C 如何正确使用API和初始化openssl? 如何正确使用API和初始化openssl?
我必须让OPEVN与俄罗斯的加密标准GOST一起工作。 我知道有一些现有的产品提供了这个机会。我浏览了他们的网站,发现他们在演示版中使用了openssl版本0.9.8。我试过了。它可以工作,但需要共享库和过时的openssl和opevpn版本 实际的openssl版本现在已经是了,我想使用静态libssl和libscripto(如果可能的话)。正如我在openssl中所读到的,从版本1.0.0开始,库支持GOST加密,(fyi由cryptocom实现)C 如何正确使用API和初始化openssl? 如何正确使用API和初始化openssl?,c,api,ssl,encryption,openssl,C,Api,Ssl,Encryption,Openssl,我必须让OPEVN与俄罗斯的加密标准GOST一起工作。 我知道有一些现有的产品提供了这个机会。我浏览了他们的网站,发现他们在演示版中使用了openssl版本0.9.8。我试过了。它可以工作,但需要共享库和过时的openssl和opevpn版本 实际的openssl版本现在已经是了,我想使用静态libssl和libscripto(如果可能的话)。正如我在openssl中所读到的,从版本1.0.0开始,库支持GOST加密,(fyi由cryptocom实现) 我所做的 我下载并编译了openssl-
我所做的 我下载并编译了openssl-1.0.1c,如下所示:
mkdir ~/test
cd ~/test
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
...
tar xzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config enable-gost -fPIC no-shared
...
make
...
我已经编写了配置文件来启用GOST加密算法~/test/openssl.cnf
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
# man ca(1SSL)
[ ca ]
default_ca = CA_default
# man ca(1SSL)
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# man ca(1SSL)
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# man req(1SSL)
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
# man req(1SSL)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Moscow
localityName = Locality Name (eg, city)
localityName_default = Moscow
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Organisation Unit
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# man req(1SSL)
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# man x509v3_config(5SSL)
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "Some company OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# man x509v3_config(5SSL)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
然后我查看了受支持的TLS密码:
OPENSSL_CONF=~/test/openssl.cnf ./apps/openssl ciphers -tls1
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
找到了戈斯特
我的问题是关于: 我想使用openssl API(我指的是libscripto和libssl)获取TLS密码列表。我编写了一个小程序,输出openssl提供的TLS密码~/test/test.c:
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <stdio.h>
void show_available_tls_ciphers (void)
{
SSL_CTX *ctx;
SSL *ssl;
int i;
const char *cipher_name;
int priority = 0;
ctx = SSL_CTX_new(TLSv1_method());
if (!ctx) {
ERR_print_errors_fp(stderr);
return;
}
ssl = SSL_new (ctx);
if (!ssl) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
}
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
if(!sk) {
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
SSL_free(ssl);
return;
}
for(i=0; i< sk_SSL_CIPHER_num(sk); ++i) {
printf("%s\n",sk_SSL_CIPHER_value(sk,i)->name);
}
printf ("\n");
SSL_free (ssl);
SSL_CTX_free (ctx);
}
int main(void) {
CRYPTO_malloc_init();
SSL_library_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
show_available_tls_ciphers();
return 0;
}
但是我的结果不同于上面的OPENSSL\u CONF=~/test/OPENSSL.cnf./apps/OPENSSL ciphers-tls11
输出,不包括GOST:
OPENSSL_CONF=~/test/openssl.cnf ./a.out
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
PSK-3DES-EDE-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
PSK-AES128-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
PSK-RC4-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
为了编写本文,我使用了openssl-1.0.1c/apps/ciphers.c文件中的代码和openssl初始化顺序
为什么我不能在
a.out
输出中看到GOST,我做错了什么?我应该如何编写代码,才能正确地使用openssl来查看测试程序输出中的GOST?简而言之,您不是在调用设置配置的东西
查看您获取的openssl包中apps/open ssl.c的源代码(chipers.c是基于$0链接的代码,您在“openssl密码”中运行该代码)
注意下面的一点:
p=getenv("OPENSSL_CONF");
if (p == NULL)
p=getenv("SSLEAY_CONF");
if (p == NULL)
p=to_free=make_config_name();
default_config_file=p;
然后再往下走:
config=NCONF_new(NULL);
i=NCONF_load(config,p,&errline);
if (i == 0) ...
这就是它在配置中的作用
Dw.简而言之,您没有调用设置配置的东西 查看您获取的openssl包中apps/open ssl.c的源代码(chipers.c是基于$0链接的代码,您在“openssl密码”中运行该代码) 注意下面的一点:
p=getenv("OPENSSL_CONF");
if (p == NULL)
p=getenv("SSLEAY_CONF");
if (p == NULL)
p=to_free=make_config_name();
default_config_file=p;
然后再往下走:
config=NCONF_new(NULL);
i=NCONF_load(config,p,&errline);
if (i == 0) ...
这就是它在配置中的作用
Dw.您应该在第一条指令中调用此命令以加载默认配置:
OPENSSL_config(NULL);
将从配置加载所有密码,包括gost。
您也可以在加载配置后设置:
'#define CIPHER_LIST "GOST2001-NULL-GOST94"//GOST2001-GOST89-GOST89 (chose one)
SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
您将只获得此芯片。您应该在第一条指令中调用此命令以加载默认配置:
OPENSSL_config(NULL);
将从配置加载所有密码,包括gost。
您也可以在加载配置后设置:
'#define CIPHER_LIST "GOST2001-NULL-GOST94"//GOST2001-GOST89-GOST89 (chose one)
SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
你只会得到这个芯片。很好。如果上述方法有效,请接受答案;让其他人知道要依靠它。如果没有,希望看到解决方案。谢谢,它不起作用。这还不够。我稍后会在这里发布正确的解决方案。如果上述方法有效,请接受答案;让其他人知道要依靠它。如果没有,希望看到解决方案。谢谢,它不起作用。这还不够。稍后我会在这里发布正确的解决方案