TLS或传输层安全(Transport Layer Security)是一种加密协议。它的设计使通过TLS的通信保持安全和私密。在这篇文章中,我将解释什么是TLS握手以及在遇到问题时如何修复TLS握手。(TLS)
在我们继续讨论TLS握手之前,让我们了解一下 TLS 何时发生(TLS)。每次通过HTTPS访问网站或应用程序时,都会使用TLS。当您访问电子邮件、消息甚至VOIP时,它使用TLS。你应该知道HTTPS是TLS加密的一种实现。
什么是 TLS 握手
握手是两端之间的一种协商形式。就像(Just)我们遇到人时,我们握手,然后继续其他任何事情。类似地,TLS握手是两台服务器之间的一种确认形式。
在TLS握手期间,服务器相互验证并建立加密,并交换密钥。如果一切都是真实的,并且如预期的那样,将会发生更多的数据交换。主要有四个步骤:
- 指定(Specify)将使用哪个版本的TLS进行通信。(TLS)
- 选择(Choose)将使用的加密算法
- 使用公钥和SSL证书颁发机构的数字签名验证真实性
- 生成和交换会话密钥
用外行的话来说,他们首先打招呼,然后服务器提供一个证书,客户端需要验证。验证完成后,将生成会话。创建一个密钥,通过该密钥通过会话交换数据。
阅读(Read):TLS 和 SSL 加密方法之间的区别。
如何修复 TLS 握手
如果存在服务器端问题,您将无能为力——但您的浏览器有问题,可以修复。例如,如果服务器提供了一个无法通过身份验证的证书,那么您就无法对它做任何事情。但是,如果问题是TLS协议不匹配,那么您可以从浏览器中更改它。
- 检查系统时间是否正确
- 检查中间人(Man in the middle)问题
- 在 Windows 中更改 TLS 协议
- 删除浏览器配置文件(Delete Browser Profile)或证书数据库(Certificate Database)
- 重置浏览器。
TLS握手失败的原因还有很多,具体取决于场景。所以这里有一些修复TLS的方法,但在此之前,总是使用这些规则来过滤问题。
- 检查不同的站点,如果问题仍然存在。
- 切换到多个网络连接,即WiFi或有线
- 更换(Change)网络,即连接到移动热点或不同的路由器,甚至尝试公共网络
1]检查(Check)系统时间是否正确
这是大多数时间TLS握手失败的主要原因。系统时间用于测试证书是否有效或过期。如果您的计算机和服务器上的时间不匹配,则可能会使证书看起来已过期。通过将其设置为自动来修复时间。
现在再次访问该网站,并检查是否已修复TLS握手
2]中间人问题
有一个规则,如果它发生在一个站点上,那么它的安全软件问题,但如果它发生在所有网站上,那么它是一个系统问题。
您计算机上的安全软件或浏览器扩展程序可能会拦截TLS连接并更改某些内容,从而导致TSL握手出现问题。系统上的病毒也可能导致所有TLS问题。
某些浏览器扩展更改代理设置(change proxy settings),可能会导致此问题。
无论哪种情况,您都需要修复您的计算机或安全软件。进一步验证这一点的最佳方法是使用另一台计算机并打开导致问题的相同网站或应用程序。
3]在Windows中更改TLS协议
Windows 10 和更早版本的Windows将协议设置集中在系统中。如果您需要更改TLS版本,您可以使用Internet Properties来完成。
- 在运行(Run)提示中键入inetcpl.cpl ,然后(inetcpl.cpl)按 Enter(Enter)键。
- Internet属性窗口打开后,切换到“高级(Advanced)”选项卡。
- 滚动到最后找到Security部分,您可以在此处添加或删除TLS。
- 如果网站正在寻找TLS 1.2,并且没有勾选,则需要勾选。同样,如果有人在试验TLS 1.3(with TLS 1.3),你需要检查一下。
- 申请(Apply)保存,然后尝试再次打开同一个网站。
虽然Chrome、IE 和Edge使用Windows功能,但Firefox与其证书数据库一样,可以自行管理。以下是如何在Firefox中更改(Firefox)TLS协议:
- 打开 Firefox,输入 about:config 并按 Enter
- 在搜索框中,键入TLS并找到security.tls.version.min
- 您可以将其更改为:
- 1 和 2 强制 TLS 1 和 1.1
- 3 强制 TLS 1.2
- 4 强制使用TLS 1.3的最大协议。
阅读(Read): 如何禁用 TLS 1.0(How to disable TLS 1.0)。
4]删除浏览器配置文件(Delete Browser Profile)或证书数据库(Certificate Database)
每个浏览器都维护一个证书数据库。例如,每个Firefox配置文件都有一个cert8.db文件。如果您删除该文件并重新启动修复它,则问题与本地证书数据库有关。
同样,在Windows中,当使用 IE 或Edge时,证书管理器负责,或者您可以转到edge://settings/privacy并单击 Manage HTTPS/SSL certificates and settings.删除证书并重试
如果找不到数据库,请删除配置文件,然后重试。
4]重置浏览器(4] Reset Browser)
如果您遇到其中一个浏览器的问题,这是最后的手段。您可以选择完全卸载,然后使用内置功能重新安装或重置浏览器。按照链接重置Chrome、Microsoft Edge和Firefox。
最后,即使证书无效,您也可以浏览网站,但请确保不要与网站进行任何类型的交易。您不应该使用信用卡,也不应该输入您的帐户密码。
我们希望这些提示易于遵循,并且您能够解决浏览器或计算机上的TLS问题。(TLS)我已尽力为您提供足够的解决方案,但老实说,TLS非常庞大,可能还有更多解决方案可用。
What is TLS handshake? How to fix TLS handshake?
TLS or Transport Layer Security is an encryption protocol. It is designed such that communication through TLS remains secure and private. In this post, I will explain what TLS handshake is and how to fix the TLS handshake if you face issues.
Before we go ahead and talk about the TLS handshake, let’s understand when TLS occurs. Every time you access a website or application over HTTPS, TLS is used. When you access emails, messages, and even VOIP, it uses TLS. You should know that HTTPS is an implementation of TLS encryption.
What is TLS handshake
A handshake is a form of negotiation between two ends. Just like when we meet people, we shake hands, and then go ahead with anything else. On similar lines, the TLS handshake is a form of acknowledgment between two servers.
During the TLS handshake, the servers verify each other and establish encryption, and also exchange keys. If everything is authentic, and as expected, more data exchange will take place. There are four major steps:
- Specify which version of TLS will be used for communication.
- Choose which encryption algorithms will be used
- Authenticity is verified using public key and the SSL certificate authority’s digital signature
- Session keys are generated and exchanged
In layman’s word, they first say hello, then the server offers a certificate that the client needs to verify. Once the verification is complete, a session is generated. A key is created through which data is exchanged through the session.
Read: Difference between TLS and SSL encryption methods.
How to fix TLS handshake
You cannot do anything if there is a server-side issue – but you are having a problem with the browser, it can be fixed. For example, if the server offers a certificate that cannot be authenticated, then you cannot do anything about it. However, if the problem is a mismatch of the TLS protocol, then you can change it from the browser.
- Check if the system time is correct
- Check for Man in the middle problem
- Change TLS Protocol in Windows
- Delete Browser Profile or Certificate Database
- Reset Browser.
There are many more reasons why the TLS handshake can fail, and it depends on the scenario. So here some ways to fix TLS, but before that, always use these rules to filter out the problem.
- Check with different sites, and if the problem remains.
- Switch to multiple network connections, i.e., WiFi or Wired
- Change network, i.e., connect to a mobile hotspot or different router or even try a public network
1] Check if the system time is correct
It is the top reason why the TLS handshake has failed most of the time. The system time is used to test whether the certificate valid or expired. If there is a mismatch between the time on your computer and the server, it can make certificates look expired. Fix the time by setting it to automatic.
Now visit the website again, and check if has fixed the TLS handshake
2] Man in the middle problem
There is one rule if it’s happening for one site, then its security software problem, but if it’s happening for all the websites, then its a system problem.
The security software or browser extension on your computer may be intercepting the TLS connections and changing something which results in problematic TSL handshake. It is also possible that a virus on the system is causing all the TLS problem.
Some browser extensions change proxy settings, and it may cause this problem.
In either case, you need to fix your computer or security software. The best way to further verify this is by using another computer and open the same website or application, which was causing the problem.
3] Change TLS Protocol in Windows
Windows 10 and earlier versions of Windows centralize the protocol settings in the system. If you need to change the TLS version, you can do it using Internet Properties.
- Type inetcpl.cpl in the Run prompt and hit Enter key.
- Once the Internet properties window opens, switch to the Advanced tab.
- Scroll to the end to find the Security section, and here you can add or remove TLS.
- If the website is looking for TLS 1.2, and it is not checked, you need to check it. Similarly, if someone is experimenting with TLS 1.3, you need to check it.
- Apply to save, and try opening the same website again.
While Chrome, IE, and Edge use Windows features, Firefox, like its certificate database, manages on its own. Here is how to change the TLS protocol in Firefox:
- Open Firefox, type about:config and press Enter
- In the search box, type TLS, and locate security.tls.version.min
- You can change it to:
- 1 and 2 to force TLS 1 and 1.1
- 3 to force TLS 1.2
- 4 to force a maximum protocol of TLS 1.3.
Read: How to disable TLS 1.0.
4] Delete Browser Profile or Certificate Database
Every browser maintains a database for certificates. For example, every Firefox profile has a cert8.db file. If you delete that file, and a restart fixes it, then the issue is related to the local certificate database.
Similarly, in Windows, when using IE or Edge, the Certificate Manager is responsible, or you can go to the edge://settings/privacy and click on Manage HTTPS/SSL certificates and settings. Delete certificates and try again
If you cannot find the database, delete the profile, and try again.
4] Reset Browser
It’s the last resort if you are having the issue with one of the browsers. You can choose to uninstall completely and then reinstall or reset the browser using the inbuilt feature. Follow the links to reset Chrome, Microsoft Edge, and Firefox.
Lastly, while you can browse a website even if the certificate is invalid, make sure not to perform any kind of a transaction with the website. Neither you should use a credit card, nor you should enter your account password.
We hope these tips were easy to follow, and you were able to resolve the TLS issue on your browser or your computer. I have tried my best to offer you enough solution, but honestly, TLS is extremely vast, and more solutions may be available.