openHiTLSTLCP/DTLCP完整操作记录

admin 2026-07-03 05:35:00 网络安全文章 来源:ZONE.CI 全球网 0 阅读模式

文章总结: 本文记录在Kali环境下编译测试openHiTLS实现TLCP协议的完整过程,涵盖环境预检、源码结构分析与编译配置。核心发现是TLCP模式下ECDHE强制发送CertificateRequest,noverify参数无法绕过,与常规TLS行为存在关键差异。文档详解了SM2双证书体系用途及格式,对国密TLS安全研究具有较高参考价值。 综合评分: 87 文章分类: 代码审计,WEB安全,漏洞分析


cover_image

openHiTLS TLCP/DTLCP 完整操作记录

原创

利刃信安 利刃信安

利刃信安

2026年7月2日 20:30 北京

在小说阅读器读本章

去阅读

openHiTLS TLCP/DTLCP 完整操作记录


一、环境信息

1.1 操作系统

$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION_ID="2026.2"
VERSION_CODENAME=kali-rolling
ID=kali
ID_LIKE=debian

$ uname -a
Linux kali 7.0.12+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 7.0.12-2kali1 (2026-06-18) x86_64 GNU/Linux

1.2 工作目录初始化

所有操作在 /home/kali/M 下进行。

$ pwd
/home/kali/M

$ mkdir -p captures
$ ls -d captures
captures

1.3 工具链版本 —— 完整逐条预检实录

以下为每个工具的完整检测命令与输出。本环境所有工具已预装。

1.3.1 GCC 编译器

$ which gcc
/usr/bin/gcc

$ gcc --version
gcc (Debian 15.3.0-1) 15.3.0
Copyright (C) 2025 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gcc -dumpmachine
x86_64-linux-gnu

编译器架构 x86_64-linux-gnu,后续 configure.py --bits 64 --asm_type x8664 与此对应。

1.3.2 CMake 构建系统

$ which cmake
/usr/bin/cmake

$ cmake --version
cmake version 4.3.4

CMake suite maintained and supported by Kitware (kitware.com/cmake).

1.3.3 Python 3

$ which python3
/usr/bin/python3

$ python3 --version
Python 3.13.14

configure.py 使用 python3 解释器,Python 3.6+ 即可。

1.3.4 Git

$ which git
/usr/bin/git

$ git --version
git version 2.53.0

1.3.5 GNU Make

$ which make
/usr/bin/make

$ make --version
GNU Make 4.4.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>

1.3.6 tcpdump

$&nbsp;which&nbsp;tcpdump
/usr/bin/tcpdump

$ tcpdump --version
tcpdump version 4.99.6
libpcap version 1.10.6 (with TPACKET_V3)

1.3.7 补充安装(本环境无需执行)

如果上述任一工具缺失,执行:

sudo&nbsp;apt-get update &&&nbsp;sudo&nbsp;apt-get install -y cmake gcc make python3 git tcpdump

预期输出:

Hit:1 http://kali.download/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
cmake is already the newest version (4.3.4-1).
gcc is already the newest version (4:15.3.0-1).
make is already the newest version (4.4.1-1).
python3 is already the newest version (3.13.14-1).
git is already the newest version (1:2.53.0-1).
tcpdump is already the newest version (4.99.6-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

1.4 终端规划

| 终端 | 用途 | 运行方式 | | — | — | — | | 终端1 | 服务端 s_server | 前台阻塞,监听连接 | | 终端2 | 客户端 s_client | 连接后发送测试数据,打印结果后退出 | | 终端3 | tcpdump 抓包 | 前台阻塞,测试完成后 Ctrl+C 终止 |

每个新终端必须先执行:

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build:$LD_LIBRARY_PATH

二、获取源码

2.1 克隆仓库

cd&nbsp;/home/kali/M
git&nbsp;clone&nbsp;-b openhitls-0.3 https://gitcode.com/openHiTLS/openhitls

实录输出:

Cloning into 'openhitls'...
remote: Enumerating objects: 58023, done.
remote: Counting objects: 100% (58023/58023), done.
remote: Compressing objects: 100% (5822/5822), done.
remote: Total 58023 (delta 52328), reused 58023 (delta 52328), pack-reused 0
Receiving objects: 100% (58023/58023), 162.78 MiB | 27.36 MiB/s, done.
Resolving deltas: 100% (52328/52328), done.
Note: switching to '2f54028cb4559b3c701356068782fe360838a5ca'.

You are in 'detached HEAD' state.

2.2 确认分支与 HEAD

cd&nbsp;/home/kali/M/openhitls
git checkout openhitls-0.3
Already on 'openhitls-0.3'
Your branch is up to date with 'origin/openhitls-0.3'.
$ git&nbsp;log&nbsp;--oneline -5
ab0d11e1 fix:The&nbsp;command&nbsp;line parameter&nbsp;"noverify"&nbsp;has been added to app_server.c
0b41641b fix: harden file permissions&nbsp;for&nbsp;sensitive data and add input validation
33d9b653 Fix the issue&nbsp;where&nbsp;the failure branch of ReferencesInit does not reinitialize references
30d5f86a fix: the certificate callback issue&nbsp;in&nbsp;server scenarios
5a2c49cd Merge branch&nbsp;'openhitls-0.3.2'&nbsp;into&nbsp;'openhitls-0.3'

$ git branch -vv
* openhitls-0.3 ab0d11e1 [origin/openhitls-0.3] fix:The&nbsp;command&nbsp;line parameter&nbsp;"noverify"&nbsp;has been added to app_server.c

$ git describe --tags --always
ab0d11e1

2.3 源码关键目录结构

/home/kali/M/openhitls/
├── apps/src/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # 命令行工具源码 (4 个 .c 文件)
│ &nbsp; ├── app_server.c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 服务端主程序
│ &nbsp; │ &nbsp; L119-159: &nbsp;g_serverOptions[] 参数定义表(-noverify at L133)
│ &nbsp; │ &nbsp; L241-243: &nbsp;HandleServerNoVerify() 设置 verifyClient=false
│ &nbsp; │ &nbsp; L299-319: &nbsp;g_serverOptHandleFuncMap[] 参数→处理函数映射
│ &nbsp; ├── app_client.c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 客户端主程序
│ &nbsp; ├── app_tls_common.c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 公共配置模块
│ &nbsp; │ &nbsp; L408-498: &nbsp;ConfCertVerification() 证书验证配置
│ &nbsp; │ &nbsp; L470: &nbsp; &nbsp; &nbsp;SetVerifyNoneSupport() 无验证模式开关
│ &nbsp; │ &nbsp; L475: &nbsp; &nbsp; &nbsp;SetClientVerifySupport() 客户端证书需求开关
│ &nbsp; │ &nbsp; L480-486: &nbsp;条件禁止空证书 (if verifyPeer)
│ &nbsp; └── hitls.c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # 命令行入口 (main函数)
├── include/tls/hitls_error.h &nbsp; &nbsp; &nbsp; &nbsp; # 完整错误码枚举
│ &nbsp; L165: &nbsp;HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE &nbsp;(0x2040017)
│ &nbsp; L340: &nbsp;HITLS_CERT_ERR_ENCODE &nbsp;(0x20c0029)
├── tls/
│ &nbsp; ├── handshake/send/src/send_server_key_exchange.c
│ &nbsp; │ &nbsp; L291-301: &nbsp;#ifdef&nbsp;HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
│ &nbsp; │ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 常规 TLS CertificateRequest 判断(-noverify 可绕过)
│ &nbsp; │ &nbsp; L305-310: &nbsp;#ifdef&nbsp;HITLS_TLS_PROTO_TLCP11
│ &nbsp; │ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TLCP ECDHE 强制 CertificateRequest(-noverify 无法绕过)
│ &nbsp; │ &nbsp; L311: &nbsp; &nbsp; &nbsp;默认路径 → ServerHelloDone
│ &nbsp; ├── handshake/parse/src/parse_server_key_exchange.c
│ &nbsp; │ &nbsp; L494-498: &nbsp;SAL_CERT_ClntGmEncodeEncCert() 调用 + 失败 → 0x20c0029
│ &nbsp; ├── handshake/recv/src/recv_certificate.c
│ &nbsp; │ &nbsp; L340-354: &nbsp;空证书处理 → 0x2040017
│ &nbsp; └── cert/cert_adapt/cert.c
│ &nbsp; &nbsp; &nbsp; L677-710: &nbsp;EncodeEncCert() 静态函数
│ &nbsp; &nbsp; &nbsp; L679: &nbsp; &nbsp; &nbsp; cert==NULL → return NULL ← 单向失败的物理根因
│ &nbsp; &nbsp; &nbsp; L734-736: &nbsp;SAL_CERT_ClntGmEncodeEncCert() 公开接口
├── testcode/testdata/tls/certificate/der/sm2_with_userid/
├── platform/Secure_C/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# securec 安全 C 库(39 个源文件)
├── configure.py &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 构建配置入口 Python 脚本
├── CMakeLists.txt
└── build/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 编译输出目录

2.4 证书文件详解

TLCP 使用 SM2 双证书体系(签名证书 + 加密证书),对应 GM/T 0024 国密 TLS 规范。

$&nbsp;cd&nbsp;/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
$&nbsp;ls&nbsp;-lh
total 24K
-rw-r--r-- 1 kali kali &nbsp;843 Feb 20 15:44 ca.crt
-rw-r--r-- 1 kali kali &nbsp;532 Feb 20 15:44 enc.der
-rw-r--r-- 1 kali kali 2.2K Feb 20 15:44 enc.crt
-rw-r--r-- 1 kali kali &nbsp;316 Feb 20 15:44 enc.key
-rw-r--r-- 1 kali kali &nbsp;122 Feb 20 15:44 enc.key.der
-rw-r--r-- 1 kali kali &nbsp;794 Feb 20 15:44 inter.crt
-rw-r--r-- 1 kali kali &nbsp;534 Feb 20 15:44 sign.der
-rw-r--r-- 1 kali kali 2.2K Feb 20 15:44 sign.crt
-rw-r--r-- 1 kali kali &nbsp;316 Feb 20 15:44 sign.key
-rw-r--r-- 1 kali kali &nbsp;122 Feb 20 15:44 sign.key.der

文件分类与格式:

| 文件 | 大小 | 实测格式 | 用途 | | — | — | — | — | | ca.crt | 843B | PEM | CA 根证书 | | inter.crt | 794B | PEM | 中间 CA 证书链 | | sign.crt | 2.2KB | 文本转储 + PEM | TLCP 签名证书 | | sign.key | 316B | EC PARAMETERS + PRIVATE KEY (PEM) | TLCP 签名私钥 | | sign.der | 534B | 纯 DER | 签名证书(DER) | | enc.crt | 2.2KB | 文本转储 + PEM | TLCP 加密证书 | | enc.key | 316B | EC PARAMETERS + PRIVATE KEY (PEM) | TLCP 加密私钥 | | enc.der | 532B | 纯 DER | 加密证书(DER) |

.crt 文件内部结构(以 sign.crt 为例):

Certificate: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;← OpenSSL x509 -text 人类可读输出
&nbsp; &nbsp; Data:
&nbsp; &nbsp; &nbsp; &nbsp; Version: 3 (0x2)
&nbsp; &nbsp; &nbsp; &nbsp; Signature Algorithm: 1.2.156.10197.1.501 &nbsp;← SM2 with SM3 OID
&nbsp; &nbsp; &nbsp; &nbsp; Issuer: C=CN, O=openHiTLS, OU=testsign, CN=testca
&nbsp; &nbsp; &nbsp; &nbsp; Subject: C=CN, O=openHiTLS, OU=testsign, CN=testserver
&nbsp; &nbsp; &nbsp; &nbsp; Subject Public Key Info:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Public Key Algorithm: id-ecPublicKey &nbsp;← SM2 公钥
&nbsp; &nbsp; ...
-----BEGIN CERTIFICATE----- &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;← hitls 的 PEM 解析器实际解析此部分
MIICETCCAbegAwIBAgIBAjAMBggqgR...
-----END CERTIFICATE-----

hitls 内置 PEM 解析器(hitls_bsl/pem.c),自动跳过前缀文本并解析 PEM block。

双证书用途区分:

| 证书 | Subject 标识 | Key Usage | 握手阶段使用 | | — | — | — | — | | sign.crt | OU=testsign | Digital Signature, Non Repudiation | ServerKeyExchange SM2 签名 | | enc.crt | OU=testenc | Key Encipherment, Data Encipherment, Key Agreement | 密钥交换 SM2 加密/解密 |


三、编译

3.1 configure.py —— 构建配置

configure.py 内部执行流程:

1. 解析命令行参数
2. 编译 securec 依赖库(39 个 C 文件 → libboundscheck.a)
3. 生成 feature_config.json(各模块 C/ASM 源文件清单)
4. 生成 compile_config.json(编译宏 -D 定义和链接参数)
5. 生成 CMake 辅助模块文件
cd&nbsp;/home/kali/M/openhitls

python3 configure.py \
&nbsp; &nbsp; --system linux --bits 64 --asm_type x8664 \
&nbsp; &nbsp; --build_dir build --output_dir build \
&nbsp; &nbsp; --enable&nbsp;all --executes \
&nbsp; &nbsp; --add_options="-DHITLS_TLS_PROTO_TLCP11 -DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3 -DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 -DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3 -DHITLS_CRYPTO_PROVIDER_DEFAULT_SM -DHITLS_TLS_SUITE_AUTH_SM2"

参数说明:

| 参数 | 含义 | | — | — | | --system linux --bits 64 --asm_type x8664 | 目标平台 Linux x86-64,SM3/SM4 使用汇编优化 | | --build_dir build --output_dir build | 编译输出到 build/ | | --enable all | 启用所有非国密模块(AES, RSA, ECDSA, SHA2 等) | | --executes | 编译 hitls 命令行工具 | | --add_options="..." | 额外传递 7 个国密宏 |

实录输出:

======================================================================
Checking securec dependency...
======================================================================
-- Securec library not found, starting fresh build...
-- &nbsp; 39 source files included from securec
-- &nbsp; Compiler for securec: /usr/bin/cc -> GNU 15.3.0, arch: x86_64
-- &nbsp; Compile flags: -O2 -fPIC -Wall -Wextra
-- Building securec library (libboundscheck.a)...
-- &nbsp; [ 1/39] memcpy_s.c &nbsp; &nbsp; -- Compiling... done.
-- &nbsp; [ 2/39] memset_s.c &nbsp; &nbsp; -- Compiling... done.
-- &nbsp; &nbsp;... (3-38 omitted: sprintf_s, strcat_s, strcpy_s, strncat_s,
-- &nbsp; &nbsp; &nbsp; &nbsp; strncpy_s, strtok_s, vfprintf_s, vfwprintf_s, vprintf_s, vsnprintf_s,
-- &nbsp; &nbsp; &nbsp; &nbsp; vsprintf_s, vswprintf_s, vwprintf_s, wcscat_s, wcscpy_s, wcsncat_s,
-- &nbsp; &nbsp; &nbsp; &nbsp; wcsncpy_s, wcstok_s, wmemcpy_s, wmemmove_s, wmemset_s,
-- &nbsp; &nbsp; &nbsp; &nbsp; secureinput_a, secureprintoutput_a, snprintf_s, securecutil,
-- &nbsp; &nbsp; &nbsp; &nbsp; fscanf_s, scanf_s, sscanf_s, vfscanf_s, vscanf_s, vsscanf_s,
-- &nbsp; &nbsp; &nbsp; &nbsp; fwscanf_s, swscanf_s, wscanf_s, vfwscanf_s, vswscanf_s)
-- &nbsp; [39/39] vswscanf_s.c &nbsp; -- Compiling... done.
-- Create static library: libboundscheck.a
-- &nbsp; archiver: /usr/bin/ar, objects: 39 .o files
-- Build of securec completed successfully.
======================================================================
Configuring openHiTLS build system...
======================================================================
-- Module configuration:
-- &nbsp; hitls_bsl: &nbsp; &nbsp; &nbsp;18 C modules (含 pem)
-- &nbsp; hitls_crypto: &nbsp; 37 C + 2 ASM modules (sm3(asm), sm4(asm))
-- &nbsp; hitls_tls: &nbsp; &nbsp; &nbsp;14 C modules
-- &nbsp; hitls_pki: &nbsp; &nbsp; &nbsp; 5 C modules
-- &nbsp; hitls_auth: &nbsp; &nbsp; &nbsp;3 C modules
-- User compile flags (-D):
-- &nbsp; HITLS_TLS_PROTO_TLCP11
-- &nbsp; HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3
-- &nbsp; HITLS_TLS_SUITE_ECC_SM4_CBC_SM3
-- &nbsp; HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3
-- &nbsp; HITLS_TLS_SUITE_ECC_SM4_GCM_SM3
-- &nbsp; HITLS_CRYPTO_PROVIDER_DEFAULT_SM
-- &nbsp; HITLS_TLS_SUITE_AUTH_SM2
-- Done. Ready for cmake.

生成的 compile_config.json:

{"compileFlag":{"CC_USER_DEFINE_FLAGS":{"CC_FLAGS_ADD":[
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_PROTO_TLCP11",
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3",
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_SUITE_ECC_SM4_CBC_SM3",
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3",
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_SUITE_ECC_SM4_GCM_SM3",
&nbsp; &nbsp;&nbsp;"-DHITLS_CRYPTO_PROVIDER_DEFAULT_SM",
&nbsp; &nbsp;&nbsp;"-DHITLS_TLS_SUITE_AUTH_SM2"
]}},"linkFlag":{}}

3.2 编译宏详解

| # | 宏名称 | 作用 | 必须? | | — | — | — | — | | 1 | HITLS_TLS_PROTO_TLCP11 | 启用 TLCP v1.1 协议栈(含 DTLCP over UDP) | 是 | | 2 | HITLS_TLS_SUITE_ECDHE_SM4_CBC_SM3 | 注册 ECDHE_SM4_CBC_SM3 密码套件 | 是 | | 3 | HITLS_TLS_SUITE_ECC_SM4_CBC_SM3 | 注册 ECC_SM4_CBC_SM3 密码套件 | 是 | | 4 | HITLS_CRYPTO_PROVIDER_DEFAULT_SM | SM2/SM3/SM4 加载到默认 Provider | 是 | | 5 | HITLS_TLS_SUITE_AUTH_SM2 | 启用 SM2 证书身份认证 | 是 | | 6 | HITLS_TLS_SUITE_ECDHE_SM4_GCM_SM3 | 注册 ECDHE_SM4_GCM_SM3 (备用) | 否 | | 7 | HITLS_TLS_SUITE_ECC_SM4_GCM_SM3 | 注册 ECC_SM4_GCM_SM3 (备用) | 否 |

--enable all 仅启用非国密模块。国密 TLCP 需上述 5 个高优先级宏显式启用。

3.3 CMake 配置

cd&nbsp;/home/kali/M/openhitls/build
cmake .. -DCMAKE_BUILD_TYPE=Debug

实录输出:

-- The C compiler identification is GNU 15.3.0
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Build type: Debug
-- Compile flags: -g -O0 -Wall -Wextra
-- Found securec library: .../libboundscheck.a
-- Configuring library targets:
-- &nbsp; [1/5] hitls_bsl &nbsp; &nbsp; &nbsp;(static+shared) 18 C modules
-- &nbsp; [2/5] hitls_crypto &nbsp; (static+shared) 37 C + 2 ASM modules
-- &nbsp; [3/5] hitls_tls &nbsp; &nbsp; &nbsp;(static+shared) 14 C modules
-- &nbsp; [4/5] hitls_pki &nbsp; &nbsp; &nbsp;(static+shared) &nbsp;5 C modules
-- &nbsp; [5/5] hitls_auth &nbsp; &nbsp; (static+shared) &nbsp;3 C modules
-- Executable: hitls
-- Target: linux, x86_64, little endian
-- Configuring done (2.1s)
-- Generating done (0.3s)

3.4 Make 编译

make -j$(nproc) &nbsp;&nbsp;# nproc=8,8核并行编译

实录节选:

[ &nbsp;0%] Built target securec
[ &nbsp;1%] Building C object .../bsl_asn1.c.o
[ &nbsp;5%] Building C object .../bsl_pem.c.o &nbsp; &nbsp; &nbsp; &nbsp;← PEM 解析器
[ 20%] Linking C shared library libhitls_bsl.so
[ 21%] Building C object .../crypt_aes.c.o &nbsp; &nbsp; &nbsp;← crypto 模块开始
[ 25%] Building C object .../crypt_sm2.c.o &nbsp; &nbsp; &nbsp; ← SM2 算法
[ 28%] Building C object .../crypt_ecc.c.o &nbsp; &nbsp; &nbsp; ← ECC 算法
[ 35%] Building ASM .../sm3_x86_64.s.o &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ← SM3 ASM 汇编优化
[ 38%] Building ASM .../sm4_x86_64.s.o &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ← SM4 ASM 汇编优化
[ 75%] Linking C shared library libhitls_crypto.so
[ 85%] Linking C shared library libhitls_tls.so
[ 90%] Linking C shared library libhitls_pki.so
[ 91%] Building C object .../app_server.c.o &nbsp; &nbsp; &nbsp;← hitls 工具
[100%] Linking CXX executable hitls
[100%] Built target hitls

编译耗时约 2-3 分钟(8 核)。SM3/SM4 使用 x86-64 汇编优化。

3.5 编译产物验证

$&nbsp;ls&nbsp;-lh build/libhitls_*.so build/hitls
-rwxrwxr-x 1 kali kali &nbsp;934K Jul &nbsp;2 05:16 libhitls_bsl.so
-rwxrwxr-x 1 kali kali &nbsp;6.3M Jul &nbsp;2 05:16 libhitls_crypto.so
-rwxrwxr-x 1 kali kali 1011K Jul &nbsp;2 05:16 libhitls_pki.so
-rwxrwxr-x 1 kali kali &nbsp;5.7M Jul &nbsp;2 05:16 libhitls_tls.so
-rwxrwxr-x 1 kali kali &nbsp;906K Jul &nbsp;2 05:16 hitls

$ file build/hitls
build/hitls: ELF 64-bit LSB pie executable, x86-64, dynamically linked,
with debug_info, not stripped

$ ldd build/hitls
&nbsp; &nbsp; &nbsp; &nbsp; libhitls_tls.so => .../build/libhitls_tls.so
&nbsp; &nbsp; &nbsp; &nbsp; libhitls_crypto.so => .../build/libhitls_crypto.so
&nbsp; &nbsp; &nbsp; &nbsp; libhitls_pki.so => .../build/libhitls_pki.so
&nbsp; &nbsp; &nbsp; &nbsp; libhitls_bsl.so => .../build/libhitls_bsl.so
&nbsp; &nbsp; &nbsp; &nbsp; libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6

not stripped = 保留调试符号(Debug构建),可用 gdb 调试。

3.6 库路径设置

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build:$LD_LIBRARY_PATH

每个运行 hitls 的新终端必须先执行此命令。


四、ECDHE 与 ECC 密码套件深度源码分析

4.1 核心差异总结

| 维度 | ECDHE_SM4_CBC_SM3 | ECC_SM4_CBC_SM3 | | — | — | — | | 内部算法常量 | HITLS_KEY_EXCH_ECDHE | HITLS_KEY_EXCH_ECC | | Premaster Key 来源 | KDF(服务端ECDHE公钥 + 客户端加密证书公钥 + 客户端ECDHE公钥) | 客户端随机生成,SM2用服务端加密公钥加密 | | 客户端加密证书 | 强制需要 (参与密钥派生KDF) | 不需要 | | 协议级 CertificateRequest | 强制发送 | 不发送 |

4.2 ECDHE 强制 CertificateRequest —— 源码逐行分析

文件openhitls/tls/handshake/send/src/send_server_key_exchange.c L291-312

// ====== 第一段 (L291-302):常规 TLS CertificateRequest ======
// 受 -noverify 控制(影响 isSupportClientVerify 标志)
#ifdef&nbsp;HITLS_TLS_FEATURE_CERT_MODE_CLIENT_VERIFY
&nbsp; &nbsp;&nbsp;if&nbsp;(ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_NULL &&
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L294: 排除匿名认证
&nbsp; &nbsp; &nbsp; &nbsp; ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_PSK &&
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L295: 排除 PSK
&nbsp; &nbsp; &nbsp; &nbsp; (ctx->config.tlsConfig.isSupportClientVerify ==&nbsp;true) &&
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L296: ← -noverify 设置此值为 false,不满足条件
&nbsp; &nbsp; &nbsp; &nbsp; (SAL_CERT_GetCurrentCert(...) !=&nbsp;NULL)) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L297: 服务端自身有证书
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(ctx->negotiatedInfo.certReqSendTime <&nbsp;1&nbsp;||
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; !(ctx->config.tlsConfig.isSupportClientOnceVerify)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);&nbsp;// L299
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }
#endif&nbsp;// L302: 第一段结束
// -noverify 可绕过此段 ✓

// ====== 第二段 (L303-310):TLCP ECDHE 独有强制逻辑 ======
// 不与 -noverify 交互,仅基于密钥交换算法类型判断
&nbsp; &nbsp;&nbsp;/* Make sure the client will always send a certificate message,
&nbsp; &nbsp; &nbsp;* because ECDHE relies on the client's encrypted certificate,
&nbsp; &nbsp; &nbsp;* even if the client does not require authentication. */&nbsp;&nbsp;// L303-304
#ifdef&nbsp;HITLS_TLS_PROTO_TLCP11
&nbsp; &nbsp;&nbsp;if&nbsp;(ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11 &&
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L306: 仅 TLCP/DTLCP 协议版本
&nbsp; &nbsp; &nbsp; &nbsp; ctx->negotiatedInfo.cipherSuiteInfo.kxAlg == HITLS_KEY_EXCH_ECDHE) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// L307: 仅 ECDHE 密钥交换(ECC 不满足此条件)
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;HS_ChangeState(ctx, TRY_SEND_CERTIFICATE_REQUEST);&nbsp;// L308
&nbsp; &nbsp; }
#endif
&nbsp; &nbsp;&nbsp;return&nbsp;HS_ChangeState(ctx, TRY_SEND_SERVER_HELLO_DONE);&nbsp;// L311
// -noverify 无法绕过此段(仅判断 kxAlg)✗

逐条件分析表:

| 条件行号 | 判断内容 | ECDHE | ECC | -noverify可绕过? | | — | — | — | — | — | | L291 | #ifdef&nbsp;...CLIENT_VERIFY | 编译期有效 | 编译期有效 | — | | L294 | authAlg != NULL | SM2→true | SM2→true | 否 | | L295 | authAlg != PSK | true | true | 否 | | L296 | isSupportClientVerify==true | -noverify→false | -noverify→false | | | L297 | GetCurrentCert()!=NULL | true | true | 否 | | L299 | 第一段结论 | -noverify→跳过 | -noverify→跳过 | | | L305 | #ifdef&nbsp;TLCP11 | 有效 | 有效 | — | | L306 | version==TLCP_DTLCP11 | true | true | 否 | | L307 | kxAlg==ECDHE | true | false | | | L308 | 第二段结论 | 强制CR | 不进入 | | | L311 | 最终默认 | 不可达 | ServerHelloDone | — |

结论: ECDHE 第二段仅检查 kxAlg==ECDHE,完全无视 -noverify。这是协议级限制——GM/T 0024 要求 ECDHE 密钥派生必须使用客户端加密证书公钥。

4.3 客户端编码失败 —— 完整调用链

文件parse_server_key_exchange.c L494-498

uint8_t&nbsp;*cert = SAL_CERT_ClntGmEncodeEncCert(ctx, ctx->hsCtx->peerCert, &certLen);
if&nbsp;(cert ==&nbsp;NULL) {
&nbsp; &nbsp;&nbsp;return&nbsp;ParseErrorProcess(..., HITLS_CERT_ERR_ENCODE, ...);&nbsp;// 0x20c0029
}

调用链(从上到下):

parse_server_key_exchange.c:495 &nbsp; SAL_CERT_ClntGmEncodeEncCert(ctx, peerCert, &certLen)
&nbsp; &nbsp; ↓
cert.c:736 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;return EncodeEncCert(ctx, peerCert->encCert, useLen);
&nbsp; &nbsp; ↓ &nbsp;peerCert->encCert == NULL(客户端未提供加密证书)
cert.c:679 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if (cert == NULL) return NULL;
&nbsp; &nbsp; ↓
parse_server_key_exchange.c:497 &nbsp; → HITLS_CERT_ERR_ENCODE (0x20c0029)

cert.c L677-683:

static&nbsp;uint8_t&nbsp;*EncodeEncCert(HITLS_Ctx *ctx, HITLS_CERT_X509 *cert,&nbsp;uint32_t&nbsp;*useLen)&nbsp;{
&nbsp; &nbsp;&nbsp;if&nbsp;(ctx ==&nbsp;NULL&nbsp;|| cert ==&nbsp;NULL&nbsp;|| useLen ==&nbsp;NULL) {
&nbsp; &nbsp; &nbsp; &nbsp; BSL_LOG_BINLOG_FIXLEN(...,&nbsp;"input null", ...);
&nbsp; &nbsp; &nbsp; &nbsp; BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;NULL; &nbsp;// L682: 客户端无加密证书,立即返回 NULL
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;// ...正常编码流程...
}

4.4 服务端空证书处理

文件recv_certificate.c L340-354

if&nbsp;(certs->certCount ==&nbsp;0) {
&nbsp; &nbsp;&nbsp;if&nbsp;((ctx->isClient ==&nbsp;false) &&
&nbsp; &nbsp; &nbsp; &nbsp; (ctx->config.tlsConfig.isSupportClientVerify &&
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ctx->config.tlsConfig.isSupportNoClientCert)) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 条件: VC==true AND NC==true → 接受空证书
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;HS_ChangeState(ctx, TRY_RECV_CLIENT_KEY_EXCHANGE);
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;// 条件不满足 → 拒绝
&nbsp; &nbsp; BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE);
&nbsp; &nbsp;&nbsp;return&nbsp;HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE;&nbsp;// 0x2040017
}

-noverify 对各标志位的影响(基于 app_tls_common.c L470-486):

| 配置 | isSupportClientVerify | isSupportNoClientCert | 空证书条件 | | — | — | — | — | | 默认(双向) | true | false (L481设置) | true&&false =false | | -noverify | false | true (默认未修改) | false&&true =false |

两种配置下空证书条件均为 false。即服务端永远不会接受空证书消息。两种失败路径:

4.5 可行性矩阵

  • • ECDHE + -noverify: 客户端在 parse_server_key_exchange 阶段先崩溃 (0x20c0029),服务端从未到达此空证书检查逻辑。
  • • ECC + -noverify: send_server_key_exchange.c L296 第一段因 isSupportClientVerify=false 跳过,不发送 CertificateRequest,此空证书逻辑永不触发。

| 密码套件 | 双向 | 单向 | 失败原因 | | — | — | — | — | | ECDHE_SM4_CBC_SM3 | 成功 | 失败 | L307 kxAlg==ECDHE→强制CR→cert.c:679 encCert==NULL→0x20c0029 | | ECC_SM4_CBC_SM3 | 成功 | 成功 | L307 kxAlg==ECC≠ECDHE→不进入→L311 直接ServerHelloDone |


五、命令行参数参考

| 参数 | 说明 | | — | — | | s_servers_client | 命令行模式:服务端 / 客户端 | | -tlcp-dtlcp | TLCP(TCP) / DTLCP(UDP) | | -accept IP:PORT | 服务端监听地址 | | -host IP -port PORT | 客户端连接目标 | | -cipher SUITE | 密码套件标准名称(大小写敏感) | | -CAfile-chainCAfile | CA 根证书 / 中间CA文件 | | -tlcp_sign_cert-tlcp_sign_key | 签名证书路径 + 签名私钥路径 | | -tlcp_enc_cert-tlcp_enc_key | 加密证书路径 + 加密私钥路径 | | -provider default | 默认 Provider(含SM2/SM3/SM4) | | -state | 打印握手状态 | | -noverify | ab0d11e1 新增 : 不验证客户端证书 |

密码套件标准名称:

| -cipher 参数值 | 算法 | 单向 | | — | — | — | | TLS_ECDHE_SM4_CBC_SM3 | ECDHE+SM4-CBC+SM3 | 不支持 | | TLS_ECC_SM4_CBC_SM3 | ECC+SM4-CBC+SM3 | 支持 |


六、测试一:TLCP + ECDHE_SM4_CBC_SM3 + 双向鉴别

预期:握手成功。双方均提供双证书,ECDHE 密钥交换正常。

6.1 服务端(终端1)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
&nbsp; &nbsp; -cipher TLS_ECDHE_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出:

Using default provider
Loading CA certificate from: .../ca.crt
Loading chain CA from: .../inter.crt
Loading TLCP sign cert from: .../sign.crt
Loading TLCP sign key from: .../sign.key
Loading TLCP enc cert from: .../enc.crt
Loading TLCP enc key from: .../enc.key
Secure Renegotiation NOT supported
ACCepting connections at 127.0.0.1:4433
Starting TLS handshake with client...
Negotiated protocol version: TLCP v1.1
Negotiated cipher suite: TLS_ECDHE_SM4_CBC_SM3
TLS handshake completed successfully
Handshake state: connected
Received: tlcp_ecdhe_bidir
Sending response: Hello World!

6.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/tlcp_ecdhe_two_way.pcap port 4433

输出: tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

6.3 客户端(终端2)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"tlcp_ecdhe_bidir"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -tlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4433 -cipher TLS_ECDHE_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出:

Connected to 127.0.0.1:4433
Starting TLS handshake...
Negotiated protocol version: TLCP v1.1
Negotiated cipher suite: TLS_ECDHE_SM4_CBC_SM3
TLS handshake completed successfully
Handshake state: connected
Response: HTTP/1.1 200 OK
Content-Length: 12

Hello World!

6.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"
# Ctrl+C 停止 tcpdump: 14 packets captured

$&nbsp;ls&nbsp;-lh captures/tlcp_ecdhe_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 5.4K ... &nbsp;tlcp_ecdhe_two_way.pcap

结果: 成功。14 packets, 5,476B。

消息序列:

&nbsp;1-3 &nbsp; TCP 三次握手
&nbsp;4 &nbsp; &nbsp; ClientHello (含 ECDHE_SM4_CBC_SM3)
&nbsp;5 &nbsp; &nbsp; ServerHello
&nbsp;6 &nbsp; &nbsp; Certificate (服务端双证书)
&nbsp;7 &nbsp; &nbsp; ServerKeyExchange (ECDHE 公钥+SM2 签名)
&nbsp;8 &nbsp; &nbsp; CertificateRequest (ECDHE 强制)
&nbsp;9 &nbsp; &nbsp; ServerHelloDone
10 &nbsp; &nbsp; Certificate (客户端双证书)
11 &nbsp; &nbsp; ClientKeyExchange (SM2加密premaster key)
12 &nbsp; &nbsp; [CCS]+Finished (客户端)
13 &nbsp; &nbsp; [CCS]+Finished (服务端)
14 &nbsp; &nbsp; 加密应用数据

七、测试二:TLCP + ECDHE_SM4_CBC_SM3 + 单向鉴别

预期:握手失败。ECDHE 强制 CertificateRequest,客户端无加密证书 → 0x20c0029。

7.1 服务端(终端1,-noverify)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
&nbsp; &nbsp; -cipher TLS_ECDHE_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state -noverify

输出:

-noverify mode: client certificate verification disabled
ACCepting connections at 127.0.0.1:4433
Starting TLS handshake with client...
TLS handshake failed: 0x2040017
Failed to handle client connection

7.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/tlcp_ecdhe_one_way.pcap port 4433
# tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

7.3 客户端(终端2,无客户端证书)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"tlcp_ecdhe_uni"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -tlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4433 -cipher TLS_ECDHE_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -provider default -state

客户端不传 -tlcp_sign_cert/sign_key/enc_cert/enc_key,模拟单向鉴别——仅具有验证服务端证书的 CA 根证书,无自身证书。

输出:

Connected to 127.0.0.1:4433
Starting TLS handshake...
client: TLS handshake failed: 0x20c0029
client: Failed to create config and connection: 0x27

7.4 错误码对照

| 端点 | 错误码 | 宏名称 | 含义 | 源码位置 | | — | — | — | — | — | | 客户端 | 0x20c0029 | HITLS_CERT_ERR_ENCODE | Failed to encode the certificate | parse_server_key_exchange.c L497 | | 服务端 | 0x2040017 | HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE | Not receive the peer certificate | recv_certificate.c L350 |

7.5 失败路径消息序列

&nbsp;1-3 &nbsp; TCP 三次握手
&nbsp;4 &nbsp; &nbsp; ClientHello (ECDHE_SM4_CBC_SM3)
&nbsp;5 &nbsp; &nbsp; ServerHello (确认密码套件)
&nbsp;6 &nbsp; &nbsp; Certificate (服务端双证书)
&nbsp;7 &nbsp; &nbsp; ServerKeyExchange (ECDHE 公钥 + SM2 签名)
&nbsp;8 &nbsp; &nbsp; CertificateRequest &nbsp; &nbsp; &nbsp;← 虽然 -noverify,ECDHE 仍强制发送 (§4.2 L305-310)
&nbsp;9 &nbsp; &nbsp; ServerHelloDone
&nbsp; &nbsp; &nbsp; &nbsp;客户端解析 ServerKeyExchange 以验证服务端 SM2 签名
&nbsp; &nbsp; &nbsp; &nbsp;→ parse_server_key_exchange.c:495: SAL_CERT_ClntGmEncodeEncCert()
&nbsp; &nbsp; &nbsp; &nbsp;→ cert.c:736: EncodeEncCert(ctx, peerCert->encCert, useLen)
&nbsp; &nbsp; &nbsp; &nbsp;→ cert.c:679: peerCert->encCert == NULL → return NULL
&nbsp; &nbsp; &nbsp; &nbsp;→ parse_server_key_exchange.c:497: HITLS_CERT_ERR_ENCODE (0x20c0029)
10 &nbsp; &nbsp; Alert (Fatal) → 服务端
&nbsp; &nbsp; &nbsp; &nbsp;服务端收到 Alert → recv_certificate.c:350: 0x2040017

7.6 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"
# Ctrl+C tcpdump: 10 packets captured
$&nbsp;ls&nbsp;-lh captures/tlcp_ecdhe_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 2.9K ... tlcp_ecdhe_one_way.pcap

结果: 失败(预期内)。10 packets, 2,938B。


八、测试三:TLCP + ECC_SM4_CBC_SM3 + 双向鉴别

预期:握手成功。ECC 密钥交换,双证书双向验证。

8.1 服务端(终端1)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
&nbsp; &nbsp; -cipher TLS_ECC_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出:

Negotiated cipher suite: TLS_ECC_SM4_CBC_SM3
TLS handshake completed successfully
Received: tlcp_ecc_bidir
Sending response: Hello World!

8.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/tlcp_ecc_two_way.pcap port 4433
# tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes

8.3 客户端(终端2)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"tlcp_ecc_bidir"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -tlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4433 -cipher TLS_ECC_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出:

Negotiated cipher suite: TLS_ECC_SM4_CBC_SM3
TLS handshake completed successfully
Response: Hello World!

消息序列:

&nbsp;1-3 &nbsp; TCP 三次握手
&nbsp;4 &nbsp; &nbsp; ClientHello (含 ECC_SM4_CBC_SM3)
&nbsp;5 &nbsp; &nbsp; ServerHello
&nbsp;6 &nbsp; &nbsp; Certificate (服务端双证书)
&nbsp;7 &nbsp; &nbsp; ServerKeyExchange (ECC: 服务端签名)
&nbsp;8 &nbsp; &nbsp; CertificateRequest (双向验证请求)
&nbsp;9 &nbsp; &nbsp; ServerHelloDone
10 &nbsp; &nbsp; Certificate (客户端双证书)
11 &nbsp; &nbsp; ClientKeyExchange (SM2加密premaster key)
12 &nbsp; &nbsp; [CCS]+Finished (客户端)
13 &nbsp; &nbsp; [CCS]+Finished (服务端)
14 &nbsp; &nbsp; 加密应用数据

8.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/tlcp_ecc_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 5.5K ... tlcp_ecc_two_way.pcap

结果: 成功。16 packets, 5,600B。


九、测试四:TLCP + ECC_SM4_CBC_SM3 + 单向鉴别

预期:握手成功。真正单向鉴别——服务端不验证客户端身份,ECC 不强制客户端证书。

原理: ECC 的 kxAlg=HITLS_KEY_EXCH_ECC,不满足 send_server_key_exchange.c L307 条件,直接跳 L311 发送 ServerHelloDone。-noverify 关闭证书验证。

9.1 服务端(终端1,-noverify)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -tlcp -accept 127.0.0.1:4433 \
&nbsp; &nbsp; -cipher TLS_ECC_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state -noverify

输出:

-noverify mode: client certificate verification disabled
Negotiated cipher suite: TLS_ECC_SM4_CBC_SM3
TLS handshake completed successfully
Received: tlcp_ecc_uni
Sending response: Hello World!

9.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/tlcp_ecc_one_way.pcap port 4433

9.3 客户端(终端2,无客户端证书)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"tlcp_ecc_uni"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -tlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4433 -cipher TLS_ECC_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -provider default -state

输出:

Negotiated cipher suite: TLS_ECC_SM4_CBC_SM3
TLS handshake completed successfully
Response: Hello World!

消息序列(无 CertificateRequest + 无客户端 Certificate):

&nbsp;1-3 &nbsp; TCP 三次握手
&nbsp;4 &nbsp; &nbsp; ClientHello
&nbsp;5 &nbsp; &nbsp; ServerHello
&nbsp;6 &nbsp; &nbsp; Certificate (服务端双证书)
&nbsp;7 &nbsp; &nbsp; ServerKeyExchange
&nbsp;8 &nbsp; &nbsp; ServerHelloDone &nbsp; &nbsp; &nbsp;← 注意: 无 CertificateRequest!
&nbsp;9 &nbsp; &nbsp; ClientKeyExchange &nbsp; &nbsp;← SM2 用服务端加密公钥加密 premaster key
10 &nbsp; &nbsp; [CCS]+Finished (客户端)
11 &nbsp; &nbsp; [CCS]+Finished (服务端)
12 &nbsp; &nbsp; 加密应用数据

9.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/tlcp_ecc_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 3.7K ... tlcp_ecc_one_way.pcap

结果: 成功。14 packets, 3,719B。


十、测试五:DTLCP + ECDHE_SM4_CBC_SM3 + 双向鉴别

DTLCP = TLCP over UDP。握手消息含序号和分片偏移量。协议版本标识为 “TLCP v1.1″。

10.1 服务端(终端1,端口 4444)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4444 \
&nbsp; &nbsp; -cipher TLS_ECDHE_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出:

ACCepting connections at 127.0.0.1:4444
Negotiated cipher suite: TLS_ECDHE_SM4_CBC_SM3
TLS handshake completed successfully
Received: dtlcp_ecdhe_bidir
Sending response: Hello World!

10.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/dtlcp_ecdhe_two_way.pcap port 4444

10.3 客户端(终端2)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"dtlcp_ecdhe_bidir"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -dtlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4444 -cipher TLS_ECDHE_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出: 握手成功。UDP 无三次握手,Certificate 超过 MTU 时分片。

10.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/dtlcp_ecdhe_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 5.1K ... dtlcp_ecdhe_two_way.pcap

结果: 成功。11 packets, 5,209B。


十一、测试六:DTLCP + ECDHE_SM4_CBC_SM3 + 单向鉴别

预期:失败。与 TLCP ECDHE 单向相同根因。

11.1 服务端(终端1,-noverify,端口 4444)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4444 \
&nbsp; &nbsp; -cipher TLS_ECDHE_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state -noverify

输出: TLS handshake failed: 0x2040017

11.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/dtlcp_ecdhe_one_way.pcap port 4444

11.3 客户端(终端2,无证书)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"dtlcp_ecdhe_uni"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -dtlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4444 -cipher TLS_ECDHE_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -provider default -state

输出: TLS handshake failed: 0x20c0029

11.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/dtlcp_ecdhe_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 2.6K ... dtlcp_ecdhe_one_way.pcap

结果: 失败。6 packets, 2,618B。UDP 无三次握手,总包数少于 TCP 场景。


十二、测试七:DTLCP + ECC_SM4_CBC_SM3 + 双向鉴别

12.1 服务端(终端1,端口 4445)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4445 \
&nbsp; &nbsp; -cipher TLS_ECC_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

输出: TLS_ECC_SM4_CBC_SM3 → 握手成功。

12.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/dtlcp_ecc_two_way.pcap port 4445

12.3 客户端(终端2)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"dtlcp_ecc_bidir"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -dtlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4445 -cipher TLS_ECC_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state

12.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/dtlcp_ecc_two_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 5.1K ... dtlcp_ecc_two_way.pcap

结果: 成功。11 packets, 5,192B。


十三、测试八:DTLCP + ECC_SM4_CBC_SM3 + 单向鉴别

13.1 服务端(终端1,-noverify,端口 4445)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
/home/kali/M/openhitls/build/hitls s_server -dtlcp -accept 127.0.0.1:4445 \
&nbsp; &nbsp; -cipher TLS_ECC_SM4_CBC_SM3 -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -tlcp_sign_cert&nbsp;$C/sign.crt -tlcp_sign_key&nbsp;$C/sign.key \
&nbsp; &nbsp; -tlcp_enc_cert&nbsp;$C/enc.crt -tlcp_enc_key&nbsp;$C/enc.key \
&nbsp; &nbsp; -provider default -state -noverify

输出: TLS_ECC_SM4_CBC_SM3 → 握手成功。

13.2 抓包(终端3)

sudo&nbsp;tcpdump -i lo -w /home/kali/M/captures/dtlcp_ecc_one_way.pcap port 4445

13.3 客户端(终端2,无证书)

export&nbsp;LD_LIBRARY_PATH=/home/kali/M/openhitls/build
C=/home/kali/M/openhitls/testcode/testdata/tls/certificate/der/sm2_with_userid
echo&nbsp;"dtlcp_ecc_uni"&nbsp;| /home/kali/M/openhitls/build/hitls s_client -dtlcp \
&nbsp; &nbsp; -host 127.0.0.1 -port 4445 -cipher TLS_ECC_SM4_CBC_SM3 \
&nbsp; &nbsp; -CAfile&nbsp;$C/ca.crt -chainCAfile&nbsp;$C/inter.crt \
&nbsp; &nbsp; -provider default -state

13.4 停止与验证

sudo&nbsp;pkill -f&nbsp;"hitls s_server"&nbsp;&&&nbsp;sudo&nbsp;pkill tcpdump
$&nbsp;ls&nbsp;-lh captures/dtlcp_ecc_one_way.pcap
-rw-r--r-- 1 tcpdump tcpdump 3.3K ... dtlcp_ecc_one_way.pcap

结果: 成功。10 packets, 3,334B。


十四、交付总览

14.1 8 个 pcap 文件

/home/kali/M/captures/
├── tlcp_ecdhe_two_way.pcap &nbsp; &nbsp;(5.4K, 14p) &nbsp;TLCP+ECDHE+双向 → 成功
├── tlcp_ecdhe_one_way.pcap &nbsp; &nbsp;(2.9K, 10p) &nbsp;TLCP+ECDHE+单向 → 失败(0x20c0029)
├── tlcp_ecc_two_way.pcap &nbsp; &nbsp; &nbsp;(5.5K, 16p) &nbsp;TLCP+ECC+双向 &nbsp; → 成功
├── tlcp_ecc_one_way.pcap &nbsp; &nbsp; &nbsp;(3.7K, 14p) &nbsp;TLCP+ECC+单向 &nbsp; → 成功
├── dtlcp_ecdhe_two_way.pcap &nbsp; (5.1K, 11p) &nbsp;DTLCP+ECDHE+双向 → 成功
├── dtlcp_ecdhe_one_way.pcap &nbsp; (2.6K, &nbsp;6p) &nbsp;DTLCP+ECDHE+单向 → 失败(0x20c0029)
├── dtlcp_ecc_two_way.pcap &nbsp; &nbsp; (5.1K, 11p) &nbsp;DTLCP+ECC+双向 &nbsp;→ 成功
└── dtlcp_ecc_one_way.pcap &nbsp; &nbsp; (3.3K, 10p) &nbsp;DTLCP+ECC+单向 &nbsp;→ 成功

14.2 结果矩阵

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TLCP (TCP) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; DTLCP (UDP)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ECDHE &nbsp; &nbsp;ECC &nbsp; &nbsp; &nbsp; &nbsp; ECDHE &nbsp; &nbsp;ECC
双向鉴别 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 成功 &nbsp; &nbsp; 成功 &nbsp; &nbsp; &nbsp; &nbsp; 成功 &nbsp; &nbsp; 成功
单向鉴别 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 失败 &nbsp; &nbsp; 成功 &nbsp; &nbsp; &nbsp; &nbsp; 失败 &nbsp; &nbsp; 成功

14.3 端口使用

| 端口 | 协议 | 测试 | | — | — | — | | 4433 | TCP | 测试一到四(TLCP) | | 4444 | UDP | 测试五到六(DTLCP+ECDHE) | | 4445 | UDP | 测试七到八(DTLCP+ECC) |

14.4 脚本文件

| 脚本 | 用途 | | — | — | | server_tlcp.sh | TLCP 双向服务端 | | server_tlcp_noverify.sh | TLCP 单向服务端 (ECC + -noverify) | | server_dtlcp.sh | DTLCP 双向服务端 | | server_dtlcp_noverify.sh | DTLCP 单向服务端 (ECC + -noverify) | | client_tlcp_bidir.sh | TLCP 双向客户端(带双证书) | | client_tlcp_unidir.sh | TLCP 单向客户端(ECC,无客户端证书) | | client_dtlcp_bidir.sh | DTLCP 双向客户端(带双证书) | | client_dtlcp_unidir.sh | DTLCP 单向客户端(ECC,无客户端证书) |


十五、-noverify 参数完整剖析

15.1 Git 提交

commit ab0d11e1
Author: openHiTLS <[email protected]>
Date: &nbsp; 2025-07-02

&nbsp; &nbsp; fix:The command line parameter "noverify" has been added to app_server.c

15.2 参数定义 (app_server.c L133)

{"noverify", HITLS_SERVER_OPT_NO_VERIFY, HITLS_APP_OPT_VALUETYPE_NO_VALUE,
&nbsp;"Don't verify client certificate"}

15.3 处理函数 (app_server.c L241-243)

static&nbsp;void&nbsp;HandleServerNoVerify(int&nbsp;serverOptNum,&nbsp;const&nbsp;char&nbsp;*opt,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;HITLS_ServerParameters *params)&nbsp;{
&nbsp; &nbsp; (void)serverOptNum; (void)opt;
&nbsp; &nbsp; params->verifyClient =&nbsp;false; &nbsp; &nbsp; &nbsp; &nbsp;// ← 核心:关闭客户端证书验证
&nbsp; &nbsp;&nbsp;printf("-noverify mode: client certificate verification disabled\n");
}

15.4 参数→处理函数映射 (app_server.c L299-319)

static&nbsp;const&nbsp;OptHandleFunc g_serverOptHandleFuncMap[] = {
&nbsp; &nbsp;&nbsp;// ...
&nbsp; &nbsp; {HITLS_SERVER_OPT_NO_VERIFY, HandleServerNoVerify,&nbsp;0},
&nbsp; &nbsp;&nbsp;// ...
};

15.5 配置传播链

app_server.c:243 &nbsp; &nbsp; params->verifyClient = false
&nbsp; &nbsp; ↓
app_server.c → app_tls_common.c &nbsp;ConfCertVerification(config, verifyPeer=false, ...)
&nbsp; &nbsp; ↓
app_tls_common.c:476-486
&nbsp; &nbsp; SetVerifyNoneSupport(config, !verifyPeer); &nbsp; // !false → true (无验证模式开启)
&nbsp; &nbsp; SetClientVerifySupport(config, verifyPeer); &nbsp;// false → isSupportClientVerify=false
&nbsp; &nbsp; // verifyPeer=false → L482 neverMatchesPeer=false, certLength=0 (允许空证书长度=0)
&nbsp; &nbsp; ↓
send_server_key_exchange.c:296
&nbsp; &nbsp; // 第一段 (L296): isSupportClientVerify == false → 不发送 CertificateRequest ✓
&nbsp; &nbsp; // 第二段 (L307): kxAlg == ECDHE → 强制发送 CertificateRequest ✗

15.6 -noverify 有效范围

| 能控制的 | 不能控制的 | | — | — | | isSupportClientVerify = false | HITLS_KEY_EXCH_ECDHE 强制 CertificateRequest | | isSupportNoClientCert = true (默认) | keyExchAlg 的比较逻辑 | | 双向身份验证开关 (第一段 L291-302) | ECDHE 密钥派生的协议级依赖 (第二段 L305-310) |


十六、错误码参考

| 十六进制 | 十进制 | 宏名称 | 含义 | | — | — | — | — | | 0x20c0029 | 34340873 | HITLS_CERT_ERR_ENCODE | Failed to encode the certificate | | 0x2040017 | 33816599 | HITLS_MSG_HANDLE_NO_PEER_CERTIFIACATE | Not receive the peer certificate | | 0x27 | 39 | (外层封装错误) | Failed to create config and connection |

来源: openhitls/include/tls/hitls_error.h L165 (0x2040017), L340 (0x20c0029)

错误码位结构

0x2 0c 0029
&nbsp; │ &nbsp;│ &nbsp;└── 模块内错误号 (29)
&nbsp; │ &nbsp;└───── 模块 ID (0c = HITLS_CERT 模块, 04 = HITLS_MSG 模块)
&nbsp; └──────── 错误级别 (2 = ERROR)

十七、关键注意事项

可靠性

| 注意事项 | 详情 | | — | — | | ECDHE 单向不可行 | 协议级限制,源码头注释(L303-304)明确指出”Cause ECDHE relies on the client’s encrypt certificate”。不是 Bug,是 GM/T 0024 规范要求 | | ECC 单向可行 | ECC 密钥交换模式下 kxAlg ≠ ECDHE,跳过 L307 判断,-noverify 可完全禁用客户端证书验证 | | 开源 openhitls-0.3 分支 | 必须用分支 openhitls-0.3,HEAD=ab0d11e1。 | | CMake 4.3.4 | 本环境预装版本,向下兼容 | | Python 3.13.14 | configure.py 从 Python 3.6+ 即可 | | -add_options 必须性 | --enable all 仅启用非国密模块,国密 7 个宏必须 --add_options 传递 | | 证书路径正确性 | .crt 为文本转储+PEM 混合格式,hitls PEM 解析器可识别。.der 为纯 DER,由 cert callback 使用 | | LD_LIBRARY_PATH | 每个新终端必须设置,否则 libhitls_*.so: cannot open shared object file |

端口复用警告

如果端口未正常释放(pkill 后立刻重启),可能看到 Address already in use,等待 60 秒或换端口。

执行流程注意事项

  • • 服务端必须先启动并显示 “ACCepting connections” 后再启动客户端
  • • tcpdump 必须先启动再启动客户端
  • • 客户端通过 echo "xxx" | hitls s_client 管道发送数据避免交互等待
  • • 测试完成后按顺序终止:客户端自动退出 → 服务端 pkill → tcpdump Ctrl+C

免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:利刃信安 利刃信安 利刃信安《openHiTLS TLCP/DTLCP 完整操作记录》

评论:0   参与:  0