2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article mainly explains how to implement two-way authentication with OpenSSL. The content is laid out clearly, interested readers can follow along, and I believe it will be helpful after reading.
I. Background notes
1.1 The problem
A recent product inspection report recommended PKI-based authentication. Since the product already implements HTTPS, this was taken to mean using two-way authentication to defend against man-in-the-middle attacks.
I came across two-way authentication in the "Information Security Engineering" course, but there were two problems.
First, in the final course project the client was the browser and the server was Tomcat, so two-way authentication only needed to be configured on both sides; no code had to be written.
Second, although the course also included implementation code close to two-way authentication, it used a Java+JCE environment, whereas the environment now is C++ with OpenSSL. The overall idea is about the same, but the specific functions and parameters differ in many places.
So what is available at present is the idea of certificate generation plus the idea of two-way authentication. Readers are assumed to have a basic understanding of concepts such as certificates, SSL/TLS and socket programming; this article will not cover them in detail.
Based on this, the problems this article solves are: how exactly to generate certificates with openssl, and how to implement two-way authentication with openssl.
The key points of two-way authentication are the following functions (the same on both the server and the client). For details, see the code comments:
SSL_CTX_set_verify -- configures and enables two-way authentication
SSL_CTX_load_verify_locations -- loads the trusted root certificate
SSL_CTX_use_certificate_file -- loads the program's own certificate
SSL_CTX_use_PrivateKey_file -- loads the program's own private key
SSL_get_verify_result -- this is where verification is actually checked. Be sure to call this function; otherwise the first four calls only configure two-way verification and no verification result is ever checked.
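The first problem named above is how to produce the certificates these calls load. As an added example (not from the original article), the following script creates a private CA, a server certificate and a client certificate with the openssl command-line tool, using the ca.crt file name the server code loads, and checks each leaf against the CA the same way the peer's SSL_get_verify_result() check will. It assumes the openssl CLI is installed; the subject names and the untrusted.crt negative case are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the certificate material
# for OpenSSL two-way authentication with the openssl CLI (assumed installed) and
# verifies each leaf certificate against the CA. File names match the server code
# (ca.crt); subject names are arbitrary constructed values.
set -e

# Scratch directory so nothing is written next to the script.
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Create a key pair for $1 and have the CA sign a certificate with CN=$2.
# The resulting $1.crt / $1.key are what SSL_CTX_use_certificate_file() and
# SSL_CTX_use_PrivateKey_file() load on that side of the connection.
issue_cert() {
    name="$1"; cn="$2"
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$name.crt" 2>/dev/null
}

# Same check the peer performs after SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL):
# returns 0 when the certificate chains to ca.crt (X509_V_OK), non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# 1. Self-signed root CA; both sides load ca.crt as their trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 3650 -subj "/CN=Example Test CA" 2>/dev/null

# 2. Server and client leaf certificates signed by that CA.
issue_cert server localhost
issue_cert client mtls-client

# 3. A self-signed certificate not issued by the CA: a peer presenting this
#    must fail the same check (SSL_get_verify_result() != X509_V_OK).
openssl req -x509 -newkey rsa:2048 -nodes -keyout untrusted.key -out untrusted.crt \
    -days 365 -subj "/CN=untrusted" 2>/dev/null

for c in server.crt client.crt; do
    verify_against_ca "$c" && echo "$c: trusted by ca.crt"
done
verify_against_ca untrusted.crt || echo "untrusted.crt: rejected"
```

Copy ca.crt to both hosts, server.crt/server.key to the server and client.crt/client.key to the client; the private keys never leave the side they belong to.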
II. Implementing the two-way authentication program
2.1 Install OpenSSL and the development API
apt-get install libssl-dev
2.2 Server code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define MAXBUF 1024

void ShowCerts(SSL *ssl)
{
    X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl);
    /* SSL_get_verify_result() is the key point. SSL_CTX_set_verify() only
     * configures whether verification is enabled; this call returns the
     * result of verifying the peer certificate. If it is not X509_V_OK the
     * connection should be aborted. */
    if (SSL_get_verify_result(ssl) == X509_V_OK) {
        printf("Certificate verification passed\n");
    } else {
        printf("Certificate verification failed\n");
    }
    if (cert != NULL) {
        printf("Digital certificate information:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Certificate: %s\n", line);
        OPENSSL_free(line); /* X509_NAME_oneline() allocates with OPENSSL_malloc() */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        OPENSSL_free(line);
        X509_free(cert);
    } else {
        printf("No certificate information!\n");
    }
}

int main(int argc, char **argv)
{
    int sockfd, new_fd;
    socklen_t len;
    struct sockaddr_in my_addr, their_addr;
    unsigned int myport, lisnum;
    char buf[MAXBUF + 1];
    SSL_CTX *ctx;

    /* check argc before reading argv[2]: argv[argc] is NULL, but argv[argc + 1] is out of bounds */
    if (argc > 1)
        myport = atoi(argv[1]);
    else
        myport = 7838;
    if (argc > 2)
        lisnum = atoi(argv[2]);
    else
        lisnum = 2;

    /* SSL library initialization */
    SSL_library_init();
    /* load all SSL algorithms */
    OpenSSL_add_all_algorithms();
    /* load all SSL error strings */
    SSL_load_error_strings();
    /* create an SSL_CTX (SSL context) that negotiates the protocol version with
     * the peer. The original listing used SSLv23_server_method(); in OpenSSL
     * 1.1.0 and later that is an alias for TLS_server_method(), and the
     * SSLv2-only and SSLv3-only methods are no longer built. */
    ctx = SSL_CTX_new(TLS_server_method());
    if (ctx == NULL) {
        ERR_print_errors_fp(stdout);
        exit(1);
    }
    /* two-way verification:
     * SSL_VERIFY_PEER -- verify the client certificate if one is presented;
     *     on its own, a client that sends no certificate is still let through.
     * SSL_VERIFY_FAIL_IF_NO_PEER_CERT -- abort the handshake when the client
     *     presents no certificate; it only has effect together with
     *     SSL_VERIFY_PEER and is ignored if used alone. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    /* set the trusted root certificate */
    if (SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL) <= 0) {
        ERR_print_errors_fp(stdout);
        exit(1);
    }
    /* ... the server listing ends here in the source article */
    return 0;
}