1. website
SSL(secure Socket Layer)
TLS(transport Layer Security) - SSL3.0基础之上提出的安全通信标准,目前版本是1.0
openssl 主页 -> http://www.openssl.org/
openssl 中文文档 -> http://www.chinaunix.net/jh/13/478901.html
2. 如何编译OpenSSL in Windows?
a) 下载openssl -> openssl-0.9.8i
b) 下载perl -> http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.8.822-MSWin32-x86-280952.zip
c) 安装perl -> ActivePerl-5.8.8.822-MSWin32-x86-280952/Installer.bat (之前先运行vcvars32.bat,需要运行perf Configure VC-WIN32来设置环境变量)
d) 使windows支持nmake -> C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat
e) 进入openssl路径 -> cd C:\devdiv\openssl-0.9.8i (工作路径)
f) 创建Makefile文件: ms\do_ms (出现%osversion% is not defined的错误忽略即可)
g) 编译动态库: nmake -f ms\ntdll.mak
编译静态库: nmake -f ms\nt.mak
测试动态库: nmake -f ms\ntdll.mak test
测试静态库: nmake -f ms\nt.mak test
安装动态库: nmake -f ms\ntdll.mak install
安装静态库: nmake -f ms\nt.mak install
清除上次动态库的编译,以便重新编译: nmake -f ms\ntdll.mak clean
清除上次静态库的编译,以便重新编译: nmake -f ms\nt.mak clean
3. 如何使用openssl?
a) library path -> C:\devdiv\openssl-0.9.8i\out32
b) include path -> C:\devdiv\openssl-0.9.8i\include
c) 库文件 -> libeay32.lib, ssleay32.lib
4. 配置文件在哪里?
C:\devdiv\openssl-0.9.8i\apps\openssl.cnf
5. 关于key:
key一般分为public key和private key,在openssl中,private key中包含了public key的信息,所以public key不需要单独创建. 如何创建一个RSA key?
openssl.exe genrsa -des3 -out privatekey.pem 2048 (需要添加密码保护)
openssl.exe genrsa -out privatekey.pem 2048
6. 关于certificates(证书文件), 如何创建一个证书呢?
一般流程是:
a. 创建一个private key
b. 创建一个certificate signing request(证书请求), 这个需要a#中创建的private key.因为证书中需要包含public key,
创建的priavate key中有这些信息.
(openssl.exe req -new -key privatekey.pem-out cacert.csr)
c. 把创建好的证书请求拿到CA(certificate authority)证书认证机构审批.
7. 如何做一个自签名的证书呢?
openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095
(Note: privatekey.pem需要自己创建)
8. Demo: 来自openssl自带的demo,略做修改.
Server:
#include <openssl/rsa.h> /* SSLeay stuff */2
#include <openssl/crypto.h>3
#include <openssl/x509.h>4
#include <openssl/pem.h>5
#include <openssl/ssl.h>6
#include <openssl/err.h>7
8
9
#include <iostream>10
#include <winsock2.h>11
12
#define SERVER_PORT 500313
14
// certificate & key 的存放路径15
// Note: 必须是全路径, 否则SSL_CTX_use_certificate_file等函数16
// 无法找到文件在windows平台上.17
// How to:18
// #privatekey.pem19
// openssl.exe genrsa -out privatekey.pem 204820
// #cacert.pem21
// openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095 -config openssl.cnf22
//23
#define SERVER_CERTIFICATE "c:\\config\\cacert.pem" 24
#define SERVER_KEY "c:\\config\\privatekey.pem"25
26
#pragma comment( lib, "ws2_32.lib" )27
#pragma comment( lib, "libeay32.lib" )28
#pragma comment( lib, "ssleay32.lib" )29
30
int main( int argc, char* argv[] ) {31
int ret;32
33
////////////34
// 初始化 //35
////////////36
SSL_CTX* ctx;37
SSL_METHOD *meth;38
39
SSL_load_error_strings();40
SSLeay_add_ssl_algorithms();41
meth = SSLv23_server_method(); 42
43
ctx = SSL_CTX_new (meth);44
if (!ctx) {45
ERR_print_errors_fp(stderr);46
std::cout<<"SSL_CTX_new error."<<std::endl;47
return -1;48
}49
50
if (SSL_CTX_use_certificate_file(ctx, SERVER_CERTIFICATE, SSL_FILETYPE_PEM) <= 0) {51
ERR_print_errors_fp(stderr);52
std::cout<<"SSL_CTX_use_certificate_file error."<<std::endl;53
return -1;54
}55
if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {56
ERR_print_errors_fp(stderr);57
std::cout<<"SSL_CTX_use_PrivateKey_file error."<<std::endl;58
return -1;59
}60
61
if (!SSL_CTX_check_private_key(ctx)) {62
ERR_print_errors_fp(stderr);63
std::cout<<"SSL_CTX_check_private_key error."<<std::endl;64
return -1;65
}66
67
///////////////////////68
// 建立原始的TCP连接 //69
///////////////////////70
WSADATA wsaData;71
SOCKET listen_socket;72
SOCKET accept_socket;73
struct sockaddr_in addr_server;74
struct sockaddr_in addr_client;75
int addr_client_len;76
77
ret = WSAStartup( MAKEWORD(2, 2), &wsaData );78
if ( ret != 0 ) {79
std::cout<<"WSAStartup error."<<std::endl;80
return -1;81
}82
83
listen_socket = socket (AF_INET, SOCK_STREAM, 0); 84
if( listen_socket == INVALID_SOCKET ) {85
std::cout<<"socket error."<<std::endl;86
return -1;87
}88
89
memset (&addr_server, 0, sizeof(addr_server));90
addr_server.sin_family = AF_INET;91
addr_server.sin_addr.S_un.S_addr = INADDR_ANY;92
addr_server.sin_port = htons (SERVER_PORT); 93
94
ret = bind(listen_socket, (struct sockaddr*)&addr_server, sizeof(addr_server) ); 95
if( ret == SOCKET_ERROR ) {96
std::cout<<"bind error."<<std::endl;97
return -1;98
}99
100
ret = listen (listen_socket, 5); 101
if( ret == SOCKET_ERROR ) {102
std::cout<<"listen error."<<std::endl;103
return -1;104
}105
106
addr_client_len = sizeof(addr_client);107
accept_socket = accept (listen_socket, (struct sockaddr*) &addr_client, &addr_client_len);108
if( accept_socket == INVALID_SOCKET ) {109
std::cout<<"accept error."<<std::endl;110
return -1;111
}112
closesocket(listen_socket);113
std::cout<<" Connection from "<<addr_client.sin_addr.S_un.S_addr<<":"<<addr_client.sin_port<<std::endl;114
115
/////////////////////////////////////116
// TCP连接已经建立,执行Server SSL //117
/////////////////////////////////////118
SSL* ssl;119
X509* client_certificate;120
char* str;121
122
ssl = SSL_new (ctx); 123
if( ssl == NULL ) {124
std::cout<<"SSL_new error."<<std::endl;125
return -1;126
} 127
SSL_set_fd (ssl, accept_socket);128
ret = SSL_accept (ssl); 129
if( ret == -1 ) {130
std::cout<<"SSL_accept error."<<std::endl;131
return -1;132
}133
134
// 获取cipher135
std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;136
137
// 获取客户端的证书138
client_certificate = SSL_get_peer_certificate (ssl);139
if (client_certificate != NULL) {140
std::cout<<"Client certificate:"<<std::endl;141
142
str = X509_NAME_oneline (X509_get_subject_name (client_certificate), 0, 0);143
if( str == NULL ) {144
std::cout<<"X509_NAME_oneline error."<<std::endl;145
} else {146
std::cout<<"subject: "<<str<<std::endl;147
OPENSSL_free (str);148
}149
150
str = X509_NAME_oneline (X509_get_issuer_name (client_certificate), 0, 0);151
if( str == NULL ) {152
std::cout<<"X509_NAME_oneline error."<<std::endl;153
} else {154
std::cout<<"issuer: "<<str<<std::endl;155
OPENSSL_free (str);156
}157
158
X509_free (client_certificate);159
} else {160
std::cout<<"Client does not have certificate. "<<std::endl;161
}162
163
////////////////164
// 数据交换 //165
////////////////166
char buf [4096];167
168
ret = SSL_read (ssl, buf, sizeof(buf) - 1); 169
if( ret == -1 ) {170
std::cout<<"SSL_read error."<<std::endl;171
return -1;172
}173
buf[ret] = '\0';174
std::cout<<buf<<std::endl;175
176
ret = SSL_write (ssl, "I hear you.", strlen("I hear you.")); 177
if( ret == -1 ) {178
std::cout<<"SSL_write error."<<std::endl;179
return -1;180
}181
182
/////////////183
// Cleanup //184
/////////////185
closesocket(accept_socket);186
SSL_free (ssl);187
SSL_CTX_free (ctx);188
WSACleanup();189
return 0;190
}Client:
#include <openssl/rsa.h> /* SSLeay stuff */2
#include <openssl/crypto.h>3
#include <openssl/x509.h>4
#include <openssl/pem.h>5
#include <openssl/ssl.h>6
#include <openssl/err.h>7
8
9
#include <iostream>10
#include <winsock2.h>11
12
#define SERVER_IP "127.0.0.1"13
#define SERVER_PORT 500314
15
#pragma comment( lib, "ws2_32.lib" )16
#pragma comment( lib, "libeay32.lib" )17
#pragma comment( lib, "ssleay32.lib" )18
19
20
int main( int argc, char* argv[] ) {21
int ret;22
////////////23
// 初始化 //24
////////////25
SSL_CTX* ctx;26
SSL_METHOD *meth;27
28
SSL_load_error_strings();29
SSLeay_add_ssl_algorithms();30
meth = SSLv23_client_method();31
32
ctx = SSL_CTX_new (meth);33
if (!ctx) {34
ERR_print_errors_fp(stderr);35
std::cout<<"SSL_CTX_new error."<<std::endl;36
return -1;37
}38
39
///////////////////////40
// 建立原始的TCP连接 //41
///////////////////////42
WSADATA wsaData;43
SOCKET client_socket;44
struct sockaddr_in addr_server;45
46
ret = WSAStartup( MAKEWORD(2, 2), &wsaData );47
if ( ret != 0 ) {48
std::cout<<"WSAStartup error."<<std::endl;49
return -1;50
}51
client_socket = socket (AF_INET, SOCK_STREAM, 0); 52
if( client_socket == INVALID_SOCKET ) {53
std::cout<<"socket error."<<std::endl;54
return -1;55
}56
57
memset (&addr_server, 0, sizeof(addr_server));58
addr_server.sin_family = AF_INET;59
addr_server.sin_addr.S_un.S_addr = inet_addr(SERVER_IP);60
addr_server.sin_port = htons (SERVER_PORT);61
62
ret = connect(client_socket, (struct sockaddr*) &addr_server, sizeof(addr_server)); 63
if( client_socket == SOCKET_ERROR ) {64
std::cout<<"connect error."<<std::endl;65
return -1;66
}67
68
/////////////////////////////////////69
// TCP连接已经建立,执行Client SSL //70
/////////////////////////////////////71
SSL* ssl;72
X509* server_certificate;73
char* str;74
75
ssl = SSL_new (ctx); 76
if( ssl == NULL ) {77
std::cout<<"SSL_new error."<<std::endl;78
return -1;79
} 80
SSL_set_fd (ssl, client_socket);81
ret = SSL_connect (ssl); 82
if( ret == -1 ) {83
std::cout<<"SSL_accept error."<<std::endl;84
return -1;85
}86
87
// 接下来的获取密码和获取服务器端证书的两部是可选的,不会影响数据交换88
89
// 获取cipher90
std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;91
92
// 获取服务器端的证书93
server_certificate = SSL_get_peer_certificate (ssl); 94
if( server_certificate != NULL ) {95
std::cout<<"Server certificate:"<<std::endl;96
97
str = X509_NAME_oneline (X509_get_subject_name (server_certificate),0,0);98
if( str == NULL ) {99
std::cout<<"X509_NAME_oneline error."<<std::endl;100
} else {101
std::cout<<"subject: "<<str<<std::endl;102
OPENSSL_free (str);103
}104
105
str = X509_NAME_oneline (X509_get_issuer_name (server_certificate),0,0);106
if( str == NULL ) {107
std::cout<<"X509_NAME_oneline error."<<std::endl;108
} else {109
std::cout<<"issuer: "<<str<<std::endl;110
OPENSSL_free (str);111
}112
113
X509_free (server_certificate);114
} else {115
std::cout<<"Server does not have certificate. we sould Esc!"<<std::endl;116
return -1;117
}118
119
////////////////120
// 数据交换 //121
////////////////122
char buf [4096];123
124
ret = SSL_write (ssl, "Hello World!", strlen("Hello World!")); 125
if( ret == -1 ) {126
std::cout<<"SSL_write error."<<std::endl;127
return -1;128
}129
ret = SSL_read (ssl, buf, sizeof(buf) - 1); 130
if( ret == -1 ) {131
std::cout<<"SSL_read error."<<std::endl;132
return -1;133
}134
buf[ret] = '\0';135
std::cout<<buf<<std::endl;136
SSL_shutdown(ssl); /* send SSL/TLS close_notify */137
138
/////////////139
// Cleanup //140
/////////////141
closesocket(client_socket);142
SSL_free (ssl);143
SSL_CTX_free (ctx);144
WSACleanup();145
return 0;146
}最后的输出结果:
Server-Console:
Connection from 16777343:20314
SSL connection using: AES256-SHA
Client does not have certificate.
Hello World!
Client-Console:
SSL connection using: AES256-SHA
Server certificate:
subject: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAd
dress=ysong.lee@gmail.com
issuer: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAdd
ress=ysong.lee@gmail.com
I hear you.