Ssl 卷曲中的TLS-PSK支持
我需要创建一个libcurl应用程序来从https服务器下载url(身份验证机制是PSK)。 所以我刚刚从下面的链接下载了TLS-PSK支持的cURL代码。 (据我所知,当前发布的cURL不支持TLS-PSK。如果我错了,请纠正我。) 但在执行我的示例应用程序时,它显示ssl错误:“sslv3警报坏记录mac” 事实上,我是新手,对TLS/SSL和curl没有太多的了解。 如果有人能提供解决方案,这将非常有帮助 下面我还附上了src代码、日志和测试结果,以供参考 Samplecurl.cppSsl 卷曲中的TLS-PSK支持,ssl,curl,openssl,Ssl,Curl,Openssl,我需要创建一个libcurl应用程序来从https服务器下载url(身份验证机制是PSK)。 所以我刚刚从下面的链接下载了TLS-PSK支持的cURL代码。 (据我所知,当前发布的cURL不支持TLS-PSK。如果我错了,请纠正我。) 但在执行我的示例应用程序时,它显示ssl错误:“sslv3警报坏记录mac” 事实上,我是新手,对TLS/SSL和curl没有太多的了解。 如果有人能提供解决方案,这将非常有帮助 下面我还附上了src代码、日志和测试结果,以供参考 Samplecurl.cpp i
int main()
{
CURL *curl = curl_easy_init();
if(curl)
{
curl_easy_setopt(curl, CURLOPT_URL, "https://localhost:1440/");
curl_easy_setopt(curl, CURLOPT_SSL_PSK, "client_id:fcc56e7668194a4775e5b36e2735551a");
curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "PSK-AES256-CBC-SHA");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
CURLcode res = curl_easy_perform(curl);
/* Check for errors */
if (res != CURLE_OK) {
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
}
}
return 0;
}
步骤1:使用openssl命令启动服务器(openssl版本为-openssl 1.0.2g)
步骤2:使用下载的源代码构建Samplecurl.cpp,并得到以下错误
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl_easy_perform() failed: SSL connect error
***对于curl命令行,也发生了相同的错误
curl命令:
curl-v--tls psk客户端_标识:fcc56e7668194a4775e5b36e2735551a-k--psk-AES256-CBC-SHA密码
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
请注意,使用openssl客户机命令,与服务器的连接成功。命令如下
openssl s_client -connect localhost:1440 -psk fcc56e7668194a4775e5b36e2735551a
在执行上述命令时,终端显示以下内容
>> CONNECTED(00000003)
>> no peer certificate available
>> No client certificate CA names sent
>> SSL handshake has read 338 bytes and written 414 bytes
>> New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : PSK-AES256-CBC-SHA
>> Session-ID: AC3096F9E9AAC227B4FE4DFD59CBD3B9A2EA230B22A83289323EF5F2F8C7DAE5
>> Session-ID-ctx:
>> Master-Key: 07314810B7A54B94EA9F8497736F383733290EB5BFC64A557D0B3A780F518FC9CF55BFC408C5361B91D92A1B4786E314
>> Key-Arg : None
>> PSK identity: Client_identity
>> PSK identity hint: None
>> SRP username: None
>> TLS session ticket lifetime hint: 300 (seconds)
>> TLS session ticket:
0000 - b4 92 80 4f ec 7b f2 17-c3 59 03 6f 62 63 62 5b ...O.{...Y.obcb[
0010 - 30 d4 d4 9d 5f 5f 07 df-8f 7d 4f f8 98 fa af 41 0...__...}O....A
0020 - 2a 11 53 1a c4 16 86 f1-24 38 b7 bf 9c 1c 7d 5a *.S.....$8....}Z
0030 - e3 bd 94 b4 01 e1 a7 75-95 b0 a1 c5 be 71 51 45 .......u.....qQE
0040 - 74 0b cb 7a a5 b8 ac 42-64 dc 06 c5 23 23 de 33 t..z...Bd...##.3
0050 - 0e 94 87 cc ed 65 f1 e4-da bc 4f 5e 3d e9 46 96 .....e....O^=.F.
0060 - ae 0e 4c d4 98 2e 01 9d-e3 6e 54 f2 c2 08 13 a9 ..L......nT.....
0070 - 1a 33 46 08 90 12 17 5b-e5 62 ca 23 24 93 97 1c .3F....[.b.#$...
0080 - 39 70 a6 4d 2c 12 6e 9c-53 e7 08 b5 ad 90 02 0d 9p.M,.n.S.......
0090 - 6c e8 ef e3 9b 76 f5 2a-ae 64 47 b5 84 a0 08 26 l....v.*.dG....&
00a0 - ec 1f 32 1c 5d 25 9e d0-cf c5 a2 8d 6b 2e de e1 ..2.]%......k...
Start Time: 1528369235
Timeout : 300 (sec)
Verify return code: 0 (ok)
你链接到的卷发补丁已经3年了,所以我会非常小心使用它。它看起来也很有限,因为在AFAICT中,CURLOPT_SSL_PSK选项希望您提供实际的(二进制)密钥…而不是密钥的十六进制表示形式。它倾向于将其使用限制在键中包含唯一可打印字符的键上……这是一个显著的限制,它会使使用该键时更加谨慎。这很可能就是它失败的原因(当您进行openssl s_服务器测试时,s_服务器-psk选项将十六进制转换为实际的二进制密钥)是的,这看起来像是一个libcurl错误…感谢您的评论。我发现了一些东西。使用ascii格式的psk密钥运行openssl s_服务器命令解决了错误的mac错误。openssl s_服务器-psk 666163646566-接受1440-密码psk-AES256-CBC-SHA-nocert客户端-带有CULLOPT_SSL_psk curl_easy_setopt(curl,CULLOPT_SSL_psk,“客户端标识:facdef”);
>> CONNECTED(00000003)
>> no peer certificate available
>> No client certificate CA names sent
>> SSL handshake has read 338 bytes and written 414 bytes
>> New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : PSK-AES256-CBC-SHA
>> Session-ID: AC3096F9E9AAC227B4FE4DFD59CBD3B9A2EA230B22A83289323EF5F2F8C7DAE5
>> Session-ID-ctx:
>> Master-Key: 07314810B7A54B94EA9F8497736F383733290EB5BFC64A557D0B3A780F518FC9CF55BFC408C5361B91D92A1B4786E314
>> Key-Arg : None
>> PSK identity: Client_identity
>> PSK identity hint: None
>> SRP username: None
>> TLS session ticket lifetime hint: 300 (seconds)
>> TLS session ticket:
0000 - b4 92 80 4f ec 7b f2 17-c3 59 03 6f 62 63 62 5b ...O.{...Y.obcb[
0010 - 30 d4 d4 9d 5f 5f 07 df-8f 7d 4f f8 98 fa af 41 0...__...}O....A
0020 - 2a 11 53 1a c4 16 86 f1-24 38 b7 bf 9c 1c 7d 5a *.S.....$8....}Z
0030 - e3 bd 94 b4 01 e1 a7 75-95 b0 a1 c5 be 71 51 45 .......u.....qQE
0040 - 74 0b cb 7a a5 b8 ac 42-64 dc 06 c5 23 23 de 33 t..z...Bd...##.3
0050 - 0e 94 87 cc ed 65 f1 e4-da bc 4f 5e 3d e9 46 96 .....e....O^=.F.
0060 - ae 0e 4c d4 98 2e 01 9d-e3 6e 54 f2 c2 08 13 a9 ..L......nT.....
0070 - 1a 33 46 08 90 12 17 5b-e5 62 ca 23 24 93 97 1c .3F....[.b.#$...
0080 - 39 70 a6 4d 2c 12 6e 9c-53 e7 08 b5 ad 90 02 0d 9p.M,.n.S.......
0090 - 6c e8 ef e3 9b 76 f5 2a-ae 64 47 b5 84 a0 08 26 l....v.*.dG....&
00a0 - ec 1f 32 1c 5d 25 9e d0-cf c5 a2 8d 6b 2e de e1 ..2.]%......k...
Start Time: 1528369235
Timeout : 300 (sec)
Verify return code: 0 (ok)