Transport Layer Security Fragmentation

Sat 11 October 2025

TCP Segmentation

Each TCP segment may carry a complete application-layer message, or only part of one. The latter case is called TCP segmentation.

==================TCP Segment====================
=   GET /index.html HTTP/1.1                    =
=   host: proxyguess.bjun.tech                  =
=   ...                                         =
=                                               =
=                                               =
=================================================

            | |
            V

==================TCP Segment 1==================
=   GET /index.html HTTP/1.1                    =
=   host: proxyguess                            =
=                                               =
=                                               =
=                                               =
=================================================

==================TCP Segment 2==================
=   .bjun.tech                                  =
=   ...                                         =
=                                               =
=                                               =
=                                               =
=================================================

Top: one unsegmented HTTP GET request. Bottom: the same request split across two TCP segments.

TLS Record Fragmentation

The TLS layer consists of two distinct sub-layers: the TLS message layer and the TLS record layer. At the record layer, every TLS message is wrapped in a TLS record structure. Crucially, a single TLS message can be split across multiple TLS records, which results in TLS record fragmentation.

==================TCP Segment======================
= =================TLS Record==================== =
= =0x010000D5                                   = =
= =SNI:proxyguess.bjun.tech                     = =
= =                                             = =
= =                                             = =
= =                                             = =
= =============================================== =
===================================================

            | |
            V

==================TCP Segment======================
= =================TLS Record 1================== =
= =0x010000D5                                   = =
= =SNI:proxyguess.                              = =
= =                                             = =
= =                                             = =
= =                                             = =
= =============================================== =
=                                                 =
= =================TLS Record 2================== =
= =bjun.tech                                    = =
= =                                             = =
= =                                             = =
= =                                             = =
= =                                             = =
= =============================================== =
===================================================

            | |
            V

================== IP Packet 1 ======================
= =================TCP Segment==================== =
= = =================TLS Record 1================ = =
= = =0x010000D5                                 = = =
= = =SNI:proxyguess.                            = = =
= = =                                           = = =
= = =                                           = = =
= = =                                           = = =
= = ============================================= = =
= ================================================= =
=====================================================

================== IP Packet 2 ======================
= =================TCP Segment==================== =
= = =================TLS Record 2================ = =
= = =bjun.tech                                  = = =
= = =                                           = = =
= = =                                           = = =
= = =                                           = = =
= = =                                           = = =
= = ============================================= = =
= ================================================= =
=====================================================

The top part shows a TLS ClientHello carried in one complete TCP segment and one TLS record. The middle part shows the same TCP segment carrying the two TLS records that result from fragmenting the ClientHello. The bottom part distributes those two TLS records across two IP packets.

Getting past Tencent Cloud's ICP filing check

The ClientHello is split into two IP packets. For some requests the SNI extension lands entirely in the second packet; for others the split falls right in the middle of the SNI. With a small fragment size, the SNI extension will never appear in the first packet at all.
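From the inspection side, the diagrams above explain why a filter that examines only the first record or the first packet does not see the server name: the SNI bytes may straddle two TLS records, so the ClientHello must be reassembled at the record layer before it is parsed. The following Python is an added example written for this page, not code from the original post. It builds a constructed minimal ClientHello for the host shown in the diagrams (proxyguess.bjun.tech; the random, session id and cipher list are filler), fragments it into TLS records so that the name is split exactly as in the middle diagram, and contrasts naive per-record inspection with record-layer reassembly.

```python
import struct
from typing import List, Optional

# Constructed sample host, taken from the page's diagrams.
SNI_HOST = "proxyguess.bjun.tech"


def build_client_hello(host: str) -> bytes:
    """Return handshake-layer bytes (type + 24-bit length + body) of a minimal
    TLS 1.2 ClientHello carrying a server_name extension for `host`.
    Random, session id and cipher list are constructed filler."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"                   # client_version: TLS 1.2
        + bytes(32)                   # random (constructed zeros)
        + b"\x00"                     # session_id length 0
        + b"\x00\x02" + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                 # one compression method: null
        + extensions
    )
    return b"\x01" + struct.pack("!I", len(body))[1:] + body         # handshake type 1 = ClientHello


def wrap_records(handshake: bytes, chunk: int) -> List[bytes]:
    """Split handshake bytes into TLS records of at most `chunk` payload bytes
    (content type 22 = handshake, legacy record version 0x0301)."""
    pieces = (handshake[i:i + chunk] for i in range(0, len(handshake), chunk))
    return [b"\x16\x03\x01" + struct.pack("!H", len(p)) + p for p in pieces]


def extract_sni(handshake: bytes) -> Optional[str]:
    """Parse a complete ClientHello handshake message; return the SNI host or None.
    An incomplete message yields None rather than a guess."""
    if len(handshake) < 4 or handshake[0] != 1:
        return None
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) < length:
        return None                                     # message not fully present
    p = 2 + 32                                          # skip version + random
    p += 1 + body[p]                                    # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher suites
    p += 1 + body[p]                                    # compression methods
    if p + 2 > len(body):
        return None                                     # no extensions block
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                                   # skip server_name list length
            if body[q] == 0:                            # host_name entry
                nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                return body[q + 3:q + 3 + nlen].decode("ascii", "replace")
        p += elen
    return None


def sni_per_record(records: List[bytes]) -> List[Optional[str]]:
    """Naive inspection: look at each record's payload in isolation."""
    return [extract_sni(r[5:]) for r in records]


def sni_from_stream(stream: bytes) -> Optional[str]:
    """Record-layer reassembly: concatenate handshake payloads across records,
    then parse the ClientHello once."""
    buf = b""
    p = 0
    while p + 5 <= len(stream):
        ctype = stream[p]
        rlen = struct.unpack("!H", stream[p + 3:p + 5])[0]
        payload = stream[p + 5:p + 5 + rlen]
        if len(payload) < rlen:
            break                                       # truncated record: stop, don't guess
        if ctype == 22:
            buf += payload
        p += 5 + rlen
    return extract_sni(buf)


if __name__ == "__main__":
    hello = build_client_hello(SNI_HOST)
    whole = wrap_records(hello, len(hello))             # one record, as in the top diagram
    split = wrap_records(hello, 64)                     # two records; the name straddles them
    print("single record, per-record:", sni_per_record(whole))
    print("fragmented, per-record:   ", sni_per_record(split))
    print("fragmented, reassembled:  ", sni_from_stream(b"".join(split)))
```

With a 64-byte record size the constructed ClientHello (76 handshake bytes) splits so that "proxygue" sits in the first record and "ss.bjun.tech" in the second, so per-record parsing returns no name for either fragment while the reassembled stream yields the full host. A TCP-level split, as in the bottom diagram, adds nothing new for the parser: once segments are reassembled into a byte stream, the same record-layer loop applies.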

All that effort, when simply switching to a different port would be easier.
