There is very little detailed documentation on this aspect of openssl application programming. I learned and combined the man document to understand its basic structure by carefully analyzing the sample code in the openssl source package. The SSL communication model is a standard C/S structure. Except for transmission over the TCP layer, there is no significant difference from general communication. Below I will make a simple analysis of the process of establishing a secure TCP connection with SSL.
One, digital certificate preparation
Usually our server needs
server-side private key server.key file
server-side certificate server.crt file
For two-way authentication connection, you need to use the client's private key client.key file
client certificate client.crt file
for one-way authentication connection, you do not need to use the client certificate file
< b> Second,
Program structure
The header files related to ssl are placed in the openssl directory, usually need to use these:
#include /* SSLeay stuff */and RSA Some definitions related to the algorithm
#include /*Encryption library interface*/
#include /*Certificate file related*/
#include
#include
#include
1
, some necessary initialization for
OPENSSL
SSL_load_error_strings(); /* Initialization of error information, not required, if To print using OpenSSL error messages, call it */
SSLeay_add_ssl_algorithms(); /*Load the SSL algorithm library*/
/* You can also load the SSL algorithm library in two ways:
SSL_library_init( Void); OpenSSL_add_ssl_algor Ithms();
*/
Create SSL upper and lower environment
meth = SSLv23_server_method();
/*Client mode:
SSL_METHOD* TLSv1_client_method(void); TLSv1.0 protocol SSL_METHOD* SSLv2_client_method(void); SSLv2 protocol SSL_METHOD* SSLv3_client_method(void); SSLv3 protocol SSL_METHOD* SSLv23_client_method(void); SSLv2/v3 protocol
Server mode:
SSL_METHOD* TLSv1_server_method(void); SSL_METHOD* SSLv2_server_method (void); SSL_METHOD* SSLv3_server_method(void); SSL_METHOD* SSLv23_server_method(void);
*/
ctx = SSL_CTX_new (meth); /* In the application, the client and server must be in the same mode*/
ctx is a pointer to the current SSL session environment. We set it according to our needs:
void SSL_CTX_set_verify(SSL_CTX*, int, int* (int, X509_STORE_CTX*));
Settings The way the certificate is verified. The first parameter is the current CTX pointer, and the second is the authentication method. If you want to verify the other party, use SSL_VERIFY_PEER. If you don't need it, use SSL_VERIFY_NONE. In general, the client needs to authenticate the other party, but the server does not. The third parameter is the callback function that handles the validation. If there is no special need, use a null pointer.
void SSL_CTX_load_verify_locations(SSL_CTX*, const char*, const char*);
Load the certificate, the first parameter is the same as above, the second parameter is the name of the certificate file, and the third parameter is the path of the certificate file; >int SSL_CTX_use_certificate_file(SSL_CTX* ctx, const char* file, int type);
Load local certificate; type specifies the structure type of the certificate file; fail returns -1
SSL_CTX_set_default_passwd_cb_userdata(ctx, "123456");
Set the password of the certificate to be loaded by SSL. If you do not set it, you will be prompted to enter the password when loading the certificate. This is more troublesome to use in the program. This function saves the password in advance and automatically uses it when reading the certificate. .
int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int type);
Load your own private key; type parameter specifies the structure type of the private key file; failure returns -1. Once the certificate and file are loaded, you can verify that the private key matches the certificate:
int SSL_CTX_check_private_key(SSL_CTX*);
Example:
if (SSL_CTX_use_certificate_file (ctx, server.crt, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
SSL_CTX_set_default_passwd_cb_userdata(ctx, "123456789");
if (SSL_CTX_use_PrivateKey_file(ctx, server.key, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key/n");
exit(5);
}
2
, Association
tcp
Socket
SSL connection is dependent on the socket socket, so the secure connection must be associated with the corresponding socket. The SSL communication process is performed after the tcp connection is established, so the socket establishment process is no different from the normal socket programming, and is not described here.
ssl = SSL_new (ctx); //Request SSL Sockets
SSL_set_fd (ssl, sd); //Bind and Write Sockets
The above call will connect successfully TCP sockets with SSL association.
3
Starting secure communication
For server-side calls
err = SSL_accept (ssl);
Listing client requests, calling for client
err = SSL_connect (ssl);
Initiate a connection. After success, both parties can communicate securely by calling
int SSL_read(SSL* ssl, char* buf, int num); int SSL_write(SSL* ssl, char* buf, int num);
.
At this point, both parties can obtain the certificate information of the other party by calling X509* SSL_get_peer_certificate(SSL* ssl)
Example:
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
printf ("Client certificate:/n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL(str) ;
printf ("/t subject: %s/n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL (str);
printf ("/t issuer: %s/n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
printf ("Client does not have certificate./n");
4
, the communication is over, you need to release the previous application
SSL
resource
int SSL_shutdown(SSL* ssl); close the SSL socket; void SSL_free(ssl); Free SSL socket; void SSL_CTX_free(ctx); free SSL environment;