SSL双向认证之客户端Openssl双向认证客户端代码openssl是一个功能丰富且自包含的开源安全工具箱它提供的主要功能有:SSL协议实现(包括SSLv2、SSLv3和TLSv1)、大量软算法(对称/非对称/摘要)、大数运算、非对称算法密钥生成、ASN.1编解码库、证书请求(PKCS10)编解码、数字证书编解码、CRL编解码、OCSP协议、数字证书验证、PKCS7标准实现和PKCS12个人数字证书格式实现等功能 本文主要介绍openssl进行客户端-服务器双向验证的通信,客户端应该如何设置包括了如何使用openssl指令生成客户端-服务端的证书和密钥,以及使用openssl自带server端来实现简单的ssl双向认证,client端代码中也做了相应的标注和说明,提供编译的Makefile.希望对开始学习如何使用openssl进行安全连接的朋友有益1. 首先介绍如何生成客户和服务端证书(PEM)及密钥在linux环境下下载并安装openssl开发包后,通过openssl命令来建立一个SSL测试环境1) 建立自己的CA 在openssl安装目录的misc目录下,运行脚本:./CA.sh -newca,出现提示符时,直接回车。
运行完毕后会生成一个demonCA的目录,里面包含了ca证书及其私钥2) 生成客户端和服务端证书申请: openssl req -newkey rsa:1024 -out req1.pem -keyout sslclientkey.pem openssl req -newkey rsa:1024 -out req2.pem -keyout sslserverkey.pem3) 签发客户端和服务端证书openssl ca -in req1.pem -out sslclientcert.pemopenssl ca -in req2.pem -out sslservercert.pem4) 运行ssl服务端:openssl s_server -cert sslservercert.pem -key sslserverkey.pem -CAfile demoCA/cacert.pem -ssl3 当然我们也可以使用openssl自带的客户端:openssl s_client -ssl3 -CAfile demoCA/cacert.pem但这里我们为了介绍client端的设置过程,还是从一下代码来看看如何书写吧。
2. 程序实例客户端程序client.c:#include #include #include #include #include #include #include #include #include #include #include #include #include #include #define IP "172.22.14.157"#define PORT 4433#define CERT_PATH "./sslclientcert.pem"#define KEY_PATH "./sslclientkey.pem"#define CAFILE "./demoCA/cacert.pem"static SSL_CTX *g_sslctx = NULL;int connect_to_server(int fd ,char* ip,int port){ struct sockaddr_in svr; memset(&svr,0,sizeof(svr)); svr.sin_family = AF_INET; svr.sin_port = htons(port); if(inet_pton(AF_INET,ip,&svr.sin_addr) <= 0){ printf("invalid ip address!\n"); return -1; } if(connect(fd,(struct sockaddr *)&svr,sizeof(svr))){ printf("connect error : %s\n",strerror(errno)); return -1; } return 0;}//客户端证书内容输出void print_client_cert(char* path){ X509 *cert =NULL; FILE *fp = NULL; fp = fopen(path,"rb"); //从证书文件中读取证书到x509结构中,passwd为1111,此为生成证书时设置的 cert = PEM_read_X509(fp, NULL, NULL, "1111"); X509_NAME *name=NULL; char buf[8192]={0}; BIO *bio_cert = NULL; //证书持有者信息 name = X509_get_subject_name(cert); X509_NAME_oneline(name,buf,8191); printf("ClientSubjectName:%s\n",buf); memset(buf,0,sizeof(buf)); bio_cert = BIO_new(BIO_s_mem()); PEM_write_bio_X509(bio_cert, cert); //证书内容 BIO_read( bio_cert, buf, 8191); printf("CLIENT CERT:\n%s\n",buf); if(bio_cert)BIO_free(bio_cert); fclose(fp); if(cert) X509_free(cert);}//在SSL握手时,验证服务端证书时会被调用,res返回值为1则表示验证成功,否则为失败static int verify_cb(int res, X509_STORE_CTX *xs){ printf("SSL VERIFY RESULT :%d\n",res); switch (xs->error) { case X509_V_ERR_UNABLE_TO_GET_CRL: printf(" NOT GET CRL!\n"); return 1; default : break; } return res;}int sslctx_init(){#if 0 BIO *bio = NULL; X509 *cert = NULL; STACK_OF(X509) *ca = NULL; EVP_PKEY *pkey =NULL; PKCS12* p12 = NULL; X509_STORE *store =NULL; int error_code =0;#endif int ret =0; print_client_cert(CERT_PATH); //registers the libssl error strings SSL_load_error_strings(); //registers the available SSL/TLS ciphers and digests SSL_library_init(); //creates a new SSL_CTX object as framework to establish TLS/SSL g_sslctx = SSL_CTX_new(SSLv23_client_method()); if(g_sslctx == NULL){ ret = -1; goto end; } //passwd is supplied to protect the private key,when you want to read key SSL_CTX_set_default_passwd_cb_userdata(g_sslctx,"1111"); //set cipher ,when handshake client will send the cipher list to server SSL_CTX_set_cipher_list(g_sslctx,"HIGH:MEDIA:LOW:!DH"); //SSL_CTX_set_cipher_list(g_sslctx,"AES128-SHA"); //set verify ,when recive the server certificate and verify it //and verify_cb function will deal the result of verification SSL_CTX_set_verify(g_sslctx, SSL_VERIFY_PEER, verify_cb); //sets the maximum depth for the certificate chain verification that shall //be allowed for ctx SSL_CTX_set_verify_depth(g_sslctx, 10); //load the certificate for verify server certificate, CA file usually load SSL_CTX_load_verify_locations(g_sslctx,CAFILE, NULL); //load user certificate,this cert will be send to server for server verify if(SSL_CTX_use_certificate_file(g_sslctx,CERT_PATH,SSL_FILETYPE_PEM) <= 0){ printf("certificate file error!\n"); ret = -1; goto end; } //load user private key if(SSL_CTX_use_PrivateKey_file(g_sslctx,KEY_PATH,SSL_FILETYPE_PEM) <= 0){ printf("privatekey file error!\n"); ret = -1; goto end; } if(!SSL_CTX_check_private_key(g_sslctx)){ printf("Check private key failed!\n"); ret = -1; goto end; }end: return ret;}void sslctx_release(){ EVP_cleanup(); if。
