2018/06 追記
å¤ã„記事ã§ã™ãŒã¡ã‚‡ã“ã¡ã‚‡ã“アクセスã„ãŸã ã„ã¦ã„ã‚‹ã®ã§æ›´æ–°ã€‚
最近ã¯å¸¸æ™‚SSLã€IPv4枯渇ã€CDNå°Žå…¥ãªã©ã®ç†ç”±ã§SNIãŒè‰¯ã使ã‚れるよã†ã«ãªã£ã¦ãã¦ã„ã¾ã™ãŒ
ã“ã®å ´åˆã€ãƒ›ã‚¹ãƒˆå(URL全体ã§ã¯ãªã„)ã¯å¹³æ–‡ã§é€ä¿¡ã•ã‚Œã¾ã™ã€‚
client å´ã§ã‚ャプãƒãƒ£ã—ãŸãƒ‘ケット
curl -k https://sni.example.com/hogehoge
$ sudo ngrep -d en3 -q -W byline port 443 and host 192.0.2.1 interface: en3 (192.168.6.0/255.255.255.0) filter: (ip or ip6) and ( port 443 and host 192.0.2.1 ) T 192.168.6.108:55460 -> 192.0.2.1:443 [AP] ...........[1.K.gr8%.k...*MY.n.........SR....D...,.+.$.#. .....0./.(.'...........k.g.9.3.......=.<.5./. .............S.........sni.example.com.
SNIã¨ã¯
- 一ã¤ã®IPã«è¤‡æ•°ã®è¨¼æ˜Žæ›¸ã‚’é©ç”¨
- ワイルドカード/マルãƒãƒ‰ãƒ¡ã‚¤ãƒ³ã§ã¯ãªãã€å€‹åˆ¥ã®è¨¼æ˜Žæ›¸ã‚’複数é©ç”¨
- https://ja.wikipedia.org/wiki/Server_Name_Indication
追記終ã‚ã‚Š
æš—å·åŒ–ã•ã‚Œã‚‹æ´¾ã¨æš—å·åŒ–ã•ã‚Œãªã„æ´¾ã«åˆ¥ã‚Œã¦ã¦ã€èžã‹ã‚ŒãŸã®ã§ã€‚
タイトルã®ã‚ˆã†ãªå•ã„æ–¹ã ã¨å°‘ã—曖昧ãªã®ã§ã€ç”ãˆæ–¹ã«ã‚ˆã£ã¦åˆ¥ã‚Œã‚‹ã®ã‹ãªã€‚
- HTTPS通信ä¸ã®URLæƒ…å ±ã¯æš—å·åŒ–ã•ã‚Œã‚‹
- ç›—è´ã•ã‚Œã¦ã‚‚URLã¯ã°ã‚Œãªã„
- web serverã®ãƒã‚°ã«ã¯URLã¯å¾©å·ã•ã‚Œã¦è¨˜éŒ²ã•ã‚Œã‚‹
- ãƒã‚°ã‚’残ã™ã‹ã¯è¨å®šæ¬¡ç¬¬
(web serverã£ã¦æ›¸ã„ã¦ãŠããªãŒã‚‰apacheã®ã“ã¨ã—ã‹è€ƒãˆã¦ã„ã¾ã›ã‚“。ã§ã‚‚ãŸã¶ã‚“ä»–ã®httpdã§ã‚‚åŒã˜ã ã¨æ€ã†)
冒é ã®èº«è¿‘ãªäººãŸã¡ã«ã¯ã€HTTPS通信ä¸ã®URLã‚‚æš—å·åŒ–ã•ã‚Œãªã„æ´¾ãŒã„ãŸã®ã§ã€â†“ã®å†…容ã§èª¬æ˜Žã—ãŸã€‚
httpsã®ãƒ•ãƒãƒ¼ã¨ã—ã¦ã¯
- clientãŒserverã®tcp 443 portã«æŽ¥ç¶š
- serverã¯è¨¼æ˜Žæ›¸ã¨å…¬é–‹éµã‚’clientã«é€ä¿¡
- clientã¯serverã®è¨¼æ˜Žæ›¸ã‚’検証
- 検証ã§ããŸã‚‰(or è¦å‘ŠãŒå‡ºã¦ã‚‚無視ã™ã‚Œã°)共通éµã‚’生æˆã—ã€serverã®å…¬é–‹éµã§æš—å·åŒ–ã—ã¦serverã«é€ä¿¡
- serverã¯è‡ªèº«ã®ç§˜å¯†éµã‚’用ã„ã¦ã€æš—å·åŒ–ã•ã‚ŒãŸå…±é€šéµã‚’復å·
- client - serverã§æš—å·åŒ–ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ãŒç¢ºç«‹ã—ã€ä»¥é™å…±é€šéµã§æš—å·åŒ–ã—ã¦HTTP over SSL通信ãŒè¡Œã‚れる (ã“ã“ã§URLã¨HTTPヘッダã€ãƒœãƒ‡ã‚£ãŒé€ã‚‰ã‚Œã‚‹)
ã¨ã„ã†ã“ã¨ã ã¨æ€ã†ã®ã§HTTPS通信ä¸ã®URLã¯æš—å·åŒ–ã•ã‚Œã‚‹ã¨ã€‚試ã—ã«mod_sslãŒå‹•ã„ã¦ã„ã‚‹apacheã§ãƒ‘ケットã‚ャプãƒãƒ£ã—ã¤ã¤ã€clientã§ssl接続ã™ã‚‹ã¨æš—å·åŒ–ã•ã‚Œã¦ã‚‹ã®ãŒã‚ã‹ã‚‹ã€‚
- http
client
$ curl -I http://192.168.0.1/hoge
server: ngrep (tcpdump) ã§ã‚ャプãƒãƒ£ã™ã‚‹ã€‚
URLã ã‘ã§ãªãã¦ã€HTTP Request全体ãŒå¹³æ–‡ã§ã¿ãˆã¦ã‚‹ã€‚
# ngrep -q -W byline dst\ port 80 and host 192.168.0.10 interface: eth0 (192.168.0.0/255.255.255.0) filter: (ip) and ( dst port 80 and host 192.168.0.10 ) T 192.168.0.10:25007 -> 192.168.0.1:80 [AP] HEAD /hoge HTTP/1.1. User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15. Host: 192.168.0.1. Accept: */*. .
client # オレオレ証明書使ã£ã¦ã„ã‚‹ã®ã§-k を付ã‘ã‚‹
$ curl -k -I https://192.168.0.1/hoge
server: ngrep (tcpdump) ã§ã‚ャプãƒãƒ£ã€‚æš—å·åŒ–ã•ã‚Œã¦ã„ã¦HTTP Request全体ãŒãƒ†ã‚ストã§è¦‹ãˆãªããªã£ã¦ã‚‹ã€‚
# ngrep -q -W byline dst\ port 443 and host 192.168.0.10
interface: eth0 (192.168.0.0/255.255.255.0)
filter: (ip) and ( dst port 443 and host 192.168.0.10 )
T 192.168.0.10:15168 -> 192.168.0.1:443 [AP]
....e...a..O........*3.t...!\.m=.V...(>
:t...(.9.8.5.....
.3.2./....................................192.168.0.1
T 192.168.0.10:15168 -> 192.168.0.1:443 [AP]
.............nG.n..Z.\.v..\\F..2..A.T.b....*h;.....:zk.....T.?I../..)...jVl.VW......H.)....H.Fv.V......J."......*...........g....RF..L..W............0F...k......4.....]<.@.*9d.\.&...5.k...#."6..Fe..
T 192.168.0.10:15168 -> 192.168.0.1:443 [AP]
......+..L..&.&.Tn....4JC..9..Ta
.j.{...S.p9....+A+i..J..t.Zebva~....."[email protected]...)...eU.....sb.....]....M....b...R..W..URo.Ko]&..*^5.g.xw...{q...8..W.~h...sz......,;h...r.{T+.B
T 192.168.0.10:15168 -> 192.168.0.1:443 [AP]
.... ...r..rB.O.......;..+......H,B.+冒é ã«ã‚‚書ã„ãŸã‘ã©ã€httpsã§ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã‚‚ãƒã‚°ã«ã¯URLã¯å¹³æ–‡ã§æ®‹ã‚‹ã€‚POSTデータもapacheã®mod_dumpioã¨ã‹ã‚¢ãƒ—リケーションã§å¹³æ–‡ã§ãƒã‚°ã«æ®‹ã›ã‚‹ã®ã§ã€é€ä¿¡ã—ãŸæƒ…å ±ãŒå®‰å…¨ã«ä½¿ã‚れるã‹ã©ã†ã‹ã¯çµå±€ã‚µãƒ¼ãƒå´ã®é‹å–¶æ¬¡ç¬¬ã£ã¦ã„ã†ã€‚ã‚ã¨å½“然ã€SSLã®ç§˜å¯†éµã‚’ç›—ã¾ã‚ŒãŸã‚Šã™ã‚‹ã¨ç›—è´ï¼†å¾©å·ã•ã‚Œã‚‹ã¨ä¸èº«ã¯ãƒãƒ¬ã‚‹ã€‚ã£ã¦ä½•ãŒè¨€ã„ãŸã„ã®ã‹ã‚ã‹ã‚“ãªããªã£ã¦ãã¡ã‚ƒã£ãŸã€‚
