c++ - 带有 TLS 1.3 的“nghttp2::asio_http2::client” - SSL_CTX_set_cipher_list 不在密码套件中添加密码套件

Question

我将 nghttp2 asio_http2_client 与 TLS 1.3 协议一起使用，但是当我尝试通过 SSL_CTX_get_ciphers 函数在密码套件列表中添加其他套件时，我的客户端问候消息中没有任何变化。即密码套件列表保持不变。

我的代码示例：

#include <nghttp2/asio_http2_client.h>

#include <iostream>

using boost::asio::ip::tcp;

using namespace nghttp2::asio_http2;
using namespace nghttp2::asio_http2::client;

int main(int argc, char* argv[])
{
    boost::system::error_code ec;
    boost::asio::io_service io_service;

    boost::asio::ssl::context tls(boost::asio::ssl::context::tlsv13_client);
    tls.set_verify_mode(boost::asio::ssl::verify_peer);

    // https://testssl.sh/openssl-iana.mapping.html
    auto rc = SSL_CTX_set_cipher_list(
        tls.native_handle(),
        R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
    if (rc != 1) {
        std::cout << "no cipher list found " << rc << std::endl;
    }

    auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
    printf("after SSL_CTX_set_ciphersuites()\n");
    for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
        printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));


    //    return 1;
    configure_tls_context(ec, tls);

    // connect to
    session sess(io_service, tls, "www.google.com", "443");

    sess.on_connect([&sess](tcp::resolver::iterator endpoint_it) {
        boost::system::error_code ec;

        std::cerr << "Connected!" << std::endl;
    });


    sess.on_error([](const boost::system::error_code& ec) {
        std::cerr << "error: " << ec.message() << std::endl;
    });

    io_service.run();
}

在wireshark中我看到以下输出（4个密码套件，但SSL_CTX_set_cipher_list参数中有更多密码套件）：

我用 SSL_CTX_set_cipher_list 做了一个实验，并注释掉了下一行：

    auto rc = SSL_CTX_set_cipher_list(
        tls.native_handle(),
        R"(TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA)");
    if (rc != 1) {
        std::cout << "no cipher list found " << rc << std::endl;
    }

    auto ciph = SSL_CTX_get_ciphers(tls.native_handle());
    printf("after SSL_CTX_set_ciphersuites()\n");
    for (size_t i = 0; i < sk_SSL_CIPHER_num(ciph); i++)
        printf("%s%s", i != 0 ? ":" : "", SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciph, i)));

但密码套件列表保持不变。怎么了？

Answer 1

如果您转到SSL_CTX_get_ciphers的文档，它会指出：

SSL_CTX_set_cipher_list() 设置可用密码列表（TLSv1.2 及以下）

和

此功能不影响 TLSv1.3 密码套件。使用 SSL_CTX_set_ciphersuites() 来配置这些。

因此，您需要阅读SSL_CTX_set_cipher_list API，因为 v1.3 密码列表与 v1.2 密码列表有很大不同并且要小得多。