C++ 使用sslc/c++;-SSL协议don';t工作
我正在尝试使用SSL客户机/服务器示例:使用SSLv3创建安全连接。我在服务器端请求证书时做了一些更改,通信工作正常,双方都能理解。因此,我的问题是,当客户端连接到服务器时,协议通信SSLv3不工作,我使用wirkeshark进行验证,并且在协议字段中仅显示TCP或IPA(RSL格式错误的数据包),有人可以帮助我吗?谢谢 我已经按照教程创建了我的证书 这是我的客户代码:C++ 使用sslc/c++;-SSL协议don';t工作,c++,c,sockets,openssl,ssl-certificate,C++,C,Sockets,Openssl,Ssl Certificate,我正在尝试使用SSL客户机/服务器示例:使用SSLv3创建安全连接。我在服务器端请求证书时做了一些更改,通信工作正常,双方都能理解。因此,我的问题是,当客户端连接到服务器时,协议通信SSLv3不工作,我使用wirkeshark进行验证,并且在协议字段中仅显示TCP或IPA(RSL格式错误的数据包),有人可以帮助我吗?谢谢 我已经按照教程创建了我的证书 这是我的客户代码: //SSL-Client.c #include <stdio.h> #include <errno.h>
//SSL-Client.c
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <sys/socket.h>
#include <resolv.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define FAIL -1
//Added the LoadCertificates how in the server-side makes.
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
/* set the local certificate from CertFile */
if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
abort();
}
/* set the private key from KeyFile (may be the same as CertFile) */
if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
{
ERR_print_errors_fp(stderr);
abort();
}
/* verify private key */
if ( !SSL_CTX_check_private_key(ctx) )
{
fprintf(stderr, "Private key does not match the public certificate\n");
abort();
}
}
int OpenConnection(const char *hostname, int port)
{ int sd;
struct hostent *host;
struct sockaddr_in addr;
if ( (host = gethostbyname(hostname)) == NULL )
{
perror(hostname);
abort();
}
sd = socket(PF_INET, SOCK_STREAM, 0);
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = *(long*)(host->h_addr);
if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
close(sd);
perror(hostname);
abort();
}
return sd;
}
SSL_CTX* InitCTX(void)
{ SSL_METHOD *method;
SSL_CTX *ctx;
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
method = SSLv3_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL )
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
void ShowCerts(SSL* ssl)
{ X509 *cert;
char *line;
cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
if ( cert != NULL )
{
printf("Server certificates:\n");
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
printf("Subject: %s\n", line);
free(line); /* free the malloc'ed string */
line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
printf("Issuer: %s\n", line);
free(line); /* free the malloc'ed string */
X509_free(cert); /* free the malloc'ed certificate copy */
}
else
printf("No certificates.\n");
}
int main()
{ SSL_CTX *ctx;
int server;
SSL *ssl;
char buf[1024];
int bytes;
char hostname[]="127.0.0.1";
char portnum[]="5000";
char CertFile[] = "/home/myCA/cacert.pem";
char KeyFile[] = "/home/myCA/private/cakey.pem";
SSL_library_init();
ctx = InitCTX();
LoadCertificates(ctx, CertFile, KeyFile);
server = OpenConnection(hostname, atoi(portnum));
ssl = SSL_new(ctx); /* create new SSL connection state */
SSL_set_fd(ssl, server); /* attach the socket descriptor */
if ( SSL_connect(ssl) == FAIL ) /* perform the connection */
ERR_print_errors_fp(stderr);
else
{ char *msg = "Hello???";
printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
ShowCerts(ssl); /* get any certs */
SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */
buf[bytes] = 0;
printf("Received: \"%s\"\n", buf);
SSL_free(ssl); /* release connection state */
}
close(server); /* close socket */
SSL_CTX_free(ctx); /* release context */
return 0;
}
//SSL Client.c
#包括
#包括
#包括
#包括
#包括
#包括
#包括
#包括
#包括
#包括
#定义失败-1
//在服务器端创建中添加了LoadCertificates how。
无效加载证书(SSL_CTX*CTX、char*CertFile、char*KeyFile)
{
/*从证书文件设置本地证书*/
如果(SSL\u CTX\u使用\u证书\u文件(CTX、CertFile、SSL\u文件类型\u PEM)0)
{
buf[字节]=0;
printf(“客户端消息:\%s\”\n),buf);
sprintf(reply,HTMLecho,buf);/*构造reply*/
SSL_write(SSL,reply,strlen(reply));/*发送回复*/
}
其他的
错误打印错误fp(stderr);
}
sd=SSL_get_fd(SSL);/*获取套接字连接*/
无SSL(SSL);/*释放SSL状态*/
关闭(sd);/*密切联系*/
}
int main()
{SSL_CTX*CTX;
int服务器;
char portnum[]=“5000”;
char CertFile[]=“/home/myCA/mycert.pem”;
char-KeyFile[]=“/home/myCA/mycert.pem”;
SSL_库_init();
ctx=InitServerCTX();/*初始化SSL*/
加载证书(ctx、证书文件、密钥文件);/*加载证书*/
server=OpenListener(atoi(portnum));/*创建服务器套接字*/
而(1)
{struct sockaddru in addr;
socklen_t len=sizeof(地址);
SSL*SSL;
int client=accept(server,(struct sockaddr*)&addr,&len);/*像往常一样接受连接*/
printf(“连接:%s:%d\n”、inet_ntoa(地址sinu地址)、ntohs(地址sinu端口));
ssl=ssl_new(ctx);/*使用上下文获取新的ssl状态*/
SSL_set_fd(SSL,客户端);/*将连接套接字设置为SSL状态*/
Servlet(ssl);/*服务连接*/
}
关闭(服务器);/*关闭服务器套接字*/
SSL_CTX_free(CTX);/*发布上下文*/
}
您必须修改代码(服务器端):
您的代码:
int main(int argc, char **argv)
{ SSL_CTX *ctx;
int server;
//char portnum[]="5000"; ---> You can pass it as an argument
char CertFile[] = "/home/myCA/mycert.pem";
char KeyFile[] = "/home/myCA/mycert.pem";
SSL_library_init();
//portnum = strings[1];
portnum = argv[1]; // ---> You can pass port number here, instead of put it in the code
相反,您应该使用以下选项:
toc@UnixServer:~$ ./ssl_client
Connected with AES256-SHA encryption
Server certificates:
Subject: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Issuer: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Received: "<html><body><pre>Hello???</pre></body></html>
"
我得到了这个输出(客户端):
当您使用ssldump之类的工具时(http://www.rtfm.com/ssldump/)(在unix box上),您可以清楚地看到发生了什么:
toc@UnixServer:~$sudo ssldump-i lo端口5000
新的TCP连接#1:localhost(59071)localhost(5000)
1 0.0012(0.0012)C>S握手
克利恩塞洛
版本3.0
密文族
未知值0xc014
未知值0xc00a
SSL_DHE_RSA_与_AES_256_CBC_SHA
SSL_DHE_DSS_与_AES_256_CBC_SHA
未知值0x88
未知值0x87
未知值0xc00f
未知值0xc005
SSL_RSA_与_AES_256_CBC_SHA
未知值0x84
未知值0xc012
未知值0xc008
SSL\u DHE\u RSA\u与CBC\u SHA
SSL\u DHE\u DSS\u与CBC\u SHA
未知值0xc00d
未知值0xc003
SSL_RSA_与_3DES_EDE_CBC_SHA
未知值0xc013
未知值0xc009
SSL_DHE_RSA_与_AES_128_CBC_SHA
SSL_DHE_DSS_与_AES_128_CBC_SHA
未知值0x9a
未知值0x99
未知值0x45
未知值0x44
未知值0xc00e
未知值0xc004
SSL_RSA_与_AES_128_CBC_SHA
未知值0x96
未知值0x41
未知值0xc011
未知值0xc007
未知值0xc00c
未知值0xc002
SSL_RSA_与_RC4_128_SHA
SSL_RSA_与_RC4_128_MD5
SSL_DHE_RSA_与_DES_CBC_SHA
SSL_DHE_DSS_与_DES_CBC_SHA
SSL_RSA_与_DES_CBC_SHA
SSL\U DHE\U RSA\U导出\U DES40\U CBC\U SHA
SSL_DHE_DSS_导出_与_DES40_CBC_SHA
SSL_RSA_导出_与_DES40_CBC_SHA
SSL_RSA_导出_与_RC2_CBC_40_MD5
SSL\u RSA\u导出\u与\u RC4\u 40\u MD5
未知值0xff
压缩方法
未知值
无效的
1.2 0.0019(0.0006)S>C握手
服务器你好
版本3.0
会话号[32]=
13 e2 5a f0 10 93 18 56 c8 66 54 94 29 ab 8b 2d
7b c6 9c 3b 7b ea c7 54 e6 86 7d 3a 56 8c 96 14
密码套件SSL\U RSA\U带AES\U 256\U CBC\U SHA
压缩法未知值
1 3 0.0019(0.0000)S>C握手
证明书
1 4 0.0019(0.0000)S>C握手
证书申请
证书类型rsa签名
证书类型dss标志
海龙石
1 5 0.0155(0.0136)C>S握手
证明书
1 6 0.0155(0.0000)C>S握手
客户密钥交换
1 7 0.0155(0.0000)C>S握手
认证
签名[128]=
ac 94 31 89 64 75 20 5f 4f 00 73 4e e8 de 51 b7
f1 bb 16 da 63 b1 8d e9 15 9b af f8 32 d7 84 f5
b5 7d 4f 48 1c 2b 41 58 81 d3 a8 50 40 25 90 95
44 de 9d bb c4 79 5c 64 a8 a9 28 f4 16 7c 0e 17
b2 77 cf b0 8c a9 90 50 34 a5 76 a2 57 39 8d 37
12 d8 a5 8d f4 08 3a 1e 83 7e 6c 0a e9 75 ec 85
3d 56 f2 2e 4a 7d 71 88 29 26 99 40 43 4e f3 29
26 bf eb 15 be 36 22 72 f3 d9 be 4a e3 c9 0b cc
1.8 0.0155(0.0000)C>S更改密码规范
19 0.0155(0.0000)C>S握手
1 10 0.0245(0.0089)S>C变更规格
1110.0245(0.0000)S>C握手
1 12 0.0250(0.0005)C>S应用程序数据
1 13 0
int main(int argc, char **argv)
{ SSL_CTX *ctx;
int server;
//char portnum[]="5000"; ---> You can pass it as an argument
char CertFile[] = "/home/myCA/mycert.pem";
char KeyFile[] = "/home/myCA/mycert.pem";
SSL_library_init();
//portnum = strings[1];
portnum = argv[1]; // ---> You can pass port number here, instead of put it in the code
toc@UnixServer:~$ ./ssl_client
Connected with AES256-SHA encryption
Server certificates:
Subject: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Issuer: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Received: "<html><body><pre>Hello???</pre></body></html>
"
Connection: 127.0.0.1:59066
Server certificates:
Subject: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Issuer: /C=FR/ST=Some-State/L=PARIS/O=TOC/OU=TOC/CN=TOC/emailAddress=toc@toc.com
Client msg: "Hello???"
toc@UnixServer:~$sudo ssldump -i lo port 5000
New TCP connection #1: localhost(59071) <-> localhost(5000)
1 1 0.0012 (0.0012) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0xc014
Unknown value 0xc00a
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x88
Unknown value 0x87
Unknown value 0xc00f
Unknown value 0xc005
SSL_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x84
Unknown value 0xc012
Unknown value 0xc008
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
SSL_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc009
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc00e
Unknown value 0xc004
SSL_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
unknown value
NULL
1 2 0.0019 (0.0006) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
13 e2 5a f0 10 93 18 56 c8 66 54 94 29 ab 8b 2d
7b c6 9c 3b 7b ea c7 54 e6 86 7d 3a 56 8c 96 14
cipherSuite SSL_RSA_WITH_AES_256_CBC_SHA
compressionMethod unknown value
1 3 0.0019 (0.0000) S>C Handshake
Certificate
1 4 0.0019 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
ServerHelloDone
1 5 0.0155 (0.0136) C>S Handshake
Certificate
1 6 0.0155 (0.0000) C>S Handshake
ClientKeyExchange
1 7 0.0155 (0.0000) C>S Handshake
CertificateVerify
Signature[128]=
ac 94 31 89 64 75 20 5f 4f 00 73 4e e8 de 51 b7
f1 bb 16 da 63 b1 8d e9 15 9b af f8 32 d7 84 f5
b5 7d 4f 48 1c 2b 41 58 81 d3 a8 50 40 25 90 95
44 de 9d bb c4 79 5c 64 a8 a9 28 f4 16 7c 0e 17
b2 77 cf b0 8c a9 90 50 34 a5 76 a2 57 39 8d 37
12 d8 a5 8d f4 08 3a 1e 83 7e 6c 0a e9 75 ec 85
3d 56 f2 2e 4a 7d 71 88 29 26 99 40 43 4e f3 29
26 bf eb 15 be 36 22 72 f3 d9 be 4a e3 c9 0b cc
1 8 0.0155 (0.0000) C>S ChangeCipherSpec
1 9 0.0155 (0.0000) C>S Handshake
1 10 0.0245 (0.0089) S>C ChangeCipherSpec
1 11 0.0245 (0.0000) S>C Handshake
1 12 0.0250 (0.0005) C>S application_data
1 13 0.0250 (0.0000) C>S application_data
1 14 0.0258 (0.0007) S>C application_data
1 15 0.0258 (0.0000) S>C application_data
1 0.0261 (0.0002) C>S TCP FIN
1 0.0275 (0.0013) S>C TCP FIN
To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Copy it to the
/etc/pki/ca-trust/source/anchors/
subdirectory, and run the
update-ca-trust
command.
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main source/ directory instead.