openHiTLS TLCP/DTLCP Build and Packet Capture: Complete Operation Log

admin 2026-07-02 06:15:28 Network security articles Source: ZONE.CI 全球网

Article summary: This article records in detail the complete process of building openHiTLS version 0.3.3 on Kali Linux with the TLCP/DTLCP (Chinese commercial cryptography, "SM") protocols enabled, including obtaining the source code, building the SecureC security library, setting the key build macros (such as HITLS_TLS_PROTO_TLCP11) through configure.py, and finally producing the executable. The steps are clear, and the artifact is verified to be a 64-bit executable. Overall score: 82 Article categories: Security tools, Application security, Secure development




Original


利刃信安

July 2, 2026, 01:30, Beijing



1. Obtaining the source

1.1 Clone the openHiTLS main repository

cd /home/kali/M
git clone https://gitcode.com/openhitls/openhitls.git

Output:

┌──(kali㉿kali)-[~]
└─$ sudo -i

┌──(root㉿kali)-[~]
└─# cd /home/kali/M

┌──(root㉿kali)-[/home/kali/M]
└─# git clone https://gitcode.com/openhitls/openhitls.git
正克隆到 'openhitls'...
remote: Enumerating objects: 40601, done.
remote: Counting objects: 100% (4625/4625), done.
remote: Compressing objects: 100% (459/459), done.
remote: Total 40601 (delta 4332), reused 4168 (delta 4166), pack-reused 35976 (from 1)
接收对象中: 100% (40601/40601), 57.41 MiB | 11.15 MiB/s, 完成.
处理 delta 中: 100% (26901/26901), 完成.

1.2 Switch to the stable release openhitls-0.3.3

cd /home/kali/M/openhitls
git checkout openhitls-0.3.3

Output:

┌──(root㉿kali)-[/home/kali/M]
└─# cd /home/kali/M/openhitls

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# git checkout openhitls-0.3.3
注意:正在切换到 'openhitls-0.3.3'。

您正处于分离头指针状态。您可以查看、做试验性的修改及提交,并且您可以在切换
回一个分支时,丢弃在此状态下所做的提交而不对分支造成影响。

如果您想要通过创建分支来保留在此状态下所做的提交,您可以通过在 switch 命令
中添加参数 -c 来实现(现在或稍后)。例如:

  git switch -c <新分支名>

或者撤销此操作:

  git switch -

通过将配置变量 advice.detachedHead 设置为 false 来关闭此建议

HEAD 目前位于 dd08164c fix:Fix the issue where the chain is not cleared when only one certificate is loaded in HITLS_CFG_UseCertificateChainBuffer

1.3 Clone the Secure_C safe-function library (not a submodule; it must be cloned manually into the platform/ directory)

cd /home/kali/M/openhitls
git clone https://gitee.com/openeuler/libboundscheck platform/Secure_C

Output:

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# cd /home/kali/M/openhitls

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# git clone https://gitee.com/openeuler/libboundscheck platform/Secure_C
正克隆到 'platform/Secure_C'...
remote: Enumerating objects: 189, done.
remote: Total 189 (delta 0), reused 0 (delta 0), pack-reused 189 (from 1)
接收对象中: 100% (189/189), 113.63 KiB | 1.50 MiB/s, 完成.
处理 delta 中: 100% (113/113), 完成.

2. Build the Secure_C library

cd /home/kali/M/openhitls/platform/Secure_C
make -j$(nproc)

Output (tail):

cc -c src/vwscanf_s.c ... -o obj/vwscanf_s.o
cc -c src/wcscat_s.c ... -o obj/wcscat_s.o
... (省略中间编译日志)
cc -shared -o lib/libboundscheck.so obj/*.o ... -Wl,-z,relro,-z,now,-z,noexecstack -fstack-protector-all
finish libboundscheck.so

Artifact: /home/kali/M/openhitls/platform/Secure_C/lib/libboundscheck.so


3. Configure and build the openHiTLS main program

3.1 Generate the CMake configuration with configure.py

Key point: the TLCP (SM) protocol build macros must be enabled explicitly; HITLS_BUILD_PROFILE=full alone does not enable the SM provider. HITLS_CRYPTO_PROVIDER_DEFAULT_SM integrates SM2/SM3/SM4 into the default provider and is a prerequisite for a usable 0.3.3 build.

cd /home/kali/M/openhitls
mkdir -p build

python3 configure.py \
    --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth \
    --system linux --bits 64 --asm_type x8664 \
    --lib_type shared static \
    --executes hitls \
    --add_options "-DHITLS_TLS_PROTO_TLCP11 -DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 -DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3 -DHITLS_CRYPTO_PROVIDER_DEFAULT_SM -DHITLS_TLS_SUITE_AUTH_SM2" \
    -m --build_dir build

Build macro descriptions:

| Build macro | Purpose |
| --- | --- |
| HITLS_TLS_PROTO_TLCP11 | Enables TLCP 1.1 protocol support |
| HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 | ECDHE_SM4_CBC_SM3 cipher suite |
| HITLS_TLS_SUITE_ECC_SM4_CBC_SM3 | ECC_SM4_CBC_SM3 cipher suite |
| HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 | ECDHE_SM4_GCM_SM3 cipher suite |
| HITLS_TLS_SUITE_ECC_SM4_GCM_SM3 | ECC_SM4_GCM_SM3 cipher suite |
| HITLS_CRYPTO_PROVIDER_DEFAULT_SM | Integrates SM2/SM3/SM4 into the default provider |
| HITLS_TLS_SUITE_AUTH_SM2 | SM2 authentication |

configure.py prints no errors (empty output means success).

3.2 Generate the build files with CMake

cd /home/kali/M/openhitls/build
cmake -DCMAKE_BUILD_TYPE=Debug ..

Output (tail):

┌──(root㉿kali)-[/home/…/M/openhitls/platform/Secure_C]
└─# cd /home/kali/M/openhitls

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# mkdir -p build

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# python3 configure.py \
    --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth \
    --system linux --bits 64 --asm_type x8664 \
    --lib_type shared static \
    --executes hitls \
    --add_options "-DHITLS_TLS_PROTO_TLCP11 -DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 -DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3 -DHITLS_CRYPTO_PROVIDER_DEFAULT_SM -DHITLS_TLS_SUITE_AUTH_SM2" \
    -m --build_dir build

┌──(root㉿kali)-[/home/kali/M/openhitls]
└─# cd /home/kali/M/openhitls/build

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# cmake -DCMAKE_BUILD_TYPE=Debug ..
-- The C compiler identification is GNU 15.3.0
-- The CXX compiler identification is GNU 15.3.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring securec dependency...
--
-- === Configuring libboundscheck (Secure C) ===
-- Searching for sources in: /home/kali/M/openhitls/platform/Secure_C/src
-- Found 39 securec source files
-- System: Linux
-- Compiler: GNU 15.3.0
-- Securec library configured:
--   Source dir:   /home/kali/M/openhitls/platform/Secure_C/src
--   Include dir:  /home/kali/M/openhitls/platform/Secure_C/include
--   Output dir:   /home/kali/M/openhitls/platform/Secure_C/lib
--   Library type: STATIC
--   Library name: libboundscheck.a (Linux/macOS) / boundscheck.lib (Windows)
-- ========================================
--
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/cc
-- Provider library for apps: libhitls.so
-- Configuring done (0.4s)
-- Generating done (0.2s)
-- Build files have been written to: /home/kali/M/openhitls/build

3.3 Build

make -j$(nproc) hitls

Output (tail):

[100%] Built target handshake-objs
[100%] Linking C shared library libhitls_tls.so
[100%] Built target hitls_tls-shared
[100%] Linking C executable hitls
[100%] Built target hitls

3.4 Verify the artifact

ls -la /home/kali/M/openhitls/build/hitls
file /home/kali/M/openhitls/build/hitls

Output:

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# ls -la /home/kali/M/openhitls/build/hitls
-rwxr-xr-x 1 root root 925152  7月 1日 12:29 /home/kali/M/openhitls/build/hitls

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# file /home/kali/M/openhitls/build/hitls
/home/kali/M/openhitls/build/hitls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped

mkdir -p /home/kali/M/captures

LD_LIBRARY_PATH=/home/kali/M/openhitls/build /home/kali/M/openhitls/build/hitls help

Output (head):

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# mkdir -p /home/kali/M/captures

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# LD_LIBRARY_PATH=/home/kali/M/openhitls/build

┌──(root㉿kali)-[/home/kali/M/openhitls/build]
└─# /home/kali/M/openhitls/build/hitls help
function: HiTLS supports the following commands:
help         rand         enc          pkcs12
rsa          x509         list         dgst
crl          genrsa       verify       pkey
genpkey      req          mac          kdf
prime        s_client     s_server     pkeyutl

4. Create the test scripts

Test certificate paths (all in DER format, bundled with the openHiTLS source):

/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid/
├── ca.crt          # root CA certificate
├── ca.key          # root CA private key
├── inter.crt       # intermediate CA certificate
├── inter.key       # intermediate CA private key
├── sign.crt        # SM2 signing certificate
├── sign.key        # SM2 signing private key
├── enc.crt         # SM2 encryption certificate
└── enc.key         # SM2 encryption private key

4.1 Server script: server_tlcp.sh (TLCP server)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
    -tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
    -provider default -state

Parameter descriptions:

• -tlcp: force the TLCP 1.1 protocol (GB/T 38636-2020)
• -accept 127.0.0.1:4433: listening address and port
• -CAfile: root CA certificate (used to verify the client certificate chain)
• -chainCAfile: intermediate CA certificate
• -tlcp_sign_cert / -tlcp_sign_key: signing certificate and private key (SM2 signing key pair)
• -tlcp_enc_cert / -tlcp_enc_key: encryption certificate and private key (SM2 encryption key pair)
• -provider default: use the default cryptographic provider
• -state: print detailed handshake state information

4.2 Server script: server_dtlcp.sh (DTLCP server)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
    -tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
    -provider default -state

4.3 Client script: client_tlcp_bidir.sh (TLCP mutual authentication, client presents its certificates)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "tlcp_bidir_test" | /home/kali/M/openhitls/build/hitls s_client -tlcp \
    -host 127.0.0.1 -port 4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
    -tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
    -provider default -state

4.4 Client script: client_tlcp_unidir.sh (TLCP one-way, no client certificate)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "tlcp_unidir_test" | /home/kali/M/openhitls/build/hitls s_client -tlcp \
    -host 127.0.0.1 -port 4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -provider default -state

4.5 Client script: client_dtlcp_bidir.sh (DTLCP mutual authentication)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "dtlcp_bidir_test" | /home/kali/M/openhitls/build/hitls s_client -dtlcp \
    -host 127.0.0.1 -port 4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -tlcp_sign_cert $C/sign.crt -tlcp_sign_key $C/sign.key \
    -tlcp_enc_cert $C/enc.crt -tlcp_enc_key $C/enc.key \
    -provider default -state

4.6 Client script: client_dtlcp_unidir.sh (DTLCP one-way)

#!/bin/bash
export LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo "dtlcp_unidir_test" | /home/kali/M/openhitls/build/hitls s_client -dtlcp \
    -host 127.0.0.1 -port 4433 \
    -CAfile $C/ca.crt -chainCAfile $C/inter.crt \
    -provider default -state

5. Test 1: TLCP mutual authentication

Method: both the server (terminal 3) and the client (terminal 4) carry the SM2 signing + encryption certificate pair. Terminal 5 captures the traffic on the lo interface with tcpdump.

5.1 Start the capture (terminal 5)

sudo tcpdump -i lo -w /home/kali/M/captures/02_tlcp_two_way.pcap port 4433

Output:

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/02_tlcp_two_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

5.2 Start the server (terminal 3)

bash /home/kali/M/server_tlcp.sh

Output:

┌──(kali㉿kali)-[~]
└─$ sudo -i

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_tlcp.sh
Listening on 127.0.0.1:4433 (TCP)
Server started, waiting for connections...
Accepted connection from 127.0.0.1:55718
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 1 completed
Accepted connection from 127.0.0.1:59498
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 2 completed
Accepted connection from 127.0.0.1:59504
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 15 bytes from client:
tlcp_bidir_test
Sent 51 bytes response to client
Connection 3 completed

5.3 Start the client (terminal 4)

bash /home/kali/M/client_tlcp_bidir.sh

Output:

┌──(kali㉿kali)-[~]
└─$ sudo -i

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12

Hello World!
Client completed successfully

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12

Hello World!
Client completed successfully

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12

Hello World!
Client completed successfully

Result: the handshake succeeded and an SM4-encrypted tunnel was established over TLCP v1.1; the client sent the string "tlcp_bidir_test" to the server and received the server's "Hello World!" response.

5.4 Stop the server and the capture

sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump

5.5 Capture file

02_tlcp_two_way.pcap   16,333 bytes

6. Test 2: TLCP one-way authentication

Method: the server (terminal 3) carries the certificate pair and is configured with the CA chain (which requires a client certificate by default). The client (terminal 4) carries only -CAfile/-chainCAfile to verify the server and presents no certificate of its own.

6.1 Start the capture (terminal 5)

sudo tcpdump -i lo -w /home/kali/M/captures/01_tlcp_one_way.pcap port 4433

Output:

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/01_tlcp_one_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

6.2 Start the server (terminal 3)

bash /home/kali/M/server_tlcp.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_tlcp.sh
Listening on 127.0.0.1:4433 (TCP)
Server started, waiting for connections...
Accepted connection from 127.0.0.1:45362
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 1 completed
Accepted connection from 127.0.0.1:37132
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 2 completed
Accepted connection from 127.0.0.1:37134
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 3 completed

6.3 Start the client (terminal 4, no client certificate)

bash /home/kali/M/client_tlcp_unidir.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_tlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

Result: the handshake failed with error code 0x20c0029 (certificate add/load failure). The server asked the client for a certificate in the CertificateRequest phase, but the client had no signing + encryption certificate pair configured, so the handshake was aborted.

6.4 Stop the server and the capture

sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump

6.5 Capture file

01_tlcp_one_way.pcap   8,780 bytes

Note: although the handshake failed, the capture retains the complete exchange ClientHello → ServerHello → Certificate → ServerKeyExchange → CertificateRequest → ServerHelloDone, followed by the Alert sent after the client returned an empty Certificate. It can be used to analyse the protocol messages of the TLCP one-way authentication scenario.


7. Test 3: DTLCP mutual authentication

Method: both server and client carry the certificate pair and use the DTLCP protocol (carried over UDP). The parameters are identical to the TLCP case; only -tlcp is replaced by -dtlcp.

7.1 Start the capture (terminal 5)

sudo tcpdump -i lo -w /home/kali/M/captures/04_dtlcp_two_way.pcap port 4433

Output:

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/04_dtlcp_two_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

7.2 Start the server (terminal 3)

bash /home/kali/M/server_dtlcp.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_dtlcp.sh
Listening on 127.0.0.1:4433 (UDP)
Server started, waiting for connections...
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Received 16 bytes from client:
dtlcp_bidir_test
Sent 51 bytes response to client
Connection 1 completed
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Failed to read client data: 0x20a000b
Connection 2 completed
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Failed to read client data: 0x20a000b
Connection 3 completed
Starting TLS handshake with client...

7.3 Start the client (terminal 4)

bash /home/kali/M/client_dtlcp_bidir.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Response: HTTP/1.1 200 OK
Content-Length: 12

Hello World!
Client completed successfully

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Client completed successfully

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_bidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Cipher suite negotiated
Handshake state: connected
Interactive mode - type messages (Ctrl+C to exit):
Client completed successfully

Result: the handshake succeeded. The protocol version is reported as "TLCP v1.1" (DTLCP is the adaptation of TLCP to UDP and keeps the TLCP v1.1 version identifier).

7.4 Stop the server and the capture

sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump

7.5 Capture file

04_dtlcp_two_way.pcap   15,228 bytes

8. Test 4: DTLCP one-way authentication

Method: the server carries the certificate pair; the client presents no certificate of its own.

8.1 Start the capture (terminal 5)

sudo tcpdump -i lo -w /home/kali/M/captures/03_dtlcp_one_way.pcap port 4433

Output:

┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -i lo -w /home/kali/M/captures/03_dtlcp_one_way.pcap port 4433
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

8.2 Start the server (terminal 3)

bash /home/kali/M/server_dtlcp.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/server_dtlcp.sh
Listening on 127.0.0.1:4433 (UDP)
Server started, waiting for connections...
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 1 completed
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 2 completed
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 3 completed
Starting TLS handshake with client...

8.3 Start the client (terminal 4, no client certificate)

bash /home/kali/M/client_dtlcp_unidir.sh

Output:

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

┌──(root㉿kali)-[~]
└─# bash /home/kali/M/client_dtlcp_unidir.sh
Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

Result: the handshake failed with error code 0x20c0029, consistent with the server requiring a client certificate.

8.4 Stop the server and the capture

sudo pkill -f "hitls s_server"
sleep 1
sudo pkill tcpdump

8.5 Capture file

03_dtlcp_one_way.pcap   7,899 bytes
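Sections 5 to 8 repeat the same procedure four times (TLCP/DTLCP × mutual/one-way, three client runs each, with tcpdump on a third terminal). The following Python driver is an added example, not part of the original post: it builds the same hitls s_server / s_client command lines as the scripts in section 4 from one scenario table, runs a scenario end to end, and turns the server's console output into a per-connection verdict so each run can be checked automatically rather than by eye. Paths and hitls option names are the ones used in the post; run_scenario() assumes the built binary, the test certificates and tcpdump are present, while summarize_server_log() works on plain text and is exercised below on lines taken from the server output in sections 5.2 and 6.2.

```python
import os
import re
import subprocess
import time
from pathlib import Path

# Paths exactly as used in the scripts of section 4.
BUILD = Path("/home/kali/M/openhitls/build")
HITLS = BUILD / "hitls"
CERTS = Path("/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid")
CAPTURES = Path("/home/kali/M/captures")

# scenario -> (protocol flag, client presents its own certificate pair, pcap name)
SCENARIOS = {
    "tlcp_two_way": ("-tlcp", True, "02_tlcp_two_way.pcap"),
    "tlcp_one_way": ("-tlcp", False, "01_tlcp_one_way.pcap"),
    "dtlcp_two_way": ("-dtlcp", True, "04_dtlcp_two_way.pcap"),
    "dtlcp_one_way": ("-dtlcp", False, "03_dtlcp_one_way.pcap"),
}


def ca_args():
    return ["-CAfile", str(CERTS / "ca.crt"), "-chainCAfile", str(CERTS / "inter.crt")]


def dual_cert_args():
    """SM2 signing and encryption certificate/key pairs required by TLCP."""
    return ["-tlcp_sign_cert", str(CERTS / "sign.crt"), "-tlcp_sign_key", str(CERTS / "sign.key"),
            "-tlcp_enc_cert", str(CERTS / "enc.crt"), "-tlcp_enc_key", str(CERTS / "enc.key")]


def server_cmd(proto):
    return [str(HITLS), "s_server", proto, "-accept", "127.0.0.1:4433",
            *ca_args(), *dual_cert_args(), "-provider", "default", "-state"]


def client_cmd(proto, with_certs):
    cmd = [str(HITLS), "s_client", proto, "-host", "127.0.0.1", "-port", "4433", *ca_args()]
    if with_certs:
        cmd += dual_cert_args()
    return cmd + ["-provider", "default", "-state"]


HS_OK = "TLS handshake completed successfully"
HS_FAIL = re.compile(r"TLS handshake failed: (0x[0-9a-fA-F]+)")
CONN_DONE = re.compile(r"^Connection (\d+) completed$")


def summarize_server_log(text):
    """Turn s_server console output into [(connection_no, 'ok' or error code)]."""
    results, status = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == HS_OK:
            status = "ok"
        elif HS_FAIL.search(line):
            status = HS_FAIL.search(line).group(1)
        elif CONN_DONE.match(line):
            results.append((int(CONN_DONE.match(line).group(1)), status))
            status = None
    return results


def run_scenario(name, repeats=3):
    """Start tcpdump and the server, run the client `repeats` times, then tear
    down in the post's order (server first, then tcpdump). Needs the built hitls."""
    proto, with_certs, pcap = SCENARIOS[name]
    env = {**os.environ, "LD_LIBRARY_PATH": str(BUILD)}
    CAPTURES.mkdir(parents=True, exist_ok=True)
    cap = subprocess.Popen(["tcpdump", "-i", "lo", "-w", str(CAPTURES / pcap), "port", "4433"])
    srv = subprocess.Popen(server_cmd(proto), env=env, stdout=subprocess.PIPE, text=True)
    time.sleep(1)  # let the listener come up before the first client connects
    try:
        for _ in range(repeats):
            subprocess.run(client_cmd(proto, with_certs), env=env, input=name + "_test\n",
                           text=True, capture_output=True, timeout=30)
    finally:
        srv.terminate()
        out, _ = srv.communicate(timeout=10)
        time.sleep(1)
        cap.terminate()
    return summarize_server_log(out)


# Constructed from the server output shown in sections 6.2 and 5.2 of the post.
SAMPLE_SERVER_LOG = """\
Listening on 127.0.0.1:4433 (TCP)
Server started, waiting for connections...
Accepted connection from 127.0.0.1:45362
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection
Connection 1 completed
Accepted connection from 127.0.0.1:55718
Starting TLS handshake with client...
TLS handshake completed successfully
Protocol version: TLCP v1.1
Received 15 bytes from client:
Connection 2 completed
"""

if __name__ == "__main__":
    print(summarize_server_log(SAMPLE_SERVER_LOG))  # [(1, '0x2040017'), (2, 'ok')]
```

On a machine with the build from section 3, `run_scenario("tlcp_one_way")` should return three entries carrying 0x2040017 and `run_scenario("tlcp_two_way")` three "ok" entries, matching sections 6 and 5; the four pcap names are the ones listed in section 9.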

9. Deliverables: overview of the 4 capture files

ls -la /home/kali/M/captures/

Output:

┌──(root㉿kali)-[~]
└─# ls -la /home/kali/M/captures/
总计 60
drwxr-xr-x 2 root    root     4096  7月 1日 12:51 .
drwxrwxrwx 4 root    root     4096  7月 1日 12:39 ..
-rw-r--r-- 1 tcpdump tcpdump  8780  7月 1日 12:46 01_tlcp_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 16333  7月 1日 12:41 02_tlcp_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump  7899  7月 1日 12:53 03_dtlcp_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 15228  7月 1日 12:49 04_dtlcp_two_way.pcap

9.1 Verify the pcap contents

for f in /home/kali/M/captures/*.pcap; do
    echo "=== $(basename "$f") ==="
    tcpdump -r "$f" -nn | head -15
    echo ""
done

Output:

01_tlcp_one_way.pcap (TLCP one-way, TCP, handshake failed)

┌──(root㉿kali)-[~]
└─# for f in /home/kali/M/captures/*.pcap; do
    echo "=== $(basename $f) ==="
    tcpdump -r "$f" -nn | head -15
    echo ""
done

=== 01_tlcp_one_way.pcap ===
reading from file /home/kali/M/captures/01_tlcp_one_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:46:13.250839 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [S], seq 3300490400, win 65495, options [mss 65495,sackOK,TS val 2226550677 ecr 0,nop,wscale 10], length 0
12:46:13.250846 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [S.], seq 46529753, ack 3300490401, win 65483, options [mss 65495,sackOK,TS val 836346331 ecr 2226550677,nop,wscale 10], length 0
12:46:13.250852 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 0
12:46:13.250950 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 2226550677 ecr 836346331], length 78
12:46:13.250953 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [.], ack 79, win 64, options [nop,nop,TS val 836346331 ecr 2226550677], length 0
12:46:13.254965 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1:1902, ack 79, win 64, options [nop,nop,TS val 836346335 ecr 2226550677], length 1901
12:46:13.255076 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [.], ack 1902, win 84, options [nop,nop,TS val 2226550681 ecr 836346335], length 0
12:46:13.256938 IP 127.0.0.1.45362 > 127.0.0.1.4433: Flags [P.], seq 79:176, ack 1902, win 84, options [nop,nop,TS val 2226550683 ecr 836346335], length 97
12:46:13.257001 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [P.], seq 1902:1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 7
12:46:13.257068 IP 127.0.0.1.4433 > 127.0.0.1.45362: Flags [R.], seq 1909, ack 176, win 64, options [nop,nop,TS val 836346337 ecr 2226550683], length 0
12:46:22.214506 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [S], seq 1833535807, win 65495, options [mss 65495,sackOK,TS val 928550738 ecr 0,nop,wscale 10], length 0
12:46:22.214516 IP 127.0.0.1.4433 > 127.0.0.1.37132: Flags [S.], seq 1949242838, ack 1833535808, win 65483, options [mss 65495,sackOK,TS val 1780669965 ecr 928550738,nop,wscale 10], length 0
12:46:22.214524 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 928550738 ecr 1780669965], length 0
12:46:22.214786 IP 127.0.0.1.37132 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 928550738 ecr 1780669965], length 78
12:46:22.214789 IP 127.0.0.1.4433 > 127.0.0.1.37132: Flags [.], ack 79, win 64, options [nop,nop,TS val 1780669965 ecr 928550738], length 0

02_tlcp_two_way.pcap (TLCP mutual, handshake succeeded + application data)

=== 02_tlcp_two_way.pcap ===
reading from file /home/kali/M/captures/02_tlcp_two_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:41:09.946808 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [S], seq 1470452005, win 65495, options [mss 65495,sackOK,TS val 4209665706 ecr 0,nop,wscale 10], length 0
12:41:09.946924 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [S.], seq 2194274755, ack 1470452006, win 65483, options [mss 65495,sackOK,TS val 4153713132 ecr 4209665706,nop,wscale 10], length 0
12:41:09.946932 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [.], ack 1, win 64, options [nop,nop,TS val 4209665706 ecr 4153713132], length 0
12:41:09.947089 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 1:79, ack 1, win 64, options [nop,nop,TS val 4209665706 ecr 4153713132], length 78
12:41:09.947093 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [.], ack 79, win 64, options [nop,nop,TS val 4153713132 ecr 4209665706], length 0
12:41:09.954698 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1:1902, ack 79, win 64, options [nop,nop,TS val 4153713140 ecr 4209665706], length 1901
12:41:09.954770 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [.], ack 1902, win 84, options [nop,nop,TS val 4209665714 ecr 4153713140], length 0
12:41:09.955768 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 79:1962, ack 1902, win 84, options [nop,nop,TS val 4209665715 ecr 4153713140], length 1883
12:41:09.956782 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1902:1993, ack 1962, win 83, options [nop,nop,TS val 4153713142 ecr 4209665715], length 91
12:41:09.957213 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 1962:2031, ack 1993, win 84, options [nop,nop,TS val 4209665716 ecr 4153713142], length 69
12:41:09.957481 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 1993:2110, ack 2031, win 83, options [nop,nop,TS val 4153713143 ecr 4209665716], length 117
12:41:09.957532 IP 127.0.0.1.55718 > 127.0.0.1.4433: Flags [P.], seq 2031:2100, ack 2110, win 84, options [nop,nop,TS val 4209665717 ecr 4153713143], length 69
12:41:09.957543 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [P.], seq 2110:2179, ack 2100, win 83, options [nop,nop,TS val 4153713143 ecr 4209665717], length 69
12:41:09.957564 IP 127.0.0.1.4433 > 127.0.0.1.55718: Flags [R.], seq 2179, ack 2100, win 83, options [nop,nop,TS val 4153713143 ecr 4209665717], length 0
12:41:25.843699 IP 127.0.0.1.59498 > 127.0.0.1.4433: Flags [S], seq 1434616062, win 65495, options [mss 65495,sackOK,TS val 7932366 ecr 0,nop,wscale 10], length 0

03_dtlcp_one_way.pcap (DTLCP one-way, UDP, handshake failed)

=== 03_dtlcp_one_way.pcap ===
reading from file /home/kali/M/captures/03_dtlcp_one_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:51:52.836081 IP 127.0.0.1.4433 > 127.0.0.1.58571: UDP, length 15
12:52:08.763535 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 95
12:52:08.763698 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 112
12:52:08.763725 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 1472
12:52:08.763918 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 421
12:52:08.764688 IP 127.0.0.1.58962 > 127.0.0.1.4433: UDP, length 137
12:52:08.764820 IP 127.0.0.1.4433 > 127.0.0.1.58962: UDP, length 15
12:52:12.397219 IP 127.0.0.1.47187 > 127.0.0.1.4433: UDP, length 95
12:52:12.397466 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 112
12:52:12.397509 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 1472
12:52:12.397604 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 422
12:52:12.398220 IP 127.0.0.1.47187 > 127.0.0.1.4433: UDP, length 137
12:52:12.398408 IP 127.0.0.1.4433 > 127.0.0.1.47187: UDP, length 15
12:52:15.408682 IP 127.0.0.1.35086 > 127.0.0.1.4433: UDP, length 95
12:52:15.408843 IP 127.0.0.1.4433 > 127.0.0.1.35086: UDP, length 112

04_dtlcp_two_way.pcap (DTLCP mutual, handshake succeeded + application data)

=== 04_dtlcp_two_way.pcap ===
reading from file /home/kali/M/captures/04_dtlcp_two_way.pcap, link-type EN10MB (Ethernet), snapshot length 262144
12:48:41.910301 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 95
12:48:41.910665 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 112
12:48:41.910699 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 1472
12:48:41.910793 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 423
12:48:41.912517 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 1472
12:48:41.912765 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 500
12:48:41.913707 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 107
12:48:41.913929 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 93
12:48:41.913983 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 125
12:48:41.914011 IP 127.0.0.1.4433 > 127.0.0.1.51938: UDP, length 77
12:48:41.914027 IP 127.0.0.1.51938 > 127.0.0.1.4433: UDP, length 77
12:48:45.489428 IP 127.0.0.1.34398 > 127.0.0.1.4433: UDP, length 95
12:48:45.489874 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 112
12:48:45.489897 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 1472
12:48:45.489989 IP 127.0.0.1.4433 > 127.0.0.1.34398: UDP, length 422

9.2 Summary

| File | Protocol | Authentication | Size | Status | Message characteristics |
| --- | --- | --- | --- | --- | --- |
| 01_tlcp_one_way.pcap | TLCP (TCP) | one-way | 8,780 B | failed | ClientHello → CertificateRequest → empty Certificate → Alert → RST |
| 02_tlcp_two_way.pcap | TLCP (TCP) | mutual | 16,333 B | succeeded | full handshake ×3 + ApplicationData ×12 |
| 03_dtlcp_one_way.pcap | DTLCP (UDP) | one-way | 7,899 B | failed | 18 UDP packets, fragmented Certificate, empty Certificate |
| 04_dtlcp_two_way.pcap | DTLCP (UDP) | mutual | 15,228 B | succeeded | 33 UDP packets, full handshake + ApplicationData ×12 |
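The tcpdump summaries in 9.1 show only TCP flags and segment lengths, so the handshake sequence in the summary table (ClientHello → CertificateRequest → empty Certificate → Alert) is inferred from sizes. The following dependency-free Python reader is an added example, not code from the post or from openHiTLS: it pulls the TLS/TLCP record stream out of a pcap written by `tcpdump -i lo -w ...`, splits it into records and plaintext handshake messages, and lists them in order with the record-layer version, so that claim can be checked directly from 01_tlcp_one_way.pcap (TLCP 1.1 carries version bytes 0x0101 in its record headers). It assumes the Ethernet/IPv4/TCP framing tcpdump produces on lo and that no record spans two TCP segments, handles only the TCP (TLCP) captures, not the UDP DTLCP ones, and, since the post's pcap files cannot be embedded here, builds a constructed sample with the same message shape whose bodies and alert code are placeholders.

```python
import struct
import sys

# Record content types and plaintext handshake message types (TLCP reuses TLS numbering).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
                   20: "Finished"}
TLCP11_VERSION = 0x0101  # version field {1, 1} in TLCP 1.1 record headers


def tcp_payloads(pcap_bytes):
    """Yield (src_port, dst_port, payload) for each IPv4/TCP segment carrying data.
    Handles the Ethernet framing tcpdump writes for `-i lo` (link-type EN10MB);
    UDP (DTLCP) packets are skipped."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # pcap global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack(">H", ip[2:4])[0]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack(">HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield sport, dport, payload


def handshake_messages(body):
    """Split a plaintext Handshake record body into (msg_type, msg_body) pairs."""
    j = 0
    while j + 4 <= len(body):
        hlen = int.from_bytes(body[j + 1:j + 4], "big")
        yield body[j], body[j + 4:j + 4 + hlen]
        j += 4 + hlen


def describe(pcap_bytes, server_port=4433):
    """One line per record or handshake message, in capture order. Assumes a
    record never spans two TCP segments (true for these small loopback captures);
    after ChangeCipherSpec a direction is encrypted and is reported by type only."""
    lines, encrypted = [], {"C->S": False, "S->C": False}
    for sport, dport, payload in tcp_payloads(pcap_bytes):
        d = "C->S" if dport == server_port else "S->C"
        i = 0
        while i + 5 <= len(payload):
            ctype, version, length = struct.unpack(">BHH", payload[i:i + 5])
            body = payload[i + 5:i + 5 + length]
            i += 5 + length
            tag = "%s v%04x " % (d, version)
            if ctype == 22 and not encrypted[d]:
                lines += [tag + HANDSHAKE_TYPES.get(t, "Handshake(%d)" % t)
                          for t, _ in handshake_messages(body)]
            elif ctype == 21 and not encrypted[d] and len(body) >= 2:
                lines.append(tag + "Alert(level=%d, description=%d)" % (body[0], body[1]))
            else:
                lines.append(tag + CONTENT_TYPES.get(ctype, "Unknown(%d)" % ctype))
                encrypted[d] = encrypted[d] or ctype == 20
    return lines


# --- Constructed sample (not a capture from the post) -------------------------
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _rec(ctype, body):
    return struct.pack(">BHH", ctype, TLCP11_VERSION, len(body)) + body


def _frame(sport, dport, payload):
    """Ethernet + IPv4 + TCP headers around payload; checksums left at zero."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 64, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_one_way_failure_pcap():
    """Synthetic flow with the shape of 01_tlcp_one_way.pcap: the server's five
    messages coalesced in one record, the client's empty Certificate, then a
    fatal alert (description 40 = handshake_failure). Bodies are placeholders."""
    flow = [(45362, 4433, _rec(22, _hs(1, b"\x01\x01" + b"\x00" * 32 + b"\x00\x00\x02\x00\x00\x01\x00"))),
            (4433, 45362, _rec(22, b"".join(_hs(t, b"\x00" * 8) for t in (2, 11, 12, 13, 14)))),
            (45362, 4433, _rec(22, _hs(11, b"\x00\x00\x00"))),  # certificate_list length 0
            (4433, 45362, _rec(21, bytes([2, 40])))]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    frames = [_frame(*f) for f in flow]
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_one_way_failure_pcap()
    print("\n".join(describe(data)))
```

Run it as `python3 tlcp_records.py /home/kali/M/captures/01_tlcp_one_way.pcap` to list the real capture; without an argument it prints the constructed sample. On the real one-way file the line after the client's `C->S v0101 Certificate` should be the server's Alert, and on 02_tlcp_two_way.pcap the ChangeCipherSpec records should be followed by `Handshake` (the encrypted Finished) and then `ApplicationData` lines.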


10. Key notes

10.1 Version selection

The openhitls-0.3.3 tag must be used. The main branch is built differently (pure CMake), and some of the macros used in these tests have been removed or renamed in the latest version (such as HITLS_CRYPTO_PROVIDER_DEFAULT_SM), which leaves the SM algorithms unavailable.

10.2 Build macros

-DHITLS_BUILD_PROFILE=full alone is not enough to enable the TLCP SM provider. Macros such as HITLS_TLS_PROTO_TLCP11 and HITLS_CRYPTO_PROVIDER_DEFAULT_SM must be specified explicitly.

10.3 The server requires a client certificate

In openHiTLS 0.3.3 the server enables client certificate verification as soon as -CAfile + -chainCAfile are given, and this cannot be turned off from the command line. To get true one-way authentication (the server does not verify the client certificate), the source must be modified to call HITLS_CFG_SetClientVerifySupport(config, false).

10.4 Separate terminals

The server (s_server) and the client (s_client) must run in different terminals. tcpdump takes a third, separate terminal.

10.5 Library path

LD_LIBRARY_PATH must point to the build output directory before running hitls; otherwise it fails with errors such as libhitls_tls.so not found.

10.6 Certificate format

The bundled test certificates are in DER format, which is also the command-line default, so no -certform/-keyform parameters are needed. DER certificates cannot be concatenated with cat (unlike PEM).

10.7 Common error codes

| Error code | Meaning | Where seen | Cause |
| --- | --- | --- | --- |
| 0x2040017 | Missing client certificate | server | The client did not present the signing + encryption certificate pair |
| 0x20c0029 | Certificate add/load failure | client | Handshake aborted; the peer required a certificate |
| 0x20a000c | Unsupported cipher suite | ClientHello | SM algorithms not integrated into the default provider |
| 0x20c001f | Certificate chain verification failed | handshake | Missing -CAfile or -chainCAfile |


Disclaimer:

The programs and technical methods in this article are intended only for lawful and compliant security research and teaching, with the aim of improving network security defences, and are of a clearly technical research nature.

Any organisation or individual that uses the content of this article without authorisation for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site accepts no joint liability.

All content on this site is published for technical exchange and knowledge sharing. If there is a copyright infringement or other objection, please contact us by e-mail; the contact details are under "Contact me" at the top of the page.

Reposted from: 利刃信安, 《openHiTLS TLCP/DTLCP 编译与抓包完整操作记录》
