openssl使用+Demo

1. website
SSL(secure Socket Layer)
TLS(transport Layer Security) - SSL3.0基础之上提出的安全通信标准,目前版本是1.0
openssl 主页 -> http://www.openssl.org/
openssl 中文文档 -> http://www.chinaunix.net/jh/13/478901.html

2. 如何编译OpenSSL in Windows?
a) 下载openssl -> openssl-0.9.8i
b) 下载perl -> http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.8.822-MSWin32-x86-280952.zip
c) 安装perl -> ActivePerl-5.8.8.822-MSWin32-x86-280952/Installer.bat (之前先运行vcvars32.bat,需要运行perf Configure VC-WIN32来设置环境变量)
d) 使windows支持nmake -> C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat
e) 进入openssl路径 -> cd C:\devdiv\openssl-0.9.8i (工作路径)
f) 创建Makefile文件: ms\do_ms (出现%osversion% is not defined的错误忽略即可)
g) 编译动态库： nmake -f ms\ntdll.mak
编译静态库： nmake -f ms\nt.mak

测试动态库： nmake -f ms\ntdll.mak test
测试静态库： nmake -f ms\nt.mak test

安装动态库： nmake -f ms\ntdll.mak install
安装静态库： nmake -f ms\nt.mak install

   清除上次动态库的编译，以便重新编译： nmake -f ms\ntdll.mak clean
   清除上次静态库的编译，以便重新编译： nmake -f ms\nt.mak clean

3. 如何使用openssl?
a) library path -> C:\devdiv\openssl-0.9.8i\out32
b) include path -> C:\devdiv\openssl-0.9.8i\include
c) 库文件 -> libeay32.lib, ssleay32.lib

4. 配置文件在哪里?
C:\devdiv\openssl-0.9.8i\apps\openssl.cnf

5. 关于key:
key一般分为public key和private key,在openssl中,private key中包含了public key的信息,所以public key不需要单独创建. 如何创建一个RSA key?
openssl.exe genrsa -des3 -out privatekey.pem 2048 (需要添加密码保护)
openssl.exe genrsa -out privatekey.pem 2048

6. 关于certificates(证书文件), 如何创建一个证书呢?
一般流程是:
a. 创建一个private key
b. 创建一个certificate signing request(证书请求), 这个需要a#中创建的private key.因为证书中需要包含public key,
创建的priavate key中有这些信息.
(openssl.exe req -new -key privatekey.pem-out cacert.csr)
c. 把创建好的证书请求拿到CA(certificate authority)证书认证机构审批.

7. 如何做一个自签名的证书呢?
openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095
(Note: privatekey.pem需要自己创建)

8. Demo: 来自openssl自带的demo,略做修改.
Server:

#include <openssl/rsa.h> /* SSLeay stuff */
2

#include <openssl/crypto.h>
3

#include <openssl/x509.h>
4

#include <openssl/pem.h>
5

#include <openssl/ssl.h>
6

#include <openssl/err.h>
7

#include <iostream>
10

#include <winsock2.h>
11

#define SERVER_PORT 5003
13

// certificate & key 的存放路径
15

// Note: 必须是全路径, 否则SSL_CTX_use_certificate_file等函数
16

// 无法找到文件在windows平台上.
17

// How to:
18

// #privatekey.pem
19

// openssl.exe genrsa -out privatekey.pem 2048
20

// #cacert.pem
21

// openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095 -config openssl.cnf
22

//
23

#define SERVER_CERTIFICATE "c:\\config\\cacert.pem"
24

#define SERVER_KEY "c:\\config\\privatekey.pem"
25

#pragma comment( lib, "ws2_32.lib" )
27

#pragma comment( lib, "libeay32.lib" )
28

#pragma comment( lib, "ssleay32.lib" )
29

int main( int argc, char* argv[] ) {
31

int ret;
32

////////////
34

// 初始化 //
35

////////////
36

SSL_CTX* ctx;
37

SSL_METHOD *meth;
38

SSL_load_error_strings();
40

SSLeay_add_ssl_algorithms();
41

meth = SSLv23_server_method();
42

ctx = SSL_CTX_new (meth);
44

if (!ctx) {
45

ERR_print_errors_fp(stderr);
46

std::cout<<"SSL_CTX_new error."<<std::endl;
47

return -1;
48

}
49

if (SSL_CTX_use_certificate_file(ctx, SERVER_CERTIFICATE, SSL_FILETYPE_PEM) <= 0) {
51

ERR_print_errors_fp(stderr);
52

std::cout<<"SSL_CTX_use_certificate_file error."<<std::endl;
53

return -1;
54

}
55

if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
56

ERR_print_errors_fp(stderr);
57

std::cout<<"SSL_CTX_use_PrivateKey_file error."<<std::endl;
58

return -1;
59

}
60

if (!SSL_CTX_check_private_key(ctx)) {
62

ERR_print_errors_fp(stderr);
63

std::cout<<"SSL_CTX_check_private_key error."<<std::endl;
64

return -1;
65

}
66

///////////////////////
68

// 建立原始的TCP连接 //
69

///////////////////////
70

WSADATA wsaData;
71

SOCKET listen_socket;
72

SOCKET accept_socket;
73

struct sockaddr_in addr_server;
74

struct sockaddr_in addr_client;
75

int addr_client_len;
76

ret = WSAStartup( MAKEWORD(2, 2), &wsaData );
78

if ( ret != 0 ) {
79

std::cout<<"WSAStartup error."<<std::endl;
80

return -1;
81

}
82

listen_socket = socket (AF_INET, SOCK_STREAM, 0);
84

if( listen_socket == INVALID_SOCKET ) {
85

std::cout<<"socket error."<<std::endl;
86

return -1;
87

}
88

memset (&addr_server, 0, sizeof(addr_server));
90

addr_server.sin_family = AF_INET;
91

addr_server.sin_addr.S_un.S_addr = INADDR_ANY;
92

addr_server.sin_port = htons (SERVER_PORT);
93

ret = bind(listen_socket, (struct sockaddr*)&addr_server, sizeof(addr_server) );
95

if( ret == SOCKET_ERROR ) {
96

std::cout<<"bind error."<<std::endl;
97

return -1;
98

}
99

100

ret = listen (listen_socket, 5);
101

if( ret == SOCKET_ERROR ) {
102

std::cout<<"listen error."<<std::endl;
103

return -1;
104

}
105

106

addr_client_len = sizeof(addr_client);
107

accept_socket = accept (listen_socket, (struct sockaddr*) &addr_client, &addr_client_len);
108

if( accept_socket == INVALID_SOCKET ) {
109

std::cout<<"accept error."<<std::endl;
110

return -1;
111

}
112

closesocket(listen_socket);
113

std::cout<<" Connection from "<<addr_client.sin_addr.S_un.S_addr<<":"<<addr_client.sin_port<<std::endl;
114

115

/////////////////////////////////////
116

// TCP连接已经建立，执行Server SSL //
117

/////////////////////////////////////
118

SSL* ssl;
119

X509* client_certificate;
120

char* str;
121

122

ssl = SSL_new (ctx);
123

if( ssl == NULL ) {
124

std::cout<<"SSL_new error."<<std::endl;
125

return -1;
126

}
127

SSL_set_fd (ssl, accept_socket);
128

ret = SSL_accept (ssl);
129

if( ret == -1 ) {
130

std::cout<<"SSL_accept error."<<std::endl;
131

return -1;
132

}
133

134

// 获取cipher
135

std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;
136

137

// 获取客户端的证书
138

client_certificate = SSL_get_peer_certificate (ssl);
139

if (client_certificate != NULL) {
140

std::cout<<"Client certificate:"<<std::endl;
141

142

str = X509_NAME_oneline (X509_get_subject_name (client_certificate), 0, 0);
143

if( str == NULL ) {
144

std::cout<<"X509_NAME_oneline error."<<std::endl;
145

} else {
146

std::cout<<"subject: "<<str<<std::endl;
147

OPENSSL_free (str);
148

}
149

150

str = X509_NAME_oneline (X509_get_issuer_name (client_certificate), 0, 0);
151

if( str == NULL ) {
152

std::cout<<"X509_NAME_oneline error."<<std::endl;
153

} else {
154

std::cout<<"issuer: "<<str<<std::endl;
155

OPENSSL_free (str);
156

}
157

158

X509_free (client_certificate);
159

} else {
160

std::cout<<"Client does not have certificate. "<<std::endl;
161

}
162

163

////////////////
164

// 数据交换 //
165

////////////////
166

char buf [4096];
167

168

ret = SSL_read (ssl, buf, sizeof(buf) - 1);
169

if( ret == -1 ) {
170

std::cout<<"SSL_read error."<<std::endl;
171

return -1;
172

}
173

buf[ret] = '\0';
174

std::cout<<buf<<std::endl;
175

176

ret = SSL_write (ssl, "I hear you.", strlen("I hear you."));
177

if( ret == -1 ) {
178

std::cout<<"SSL_write error."<<std::endl;
179

return -1;
180

}
181

182

/////////////
183

// Cleanup //
184

/////////////
185

closesocket(accept_socket);
186

SSL_free (ssl);
187

SSL_CTX_free (ctx);
188

WSACleanup();
189

return 0;
190

}

Client:

#include <openssl/rsa.h> /* SSLeay stuff */
2

#include <openssl/crypto.h>
3

#include <openssl/x509.h>
4

#include <openssl/pem.h>
5

#include <openssl/ssl.h>
6

#include <openssl/err.h>
7

#include <iostream>
10

#include <winsock2.h>
11

#define SERVER_IP "127.0.0.1"
13

#define SERVER_PORT 5003
14

#pragma comment( lib, "ws2_32.lib" )
16

#pragma comment( lib, "libeay32.lib" )
17

#pragma comment( lib, "ssleay32.lib" )
18

int main( int argc, char* argv[] ) {
21

int ret;
22

////////////
23

// 初始化 //
24

////////////
25

SSL_CTX* ctx;
26

SSL_METHOD *meth;
27

SSL_load_error_strings();
29

SSLeay_add_ssl_algorithms();
30

meth = SSLv23_client_method();
31

ctx = SSL_CTX_new (meth);
33

if (!ctx) {
34

ERR_print_errors_fp(stderr);
35

std::cout<<"SSL_CTX_new error."<<std::endl;
36

return -1;
37

}
38

///////////////////////
40

// 建立原始的TCP连接 //
41

///////////////////////
42

WSADATA wsaData;
43

SOCKET client_socket;
44

struct sockaddr_in addr_server;
45

ret = WSAStartup( MAKEWORD(2, 2), &wsaData );
47

if ( ret != 0 ) {
48

std::cout<<"WSAStartup error."<<std::endl;
49

return -1;
50

}
51

client_socket = socket (AF_INET, SOCK_STREAM, 0);
52

if( client_socket == INVALID_SOCKET ) {
53

std::cout<<"socket error."<<std::endl;
54

return -1;
55

}
56

memset (&addr_server, 0, sizeof(addr_server));
58

addr_server.sin_family = AF_INET;
59

addr_server.sin_addr.S_un.S_addr = inet_addr(SERVER_IP);
60

addr_server.sin_port = htons (SERVER_PORT);
61

ret = connect(client_socket, (struct sockaddr*) &addr_server, sizeof(addr_server));
63

if( client_socket == SOCKET_ERROR ) {
64

std::cout<<"connect error."<<std::endl;
65

return -1;
66

}
67

/////////////////////////////////////
69

// TCP连接已经建立，执行Client SSL //
70

/////////////////////////////////////
71

SSL* ssl;
72

X509* server_certificate;
73

char* str;
74

ssl = SSL_new (ctx);
76

if( ssl == NULL ) {
77

std::cout<<"SSL_new error."<<std::endl;
78

return -1;
79

}
80

SSL_set_fd (ssl, client_socket);
81

ret = SSL_connect (ssl);
82

if( ret == -1 ) {
83

std::cout<<"SSL_accept error."<<std::endl;
84

return -1;
85

}
86

// 接下来的获取密码和获取服务器端证书的两部是可选的，不会影响数据交换
88

// 获取cipher
90

std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;
91

// 获取服务器端的证书
93

server_certificate = SSL_get_peer_certificate (ssl);
94

if( server_certificate != NULL ) {
95

std::cout<<"Server certificate:"<<std::endl;
96

str = X509_NAME_oneline (X509_get_subject_name (server_certificate),0,0);
98

if( str == NULL ) {
99

std::cout<<"X509_NAME_oneline error."<<std::endl;
100

} else {
101

std::cout<<"subject: "<<str<<std::endl;
102

OPENSSL_free (str);
103

}
104

105

str = X509_NAME_oneline (X509_get_issuer_name (server_certificate),0,0);
106

if( str == NULL ) {
107

std::cout<<"X509_NAME_oneline error."<<std::endl;
108

} else {
109

std::cout<<"issuer: "<<str<<std::endl;
110

OPENSSL_free (str);
111

}
112

113

X509_free (server_certificate);
114

} else {
115

std::cout<<"Server does not have certificate. we sould Esc!"<<std::endl;
116

return -1;
117

}
118

119

////////////////
120

// 数据交换 //
121

////////////////
122

char buf [4096];
123

124

ret = SSL_write (ssl, "Hello World!", strlen("Hello World!"));
125

if( ret == -1 ) {
126

std::cout<<"SSL_write error."<<std::endl;
127

return -1;
128

}
129

ret = SSL_read (ssl, buf, sizeof(buf) - 1);
130

if( ret == -1 ) {
131

std::cout<<"SSL_read error."<<std::endl;
132

return -1;
133

}
134

buf[ret] = '\0';
135

std::cout<<buf<<std::endl;
136

SSL_shutdown(ssl); /* send SSL/TLS close_notify */
137

138

/////////////
139

// Cleanup //
140

/////////////
141

closesocket(client_socket);
142

SSL_free (ssl);
143

SSL_CTX_free (ctx);
144

WSACleanup();
145

return 0;
146

}

最后的输出结果:
Server-Console:
Connection from 16777343:20314
SSL connection using: AES256-SHA
Client does not have certificate.
Hello World!

Client-Console:
SSL connection using: AES256-SHA
Server certificate:
subject: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAd
dress=ysong.lee@gmail.com
issuer: /C=cn/ST=shanghai/L=shanghai/O=shanghai/OU=shanghai/CN=shanghai/emailAdd
ress=ysong.lee@gmail.com
I hear you.

posted on 2015-01-23 18:46 寻步阅读(5378) 评论(1) 收藏举报