
分类: 网络与安全

2015-03-03 15:15:51

对于SNI的基础知识,就不再多说了,自己google去.
使用openssl时,客户端在初始化SSL connection之前,调用SSL_set_tlsext_host_name(ssl, servername).
对于服务器端:
每一个证书,都要创建一个SSL_CTX,
对该SSL_CTX调用SSL_CTX_set_tlsext_servername_callback()函数注册回调,
在回调函数中,使用SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)得到客户端请求的hostname.
openssl 源码目录apps/s_client.c 和s_server.c 是最好的例子.
可以使用命令行参数 -servername 设置 TLS extension servername:
openssl s_client -connect myweb.address.com:443 -servername myweb.address.com
openssl s_server -accept 443 -cert normal_cert.pem -key normal_key.ky -servername xyz.com -cert2 sni_cert.pem -key2 sni_key.ky
也可以不用域名,直接用 ip:port 连接:
openssl s_client -servername xyz.com -connect ip:port


nginx源码 src/http/modules/ngx_http_ssl_module.c 中注册该回调:


#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

    /*
     * Register the SNI callback on the server-level SSL_CTX.  The callback
     * (ngx_http_ssl_servername) maps the name sent in the ClientHello to a
     * virtual server and swaps the connection's SSL_CTX accordingly.
     *
     * SSL_CTX_set_tlsext_servername_callback() returns 0 when the OpenSSL
     * library actually loaded at run time has no tlsext support, which can
     * happen when nginx was compiled against headers that define
     * SSL_CTRL_SET_TLSEXT_HOSTNAME but is linked dynamically to an older
     * library.  That case is only logged as a warning: configuration
     * continues and every name-based TLS server silently falls back to the
     * default certificate, so operators should watch for this message.
     */
    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
        == 0)
    {
        ngx_log_error(NGX_LOG_WARN, cf->log, 0,
            "nginx was built with SNI support, however, now it is linked "
            "dynamically to an OpenSSL library which has no tlsext support, "
            "therefore SNI is not available");
    }

#endif

其中ngx_http_ssl_servername在src/http/ngx_http_request.c中定义


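#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

/*
 * SNI (server_name TLS extension) callback.  It is registered on the
 * server-level SSL_CTX with SSL_CTX_set_tlsext_servername_callback() and is
 * invoked by OpenSSL while the ClientHello is being processed.
 *
 * ssl_conn  the SSL object of the connection being handshaken
 * ad        out: TLS alert description; written only when this function
 *           returns SSL_TLSEXT_ERR_ALERT_FATAL
 * arg       not used here
 *
 * Returns
 *   SSL_TLSEXT_ERR_OK           a virtual server matched the requested name
 *                               and the connection was switched to it
 *   SSL_TLSEXT_ERR_NOACK        no name, an empty or invalid name, or no
 *                               matching virtual server; the handshake
 *                               continues with the default server's context
 *   SSL_TLSEXT_ERR_ALERT_FATAL  the name could not be stored (pool
 *                               allocation failed); *ad is set to
 *                               SSL_AD_INTERNAL_ERROR and the handshake
 *                               is aborted
 *
 * NOTE(review): nothing in this function itself refuses a server name that
 * arrives during a renegotiation; confirm elsewhere that an already
 * established connection cannot be switched to another virtual server.
 */
int
ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
    ngx_str_t                  host;
    const char                *servername;
    ngx_connection_t          *c;
    ngx_http_connection_t     *hc;
    ngx_http_ssl_srv_conf_t   *sscf;
    ngx_http_core_loc_conf_t  *clcf;
    ngx_http_core_srv_conf_t  *cscf;

    servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

    /* no server_name extension at all: behave as if SNI were not in use */
    if (servername == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    c = ngx_ssl_get_connection(ssl_conn);

    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
                   "SSL server name: \"%s\"", servername);

    host.len = ngx_strlen(servername);

    if (host.len == 0) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    host.data = (u_char *) servername;

    /*
     * The name is client-supplied, untrusted input: it is validated before
     * it is used for the virtual server lookup or stored.  An invalid name
     * is treated exactly like a missing one.  (The third argument is 1;
     * presumably this asks ngx_http_validate_host() for a pool copy of the
     * name -- confirm against its definition.)
     */
    if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    hc = c->data;

    if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
                                     NULL, &cscf)
        != NGX_OK)
    {
        return SSL_TLSEXT_ERR_NOACK;
    }

    /*
     * Keep the validated name on the connection.  An allocation failure used
     * to be reported as SSL_TLSEXT_ERR_NOACK, which let the handshake
     * continue on the default server as if the client had sent no name at
     * all; an out-of-memory condition is an internal error, so abort the
     * handshake with an alert instead -- that is what *ad is for.
     */
    hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
    if (hc->ssl_servername == NULL) {
        *ad = SSL_AD_INTERNAL_ERROR;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

    *hc->ssl_servername = host;

    /* switch the connection to the matched virtual server's configuration */
    hc->conf_ctx = cscf->ctx;

    clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);

    ngx_http_set_connection_log(c, clcf->error_log);

    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);

    if (sscf->ssl.ctx) {
        SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);

        /*
         * SSL_set_SSL_CTX() only changes certs as of 1.0.0d
         * adjust other things we care about
         */

        /*
         * Client certificate verification settings are copied by hand so
         * that the matched server's "ssl_verify_client" policy, not the
         * default server's, applies to this connection.
         */
        SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
                       SSL_CTX_get_verify_callback(sscf->ssl.ctx));

        SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));

#ifdef SSL_CTRL_CLEAR_OPTIONS
        /* only in 0.9.8m+ */
        /*
         * Drop options the connection inherited from the default context but
         * which the matched context does not set, so the result is the
         * matched context's option set rather than the union of both.
         */
        SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
                                    ~SSL_CTX_get_options(sscf->ssl.ctx));
#endif

        SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
    }

    return SSL_TLSEXT_ERR_OK;
}

#endif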

