【发布时间】:2016-08-11 15:44:59
【问题描述】:
为了了解 OpenSSL,我一直在尝试制作一个简单的客户端/服务器回显应用程序。我一直在关注 John Viega、Matt Messier、Pravir Chandra (O'Reilly) 的 OpenSSL 网络安全。他们的例子展示了如何设置一个根证书颁发机构,一个用根 CA 签名的服务器 CA,然后用服务器 CA 签名的服务器证书,最后,一个用根 CA 签名的客户端证书,然后将它们导入 C 程序。 我对程序做了一些小改动(比如根本不使用线程),但大部分都是他们的。我的想法是在尝试时学习,但我遇到了问题。 当我尝试连接两者时,我收到一条错误消息,提示“无法获取本地颁发者证书”(错误 20)。 我还想声明“以前的版本”有效(意味着他们在他们的例子中取得了进步)。 不确定问题出在代码、证书还是两者兼而有之。 我的 OpenSSL 版本是 OpenSSL 1.0.1f 2014 年 1 月 6 日。(由 openssl version 命令返回)
目前我对这件事的了解很浅,我没有太多运气找到答案。我意识到我还有很多阅读要做,我会这样做,但这是我需要克服的问题。 int seed_prng(int bytes) 函数是我的,解决了在所有这些库中找不到 seed_prng(void) 函数的问题(也是我发现不合适的事情之一)。
也许,由于本教程已有 14 年历史(至少),它已经过时了,我应该再学习一个?如果是这样,请推荐一个详细程度较高的教程,因为根据我的经验,OpenSSL 的文档不是很友好。
下面,我提供了过程中包含的所有文件(Makefile除外)。
我用于编译的标志是:-L/usr/lib -lssl -lcrypto -Wall
common.h:
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
#define PORT "8081"
#define SERVER "localhost"
#define CLIENT "localhost"
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)
//Do not confuse with SSL_METHOD ; TLSv1_method() is also a viable option here
#define SSL_METHOD_ SSLv23_method()
#define SEED_PRNG_() seed_prng(30)
#define DEFAULT_DEPTH_ 4
#define DATA_SIZE_ 256
void handle_error(const char *file, int lineno, const char *msg) ;
void init_OpenSSL(void) ;
int seed_prng(int bytes) ;
int verify_callback(int ok, X509_STORE_CTX *store) ;
long post_connection_check(SSL *ssl, char *host) ;
common.c:
#include "common.h"
void handle_error(const char *file, int lineno, const char *msg)
{
fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
ERR_print_errors_fp(stderr);
exit(-1);
}
void init_OpenSSL(void)
{
if (!SSL_library_init())
{
fprintf(stderr, "** OpenSSL initialization failed!\n");
exit(-1);
}
SSL_load_error_strings();
}
//Not sure if this is good idea! Have to do some research
int seed_prng(int bytes)
{
if (!RAND_load_file("/dev/urandom", bytes))
{
return 0;
}
return 1;
}
int verify_callback(int ok, X509_STORE_CTX *store)
{
char data[DATA_SIZE_];
if (!ok)
{
X509 *cert = X509_STORE_CTX_get_current_cert(store);
int depth = X509_STORE_CTX_get_error_depth(store);
int err = X509_STORE_CTX_get_error(store);
fprintf(stderr, "-Error with certificate at depth: %i\n", depth);
X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
fprintf(stderr, " issuer = %s\n", data);
X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
fprintf(stderr, " subject = %s\n", data);
fprintf(stderr, " err %i:%s\n", err,
X509_verify_cert_error_string(err));
}
return ok;
}
long post_connection_check(SSL *ssl, char *host)
{
X509 *cert;
X509_NAME *subj;
char data[DATA_SIZE_];
int extcount;
int ok = 0;
if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
{
if (cert)
{
X509_free(cert);
}
return X509_V_ERR_APPLICATION_VERIFICATION;
}
if ((extcount = X509_get_ext_count(cert)) > 0)
{
int i;
for (i = 0; i < extcount; i++)
{
const char *extstr;
X509_EXTENSION *ext;
ext = X509_get_ext(cert, i);
extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
if (!strcmp(extstr, "subjectAltName"))
{
int j;
unsigned char *data;
STACK_OF(CONF_VALUE) *val;
CONF_VALUE *nval;
const X509V3_EXT_METHOD *meth;
if (!(meth = X509V3_EXT_get(ext)))
{
break;
}
data = ext->value->data;
val = meth->i2v(meth,(meth->d2i(NULL, (const unsigned char **)(&data), ext->value->length)), NULL);
for (j = 0; j < sk_CONF_VALUE_num(val); j++)
{
nval = sk_CONF_VALUE_value(val, j);
if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
{
ok = 1;
break;
}
}
}
if (ok)
{
break;
}
}
}
if (!ok && (subj = X509_get_subject_name(cert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, data, DATA_SIZE_) > 0)
{
data[DEFAULT_DEPTH_ - 1] = 0;
if (strcasecmp(data, host) != 0)
{
if (cert)
{
X509_free(cert);
}
return X509_V_ERR_APPLICATION_VERIFICATION;
}
}
X509_free(cert);
return SSL_get_verify_result(ssl);
}
server.c:
#include "common.h"
#define BUF_SIZE_ 80
#define CERTFILE "certificates/serverNOKEY.pem"
#define CAFILE "certificates/rootcert.pem"
#define CADIR NULL
SSL_CTX *setup_server_ctx(void)
{
SSL_CTX *ctx;
//This specifies that either SSL or TLS can be used
//Later, we will "filter" out SSLv2
ctx = SSL_CTX_new(SSLv23_method());
//These two functions are used to load trusted CAs
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
{
int_error("Error loading CA file and/or directory");
}
if (SSL_CTX_set_default_verify_paths(ctx) != 1)
{
int_error("Error loading default CA file and/or directory");
}
//This loads a certificate from a file
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
{
int_error("Error loading certificate from file");
}
//This loads a private key (in our code, from the same file but I think that it is not necessary)
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
{
int_error("Error loading private key from file");
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
SSL_CTX_set_verify_depth(ctx, DEFAULT_DEPTH_);
return ctx;
}
int do_server_loop(SSL *ssl)
{
int err, nread;
char buf[BUF_SIZE_];
//I think that this reading should be redone 'cause there's something wrong
do
{
for (nread = 0; nread < sizeof(buf) - 1; nread += err)
{
err = SSL_read(ssl, buf + nread, sizeof(buf) - nread);
printf("read %d bytes\n", err);
if (err <= 0)
{
break;
}
}
fwrite(buf, sizeof(char), nread, stdout);
} while (err > 0);
return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0;
}
void server_part(SSL *ssl)
{
long err;
//accepting connection from ssl object (structure)
if (SSL_accept(ssl) <= 0)
{
int_error("Error accepting SSL connection");
}
if ((err = post_connection_check(ssl, CLIENT)) != X509_V_OK)
{
fprintf(stderr, "-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection");
}
fprintf(stderr, "SSL Connection opened\n");
//As I figured, SSL_shutdown is a clean way to go but SSL_clear
//will force the closing of the communication if it wasn't closed cleanly
if (do_server_loop(ssl))
{
//See this https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html
SSL_shutdown(ssl);
}
else
{
// https://www.openssl.org/docs/manmaster/ssl/SSL_clear.html
SSL_clear(ssl);
}
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
}
int main(int argc, char *argv[])
{
BIO *acc, *client;
SSL *ssl;
SSL_CTX *ctx;
init_OpenSSL();
//This is my function, gotta investigate it and see what should be there (maybe I got it right?)
SEED_PRNG_();
ctx = setup_server_ctx();
acc = BIO_new_accept(PORT);
if (!acc)
{
int_error("Error creating server socket");
}
if (BIO_do_accept(acc) <= 0)
{
int_error("Error binding server socket");
}
for (;;)
{
if (BIO_do_accept(acc) <= 0)
{
int_error("Error accepting connection");
}
client = BIO_pop(acc);
if (!(ssl = SSL_new(ctx)))
{
int_error("Error creating SSL context");
}
SSL_set_bio(ssl, client, client);
server_part(ssl);
}
SSL_CTX_free(ctx);
BIO_free(acc);
return 0;
}
client.c:
#include "common.h"
#define BUF_SIZE_ 80
#define CERTFILE "certificates/clientNOKEY.pem"
#define CAFILE "certificates/rootcert.pem"
#define CADIR NULL
SSL_CTX *setup_client_ctx(void)
{
SSL_CTX *ctx;
ctx = SSL_CTX_new(SSL_METHOD_);
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
{
int_error("Error loading CA file and/or directory");
}
if (SSL_CTX_set_default_verify_paths(ctx) != 1)
{
int_error("Error loading default CA file and/or directory");
}
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
{
int_error("Error loading certificate from file");
}
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
{
int_error("Error loading private key from file");
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
SSL_CTX_set_verify_depth(ctx, DEFAULT_DEPTH_);
return ctx;
}
int do_client_loop(SSL *ssl)
{
int err, nwritten;
char buf[BUF_SIZE_];
for (;;)
{
if (!fgets(buf, sizeof(buf), stdin))
{
break;
}
//printf("ucitao: %s\n", buf);
for (nwritten = 0; nwritten < sizeof(buf); nwritten += err)
{
err = SSL_write(ssl, buf + nwritten, strlen(buf) - nwritten);
if (err <= 0)
{
return 0;
}
else
{
printf("Sent: %s\n", buf);
}
}
}
return 1;
}
int main(int argc, char *argv[])
{
BIO *conn;
SSL *ssl;
SSL_CTX *ctx;
long err;
init_OpenSSL();
SEED_PRNG_();
ctx = setup_client_ctx();
conn = BIO_new_connect(SERVER ":" PORT);
if (!conn)
{
int_error("Error creating connection BIO");
}
if (BIO_do_connect(conn) <= 0)
{
int_error("Error connecting to remote machine");
}
if (!(ssl = SSL_new(ctx)))
int_error("Error creating an SSL context");
SSL_set_bio(ssl, conn, conn);
if (SSL_connect(ssl) <= 0)
{
int_error("Error connecting SSL object");
}
if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK)
{
fprintf(stderr, "-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection");
}
fprintf(stderr, "SSL Connection opened\n");
if (do_client_loop(ssl))
{
SSL_shutdown(ssl);
}
else
{
SSL_clear(ssl);
}
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
我用来创建 CA、证书并对其进行签名的脚本:
#! /bin/bash
echo "Begin"
#the line below ensures that the script finishes after an unsuccessful command, not trying to execute any next command,
#since it's the assumption that every previous command was successful
set -e
echo "Creating the root CA"
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
cat rootcert.pem rootkey.pem > root.pem
openssl x509 -subject -issuer -noout -in root.pem
echo "Creating the server CA and signing it with the root CA"
openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
openssl x509 -subject -issuer -noout -in serverCA.pem
echo "Creating the server\'s certificate and signing it with the server CA"
openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
openssl x509 -subject -issuer -noout -in server.pem
echo "Creating the client certificate and signing it with the root CA"
openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem
cat clientcert.pem clientkey.pem rootcert.pem > client.pem
openssl x509 -subject -issuer -noout -in client.pem
echo "creating dh512.pem and dh1024.pem"
openssl dhparam -check -text -5 512 -out dh512.pem
openssl dhparam -check -text -5 1024 -out dh1024.pem
echo "Making new keys which do not require passkey"
echo "Creating no passkey server key"
openssl rsa -in server.pem -out serverNOKEY.pem
openssl x509 -in server.pem >>serverNOKEY.pem
echo "serverNOKEY.pem created"
echo "Creating no passkey client key"
openssl rsa -in client.pem -out clientNOKEY.pem
openssl x509 -in client.pem >>clientNOKEY.pem
echo "clientNOKEY.pem created"
echo "Done! Success!"
【问题讨论】:
-
请原谅我的无知...您的问题或错误是什么,您的问题是什么?请你把它们说清楚好吗?
-
@jww 我说:“当我尝试连接两者时,我收到一条错误消息,提示‘无法获取本地颁发者证书’(错误 20)。我”因此,出于某种原因,证书被检查为无效,我想知道是代码还是证书一直困扰着我,或者甚至在 C 中找到一种更简单的方法来完成此操作(为了学习,制作一个简单的消息传输应用程序)。错误首先出现在客户端,也表现在服务器端。如果更清楚,我可以复制输出。谢谢!
-
“无法获取本地颁发者证书(错误 20)” - 使用
s_client来验证服务器的证书和 [可能] 它的链:openssl s_client -connect <hostname>:<port> -tls1 -servername <hostname> -CAfile <ca-root>。如果它以Verify OK (error 0)结束,那么问题出在您的客户端。如果它以unable to get local issuer certificate (error 20)结束,那么问题出在您的服务器上。 -
ctx = SSL_CTX_new(SSLv23_method());- 你应该看看 OpenSSL wiki 上的 TLS Client。您应该设置一些上下文选项。openssl dhparam -check -text -5 512 -out dh512.pem- 你应该避免这些小的模数。一些客户端在使用弱参数时拒绝连接。另见Weak Diffie-Hellman and the Logjam Attack -
@jww 我还不确定
dhparam的用途。感谢您的选择。我还将继续阅读这些书籍并阅读更多建议。你认为这可以吗,因为这本书已经有 14 年历史了?改变了多少?而且,关于密钥大小,我必须对其进行测试,因为我将不得不在运行 openwrt 的路由器上运行此服务器,并且我还需要考虑速度。
标签: c ssl openssl ssl-certificate