1. website
SSL(secure Socket Layer)
TLS(transport Layer Security) - SSL3.0基礎(chǔ)之上提出的安全通信標(biāo)準(zhǔn),目前版本是1.0
openssl 主頁(yè) -> http://www.openssl.org/
openssl 中文文檔 -> http://www.chinaunix.net/jh/13/478901.html
2. 如何編譯OpenSSL in Windows?
a) 下載openssl -> openssl-0.9.8i
b) 下載perl -> http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.8.822-MSWin32-x86-280952.zip
c) 安裝perl -> ActivePerl-5.8.8.822-MSWin32-x86-280952/Installer.bat (之前先運(yùn)行vcvars32.bat,需要運(yùn)行perf Configure VC-WIN32來(lái)設(shè)置環(huán)境變量)
d) 使windows支持nmake -> C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat
e) 進(jìn)入openssl路徑 -> cd C:\devdiv\openssl-0.9.8i (工作路徑)
f) 創(chuàng)建Makefile文件: ms\do_ms (出現(xiàn)%osversion% is not defined的錯(cuò)誤忽略即可)
g) 編譯動(dòng)態(tài)庫(kù): nmake -f ms\ntdll.mak
編譯靜態(tài)庫(kù): nmake -f ms\nt.mak
測(cè)試動(dòng)態(tài)庫(kù): nmake -f ms\ntdll.mak test
測(cè)試靜態(tài)庫(kù): nmake -f ms\nt.mak test
安裝動(dòng)態(tài)庫(kù): nmake -f ms\ntdll.mak install
安裝靜態(tài)庫(kù): nmake -f ms\nt.mak install
清除上次動(dòng)態(tài)庫(kù)的編譯,以便重新編譯: nmake -f ms\ntdll.mak clean
清除上次靜態(tài)庫(kù)的編譯,以便重新編譯: nmake -f ms\nt.mak clean
3. 如何使用openssl?
a) library path -> C:\devdiv\openssl-0.9.8i\out32
b) include path -> C:\devdiv\openssl-0.9.8i\include
c) 庫(kù)文件 -> libeay32.lib, ssleay32.lib
4. 配置文件在哪里?
C:\devdiv\openssl-0.9.8i\apps\openssl.cnf
5. 關(guān)于key:
key一般分為public key和private key,在openssl中,private key中包含了public key的信息,所以public key不需要單獨(dú)創(chuàng)建. 如何創(chuàng)建一個(gè)RSA key?
openssl.exe genrsa -des3 -out privatekey.pem 2048 (需要添加密碼保護(hù))
openssl.exe genrsa -out privatekey.pem 2048
6. 關(guān)于certificates(證書文件), 如何創(chuàng)建一個(gè)證書呢?
一般流程是:
a. 創(chuàng)建一個(gè)private key
b. 創(chuàng)建一個(gè)certificate signing request(證書請(qǐng)求), 這個(gè)需要a#中創(chuàng)建的private key.因?yàn)樽C書中需要包含public key,
創(chuàng)建的priavate key中有這些信息.
(openssl.exe req -new -key privatekey.pem-out cacert.csr)
c. 把創(chuàng)建好的證書請(qǐng)求拿到CA(certificate authority)證書認(rèn)證機(jī)構(gòu)審批.
7. 如何做一個(gè)自簽名的證書呢?
openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095
(Note: privatekey.pem需要自己創(chuàng)建)
8. Demo: 來(lái)自openssl自帶的demo,略做修改.
Server:
1
#include <openssl/rsa.h> /**//* SSLeay stuff */
2
#include <openssl/crypto.h>
3#include <openssl/x509.h>
4#include <openssl/pem.h>
5#include <openssl/ssl.h>
6#include <openssl/err.h>
7
8
9#include <iostream>
10#include <winsock2.h>
11
12#define SERVER_PORT 5003
13
14// certificate & key 的存放路徑
15// Note: 必須是全路徑, 否則SSL_CTX_use_certificate_file等函數(shù)
16// 無(wú)法找到文件在windows平臺(tái)上.
17// How to:
18// #privatekey.pem
19// openssl.exe genrsa -out privatekey.pem 2048
20// #cacert.pem
21// openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095 -config openssl.cnf
22//
23#define SERVER_CERTIFICATE "c:\\config\\cacert.pem"
24#define SERVER_KEY "c:\\config\\privatekey.pem"
25
26#pragma comment( lib, "ws2_32.lib" )
27#pragma comment( lib, "libeay32.lib" )
28#pragma comment( lib, "ssleay32.lib" )
29
30int main( int argc, char* argv[] ) 
{
31
int ret;
32
33
/**/////////////
34 // 初始化 //
35 /**/////////////
36 SSL_CTX* ctx;
37 SSL_METHOD *meth;
38
39 SSL_load_error_strings();
40 SSLeay_add_ssl_algorithms();
41 meth = SSLv23_server_method();
42
43 ctx = SSL_CTX_new (meth);
44 if (!ctx) {
45 ERR_print_errors_fp(stderr);
46 std::cout<<"SSL_CTX_new error."<<std::endl;
47 return -1;
48
}
49
50 if (SSL_CTX_use_certificate_file(ctx, SERVER_CERTIFICATE, SSL_FILETYPE_PEM) <= 0) {
51 ERR_print_errors_fp(stderr);
52 std::cout<<"SSL_CTX_use_certificate_file error."<<std::endl;
53 return -1;
54 }
55 if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
56 ERR_print_errors_fp(stderr);
57 std::cout<<"SSL_CTX_use_PrivateKey_file error."<<std::endl;
58 return -1;
59 }
60
61 if (!SSL_CTX_check_private_key(ctx)) {
62 ERR_print_errors_fp(stderr);
63 std::cout<<"SSL_CTX_check_private_key error."<<std::endl;
64 return -1;
65 }
66
67 /**////////////////////////
68 // 建立原始的TCP連接 //
69 /**////////////////////////
70 WSADATA wsaData;
71 SOCKET listen_socket;
72 SOCKET accept_socket;
73 struct sockaddr_in addr_server;
74 struct sockaddr_in addr_client;
75 int addr_client_len;
76
77 ret = WSAStartup( MAKEWORD(2, 2), &wsaData );
78 if ( ret != 0 ) {
79 std::cout<<"WSAStartup error."<<std::endl;
80 return -1;
81 }
82
83 listen_socket = socket (AF_INET, SOCK_STREAM, 0);
84 if( listen_socket == INVALID_SOCKET ) {
85 std::cout<<"socket error."<<std::endl;
86 return -1;
87 }
88
89 memset (&addr_server, 0, sizeof(addr_server));
90 addr_server.sin_family = AF_INET;
91 addr_server.sin_addr.S_un.S_addr = INADDR_ANY;
92 addr_server.sin_port = htons (SERVER_PORT);
93
94 ret = bind(listen_socket, (struct sockaddr*)&addr_server, sizeof(addr_server) );
95 if( ret == SOCKET_ERROR ) {
96 std::cout<<"bind error."<<std::endl;
97 return -1;
98 }
99
100 ret = listen (listen_socket, 5);
101 if( ret == SOCKET_ERROR ) {
102 std::cout<<"listen error."<<std::endl;
103 return -1;
104 }
105
106 addr_client_len = sizeof(addr_client);
107 accept_socket = accept (listen_socket, (struct sockaddr*) &addr_client, &addr_client_len);
108 if( accept_socket == INVALID_SOCKET ) {
109 std::cout<<"accept error."<<std::endl;
110 return -1;
111 }
112 closesocket(listen_socket);
113 std::cout<<" Connection from "<<addr_client.sin_addr.S_un.S_addr<<":"<<addr_client.sin_port<<std::endl;
114
115 /**//////////////////////////////////////
116 // TCP連接已經(jīng)建立,執(zhí)行Server SSL //
117 /**//////////////////////////////////////
118 SSL* ssl;
119 X509* client_certificate;
120 char* str;
121
122 ssl = SSL_new (ctx);
123 if( ssl == NULL ) {
124 std::cout<<"SSL_new error."<<std::endl;
125 return -1;
126 }
127 SSL_set_fd (ssl, accept_socket);
128 ret = SSL_accept (ssl);
129 if( ret == -1 ) {
130 std::cout<<"SSL_accept error."<<std::endl;
131 return -1;
132 }
133
134 // 獲取cipher
135 std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;
136
137 // 獲取客戶端的證書
138 client_certificate = SSL_get_peer_certificate (ssl);
139 if (client_certificate != NULL) {
140 std::cout<<"Client certificate:"<<std::endl;
141
142 str = X509_NAME_oneline (X509_get_subject_name (client_certificate), 0, 0);
143 if( str == NULL ) {
144 std::cout<<"X509_NAME_oneline error."<<std::endl;
145 } else {
146 std::cout<<"subject: "<<str<<std::endl;
147 OPENSSL_free (str);
148 }
149
150 str = X509_NAME_oneline (X509_get_issuer_name (client_certificate), 0, 0);
151 if( str == NULL ) {
152 std::cout<<"X509_NAME_oneline error."<<std::endl;
153 } else {
154 std::cout<<"issuer: "<<str<<std::endl;
155 OPENSSL_free (str);
156 }
157
158 X509_free (client_certificate);
159 } else {
160 std::cout<<"Client does not have certificate. "<<std::endl;
161 }
162
163 /**/////////////////
164 // 數(shù)據(jù)交換 //
165 /**/////////////////
166 char buf [4096];
167
168 ret = SSL_read (ssl, buf, sizeof(buf) - 1);
169 if( ret == -1 ) {
170 std::cout<<"SSL_read error."<<std::endl;
171 return -1;
172 }
173 buf[ret] = '\0';
174 std::cout<<buf<<std::endl;
175
176 ret = SSL_write (ssl, "I hear you.", strlen("I hear you."));
177 if( ret == -1 ) {
178 std::cout<<"SSL_write error."<<std::endl;
179 return -1;
180 }
181
182 /**//////////////
183 // Cleanup //
184 /**//////////////
185 closesocket(accept_socket);
186 SSL_free (ssl);
187 SSL_CTX_free (ctx);
188 WSACleanup();
189 return 0;
190
}
Client:
1#include <openssl/rsa.h> /**//* SSLeay stuff */
2#include <openssl/crypto.h>
3#include <openssl/x509.h>
4#include <openssl/pem.h>
5#include <openssl/ssl.h>
6#include <openssl/err.h>
7
8
9#include <iostream>
10#include <winsock2.h>
11
12#define SERVER_IP "127.0.0.1"
13#define SERVER_PORT 5003
14
15#pragma comment( lib, "ws2_32.lib" )
16#pragma comment( lib, "libeay32.lib" )
17#pragma comment( lib, "ssleay32.lib" )
18
19
20int main( int argc, char* argv[] ) {
21 int ret;
22 /**/////////////
23 // 初始化 //
24 /**/////////////
25 SSL_CTX* ctx;
26 SSL_METHOD *meth;
27
28 SSL_load_error_strings();
29 SSLeay_add_ssl_algorithms();
30 meth = SSLv23_client_method();
31
32 ctx = SSL_CTX_new (meth);
33 if (!ctx) {
34 ERR_print_errors_fp(stderr);
35 std::cout<<"SSL_CTX_new error."<<std::endl;
36 return -1;
37 }
38
39 /**////////////////////////
40 // 建立原始的TCP連接 //
41 /**////////////////////////
42 WSADATA wsaData;
43 SOCKET client_socket;
44 struct sockaddr_in addr_server;
45
46 ret = WSAStartup( MAKEWORD(2, 2), &wsaData );
47 if ( ret != 0 ) {
48 std::cout<<"WSAStartup error."<<std::endl;
49 return -1;
50 }
51 client_socket = socket (AF_INET, SOCK_STREAM, 0);
52 if( client_socket == INVALID_SOCKET ) {
53 std::cout<<"socket error."<<std::endl;
54 return -1;
55 }
56
57 memset (&addr_server, 0, sizeof(addr_server));
58 addr_server.sin_family = AF_INET;
59 addr_server.sin_addr.S_un.S_addr = inet_addr(SERVER_IP);
60 addr_server.sin_port = htons (SERVER_PORT);
61
62 ret = connect(client_socket, (struct sockaddr*) &addr_server, sizeof(addr_server));
63 if( client_socket == SOCKET_ERROR ) {
64 std::cout<<"connect error."<<std::endl;
65 return -1;
66 }
67
68 /**//////////////////////////////////////
69 // TCP連接已經(jīng)建立,執(zhí)行Client SSL //
70 /**//////////////////////////////////////
71 SSL* ssl;
72 X509* server_certificate;
73 char* str;
74
75 ssl = SSL_new (ctx);
76 if( ssl == NULL ) {
77 std::cout<<"SSL_new error."<<std::endl;
78 return -1;
79 }
80 SSL_set_fd (ssl, client_socket);
81 ret = SSL_connect (ssl);
82 if( ret == -1 ) {
83 std::cout<<"SSL_accept error."<<std::endl;
84 return -1;
85 }
86
87 // 接下來(lái)的獲取密碼和獲取服務(wù)器端證書的兩部是可選的,不會(huì)影響數(shù)據(jù)交換
88
89 // 獲取cipher
90 std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;
91
92 // 獲取服務(wù)器端的證書
93 server_certificate = SSL_get_peer_certificate (ssl);
94 if( server_certificate != NULL ) {
95 std::cout<<"Server certificate:"<<std::endl;
96
97 str = X509_NAME_oneline (X509_get_subject_name (server_certificate),0,0);
98 if( str == NULL ) {
99 std::cout<<"X509_NAME_oneline error."<<std::endl;
100 } else {
101 std::cout<<"subject: "<<str<<std::endl;
102 OPENSSL_free (str);
103 }
104
105 str = X509_NAME_oneline (X509_get_issuer_name (server_certificate),0,0);
106 if( str == NULL ) {
107 std::cout<<"X509_NAME_oneline error."<<std::endl;
108 } else {
109 std::cout<<"issuer: "<<str<<std::endl;
110 OPENSSL_free (str);
111 }
112
113 X509_free (server_certificate);
114 } else {
115 std::cout<<"Server does not have certificate. we sould Esc!"<<std::endl;
116 return -1;
117 }
118
119 /**/////////////////
120 // 數(shù)據(jù)交換 //
121 /**/////////////////
122 char buf [4096];
123
124 ret = SSL_write (ssl, "Hello World!", strlen("Hello World!"));
125 if( ret == -1 ) {
126 std::cout<<"SSL_write error."<<std::endl;
127 return -1;
128 }
129 ret = SSL_read (ssl, buf, sizeof(buf) - 1);
130 if( ret == -1 ) {
131 std::cout<<"SSL_read error."<<std::endl;
132 return -1;
133 }
134 buf[ret] = '\0';
135 std::cout<<buf<<std::endl;
136 SSL_shutdown(ssl); /**//* send SSL/TLS close_notify */
137
138 /**//////////////
139 // Cleanup //
140 /**//////////////
141 closesocket(client_socket);
142 SSL_free (ssl);
143 SSL_CTX_free (ctx);
144 WSACleanup();
145 return 0;
146}
最后的輸出結(jié)果:
Server-Console:
Connection from 16777343:20314
SSL connection using: AES256-SHA
Client does not have certificate.
Hello World!
Client-Console:
SSL connection using: AES256-SHA
Server certificate:
subject: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAd
dress=ysong.lee@gmail.com
issuer: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAdd
ress=ysong.lee@gmail.com
I hear you.