openssl使用 Demo
1. website SSL(secure Socket Layer) TLS(transport Layer Security) - SSL3.0基础之上提出的安全通信标准,目前版本是1.0 openssl 主页 -> http://www.openssl.org/ openssl 中文文档 -> http://www.chinaunix.net/jh/13/478901.html
2. 如何编译OpenSSL in Windows? a) 下载openssl -> openssl-0.9.8i b) 下载perl -> http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.8.822-MSWin32-x86-280952.zip c) 安装perl -> ActivePerl-5.8.8.822-MSWin32-x86-280952/Installer.bat (之前先运行vcvars32.bat,需要运行perf Configure VC-WIN32来设置环境变量) d) 使windows支持nmake -> C:Program FilesMicrosoft Visual Studio 10.0VCbinvcvars32.bat e) 进入openssl路径 -> cd C:devdivopenssl-0.9.8i (工作路径) f) 创建Makefile文件: msdo_ms (出现%osversion% is not defined的错误忽略即可) g) 编译动态库: nmake -f msntdll.mak 编译静态库: nmake -f msnt.mak
测试动态库: nmake -f msntdll.mak test 测试静态库: nmake -f msnt.mak test
安装动态库: nmake -f msntdll.mak install 安装静态库: nmake -f msnt.mak install
清除上次动态库的编译,以便重新编译: nmake -f msntdll.mak clean 清除上次静态库的编译,以便重新编译: nmake -f msnt.mak clean 3. 如何使用openssl? a) library path -> C:devdivopenssl-0.9.8iout32 b) include path -> C:devdivopenssl-0.9.8iinclude c) 库文件 -> libeay32.lib, ssleay32.lib
4. 配置文件在哪里? C:devdivopenssl-0.9.8iappsopenssl.cnf 5. 关于key: key一般分为public key和private key,在openssl中,private key中包含了public key的信息,所以public key不需要单独创建. 如何创建一个RSA key? openssl.exe genrsa -des3 -out privatekey.pem 2048 (需要添加密码保护) openssl.exe genrsa -out privatekey.pem 2048 6. 关于certificates(证书文件), 如何创建一个证书呢? 一般流程是: a. 创建一个private key b. 创建一个certificate signing request(证书请求), 这个需要a#中创建的private key.因为证书中需要包含public key, 创建的priavate key中有这些信息. (openssl.exe req -new -key privatekey.pem-out cacert.csr) c. 把创建好的证书请求拿到CA(certificate authority)证书认证机构审批. 7. 如何做一个自签名的证书呢? openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095 (Note: privatekey.pem需要自己创建) 8. Demo: 来自openssl自带的demo,略做修改.
代码语言:javascript复制#include <openssl/rsa.h> /* SSLeay stuff */
2#include <openssl/crypto.h>
3#include <openssl/x509.h>
4#include <openssl/pem.h>
5#include <openssl/ssl.h>
6#include <openssl/err.h>
7
8
9#include <iostream>
10#include <winsock2.h>
11
12#define SERVER_PORT 5003
13
14// certificate & key 的存放路径
15// Note: 必须是全路径, 否则SSL_CTX_use_certificate_file等函数
16// 无法找到文件在windows平台上.
17// How to:
18// #privatekey.pem
19// openssl.exe genrsa -out privatekey.pem 2048
20// #cacert.pem
21// openssl.exe req -new -x509 -key privatekey.pem -out cacert.pem -days 1095 -config openssl.cnf
22//
23#define SERVER_CERTIFICATE "c:\config\cacert.pem"
24#define SERVER_KEY "c:\config\privatekey.pem"
25
26#pragma comment( lib, "ws2_32.lib" )
27#pragma comment( lib, "libeay32.lib" )
28#pragma comment( lib, "ssleay32.lib" )
29
30int main( int argc, char* argv[] ) {
31 int ret;
32
33
34 // 初始化 //
35
36 SSL_CTX* ctx;
37 SSL_METHOD *meth;
38
39 SSL_load_error_strings();
40 SSLeay_add_ssl_algorithms();
41 meth = SSLv23_server_method();
42
43 ctx = SSL_CTX_new (meth);
44 if (!ctx) {
45 ERR_print_errors_fp(stderr);
46 std::cout<<"SSL_CTX_new error."<<std::endl;
47 return -1;
48 }
49
50 if (SSL_CTX_use_certificate_file(ctx, SERVER_CERTIFICATE, SSL_FILETYPE_PEM) <= 0) {
51 ERR_print_errors_fp(stderr);
52 std::cout<<"SSL_CTX_use_certificate_file error."<<std::endl;
53 return -1;
54 }
55 if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
56 ERR_print_errors_fp(stderr);
57 std::cout<<"SSL_CTX_use_PrivateKey_file error."<<std::endl;
58 return -1;
59 }
60
61 if (!SSL_CTX_check_private_key(ctx)) {
62 ERR_print_errors_fp(stderr);
63 std::cout<<"SSL_CTX_check_private_key error."<<std::endl;
64 return -1;
65 }
66
67 ///
68 // 建立原始的TCP连接 //
69 ///
70 WSADATA wsaData;
71 SOCKET listen_socket;
72 SOCKET accept_socket;
73 struct sockaddr_in addr_server;
74 struct sockaddr_in addr_client;
75 int addr_client_len;
76
77 ret = WSAStartup( MAKEWORD(2, 2), &wsaData );
78 if ( ret != 0 ) {
79 std::cout<<"WSAStartup error."<<std::endl;
80 return -1;
81 }
82
83 listen_socket = socket (AF_INET, SOCK_STREAM, 0);
84 if( listen_socket == INVALID_SOCKET ) {
85 std::cout<<"socket error."<<std::endl;
86 return -1;
87 }
88
89 memset (&addr_server, 0, sizeof(addr_server));
90 addr_server.sin_family = AF_INET;
91 addr_server.sin_addr.S_un.S_addr = INADDR_ANY;
92 addr_server.sin_port = htons (SERVER_PORT);
93
94 ret = bind(listen_socket, (struct sockaddr*)&addr_server, sizeof(addr_server) );
95 if( ret == SOCKET_ERROR ) {
96 std::cout<<"bind error."<<std::endl;
97 return -1;
98 }
99
100 ret = listen (listen_socket, 5);
101 if( ret == SOCKET_ERROR ) {
102 std::cout<<"listen error."<<std::endl;
103 return -1;
104 }
105
106 addr_client_len = sizeof(addr_client);
107 accept_socket = accept (listen_socket, (struct sockaddr*) &addr_client, &addr_client_len);
108 if( accept_socket == INVALID_SOCKET ) {
109 std::cout<<"accept error."<<std::endl;
110 return -1;
111 }
112 closesocket(listen_socket);
113 std::cout<<" Connection from "<<addr_client.sin_addr.S_un.S_addr<<":"<<addr_client.sin_port<<std::endl;
114
115 /
116 // TCP连接已经建立,执行Server SSL //
117 /
118 SSL* ssl;
119 X509* client_certificate;
120 char* str;
121
122 ssl = SSL_new (ctx);
123 if( ssl == NULL ) {
124 std::cout<<"SSL_new error."<<std::endl;
125 return -1;
126 }
127 SSL_set_fd (ssl, accept_socket);
128 ret = SSL_accept (ssl);
129 if( ret == -1 ) {
130 std::cout<<"SSL_accept error."<<std::endl;
131 return -1;
132 }
133
134 // 获取cipher
135 std::cout<<"SSL connection using: "<<SSL_get_cipher(ssl)<<std::endl;
136
137 // 获取客户端的证书
138 client_certificate = SSL_get_peer_certificate (ssl);
139 if (client_certificate != NULL) {
140 std::cout<<"Client certificate:"<<std::endl;
141
142 str = X509_NAME_oneline (X509_get_subject_name (client_certificate), 0, 0);
143 if( str == NULL ) {
144 std::cout<<"X509_NAME_oneline error."<<std::endl;
145 } else {
146 std::cout<<"subject: "<<str<<std::endl;
147 OPENSSL_free (str);
148 }
149
150 str = X509_NAME_oneline (X509_get_issuer_name (client_certificate), 0, 0);
151 if( str == NULL ) {
152 std::cout<<"X509_NAME_oneline error."<<std::endl;
153 } else {
154 std::cout<<"issuer: "<<str<<std::endl;
155 OPENSSL_free (str);
156 }
157
158 X509_free (client_certificate);
159 } else {
160 std::cout<<"Client does not have certificate. "<<std::endl;
161 }
162
163
164 // 数据交换 //
165
166 char buf [4096];
167
168 ret = SSL_read (ssl, buf, sizeof(buf) - 1);
169 if( ret == -1 ) {
170 std::cout<<"SSL_read error."<<std::endl;
171 return -1;
172 }
173 buf[ret] = '