Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1074267
  • 博文数量: 77
  • 博客积分: 821
  • 博客等级: 军士长
  • 技术积分: 1905
  • 用 户 组: 普通用户
  • 注册时间: 2011-10-23 16:17
个人简介

学校:上海交通大学软件工程 学历:硕士 行业:从事流媒体移动开发 QQ: 412595942 邮箱:yiikai1987910@gmail.com

文章分类

全部博文(77)

文章存档

2016年(4)

2015年(15)

2014年(16)

2013年(12)

2012年(21)

2011年(9)

分类: C/C++

2015-07-29 15:40:34

     最近项目需要,花了三天研究了下openssl,这里做个记录
    SSL的具体内容网上多的事,可以自行google,这里主要记录自己的理解
    SSL的具体任务可以有两点:
    1.证书的验证
    2.加密套件和加密信息的协商
    解释1: 所谓证书的验证,就是说,在SSL进行握手的时候,客户端和服务端相互证明自己身份的一种方式。
    举个例子,我和小三需要进行沟通,那我需要和她协商一个我们两个都知道的方式(或者是加密方法)让她能将我发给她的信息进行解密,而让别的人看到了不知道我们在说什么。这个就是第2点的解释。那小三在接受到了我的消息并解密后,她时怎么知道这个信息就是由我给她的呢,难道不会是我老婆逼问我加密信息后用我的手机给她发的吗? 所以这个时候就需要证书验证这个步骤,来验证我是我。那这时候我就会比如和她之前商量好,从我们两个都信任的一个人那里拿了一件信物,只有我和她在交换信息之前,把这个发给她,她看到后,才能确定这个发给她信息的人就是我。
   解释2: 第2点就是我上一点中所提到到,这次对于加密套件不做解释,以后有机会研究深入再做总结
   
   看下图:

   从图上看,服务端把证书发给了客户端,客户端对服务端的证书进行验证,验证过程就是查看服务端的证书链中的证书客户端本地是不是承认它。发现所有的证书和root证书时客户端认可的之后,就可以拿这个服务端的公钥进行数据的加密发送给服务端(这里的加密不是最终的加密信息,这里就牵涉到ssl的加密套件协商,以后有机会再详解下这块)

  以上就是ssl进行证书验证的原理了。接下来用openssl这个工具来实现下证书的认证:
  直接上代码:
  

点击(此处)折叠或打开

  1. int main(int argc,char **argv)
  2. {
  3.     int socketfd;
  4.     struct sockaddr_in dest;

  5.     SSL_CTX *ctx;
  6.     SSL *ssl;

  7.     SSL_library_init();
  8.     OpenSSL_add_all_algorithms();
  9.     SSL_load_error_strings();
  10.     ctx = SSL_CTX_new(SSLv23_client_method());
  11.     if(ctx == NULL)
  12.     {
  13.         ERR_print_errors_fp(stdout);
  14.         exit(1);
  15.     }
  16.     
  17.     int num = SSL_CTX_load_verify_locations(ctx,“./cer/cafile.pem”,NULL);
  18.     if(num != 1)
  19.     {
  20.         std::cout<<"Load locations error"<<std::endl;
  21.         return 0;
  22.     }
  23.     printf("num is %d\n",num);

  24.     if((socketfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
  25.     {
  26.         perror("Socket");
  27.         exit(errno);
  28.     }
  29.     printf("Socket create\n");

  30.     char str[32] = {0};
  31.     struct hostent* m_host = NULL;
  32.     m_host = gethostbyname("google.com.hk");
  33.     //m_host = gethostbyname("msl2.visualon.local");
  34.     //m_host = gethostbyname("hls.ftgroup-devices.com");
  35.     char **pptr = m_host->h_addr_list;
  36.     if(pptr == NULL)
  37.     {
  38.         std::cout<<"get addr_list error"<<std::endl;
  39.     }
  40.     for(;*pptr != NULL;pptr++)
  41.     {
  42.         inet_ntop(m_host->h_addrtype, *pptr, str, sizeof(str));
  43.     }
  44.     std::cout<<"ip address is "<<str<<std::endl;
  45.     memset(&dest,0,sizeof(dest));
  46.     dest.sin_family = AF_INET;
  47.     dest.sin_addr.s_addr = inet_addr(str);
  48.     dest.sin_port = htons(443);
  49.     socklen_t len = sizeof(dest);
  50.     printf("address creat\n");
  51.     
  52.     if(connect(socketfd,(struct sockaddr*)(&dest),len) != 0)
  53.     {
  54.         perror("Connect ");
  55.         exit(errno);
  56.     }
  57.     printf("Server Connected\n");


  58.     ssl = SSL_new(ctx);
  59.     SSL_set_fd(ssl,socketfd);
  60.     if(SSL_connect(ssl) == -1)
  61.     {
  62.         ERR_print_errors_fp(stderr);
  63.     }
  64.     else
  65.     {
  66.         printf("Connected with %s encryption\n",SSL_get_cipher(ssl));
  67.     }
  68.     int ret = SSL_get_verify_result(ssl);
  69.     std::cout<<"crt verify data is "<<ret<<std::endl;
  70.     int geterror = ERR_get_error();
  71.     std::cout<<"geterror is "<<geterror<<std::endl;
  72.     
  73. }
运行结果:

crt verify data is 0


点击(此处)折叠或打开

  1. crt verify data is 0
可以看出验证通过了。
    想要看看具体的验证过程我们可以用openssl的命令行工具进行测试:
    

点击(此处)折叠或打开

  1. ./openssl s_client -connect www.google.com:443 -CAfile ../TestCase/cer/cafile.pem
    这里cafile.pem是什么文件我们稍后再说,先看结果:
   

点击(此处)折叠或打开

  1. CONNECTED(00000003)
  2. depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
  3. verify return:1
  4. depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  5. verify return:1
  6. depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
  7. verify return:1
  8. depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
  9. verify return:1
  10. ---
  11. Certificate chain
  12.  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  13.    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
  14.  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
  15.    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  16.  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  17.    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  18. ---
  19. Server certificate
  20. -----BEGIN CERTIFICATE-----
  21. MIIEdjCCA16gAwIBAgIIB1Qnfj/zM4IwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
  22. BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
  23. cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNjAzMDkyNjAxWhcNMTUwOTAxMDAwMDAw
  24. WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
  25. TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
  26. Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChruJu
  27. 4vl1I+x9Ypzejv0NsDYfAChaaOH4jjjv33IhuYkJsh8yyjCKBj6I2z2eCBwctzoT
  28. Wcv73rUwGI+nyevtksAWemIbWssurCfwg9su/8TIg4i61T7R7RefnrVzbNcTiVsD
  29. 73wcItdJdJHSef9rjmISeEUOVl8Bf0jJ9FcJ7fOAvZ1FI5QBCKZqaThqw/Yueseh
  30. ZJVjK//XYZJXNJzx3u+Esjctqk/+qyOiPkAWdpr/hkIfO6+94lfWqNTu1tnscPXt
  31. hUtFJI0g5O3IY3iQKZArfP9Z4CnJewBR4YZWh5ON5Kl8f3qz/MZkluxcpPXNi81C
  32. 5VIGfIQX24iiISihAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
  33. KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
  34. XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
  35. MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
  36. A1UdDgQWBBQbxIwppiAAgZarS9XPgPHhburQJDAMBgNVHRMBAf8EAjAAMB8GA1Ud
  37. IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
  38. eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
  39. RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBcNNydftmGqg/r2wtLrvGJMG9fkLAT
  40. Fl0SaUFAPzdbUrOF+TEmub8TA8RJVcZC7qrpyHOIbi92Fku1IFTzbMoWicxTxriY
  41. JRyz7genbKaNjUY/2eiGS41zuVB+LDNg5k9UBKrPtJtI8g3myg/aq6N+e348RAfD
  42. wrpt/cYJw1oli1Qr93Wdqnb7sG8jk1f2W8TFK/0D2/5mQsr8SExDR9vLehC6kf4u
  43. TleWRVLvKFFcCPd/mhnlD7zTl6p77q/+7kpOJiEYigBiv0Yax769MG6r6YuEPjlB
  44. GEOKUhNxGbmLSVRrmfedg3RpYQFoZmN2ML8YANX3JWwE7lDpWSCRVo0z
  45. -----END CERTIFICATE-----
  46. subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  47. issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
  48. ---
  49. No client certificate CA names sent
  50. ---
  51. SSL handshake has read 3719 bytes and written 445 bytes
  52. ---
  53. New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
  54. Server public key is 2048 bit
  55. Secure Renegotiation IS supported
  56. Compression: NONE
  57. Expansion: NONE
  58. SSL-Session:
  59.     Protocol : TLSv1.2
  60.     Cipher : ECDHE-RSA-AES128-GCM-SHA256
  61.     Session-ID: 4A0A7F5444A07A452BF76BA0C62F970D3C10007B0D358228358CA7B44B725909
  62.     Session-ID-ctx:
  63.     Master-Key: C1DA57F55CBB39EA24AE26CFD32778AD9B7BF0F09518822DB98047DFD937BEF3A0D88484BFC11C2EA5532C310B26EB58
  64.     Key-Arg : None
  65.     PSK identity: None
  66.     PSK identity hint: None
  67.     SRP username: None
  68.     TLS session ticket lifetime hint: 100800 (seconds)
  69.     TLS session ticket:
  70.     0000 - 3d e6 41 7f 62 28 49 ae-41 d8 19 29 21 07 80 fe =.A.b(I.A..)!...
  71.     0010 - 40 b0 ea 1b 2c e7 96 64-e9 0b c5 b3 4d 40 94 01 @...,..d....M@..
  72.     0020 - 0a 09 71 af 24 f1 d1 55-fb c2 ac ea 8d 38 ee 6e ..q.$..U.....8.n
  73.     0030 - 62 5f cd fe 07 38 56 31-69 48 cd 73 78 7b 4f d3 b_...8V1iH.sx{O.
  74.     0040 - 3b 13 d7 92 8f 86 9b 5e-75 5a 6b 92 70 c5 de f5 ;......^uZk.p...
  75.     0050 - 89 5d 4b c9 ad a9 ab 10-76 3d c6 a9 1b 20 2d 45 .]K.....v=... -E
  76.     0060 - aa f9 ed e0 85 f3 25 3a-52 ca 00 f2 49 5e 7c da ......%:R...I^|.
  77.     0070 - f2 46 e2 e7 29 e1 49 a2-1b 55 48 cb 9d aa f1 95 .F..).I..UH.....
  78.     0080 - ff de fa e2 c1 e5 3e a0-fc 6d 7a 69 6b 51 0f ef ......>..mzikQ..
  79.     0090 - 00 77 98 13 dc a2 cd 89-0e b6 d8 20 7e cb 06 0b .w......... ~...
  80.     00a0 - 52 95 00 e3 R...

  81.     Start Time: 1434079554
  82.     Timeout : 300 (sec)
  83.     Verify return code: 0 (ok)
  84. ---
    从结果
  1. depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
  2. verify return:1
  3. depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
  4. verify return:1
  5. depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
  6. verify return:1
  7. depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
  8. verify return:1
可以看到,验证是将服务器的证书一层层的验证的,


阅读(5708) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~