php openssl tls1.2: how OpenSSL establishes a TLS1 connection (how s->state changes)

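The following is how OpenSSL internally processes the handshake phase when it is called to establish a TLS1 connection; it can be compared against a packet capture.

The server and the client below actually run in parallel, and each enters a waiting state only when it needs to receive a message from its peer. For ease of understanding, the client and server steps are arranged in sequence.

For the actual state-transition code, see:

server side: the ssl3_accept method in /ssl/s3_srvr.c        client side: the ssl3_connect method in /ssl/s3_clnt.c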

client:  SSL_ST_OK | SSL_ST_CONNECT   //assigns the initial values to the ssl fields

server:  SSL_ST_OK | SSL_ST_CONNECT   //assigns the initial values to the ssl fields

client:  SSL3_ST_CW_CLNT_HELLO_A    //sends client_hello

server:  SSL3_ST_SR_CLNT_HELLO_A  //ssl3_get_client_hello (at run time the server reaches this point and then waits for client_hello; it continues processing once the message arrives after the client's BIO_flush)

server:  SSL3_ST_SW_SRVR_HELLO_A  //ssl3_send_server_hello, assembles server_hello

server:  SSL3_ST_SW_KEY_EXCH_A //ssl3_send_server_key_exchange

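server:  SSL3_ST_SW_CERT_REQ_A  //ssl3_send_certificate_request, requests the client certificate

server:  SSL3_ST_SW_FLUSH  //BIO_flush sends all of the messages queued above; the client receives them and continues processing

server:  SSL3_ST_SR_CERT_A //ssl3_get_client_certificate, enters the state of waiting to receive the client certificate

client:  SSL3_ST_CR_SRVR_HELLO_A  //ssl3_get_server_hello (at run time the client reaches this point and then waits for server_hello; it continues processing once the message arrives after the server's BIO_flush)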

client:  SSL3_ST_CR_CERT_A  //ssl3_get_server_certificate

client:  SSL3_ST_CR_KEY_EXCH_A  //ssl3_get_key_exchange

client:  SSL3_ST_CR_CERT_REQ_A  //ssl3_get_certificate_request

client:  SSL3_ST_CR_SRVR_DONE_A //ssl3_get_server_done

client: SSL3_ST_CW_CERT_A //ssl3_send_client_certificate

client:  SSL3_ST_CW_KEY_EXCH_A //ssl3_send_client_key_exchange

client:  SSL3_ST_CW_CERT_VRFY_A  //ssl3_send_client_verify

client: SSL3_ST_CW_CHANGE_A  //ssl3_send_change_cipher_spec, the message announcing that symmetric encryption starts

client: SSL3_ST_CW_FINISHED_A   //ssl3_send_finished

client: SSL3_ST_CW_FLUSH   //BIO_flush

client: SSL3_ST_CR_SESSION_TICKET_A //ssl3_get_new_session_ticket, enters the waiting-to-receive state

server:  SSL3_ST_SR_KEY_EXCH_A  //ssl3_get_client_key_exchange

server:  SSL3_ST_SR_CERT_VRFY_A  //ssl3_get_cert_verify

server:  SSL3_ST_SR_FINISHED_A  //ssl3_get_finished

server:  SSL3_ST_SW_SESSION_TICKET_A //ssl3_send_newsession_ticket

server:  SSL3_ST_SW_CHANGE_A  //ssl3_send_change_cipher_spec, the message announcing that symmetric encryption starts

server: SSL3_ST_SW_FINISHED_A   //ssl3_send_finished

server:  SSL3_ST_SW_FLUSH  //BIO_flush

server:  SSL3_ST_OK   //ssl3_cleanup_key_block, ssl_update_cache and so on; at this point the server has completed the whole handshake

client: SSL3_ST_CR_SESSION_TICKET_A //ssl3_get_new_session_ticket, continues processing

client: SSL3_ST_CR_FINISHED_A  //ssl3_get_finished

client:  SSL_ST_OK  //ssl3_cleanup_key_block, ssl_update_cache and so on

The connection is established, and communication encrypted with the symmetric key begins.
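
The interleaving listed above can be reproduced with a small model, added here as an example and not taken from OpenSSL or from the original post. Each side steps through the page's states, write states buffer output, a FLUSH state delivers the buffer as one flight, and a read state waits until a flight has arrived. The `Peer` class, the `handshake` function, the per-flight granularity and the rule that pending output is sent before a read waits (which covers client_hello) are assumptions of this model.

```python
# Toy model (added example, not OpenSSL code). State names are the page's,
# with the SSL3_ST_ / SSL_ST_ prefix dropped: xW_ = write, xR_ = read.
CLIENT = ("CW_CLNT_HELLO_A CR_SRVR_HELLO_A CR_CERT_A CR_KEY_EXCH_A CR_CERT_REQ_A "
          "CR_SRVR_DONE_A CW_CERT_A CW_KEY_EXCH_A CW_CERT_VRFY_A CW_CHANGE_A "
          "CW_FINISHED_A CW_FLUSH CR_SESSION_TICKET_A CR_FINISHED_A OK").split()
SERVER = ("SR_CLNT_HELLO_A SW_SRVR_HELLO_A SW_KEY_EXCH_A SW_CERT_REQ_A SW_FLUSH "
          "SR_CERT_A SR_KEY_EXCH_A SR_CERT_VRFY_A SR_FINISHED_A "
          "SW_SESSION_TICKET_A SW_CHANGE_A SW_FINISHED_A SW_FLUSH OK").split()

class Peer:
    def __init__(self, name, script):
        self.name, self.script, self.pos = name, script, 0
        self.buffered = False   # output written but not yet flushed
        self.delivered = 0      # flights flushed by the other side, not yet opened
        self.in_flight = False  # True while consuming the messages of one flight

    def flush(self, other):
        if self.buffered:
            other.delivered, self.buffered = other.delivered + 1, False

    def run(self, other, trace):
        while self.pos < len(self.script):
            state = self.script[self.pos]
            if state[1:3] == "R_":
                self.flush(other)  # assumption: pending output leaves before waiting
                if not self.in_flight:
                    if self.delivered == 0:
                        trace.append((self.name, state, "wait"))
                        return False  # blocked: nothing to read yet
                    self.delivered, self.in_flight = self.delivered - 1, True
            else:
                self.in_flight = False
                if state.endswith("FLUSH"):
                    self.flush(other)
                elif state[1:3] == "W_":
                    self.buffered = True
            trace.append((self.name, state, "done"))
            self.pos += 1
        return True  # script finished

def handshake(c_script=CLIENT, s_script=SERVER):
    client, server, trace = Peer("client", c_script), Peer("server", s_script), []
    while True:
        before = client.pos + server.pos
        finished = [client.run(server, trace), server.run(client, trace)]
        if all(finished):
            return trace
        if client.pos + server.pos == before:
            raise RuntimeError("deadlock: both sides are waiting to read")
```

Calling `handshake()` returns a list of `(side, state, event)` tuples; the three `wait` entries are the points where the listing says a side enters the waiting state.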
