curl 的输出指示TLSv1.3 (OUT), TLS handshake, Client hello (1)。使用--tlsv1.3强制它使用TLSv1.3:
$ curl -6 --tlsv1.3 --tls13-ciphers TLS_AES_256_GCM_SHA384 -vL https://icanhazip.com
* Trying 2606:4700::6812:7261:443...
* TCP_NODELAY set
* Connected to icanhazip.com (2606:4700::6812:7261) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Apr 7 00:00:00 2023 GMT
* expire date: Apr 6 23:59:59 2024 GMT
* subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55eab1370300)
> GET / HTTP/2
> Host: icanhazip.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Tue, 19 Sep 2023 15:25:06 GMT
< content-type: text/plain
< content-length: 39
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: ...; path=/; expires=Tue, 19-Sep-23 15:55:06 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
< cf-ray: ...
< alt-svc: h3=":443"; ma=86400
<
2001:...
* Connection #0 to host icanhazip.com left intact
$
但是,当使用 tshark 检查数据包时,最初的“Client Hello”显示为“TLSv1”。后续记录显示为 TLSv1.3:
$ tshark -i wlo1 -Y "tls"
Capturing on 'wlo1'
6 0.104130915 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1 341 Client Hello
8 0.155371691 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 2726 Server Hello, Change Cipher Spec, Application Data
10 0.155931670 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 166 Change Cipher Spec, Application Data
11 0.156028365 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
12 0.156320000 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
15 0.204002604 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 655 Application Data, Application Data
16 0.204002660 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 439 Application Data
17 0.204181004 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 117 Application Data
18 0.204188232 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 156 Application Data
19 0.204188303 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 117 Application Data
21 0.204599136 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 110 Application Data
^C11 packets captured
为什么两个输出之间存在差异?
我最初的问题是,当我使用 时curl --tlsv1.3,我收到某个站点的 HTTP 200 响应。但是,如果没有--tlsv1.3,我会收到 HTTP 403 响应,即使curl 的输出显示TLSv1.3。我首先需要理解这种差异。