尽管curl 在“Client Hello”中显示TLSv1.3,但为什么tshark 显示“TLSv1”?

尽管curl 在“Client Hello”中显示TLSv1.3,但为什么tshark 显示“TLSv1”?

curl 的输出指示TLSv1.3 (OUT), TLS handshake, Client hello (1)。使用--tlsv1.3强制它使用TLSv1.3

$ curl -6 --tlsv1.3  --tls13-ciphers TLS_AES_256_GCM_SHA384 -vL https://icanhazip.com
*   Trying 2606:4700::6812:7261:443...
* TCP_NODELAY set
* Connected to icanhazip.com (2606:4700::6812:7261) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr  7 00:00:00 2023 GMT
*  expire date: Apr  6 23:59:59 2024 GMT
*  subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55eab1370300)
> GET / HTTP/2
> Host: icanhazip.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< date: Tue, 19 Sep 2023 15:25:06 GMT
< content-type: text/plain
< content-length: 39
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: ...; path=/; expires=Tue, 19-Sep-23 15:55:06 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
< cf-ray: ...
< alt-svc: h3=":443"; ma=86400
< 
2001:...
* Connection #0 to host icanhazip.com left intact
$

但是,当使用 tshark 检查数据包时,最初的“Client Hello”显示为“TLSv1”。后续记录显示为 TLSv1.3:

$ tshark -i wlo1 -Y "tls"
Capturing on 'wlo1'
    6 0.104130915 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1 341 Client Hello
    8 0.155371691 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 2726 Server Hello, Change Cipher Spec, Application Data
   10 0.155931670 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 166 Change Cipher Spec, Application Data
   11 0.156028365 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
   12 0.156320000 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
   15 0.204002604 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 655 Application Data, Application Data
   16 0.204002660 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 439 Application Data
   17 0.204181004 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 117 Application Data
   18 0.204188232 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 156 Application Data
   19 0.204188303 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 117 Application Data
   21 0.204599136 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 110 Application Data
^C11 packets captured

为什么两个输出之间存在差异?

我最初的问题是,当我使用 时curl --tlsv1.3,我收到某个站点的 HTTP 200 响应。但是,如果没有--tlsv1.3,我会收到 HTTP 403 响应,即使curl 的输出显示TLSv1.3。我首先需要理解这种差异。

相关内容