OpenSSL客户端不发送证书


多天以来,我一直在尝试在Linux服务器和Windows/Linux客户端之间实现TCPs通信。通信本身正常,但证书交换不正常:服务器一直在等待客户端证书,而客户端从未发送。

客户端和服务器均使用OpenSSL 1.0.2n运行。证书(.pfx)已安装在Windows证书存储区中。

服务器代码:

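/**
 * Configure a server-side SSL_CTX for mutual TLS.
 *
 * Loads the server certificate and private key (both PEM), checks that they
 * match, requires every peer to present a certificate, and loads the CA
 * certificates used to verify that peer certificate.
 *
 * @param ctx      SSL context to configure.
 * @param CertFile Path to the PEM server certificate.
 * @param KeyFile  Path to the PEM private key (may be the same as CertFile).
 * @param CAFile   Path to the PEM CA certificate(s) trusted for client auth.
 *
 * Any failure to load the certificate, key or trust anchors aborts the
 * process: continuing would leave a server that either cannot handshake or
 * rejects every client.
 */
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile, char* CAFile)
{
    /* set the local certificate from CertFile */
    if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        abort();
    }

    /* set the private key from KeyFile (may be the same as CertFile) */
    if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        abort();
    }

    /* verify that the private key belongs to the loaded certificate */
    if (!SSL_CTX_check_private_key(ctx)) {
        /* The original called printf(stderr, ...), which passes a FILE* as
         * the format string; fprintf is what was intended. */
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }

    SSL_CTX_set_ecdh_auto(ctx, 1);

    /* Require a client certificate and fail the handshake without one. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(ctx, 4);

    /* Trust anchors for verifying the client chain.  Without them every
     * client certificate is rejected, so treat a load failure as fatal
     * like the other setup errors instead of only logging it. */
    if (SSL_CTX_load_verify_locations(ctx, CAFile, NULL) != 1) {
        fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
        ERR_print_errors_fp(stderr);
        abort();
    }

    /* Advertise the acceptable CA names in the CertificateRequest.  Without
     * this the server sends an empty list ("No client certificate CA names
     * sent" in s_client output), and clients that pick their certificate by
     * issuer may not send one.  This does not replace configuring the
     * certificate and key on the client side.  The context takes ownership
     * of the list. */
    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAFile));
    if (SSL_CTX_get_client_CA_list(ctx) == NULL) {
        fprintf(stderr, "SSL_load_client_CA_file failed; no CA names will be advertised\n");
        ERR_print_errors_fp(stderr);
    }
}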

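/**
 * Serve one TLS connection: complete the handshake, read a single request,
 * echo it back wrapped in a small HTML page, then release the connection.
 *
 * @param ssl SSL object already bound to the accepted socket.  This function
 *            takes ownership: it frees `ssl` and closes the underlying fd.
 *
 * Threadable: uses only local state.
 */
void Servlet(SSL* ssl) /* Serve the connection -- threadable */
{
    static const char HTMLecho[] = "<html><body><pre>%s</pre></body></html>\n\n";
    char buf[1024];
    /* Room for a full request plus the HTML wrapper; the original used a
     * 1024-byte reply, which sprintf could overflow with a long request. */
    char reply[sizeof(buf) + 64];
    int sd, bytes;

    /* SSL_accept returns 1 on success; 0 and negative values are both
     * failures (this includes a client that sent no acceptable certificate). */
    if (SSL_accept(ssl) <= 0) {
        ERR_print_errors_fp(stderr);
    } else {
        /* Leave one byte for the terminator: reading sizeof(buf) bytes and
         * then writing buf[bytes] would store past the end of the array. */
        bytes = SSL_read(ssl, buf, sizeof(buf) - 1); /* get request */
        if (bytes > 0) {
            int reply_len;

            buf[bytes] = '\0';
            printf("Client msg: \"%s\"\n", buf);

            /* NOTE(review): the peer's bytes are echoed into HTML and to the
             * log without escaping; acceptable for a test echo server only. */
            reply_len = snprintf(reply, sizeof(reply), HTMLecho, buf);
            if (reply_len < 0) {
                reply_len = 0;
            } else if ((size_t)reply_len >= sizeof(reply)) {
                reply_len = (int)sizeof(reply) - 1; /* truncated output */
            }

            if (reply_len > 0 && SSL_write(ssl, reply, reply_len) <= 0) {
                ERR_print_errors_fp(stderr);
            }
        } else {
            ERR_print_errors_fp(stderr);
        }
    }

    sd = SSL_get_fd(ssl);  /* get socket connection */
    SSL_free(ssl);         /* release SSL state */
    close(sd);             /* close connection */
}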

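/**
 * TLS 1.2 echo server requiring client certificates.
 *
 * Initialises OpenSSL, builds the server context, loads the certificate,
 * key and CA file, then accepts TCP connections forever and hands each one
 * to Servlet().
 *
 * The command-line arguments are not used.  The listening port comes from
 * `port`, which is declared outside this function.
 */
int main(int count, char *strings[])
{
    SSL_CTX *ctx;
    int server;
    struct sockaddr_in addr;

    char CertFile[] = "/opt/doamin.cer";
    char KeyFile[] = "/opt/doamin.key";
    /* Relative path: resolved against the process working directory. */
    char CAFile[] = "doamin-ca.crt";

    (void)count;
    (void)strings;

    SSL_library_init();
    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();

    /* TLSv1_2_server_method() pins the server to TLS 1.2 (OpenSSL 1.0.2 API). */
    ctx = SSL_CTX_new(TLSv1_2_server_method());
    if (ctx == NULL) {
        ERR_print_errors_fp(stderr);
        abort();
    }
    SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_COMPRESSION);

    LoadCertificates(ctx, CertFile, KeyFile, CAFile); /* load certs */

    server = socket(PF_INET, SOCK_STREAM, 0);
    if (server < 0) {
        perror("can't create socket");
        abort();
    }

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(server, (struct sockaddr*)&addr, sizeof(addr)) != 0) {
        perror("can't bind port");
        abort();
    }

    if (listen(server, 10) != 0) {
        perror("Can't configure listening port");
        abort();
    }

    while (1) {
        struct sockaddr_in peer; /* distinct name: does not shadow addr */
        socklen_t len = sizeof(peer);
        SSL *ssl;

        int client = accept(server, (struct sockaddr*)&peer, &len); /* accept connection as usual */
        if (client < 0) {
            /* peer is not filled in on failure; do not log or serve it */
            perror("accept");
            continue;
        }
        printf("Connection: %s:%d\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

        ssl = SSL_new(ctx); /* get new SSL state with context */
        if (ssl == NULL) {
            ERR_print_errors_fp(stderr);
            close(client);
            continue;
        }

        /* set connection socket to SSL state */
        if (SSL_set_fd(ssl, client) != 1) {
            ERR_print_errors_fp(stderr);
            SSL_free(ssl);
            close(client);
            continue;
        }

        Servlet(ssl); /* service connection; frees ssl and closes client */
    }

    /* Not reached while the accept loop runs forever. */
    close(server);     /* close server socket */
    SSL_CTX_free(ctx); /* release context */
    return 0;
}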
使用“openssl s_client -connect dct.sub.domain.fr:445”时也出现同样的情况:

CONNECTED(000001A0)
depth=2 C = FR, O = compagny, OU = 0002 999999999, CN = AC compagny Root
verify return:1
depth=1 C = FR, O = compagny, OU = 0002 998888888, CN = AC compagny
verify return:1
depth=0 C = FR, ST = France, L = Paris, O = compagny, OU = TRA, CN = *.sub.domain.fr
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr
   i:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
 1 s:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
   i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
 2 s:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
   i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.doamin.fr
issuer=/C=FR/O=compagny/OU=0002 88888888/CN=AC compagny
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7208 bytes and written 5569 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FBF6E85A99787BFEA2088948841E03EFABD831D1D809CEB21DCB2C7CF3710997

    Session-ID-ctx:
    Master-Key: 16C1400E26554260B5921C305382BBFC098915CEBE54F5F9BB58D29715AFF94F7EDC5F88432887E4A8EA8487C8D9E939
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
        [...]
    Start Time: 1523882730
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
但使用以下命令可以正常工作:“openssl.exe s_client -connect dct.sub.doamin.fr:445 -cert out.crt -key out.crt -CAfile out.crt”


非常感谢您的帮助。我尝试了很多方法,但现在不知道该从哪里继续。

客户端没有既受服务器信任、又使用服务器所指定算法的证书。

我没有看到对SSL_CTX_use_certificate或类似函数的调用,也没有看到客户端加载匹配私钥的对应调用。您希望客户端如何知道要使用哪个证书和密钥?

ClientApp返回:OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny Root' OpenSSL: Loaded CA cert : subject='/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr' OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny' [...] SSL_get_verify_result OK。据我了解,d2i_X509/X509_STORE_add_cert函数会从存储区加载CA和证书。我希望在客户端使用已安装的证书,而不是文件,这就是我没有使用SSL_CTX_use_certificate的原因。证书的签名算法是sha256RSA,我会尝试在服务器上指定它。

您显示的输出似乎与您显示的客户端代码不匹配,不过您的“根”存储区似乎包含了非根证书,而OpenSSL的X509_STORE不能包含带私钥的证书。客户端或服务器自己的证书及匹配的私钥必须在SSL_CTX或SSL级别配置。(所有链证书也应当提供,但可以从X509_STORE中查找。)OpenSSL已经接受sha256+RSA;请查看日志中显示的列表。

谢谢!在Windows客户端上使用PFXExportCertStoreEx、SSL_use_certificate和SSL_use_PrivateKey函数后可以正常工作了。现在我将对Linux客户端应用程序做同样的处理。
OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny Root' 
OpenSSL: Loaded CA cert : subject='/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr' : ( From certmgr : With Private key for this domain )
OpenSSL: Loaded CA cert : subject='/C=FR/O=compagny/CN=AC compagny'
[...]
SSL_get_verify_result OK
CONNECTED(000001A0)
depth=2 C = FR, O = company, OU = 0002 518888888, CN = AC company Root
verify error:num=19:self signed certificate in certificate chain
14220:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure: .\ssl\s3_pkt.c:1500:SSL alert number 40
14220:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:.\ssl\s23_lib.c:177:
---
Certificate chain
 0 s:/C=FR/ST=France/L=Paris/O=company/OU=TRA/CN=*.sub.domain.fr
   i:/C=FR/O=company/OU=0002 999999999/CN=AC company
 1 s:/C=FR/O=company/OU=0002 999999999/CN=AC company
   i:/C=FR/O=company/OU=0002 518888888/CN=AC Ccompany
 2 s:/C=FR/O=company/OU=0002 518888888/CN=AC company
   i:/C=FR/O=company/OU=0002 518888888/CN=AC company
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=France/L=Paris/O=company/OU=TRA/CN=*.sub.domain.fr
issuer=/C=FR/O=company/OU=0002 999999999/CN=AC company
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5325 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 8EB904862A6D7FB954F5A2AB701429D9D066852A0C7A40832EEC9AD3A56B66AE786D485BF8AFF8D37C4D27629A41D5F3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1523868440
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
CONNECTED(000001A0)
depth=2 C = FR, O = compagny, OU = 0002 999999999, CN = AC compagny Root
verify return:1
depth=1 C = FR, O = compagny, OU = 0002 998888888, CN = AC compagny
verify return:1
depth=0 C = FR, ST = France, L = Paris, O = compagny, OU = TRA, CN = *.sub.domain.fr
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.domain.fr
   i:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
 1 s:/C=FR/O=compagny/OU=0002 998888888/CN=AC compagny
   i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
 2 s:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
   i:/C=FR/O=compagny/OU=0002 999999999/CN=AC compagny Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=France/L=Paris/O=compagny/OU=TRA/CN=*.sub.doamin.fr
issuer=/C=FR/O=compagny/OU=0002 88888888/CN=AC compagny
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7208 bytes and written 5569 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FBF6E85A99787BFEA2088948841E03EFABD831D1D809CEB21DCB2C7CF3710997

    Session-ID-ctx:
    Master-Key: 16C1400E26554260B5921C305382BBFC098915CEBE54F5F9BB58D29715AFF94F7EDC5F88432887E4A8EA8487C8D9E939
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
        [...]
    Start Time: 1523882730
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)