使用 IO::Socket::SSL 回答浏览器请求

【问题标题】:Answer Browser Request with IO::Socket::SSL使用 IO::Socket::SSL 回答浏览器请求
【发布时间】:2016-12-28 15:00:17
【问题描述】:

问题最后制定,先详细描述问题和我已经测试过的东西

我正在编写一些代码来向其他人展示一些基本原则。代码永远不会高效,并且旨在简化。

我的目标(与其他人不同)是编写一个使用 Web-Certificat 加密其网络流量的简单应用程序。

起点是一个加密的应用程序:

#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::INET;

# auto-flush on socket
$| = 1;

# creating a listening socket
my $socket = new IO::Socket::INET (
    LocalAddr     => '0.0.0.0',     # local server address
    LocalPort     => '7777',        # local server port
    Listen        => 5,             # queue size for connections
    Proto         => 'tcp',         # protocol used
);
die "cannot create socket $!\n" unless $socket;
print "server waiting for client connection on port 7777\n";

while(1)
{
    # waiting for a new client connection
    my $client_socket = $socket->accept() or die "socket accept failed $!";

    # get information about a newly connected client
    my $client_address = $client_socket->peerhost();
    my $client_port    = $client_socket->peerport();
    print "connection from $client_address:$client_port\n";

    # read up to 1024 characters from the connected client
    my $client_data = '';
    sysread( $client_socket, $client_data, 1024);
    print "received data: $client_data\n";

    # write response data to the connected client
    print $client_socket "Hey $client_data!";

    # notify client that response has been sent
    shutdown($client_socket, 1);
}

END {
    $socket->close();
}

可以用这个客户端调用这个服务器应用程序:

#!/usr/bin/env perl
use IO::Socket::INET;

# auto-flush on socket
$| = 1;

# create a connecting socket
my $socket = new IO::Socket::INET (
    PeerHost    => '127.0.0.1',
    PeerPort    => '7777',
    Proto       => 'tcp',
);
die "cannot connect to the server $!\n" unless $socket;
print "connected to the server\n";

# data to send to a server
my $req = $ARGV[0] . '';
print $socket $req;

# notify server that request has been sent
shutdown($socket, 1);

# receive a response of up to 1024 characters from server
my $response = '';
sysread( $socket, $response,1024);
print "received response: $response\n";

$socket->close();

客户端和服务器的交互可能如下所示:

inet$ perl server.pl
server waiting for client connection on port 7777
connection from 127.0.0.1:40028
received data: Herbert

inet$ perl client.pl "Herbert"
connected to the server
received response: Hey Herbert!

很酷的是:服务器也可以从浏览器调用:

所以第一个结论是:代码有效并且很好地展示了简单的客户端-服务器交互的基本功能。

现在程序应该使用 SSL 进行通信

Server 和 Client 是这样写的,只需在代码中添加几行即可实现 SSL-Ability:

$ diff inet/server.pl ssl/server.pl 
7c7
< use IO::Socket::INET;
---
> use IO::Socket::SSL 'inet4';
13c13
< my $socket = new IO::Socket::INET (
---
> my $socket = IO::Socket::SSL->new (
17a18,19
>     SSL_cert_file => 'cert.pem',    # SSL certificate   
>     SSL_key_file  => 'key.pem',     # SSL certificate key

$ diff inet/client.pl ssl/client.pl 
5c5
< use IO::Socket::INET;
---
> use IO::Socket::SSL 'inet4';
11c11
< my $socket = new IO::Socket::INET (
---
> my $socket = new IO::Socket::SSL (
14a15
>     SSL_ca_file => 'cert.pem',

所以启用 SSL 的新代码是:

#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::SSL 'inet4';

# auto-flush on socket
$| = 1;

# creating a listening socket
my $socket = IO::Socket::SSL->new (
    LocalAddr     => '0.0.0.0',     # local server address
    LocalPort     => '7777',        # local server port
    Listen        => 5,             # queue size for connections
    Proto         => 'tcp',         # protocol used
    SSL_cert_file => 'cert.pem',    # SSL certificate   
    SSL_key_file  => 'key.pem',     # SSL certificate key
);
die "cannot create socket $!\n" unless $socket;
print "server waiting for client connection on port 7777\n";

while(1)
{
    # waiting for a new client connection
    my $client_socket = $socket->accept() or die "socket accept failed $!";

    # get information about a newly connected client
    my $client_address = $client_socket->peerhost();
    my $client_port    = $client_socket->peerport();
    print "connection from $client_address:$client_port\n";

    # read up to 1024 characters from the connected client
    my $client_data = '';
    sysread( $client_socket, $client_data, 1024);
    print "received data: $client_data\n";

    # write response data to the connected client
    print $client_socket "Hey $client_data!";

    # notify client that response has been sent
    shutdown($client_socket, 1);
}

END {
    $socket->close();
}


#!/usr/bin/env perl
use IO::Socket::SSL 'inet4';

# auto-flush on socket
$| = 1;

# create a connecting socket
my $socket = new IO::Socket::SSL (
    PeerHost    => '127.0.0.1',
    PeerPort    => '7777',
    Proto       => 'tcp',
    SSL_ca_file => 'cert.pem',
);
die "cannot connect to the server $!\n" unless $socket;
print "connected to the server\n";

# data to send to a server
my $req = $ARGV[0] . '';
print $socket $req;

# notify server that request has been sent
shutdown($socket, 1);

# receive a response of up to 1024 characters from server
my $response = '';
sysread( $socket, $response,1024);
print "received response: $response\n";

$socket->close();

要运行代码,必须先创建证书:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

现在可以启动服务器和客户端并很好地交互:

ssl$ perl server.pl 
Enter PEM pass phrase:
server waiting for client connection on port 7777
connection from 127.0.0.1:40041
received data: Sabine

ssl$ perl client.pl "Sabine"
connected to the server
received response: Hey Sabine!

但是无法使用来自 Firefox 或 Chrome 等浏览器的连接,即使我使用以下方法转换了证书:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out webcert.p12

我还通过其导入菜单将新创建的证书导入浏览器。

连接被拒绝。浏览器无法连接,服务器在$socket-&gt;accept() 失败没有任何有用的消息
更新:导出变量$SSL_ERROR中有一条消息:

SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

我用工具analyze ssl做了一些测试

p5-ssl-tools-master$ perl analyze-ssl.pl --show-chain --all-ciphers -v3 127.0.0.1:7777
+ checking host=127.0.0.1(127.0.0.1) port=7777
* version SSLv23 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version SSLv23 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_2 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_2 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_1 no verification, ciphers= -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1_1 no verification, ciphers=HIGH:ALL -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers= -> TLSv1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers=HIGH:ALL -> TLSv1,ECDHE-RSA-AES256-SHA
* version SSLv3, no verification, ciphers= -> FAIL! SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
+ 127.0.0.1 failed permanently 'tcp connect: Verbindungsaufbau abgelehnt', no more IP to try
tcp connect: Verbindungsaufbau abgelehnt

服务器似乎接受某些请求并最终失败,可能与浏览器相同?

ssl$ perl server.pl 
Enter PEM pass phrase:
server waiting for client connection on port 7777
connection from 127.0.0.1:40042
received data: 
connection from 127.0.0.1:40043
received data: 
connection from 127.0.0.1:40044
received data: 
connection from 127.0.0.1:40045
received data: 
connection from 127.0.0.1:40046
received data: 
connection from 127.0.0.1:40047
received data: 
connection from 127.0.0.1:40048
received data: 
connection from 127.0.0.1:40049
received data: 
socket accept failed  at server.pl line 27.

我的问题

为什么浏览器的请求不起作用? 该代码通常应支持浏览器请求,因为它无需 SSL 即可工作。 这似乎是特定于浏览器的 SSL 设置,因为 SSL-Perl-Client 没有问题。 还是将证书导入浏览器没有按预期工作? 任何人都可以在这件事上给我一个提示或解决方案吗?

更新:当我查看$SSL_ERROR 中的错误消息“SSL23”和客户端测试“SSL3”中的错误消息时,似乎 SSL 版本存在兼容性问题?我需要明确指定我想要的版本吗? (另一方面,“SSL23”的客户端测试似乎成功运行...)

非常感谢。

更新:$IO::Socket::SSL::DEBUG = 3; 的输出

ssl$ perl server.pl 
Enter PEM pass phrase:
DEBUG: .../IO/Socket/SSL.pm:2554: new ctx 42708208
server waiting for client connection on port 7777
DEBUG: .../IO/Socket/SSL.pm:799: no socket yet
DEBUG: .../IO/Socket/SSL.pm:801: accept created normal socket IO::Socket::SSL=GLOB(0x28ac158)
DEBUG: .../IO/Socket/SSL.pm:829: starting sslifying
DEBUG: .../IO/Socket/SSL.pm:873: Net::SSLeay::accept -> -1
DEBUG: .../IO/Socket/SSL.pm:1779: SSL accept attempt failed

DEBUG: .../IO/Socket/SSL.pm:1784: SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
socket accept failed: SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request at server.pl line 28.
DEBUG: .../IO/Socket/SSL.pm:2587: free ctx 42708208 open=42708208
DEBUG: .../IO/Socket/SSL.pm:2599: OK free ctx 42708208

【问题讨论】:

    标签: perl ssl


    【解决方案1】:

    ... SSL 接受尝试失败错误:1407609C:SSL 例程:SSL23_GET_CLIENT_HELLO:http 请求

    我猜你仍然使用http:// URL 来访问服务器,即使你需要使用https:// URL。这意味着浏览器向服务器发送 HTTP 请求,而不是先进行 TLS 握手,并且仅在成功握手后发送 HTTP 请求。

    除此之外,您还指望浏览器了解旧的和长期弃用的 HTTP 0.9 协议,该协议仅包含响应正文而没有任何 HTTP 标头。并非所有浏览器都能理解这一点。

    【讨论】:

    • 乌尔里希你太棒了!不过对我来说有点尴尬......我这边的一个简单错误。非常感谢您的宝贵时间。 (就像我们用德语说的那样,因为所有的树木,我可能再也看不到森林了)
    猜你喜欢
    • 2012-04-19
    • 1970-01-01
    • 1970-01-01
    • 2014-02-20
    • 1970-01-01
    • 2013-03-19
    • 1970-01-01
    • 2018-09-17
    • 2016-03-14
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode