SSL connection to build a network security road

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


What is a SSL connection

The current version of SSL is 3.1 (SSL 3.1 is TLS 1.0). It is widely used for authentication and encrypted data transfer between web browsers and servers. It sits between the TCP/IP protocol and the various application-layer protocols and provides security for data communication. The SSL protocol is divided into two layers:

SSL Record Protocol: runs on top of a reliable transport protocol (such as TCP) and provides the higher-level protocols with basic functions such as data encapsulation, compression and encryption.

SSL Handshake Protocol: runs on top of the SSL Record Protocol and is used for identity authentication, negotiation of encryption algorithms and exchange of encryption keys before the actual data transfer begins.

SSL connection establishment process

(take OpenSSL API as an example)

OpenSSL is an open-source SSL suite whose library is written in C and implements the basic data-encryption functions of the transport layer. It was developed on the basis of SSLeay, written by two Canadians, Eric A. Young and Tim J. Hudson; SSLeay development stopped when the two went to work for RSA. In 1998 the OpenSSL project team took over development and released OpenSSL version 0.9.1. By now OpenSSL's algorithm support is very complete, covering SSL 2.0, SSL 3.0 and TLS 1.0.

OpenSSL also provides the programming interface for both the client and the server; the general process of secure communication with OpenSSL is shown in the following figure.

1. OpenSSL API

The SSL communication model uses the standard C/S (client/server) structure, so an OpenSSL-based program is divided into two parts: Client and Server. The figure above is a schematic of the process for establishing SSL communication; it illustrates the following important steps that an OpenSSL-based program follows:

(1) OpenSSL initialization

OpenSSL must be initialized before it is used. The prototypes of the initialization functions are:

void SSL_load_error_strings(void); // load the human-readable error strings

int SSL_library_init(void); // initialize the SSL algorithm library (load the algorithms to be used); must be called before any other SSL function

Before establishing an SSL connection, the Client and the Server each specify the protocol and version to use for the connection. The protocol versions currently available are SSLv2, SSLv3, SSLv2/v3 and TLSv1.0. For the SSL connection to be established, Client and Server must use mutually compatible protocols.

(2) create the CTX

In OpenSSL, the CTX is the SSL session environment. A connection made with a different protocol needs a different CTX. The following OpenSSL functions are used when creating a CTX:

// both the client and the server need to call

SSL_CTX_new() // allocate the SSL session environment

// if the other party's certificate is to be verified, also call

SSL_CTX_set_verify() // specify the certificate verification mode

SSL_CTX_load_verify_locations() // load the trusted CA certificates used by the SSL session environment

// if a certificate of our own is to be loaded, also call

SSL_CTX_use_certificate_file() // load this application's certificate into the SSL session environment

SSL_CTX_use_certificate_chain_file() // load the certificate chain to which this application's certificate belongs

SSL_CTX_use_PrivateKey_file() // load this application's private key into the SSL session environment

SSL_CTX_check_private_key() // check that the loaded private key matches the certificate

(3) create the SSL socket

Before this step, create an ordinary stream socket, complete the TCP three-way handshake and establish a normal TCP connection. Then create an SSL socket and bind it to the stream socket. The functions used are:

SSL *SSL_new(SSL_CTX *ctx); // create an SSL socket

int SSL_set_fd(SSL *ssl, int fd); // bind the stream socket in read-write mode

int SSL_set_rfd(SSL *ssl, int fd); // bind the stream socket for reading only

int SSL_set_wfd(SSL *ssl, int fd); // bind the stream socket for writing only

(4) complete the SSL handshake

In this step an SSL connection is established on top of the ordinary TCP connection. The process resembles connecting an ordinary stream socket: the Client calls SSL_connect() [the counterpart of connect() for stream sockets] to initiate the handshake, and the Server calls SSL_accept() [the counterpart of accept() for stream sockets] to respond, completing the handshake. The prototypes of the two functions are:

int SSL_connect(SSL *ssl);

int SSL_accept(SSL *ssl);

After the handshake completes, the Client usually obtains the Server's certificate in order to authenticate the Server. Two functions are used for this:

X509 *SSL_get_peer_certificate(SSL *ssl); // get the peer certificate from the SSL socket

X509_NAME *X509_get_subject_name(X509 *a); // get the subject name of the certificate, i.e. the identity of the certificate holder

(5) data transmission

After the preceding steps, secure data transfer can begin. In this phase SSL_read() and SSL_write() replace the read() and write() functions used with ordinary stream sockets. Their prototypes are:

int SSL_read(SSL *ssl, void *buf, int num); // read data from the SSL socket

int SSL_write(SSL *ssl, const void *buf, int num); // write data to the SSL socket

(6) end the session

When communication between Client and Server is finished, the following functions release the SSL resources allocated in the preceding steps:

int SSL_shutdown(SSL *ssl); // close the SSL socket

void SSL_free(SSL *ssl); // release the SSL socket

void SSL_CTX_free(SSL_CTX *ctx); // release the SSL session environment
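The six steps above, written out as an added example (not code from the article or from OpenSSL) as a Python client using the standard ssl module, which wraps the same libssl calls; the OpenSSL function each line corresponds to is named in its comment. It assumes a host and port supplied by the caller, and includes a check that flags a CTX built without the "verify the other party's certificate" calls.

```python
import socket
import ssl

# Added example (not from the article): steps (1)-(6) as a Python client. The ssl
# module wraps libssl, so each line names the OpenSSL call it corresponds to.

def make_client_context(cafile=None):
    """Step (2): build the CTX with peer verification switched on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # SSL_CTX_new(); library init is implicit
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSLv3/TLS1.0 still listed above
    ctx.verify_mode = ssl.CERT_REQUIRED             # SSL_CTX_set_verify(SSL_VERIFY_PEER)
    ctx.check_hostname = True                       # peer cert must name the host we dial
    if cafile:
        ctx.load_verify_locations(cafile=cafile)    # SSL_CTX_load_verify_locations()
    else:
        ctx.load_default_certs()                    # system trust store instead of a file
    return ctx

def make_unverified_context():
    """The same CTX with the 'if you need to verify' calls left out: any cert passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE                 # SSL_VERIFY_NONE
    return ctx

def context_is_safe(ctx):
    """Review check for a CTX: peer verified, host name checked, nothing below TLS 1.2."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def tls_connect(host, port, ctx, timeout=5.0):
    """Steps (3)-(6): TCP connect, bind the SSL object, handshake, read the peer
    certificate, exchange data, then shut down. Returns (subject, first reply bytes)."""
    raw = socket.create_connection((host, port), timeout=timeout)   # TCP three-way handshake
    tls = ctx.wrap_socket(raw, server_hostname=host,                # SSL_new() + SSL_set_fd()
                          do_handshake_on_connect=False)
    try:
        tls.do_handshake()                                          # SSL_connect()
        cert = tls.getpeercert()                                    # SSL_get_peer_certificate()
        subject = dict(rdn[0] for rdn in cert["subject"])           # X509_get_subject_name()
        tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")  # SSL_write()
        return subject, tls.recv(64)                                # SSL_read()
    finally:
        try:
            tls.unwrap()                                            # SSL_shutdown(): close_notify
        except (OSError, ValueError):
            pass                                                    # peer may already be gone
        tls.close()                                                 # SSL_free() and close the fd
```

Calling tls_connect("example.org", 443, make_client_context()) runs the full sequence against a live server; with make_unverified_context() the handshake still succeeds, which is exactly what context_is_safe() is there to catch before deployment.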

Global trusted CA institutions
