the chain is not cleared when only one certificate is loaded in HITLS_CFG_UseCertificateChainBuffer
1.3 Clone the Secure_C bounds-checking library (not a git submodule; it must be cloned manually into the platform/ directory)
cd /home/kali/M/openhitls
git clone https://gitee.com/openeuler/libboundscheck platform/Secure_C
Output:
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# cd /home/kali/M/openhitls
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# git clone https://gitee.com/openeuler/libboundscheck platform/Secure_C
正克隆到 'platform/Secure_C'...
remote: Enumerating objects: 189, done.
remote: Total 189 (delta 0), reused 0 (delta 0), pack-reused 189 (from 1)
接收对象中: 100% (189/189), 113.63 KiB | 1.50 MiB/s, 完成.
处理 delta 中: 100% (113/113), 完成.
2. Building the Secure_C library
cd /home/kali/M/openhitls/platform/Secure_C
make -j$(nproc)
Output (tail only):
cc -c src/vwscanf_s.c ... -o obj/vwscanf_s.o
cc -c src/wcscat_s.c ... -o obj/wcscat_s.o
... (intermediate build log omitted)
cc -shared -o lib/libboundscheck.so obj/*.o ... -Wl,-z,relro,-z,now,-z,noexecstack -fstack-protector-all
finish libboundscheck.so
Artifact: /home/kali/M/openhitls/platform/Secure_C/lib/libboundscheck.so
3. Configuring and building the openHiTLS main program
3.1 Generate the CMake configuration with configure.py
Key point: the build macros for the TLCP protocol (Chinese commercial "SM" cryptography) must be enabled explicitly.
HITLS_BUILD_PROFILE=full alone does not enable the SM provider. HITLS_CRYPTO_PROVIDER_DEFAULT_SM integrates SM2/SM3/SM4 into the default provider and is a prerequisite for a usable 0.3.3 build.
cd /home/kali/M/openhitls
mkdir -p build
python3 configure.py \
--enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth \
--system linux --bits 64 --asm_type x8664 \
--lib_type shared static \
--executes hitls \
--add_options "-DHITLS_TLS_PROTO_TLCP11 -DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 -DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3 -DHITLS_CRYPTO_PROVIDER_DEFAULT_SM -DHITLS_TLS_SUITE_AUTH_SM2" \
-m --build_dir build
Macro descriptions:
| Macro | Effect |
| --- | --- |
| HITLS_TLS_PROTO_TLCP11 | Enables TLCP 1.1 protocol support |
| HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 | ECDHE_SM4_CBC_SM3 cipher suite |
| HITLS_TLS_SUITE_ECC_SM4_CBC_SM3 | ECC_SM4_CBC_SM3 cipher suite |
| HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 | ECDHE_SM4_GCM_SM3 cipher suite |
| HITLS_TLS_SUITE_ECC_SM4_GCM_SM3 | ECC_SM4_GCM_SM3 cipher suite |
| HITLS_CRYPTO_PROVIDER_DEFAULT_SM | Integrates SM2/SM3/SM4 into the default provider |
| HITLS_TLS_SUITE_AUTH_SM2 | SM2 authentication |
configure.py prints nothing on success (empty output means it succeeded).
3.2 Generate the build files with CMake
cd /home/kali/M/openhitls/build
cmake -DCMAKE_BUILD_TYPE=Debug ..
Output (tail only):
┌──(root㉿kali)-[/home/…/M/openhitls/platform/Secure_C]
└─# cd /home/kali/M/openhitls
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# mkdir -p build
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# python3 configure.py \
--enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth \
--system linux --bits 64 --asm_type x8664 \
--lib_type shared static \
--executes hitls \
--add_options "-DHITLS_TLS_PROTO_TLCP11 -DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 -DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3 -DHITLS_CRYPTO_PROVIDER_DEFAULT_SM -DHITLS_TLS_SUITE_AUTH_SM2" \
-m --build_dir build
┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# cd /home/kali/M/openhitls/build
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# cmake -DCMAKE_BUILD_TYPE=Debug ..
-- The C compiler identification is GNU 15.3.0
-- The CXX compiler identification is GNU 15.3.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring securec dependency...
--
-- === Configuring libboundscheck (Secure C) ===
-- Searching for sources in: /home/kali/M/openhitls/platform/Secure_C/src
-- Found 39 securec source files
-- System: Linux
-- Compiler: GNU 15.3.0
-- Securec library configured:
-- Source dir: /home/kali/M/openhitls/platform/Secure_C/src
-- Include dir: /home/kali/M/openhitls/platform/Secure_C/include
-- Output dir: /home/kali/M/openhitls/platform/Secure_C/lib
-- Library type: STATIC
-- Library name: libboundscheck.a (Linux/macOS) / boundscheck.lib (Windows)
-- ========================================
--
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/cc
-- Provider library for apps: libhitls.so
-- Configuring done (0.4s)
-- Generating done (0.2s)
-- Build files have been written to: /home/kali/M/openhitls/build
3.3 Build
make -j$(nproc) hitls
Output (tail only):
[100%] Built target handshake-objs
[100%] Linking C shared library libhitls_tls.so
[100%] Built target hitls_tls-shared
[100%] Linking C executable hitls
[100%] Built target hitls
3.4 Verify the artifact
ls -la /home/kali/M/openhitls/build/hitls
file /home/kali/M/openhitls/build/hitls
Output:
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# ls -la /home/kali/M/openhitls/build/hitls
-rwxr-xr-x 1 root root 925152 7月 1日 12:29 /home/kali/M/openhitls/build/hitls
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# file /home/kali/M/openhitls/build/hitls
/home/kali/M/openhitls/build/hitls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
mkdir -p /home/kali/M/captures
LD_LIBRARY_PATH=/home/kali/M/openhitls/build /home/kali/M/openhitls/build/hitls help
Output (head only):
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# mkdir -p /home/kali/M/captures
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# LD_LIBRARY_PATH=/home/kali/M/openhitls/build
┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# /home/kali/M/openhitls/build/hitls help
function: HiTLS supports the following commands:
help rand enc pkcs12
rsa x509 list dgst
crl genrsa verify pkey
genpkey req mac kdf
prime s_client s_server pkeyutl
4. Creating the test scripts
Test certificate paths (all in DER format, bundled with the openHiTLS source):
/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid/
├── ca.crt # root CA certificate
├── ca.key # root CA private key
├── inter.crt # intermediate CA certificate
├── inter.key # intermediate CA private key
├── sign.crt # SM2 signing certificate
├── sign.key # SM2 signing private key
├── enc.crt # SM2 encryption certificate
└── enc.key # SM2 encryption private key
4.1 Server script: server_tlcp.sh (TLCP server)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
-tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
-provider default -state
Parameter descriptions:
- -tlcp: force the TLCP 1.1 protocol (GB/T 38636-2020)
- -accept 127.0.0.1:4433: listen address and port
- -CAfile: root CA certificate (used to verify the client certificate chain)
- -chainCAfile: intermediate CA certificate
- -tlcp_sign_cert / -tlcp_sign_key: signing certificate and private key (SM2 signing key pair)
- -tlcp_enc_cert / -tlcp_enc_key: encryption certificate and private key (SM2 encryption key pair)
- -provider default: use the default cryptographic provider
- -state: print detailed handshake state information
4.2 Server script: server_dtlcp.sh (DTLCP server)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
-tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
-provider default -state
4.3 Client script: client_tlcp_bidir.sh (TLCP mutual authentication, client presents its certificates)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "tlcp_bidir_test" | /home/kali/M/openhitls/build/hitls s_client -tlcp \
-host 127.0.0.1 -port 4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
-tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
-provider default -state
4.4 Client script: client_tlcp_unidir.sh (TLCP one-way authentication, no client certificate)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "tlcp_unidir_test" | /home/kali/M/openhitls/build/hitls s_client -tlcp \
-host 127.0.0.1 -port 4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-provider default -state
4.5 Client script: client_dtlcp_bidir.sh (DTLCP mutual authentication)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "dtlcp_bidir_test" | /home/kali/M/openhitls/build/hitls s_client -dtlcp \
-host 127.0.0.1 -port 4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
-tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
-provider default -state
4.6 Client script: client_dtlcp_unidir.sh (DTLCP one-way authentication)
#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "dtlcp_unidir_test" | /home/kali/M/openhitls/build/hitls s_client -dtlcp \
-host 127.0.0.1 -port 4433 \
-CAfile $C/ca.crt -chainCAfile $C/inter.crt \
-provider default -state
5. Test 1: TLCP mutual authentication
Method: both the server (terminal 3) and the client (terminal 4) carry the SM2 signing + encryption certificate pair. Terminal 5 runs tcpdump on the lo interface.
5.1 Start the capture (terminal 5)
sudo tcpdump -i lo -w /home/kali/M/captures/02_tlcp_two_way.pcap port 4433
Output:
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/02_tlcp_two_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
5.2 Start the server (terminal 3)
bash /home/kali/M/server_tlcp.sh
Output:
┌──(kali㉿kali)-[~]
└─$ sudo -i
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_tlcp.sh
Listening on 127.0.0.1:4433 (TCP)
Server started, waiting for connections...
Accepted connection from 127.0.0.1:55718
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 1 completed
Accepted connection from 127.0.0.1:59498
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 2 completed
Accepted connection from 127.0.0.1:59504
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 3 completed
5.3 Start the client (terminal 4)
bash /home/kali/M/client_tlcp_bidir.sh
Output:
┌──(kali㉿kali)-[~]
└─$ sudo -i
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12
Hello World!
Client completed successfully
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12
Hello World!
Client completed successfully
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12
Hello World!
Client completed successfully
Result: the handshake succeeded and an SM4-encrypted tunnel was established over TLCP v1.1. The client sent the string "tlcp_bidir_test" to the server and received "Hello World!" in reply.
5.4 Stop the server and the capture
sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump
5.5 Capture file
02_tlcp_two_way.pcap 16,333 bytes
6. Test 2: TLCP one-way authentication
Method: the server (terminal 3) carries the certificate pair and is configured with the CA chain (which makes it require a client certificate by default). The client (terminal 4) only carries -CAfile/-chainCAfile to verify the server and presents no certificate of its own.
6.1 Start the capture (terminal 5)
sudo tcpdump -i lo -w /home/kali/M/captures/01_tlcp_one_way.pcap port 4433
Output:
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/01_tlcp_one_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
6.2 Start the server (terminal 3)
bash /home/kali/M/server_tlcp.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_tlcp.sh
Listening on 127.0.0.1:4433 (TCP)
Server started, waiting for connections...
Accepted connection from 127.0.0.1:45362
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 1 completed
Accepted connection from 127.0.0.1:37132
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 2 completed
Accepted connection from 127.0.0.1:37134
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 3 completed
6.3 Start the client (terminal 4, no client certificate)
bash /home/kali/M/client_tlcp_unidir.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
Result: the handshake failed with error code 0x20c0029 (certificate add/load failure). The server requested a certificate in its CertificateRequest, but the client was not configured with the signing + encryption certificate pair, so the handshake was aborted.
6.4 Stop the server and the capture
sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump
6.5 Capture file
01_tlcp_one_way.pcap 8,780 bytes
Note: although the handshake failed, the capture retains the complete ClientHello → ServerHello → Certificate → ServerKeyExchange → CertificateRequest → ServerHelloDone exchange, followed by the client's empty Certificate and the Alert. It can be used to analyse the protocol messages of the TLCP one-way authentication scenario.
7. Test 3: DTLCP mutual authentication
Method: both the server and the client carry the certificate pair and use the DTLCP protocol (carried over UDP). The parameters are identical to the TLCP case; only -tlcp is replaced by -dtlcp.
7.1 Start the capture (terminal 5)
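To make the message sequence above concrete, here is an added example (my own code, not part of the original write-up or of openHiTLS) that parses a TLS/TLCP record stream and names the handshake flight it carries, flagging an empty Certificate message and any Alert. The record and handshake framing is the standard TLS 1.x layout that TLCP reuses, with ProtocolVersion 0x0101 for TLCP 1.1. The sample bytes are constructed here to mimic the one-way scenario: the hello bodies and the certificate list are stubs rather than real SM2 certificates, and the alert description (fatal handshake_failure) is an assumption, since the write-up does not state which alert was sent. The parser covers the TCP record layer used by TLCP; the DTLS-style record header that DTLCP uses (with epoch and sequence number) is not handled.

```python
"""Parse a TLS/TLCP record stream and name the handshake flight it carries."""
import struct
from typing import Dict, List

TLCP_1_1 = 0x0101  # ProtocolVersion {1, 1} used by TLCP (GB/T 38636-2020)

VERSION_NAMES = {0x0101: "TLCP 1.1", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}


def parse_records(data: bytes) -> List[Dict]:
    """Split a TCP byte stream into TLS records (5-byte header: type, version, length)."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack(">BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append({"type": ctype, "version": version, "body": body})
        off += 5 + length
    return records


def parse_handshake(body: bytes) -> List[Dict]:
    """Walk the handshake messages inside one record body (1-byte type, 3-byte length)."""
    msgs, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated handshake header")
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + hlen]
        if len(payload) != hlen:
            raise ValueError("truncated handshake message")
        msgs.append({"type": htype, "payload": payload})
        off += 4 + hlen
    return msgs


def certificate_is_empty(payload: bytes) -> bool:
    """A Certificate message whose 3-byte certificate_list length is zero carries no certificate."""
    return len(payload) >= 3 and int.from_bytes(payload[:3], "big") == 0


def describe_flight(data: bytes) -> List[str]:
    """Name every message in order, marking empty Certificate messages and decoding alerts."""
    names = []
    for rec in parse_records(data):
        if rec["type"] == 22:
            for msg in parse_handshake(rec["body"]):
                name = HANDSHAKE_TYPES.get(msg["type"], "Handshake(%d)" % msg["type"])
                if msg["type"] == 11 and certificate_is_empty(msg["payload"]):
                    name += "(empty)"
                names.append(name)
        elif rec["type"] == 21 and len(rec["body"]) == 2:
            level, desc = rec["body"]
            names.append("Alert(%s,%s)" % (ALERT_LEVELS.get(level, level),
                                           ALERT_DESCRIPTIONS.get(desc, desc)))
        else:
            names.append(CONTENT_TYPES.get(rec["type"], "Record(%d)" % rec["type"]))
    return names


def record_versions(data: bytes) -> List[str]:
    """Version stamped on each record header; every record of a TLCP session reads 'TLCP 1.1'."""
    return [VERSION_NAMES.get(r["version"], "0x%04x" % r["version"]) for r in parse_records(data)]


# --- constructed sample: a one-way TLCP attempt in which the client has no certificate ---
def _hs(htype: int, payload: bytes) -> bytes:
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


def _rec(ctype: int, body: bytes, version: int = TLCP_1_1) -> bytes:
    return struct.pack(">BHH", ctype, version, len(body)) + body


FAKE_CERT_LIST = b"\x00\x00\x06" + b"\x00\x00\x03" + b"\x30\x01\x00"  # stub list, not real DER
SAMPLE_ONE_WAY = (
    _rec(22, _hs(1, b"\x01\x01" + bytes(32)))                              # ClientHello (stub body)
    + _rec(22, _hs(2, b"\x01\x01" + bytes(32)) + _hs(11, FAKE_CERT_LIST)   # server flight, one record
           + _hs(12, bytes(8)) + _hs(13, b"\x01\x40") + _hs(14, b""))
    + _rec(22, _hs(11, b"\x00\x00\x00"))                                   # client: empty Certificate
    + _rec(21, bytes([2, 40]))                                             # assumed: fatal handshake_failure
)

if __name__ == "__main__":
    print(record_versions(SAMPLE_ONE_WAY))
    print(describe_flight(SAMPLE_ONE_WAY))
```

To run it against a real capture, export the TCP payload of one direction of a 4433 flow from the pcap as raw bytes and pass it to describe_flight; the two directions must be fed separately, because interleaving them into one stream would split records.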
sudo tcpdump -i lo -w /home/kali/M/captures/04_dtlcp_two_way.pcap port 4433
Output:
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/04_dtlcp_two_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
7.2 Start the server (terminal 3)
bash /home/kali/M/server_dtlcp.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_dtlcp.sh
Listening on 127.0.0.1:4433 (UDP)
Server started, waiting for connections...
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 16 bytes from client:
dtlcp_bidir_test
Sent 51 bytes response to client
Connection 1 completed
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Failed to read client data: 0x20a000b
Connection 2 completed
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Failed to read client data: 0x20a000b
Connection 3 completed
Starting TLS handshake with client...
7.3 Start the client (terminal 4)
bash /home/kali/M/client_dtlcp_bidir.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12
Hello World!
Client completed successfully
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Client completed successfully
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Client completed successfully
Result: the handshake succeeded. The protocol version is reported as "TLCP v1.1" (DTLCP is TLCP adapted to run over UDP and keeps the TLCP v1.1 version identifier).
7.4 Stop the server and the capture
sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump
7.5 Capture file
04_dtlcp_two_way.pcap 15,228 bytes
8. Test 4: DTLCP one-way authentication
Method: the server carries the certificate pair; the client presents no certificate of its own.
8.1 Start the capture (terminal 5)
sudo tcpdump -i lo -w /home/kali/M/captures/03_dtlcp_one_way.pcap port 4433
Output:
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/03_dtlcp_one_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
8.2 Start the server (terminal 3)
bash /home/kali/M/server_dtlcp.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_dtlcp.sh
Listening on 127.0.0.1:4433 (UDP)
Server started, waiting for connections...
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 1 completed
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 2 completed
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 3 completed
Starting TLS handshake with client...
8.3 Start the client (terminal 4, no client certificate)
bash /home/kali/M/client_dtlcp_unidir.sh
Output:
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27
Result: the handshake failed with error code 0x20c0029, consistent with the server requiring a client certificate.
8.4 Stop the server and the capture
sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump
8.5 Capture file
03_dtlcp_one_way.pcap 7,899 bytes
9. Deliverables: overview of the four captures
ls -la /home/kali/M/captures/
Output:
┌──(root㉿kali)-[~]
└─# ls -la /home/kali/M/captures/
总计 60
drwxr-xr-x 2 root root 4096 7月 1日 12:51 .
drwxrwxrwx 4 root root 4096 7月 1日 12:39 ..
-rw-r--r-- 1 tcpdump tcpdump 8780 7月 1日 12:46 01_tlcp_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 16333 7月 1日 12:41 02_tlcp_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 7899 7月 1日 12:53 03_dtlcp_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 15228 7月 1日 12:49 04_dtlcp_two_way.pcap
9.1 Verifying the pcap contents
for f in /home/kali/M/captures/*.pcap; do
echo "=== $(basename $f) ==="
tcpdump -r "$f" -nn | head -15
echo ""
done
Output:
01_tlcp_one_way.pcap (TLCP one-way, TCP, handshake failed)
┌──(root㉿kali)-[~]
└─# for f in /home/kali/M/captures/*.pcap; do
echo "=== $(basename $f) ==="
tcpdump -r "$f" -nn | head -15
echo ""
done
=== 01_tlcp_one_way.pcap ===
reading from file /home/kali/M/captures/01_tlcp_one_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:46:13.250839 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [S], seq 3300490400, win 65495, options [mss 65495,sackOK,TS val 2226550677 ecr 0,nop,wscale 10], length 0
12:46:13.250846 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [S.], seq 46529753, ack 3300490401, win 65483, options [mss 65495,sackOK,TS val 836346331 ecr 2226550677,nop,wscale 10], length 0
12:46:13.250852 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 0
12:46:13.250950 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 78
12:46:13.250953 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [.], ack 79, win 64, options [nop,nop,TS val 836346331 ecr 2226550677], length 0
12:46:13.254965 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1:1902, ack 79, win 64, options [nop,nop,TS val 836346335 ecr 2226550677], length 1901
12:46:13.255076 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1902, win 84, options [nop,nop,TS val 2226550681 ecr 836346335], length 0
12:46:13.256938 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 79:176, ack 1902, win 84, options [nop,nop,TS val 2226550683 ecr 836346335], length 97
12:46:13.257001 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1902:1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 7
12:46:13.257068 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [R.], seq 1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 0
12:46:22.214506 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [S], seq 1833535807, win 65495, options [mss 65495,sackOK,TS val 928550738 ecr 0,nop,wscale 10], length 0
12:46:22.214516 IP 127.0.0.1.4433 > 127.0.0.1.37132: Flags [S.], seq 1949242838, ack 1833535808, win 65483, options [mss 65495,sackOK,TS val 1780669965 ecr 928550738,nop,wscale 10], length 0
12:46:22.214524 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 928550738 ecr 1780669965], length 0
12:46:22.214786 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 928550738 ecr 1780669965], length 78
12:46:22.214789 IP 127.0.0.1.4433 > 127.0.0.1.37132: Flags [.], ack 79, win 64, options [nop,nop,TS val 1780669965 ecr 928550738], length 0
02_tlcp_two_way.pcap (TLCP mutual, handshake succeeded + application data)
=== 02_tlcp_two_way.pcap ===
reading from file /home/kali/M/captures/02_tlcp_two_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:41:09.946808 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [S], seq 1470452005, win 65495, options [mss 65495,sackOK,TS val 4209665706 ecr 0,nop,wscale 10], length 0
12:41:09.946924 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [S.], seq 2194274755, ack 1470452006, win 65483, options [mss 65495,sackOK,TS val 4153713132 ecr 4209665706,nop,wscale 10], length 0
12:41:09.946932 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 4209665706 ecr 4153713132], length 0
12:41:09.947089 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 4209665706 ecr 4153713132], length 78
12:41:09.947093 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [.], ack 79, win 64, options [nop,nop,TS val 4153713132 ecr 4209665706], length 0
12:41:09.954698 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1:1902, ack 79, win 64, options [nop,nop,TS val 4153713140 ecr 4209665706], length 1901
12:41:09.954770 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [.], ack 1902, win 84, options [nop,nop,TS val 4209665714 ecr 4153713140], length 0
12:41:09.955768 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 79:1962, ack 1902, win 84, options [nop,nop,TS val 4209665715 ecr 4153713140], length 1883
12:41:09.956782 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1902:1993, ack 1962, win 83, options [nop,nop,TS val 4153713142 ecr 4209665715], length 91
12:41:09.957213 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 1962:2031, ack 1993, win 84, options [nop,nop,TS val 4209665716 ecr 4153713142], length 69
12:41:09.957481 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1993:2110, ack 2031, win 83, options [nop,nop,TS val 4153713143 ecr 4209665716], length 117
12:41:09.957532 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 2031:2100, ack 2110, win 84, options [nop,nop,TS val 4209665717 ecr 4153713143], length 69
12:41:09.957543 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 2110:2179, ack 2100, win 83, options [nop,nop,TS val 4153713143 ecr 4209665717], length 69
12:41:09.957564 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [R.], seq 2179, ack 2100, win 83, options [nop,nop,TS val 4153713143 ecr 4209665717], length 0
12:41:25.843699 IP 127.0.0.1.59498 > 127.0.0.1.4433: Flags [S], seq 1434616062, win 65495, options [mss 65495,sackOK,TS val 7932366 ecr 0,nop,wscale 10], length 0
03_dtlcp_one_way.pcap (DTLCP one-way, UDP, handshake failed)
=== 03_dtlcp_one_way.pcap ===
reading from file /home/kali/M/captures/03_dtlcp_one_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:51:52.836081 IP 127.0.0.1.4433 > 127.0.0.1.58571: UDP, length 15
12:52:08.763535 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 95
12:52:08.763698 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 112
12:52:08.763725 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 1472
12:52:08.763918 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 421
12:52:08.764688 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 137
12:52:08.764820 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 15
12:52:12.397219 IP 127.0.0.1.47187 > 127.0.0.1.4433: UDP, length 95
12:52:12.397466 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 112
12:52:12.397509 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 1472
12:52:12.397604 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 422
12:52:12.398220 IP 127.0.0.1.47187 > 127.0.0.1.4433: UDP, length 137
12:52:12.398408 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 15
12:52:15.408682 IP 127.0.0.1.35086 > 127.0.0.1.4433: UDP, length 95
12:52:15.408843 IP 127.0.0.1.4433 > 127.0.0.1.35086: UDP, length 112
04_dtlcp_two_way.pcap (DTLCP mutual, handshake succeeded + application data)
=== 04_dtlcp_two_way.pcap ===
reading from file /home/kali/M/captures/04_dtlcp_two_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:48:41.910301 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 95
12:48:41.910665 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 112
12:48:41.910699 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 1472
12:48:41.910793 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 423
12:48:41.912517 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 1472
12:48:41.912765 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 500
12:48:41.913707 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 107
12:48:41.913929 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 93
12:48:41.913983 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 125
12:48:41.914011 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 77
12:48:41.914027 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 77
12:48:45.489428 IP 127.0.0.1.34398 > 127.0.0.1.4433: UDP, length 95
12:48:45.489874 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 112
12:48:45.489897 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 1472
12:48:45.489989 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 422
9.2 Summary
| File | Protocol | Authentication | Size | Status | Packet characteristics |
| --- | --- | --- | --- | --- | --- |
| 01_tlcp_one_way.pcap | TLCP (TCP) | one-way | 8,780 B | failed | ClientHello → CertificateRequest → empty Certificate → Alert → RST |
| 02_tlcp_two_way.pcap | TLCP (TCP) | mutual | 16,333 B | succeeded | full handshake ×3 + ApplicationData ×12 |
| 03_dtlcp_one_way.pcap | DTLCP (UDP) | one-way | 7,899 B | failed | 18 UDP packets, fragmented Certificate, empty Certificate |
| 04_dtlcp_two_way.pcap | DTLCP (UDP) | mutual | 15,228 B | succeeded | 33 UDP packets, full handshake + ApplicationData ×12 |
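The per-capture characteristics in this summary were read off the `tcpdump -r ... -nn` listings in 9.1 by hand. As an added example (my own code, not part of the original write-up), the helper below does that mechanically: it parses the TCP and UDP line shapes tcpdump prints, groups packets into flows keyed by the client port, and reports packet and payload-byte counts per direction, whether a RST was seen, and the ordered list of non-empty segments. The sample lines are copied from the 01 and 03 listings above; the server port 4433 is the one used throughout, and the "length" field is the TCP or UDP payload size, so TLS record headers are included in the byte counts.

```python
"""Per-flow summary of `tcpdump -r <file> -nn` text output."""
import re
from typing import Dict, Iterable

# Line shapes printed by `tcpdump -nn` for TCP and UDP packets, as in the listings above.
TCP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\],.* length (\d+)$")
UDP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): UDP, length (\d+)$")


def _port(endpoint: str) -> int:
    """'127.0.0.1.45362' -> 45362 (tcpdump appends the port to the address with a dot)."""
    return int(endpoint.rsplit(".", 1)[1])


def summarize_flows(lines: Iterable[str], server_port: int = 4433) -> Dict[int, dict]:
    """Group packets by client port; count packets and payload bytes in each direction.

    Non-packet lines (the "reading from file" banner, "=== name ===" markers) are skipped.
    "segments" lists every non-empty payload as (direction, bytes) in capture order.
    """
    flows: Dict[int, dict] = {}
    for raw in lines:
        line = raw.strip()
        m = TCP_LINE.match(line)
        if m:
            src, dst, flags, length = m.groups()
            transport = "TCP"
        else:
            m = UDP_LINE.match(line)
            if not m:
                continue
            src, dst, length = m.groups()
            flags, transport = "", "UDP"
        sport, dport = _port(src), _port(dst)
        if dport == server_port:
            client_port, direction = sport, "c2s"
        elif sport == server_port:
            client_port, direction = dport, "s2c"
        else:
            continue  # packet does not involve the server port we are looking at
        flow = flows.setdefault(client_port, {
            "transport": transport, "c2s_pkts": 0, "s2c_pkts": 0,
            "c2s_bytes": 0, "s2c_bytes": 0, "rst": False, "segments": [],
        })
        flow[direction + "_pkts"] += 1
        flow[direction + "_bytes"] += int(length)
        if int(length) > 0:
            flow["segments"].append((direction, int(length)))
        if "R" in flags:
            flow["rst"] = True
    return flows


# Sample input: the first flow of 01_tlcp_one_way.pcap, copied from the listing above.
SAMPLE_01_TLCP_ONE_WAY = """\
reading from file /home/kali/M/captures/01_tlcp_one_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:46:13.250839 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [S], seq 3300490400, win 65495, options [mss 65495,sackOK,TS val 2226550677 ecr 0,nop,wscale 10], length 0
12:46:13.250846 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [S.], seq 46529753, ack 3300490401, win 65483, options [mss 65495,sackOK,TS val 836346331 ecr 2226550677,nop,wscale 10], length 0
12:46:13.250852 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 0
12:46:13.250950 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 78
12:46:13.250953 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [.], ack 79, win 64, options [nop,nop,TS val 836346331 ecr 2226550677], length 0
12:46:13.254965 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1:1902, ack 79, win 64, options [nop,nop,TS val 836346335 ecr 2226550677], length 1901
12:46:13.255076 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1902, win 84, options [nop,nop,TS val 2226550681 ecr 836346335], length 0
12:46:13.256938 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 79:176, ack 1902, win 84, options [nop,nop,TS val 2226550683 ecr 836346335], length 97
12:46:13.257001 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1902:1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 7
12:46:13.257068 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [R.], seq 1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 0
""".splitlines()

# Sample input: the head of 03_dtlcp_one_way.pcap, copied from the listing above.
SAMPLE_03_DTLCP_ONE_WAY = """\
12:51:52.836081 IP 127.0.0.1.4433 > 127.0.0.1.58571: UDP, length 15
12:52:08.763535 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 95
12:52:08.763698 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 112
12:52:08.763725 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 1472
12:52:08.763918 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 421
12:52:08.764688 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 137
12:52:08.764820 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 15
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("01", SAMPLE_01_TLCP_ONE_WAY), ("03", SAMPLE_03_DTLCP_ONE_WAY)):
        for port, flow in summarize_flows(sample).items():
            print(name, port, flow)
```

Comparing the 01 and 02 listings with this helper makes the difference between the two TLCP runs visible in numbers: in the one-way flow the client's second segment is 97 bytes, in the mutual flow it is 1883 bytes, which is where the client certificate chain travels. The 7-byte server segment in the one-way flow is exactly the size of one Alert record (5-byte header plus 2-byte body). Note that a RST closes both the failed and the successful TLCP flows, so "rst" alone does not distinguish success from failure.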
10. Key points to note
10.1 Version selection
The openhitls-0.3.3 tag must be used. The main branch builds differently (pure CMake), and some of the macros used in these tests have been removed or renamed in the latest version (for example HITLS_CRYPTO_PROVIDER_DEFAULT_SM), which leaves the SM algorithms unavailable.
10.2 Build macros
-DHITLS_BUILD_PROFILE=full alone is not enough to enable the TLCP SM provider. HITLS_TLS_PROTO_TLCP11, HITLS_CRYPTO_PROVIDER_DEFAULT_SM and the related macros must be specified explicitly.
10.3 The server always requires a client certificate
In openHiTLS 0.3.3, passing -CAfile + -chainCAfile to the server enables client certificate verification, and this cannot be switched off from the command line. True "one-way authentication" (server does not verify the client) requires modifying the source to call HITLS_CFG_SetClientVerifySupport(config, false).
10.4 Separate terminals
The server (s_server) and the client (s_client) must run in different terminals; tcpdump occupies a third.
10.5 Library path
LD_LIBRARY_PATH must point at the build output directory before hitls is run; otherwise it fails because shared libraries such as libhitls_tls.so cannot be found.
10.6 Certificate format
The bundled test certificates are DER, and the command line defaults to DER, so no -certform/-keyform parameters are needed. DER certificates cannot be concatenated with cat (unlike PEM).
10.7 Common error codes
| Error code | Meaning | Where seen | Cause |
| --- | --- | --- | --- |
| 0x2040017 | Client certificate missing | server | client did not provide the signing + encryption certificate pair |
| 0x20c0029 | Certificate add/load failure | client | handshake aborted, peer requires a certificate |
| 0x20a000c | Unsupported cipher suite | ClientHello | SM algorithms not integrated into the default provider |
| 0x20c001f | Certificate chain verification failed | handshake | -CAfile or -chainCAfile missing |
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, with the aim of improving network security defences, and are of a clearly technical research nature.
Any organisation or individual that uses this content without authorisation for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site accepts no joint liability.
All content on this site is published for technical exchange and knowledge sharing; in the event of copyright infringement or other objections, please get in touch by e-mail via the contact link at the top of the page.
Reposted from 利刃信安: "openHiTLS TLCP/DTLCP 编译与抓包完整操作记录" (openHiTLS TLCP/DTLCP: Complete Build and Packet-Capture Walkthrough)