网站规划和建设进度,做网站需要哪几个板块,seo外链要做些什么,宿迁新站seo内容介绍
国密的双证书体系#xff0c;将证书按照使用目的的不同划分为加密证书和签名证书两种#xff0c;也就是两对公私钥#xff0c;二者本质一致#xff0c;均为SM2密钥对#xff0c;区别仅体现在用法国密CA体系中#xff0c;加密密钥对由CA产生#xff0c;签名密钥…内容介绍
国密的双证书体系将证书按照使用目的的不同划分为加密证书和签名证书两种也就是两对公私钥二者本质一致均为SM2密钥对区别仅体现在用法国密CA体系中加密密钥对由CA产生签名密钥对由用户自己产生那么加密密钥涉及到的 私钥是如何通过安全的方式由CA传递到用户侧呢使用数字信封的机理从道理上来说两个密钥具有不同的属性逻辑上应该分开处理。其实最主要的原因是国家要保证必要的时候有能力对某些通讯进行监控如果采用单证书除了自己谁也无法解密理论上如此不利于国家安全。因此某些国家法律规定使用双证书。如果拥有加密证书的私钥可以进行实时监控。使用过wireshark抓HTTPS包的朋友应该知道如果配置了RSA密钥可以解密出HTTPS通信中的加密信息。
加密证书和私钥的生成过程
用户产生签名密钥对生成签名证书的请求发送签名证书给CACA验证用户的签名密钥对产生加密证书CA生成对称密钥使用用户的签名公钥加密对称密钥生成对称秘钥的密文CA使用对称密钥对称加密 加密证书所对应的私钥输出加密私钥的密文CA将加密证书、对称密钥密文和加密私钥的密文 返还给 用户用户使用签名私钥解密对称密钥的密文得到对称密钥用户使用对称密钥解密加密私钥得到加密私钥的明文
国标文档
《GMT 0024-2014 SSL VPN 技术规范》文档的下载地址 GMSSL - 国密SSL实验室对证书的介绍注意事项
双证书与标准TLS报文格式一样但至少要包含两个证书签名证书在前加密证书在后。如果牵扯到证书链问题就复杂了而且协议这里也没有规定清楚。是签名证书 证书链 加密证书还是签名证书 加密证书 证书链在实现中发现TASSL采用的是前者而沃通测试网站采用后者。在编码时请注意最好是两者都兼容。
参考链接
国密SSL协议之双证书体系_国密二三事的博客-CSDN博客_国密双证书啥双证书_云水木石的博客-CSDN博客新手入坑GMSSL二GMSSL双证书生成_JagnDC的博客-CSDN博客_gmssl 双证书新手入坑GMSSL三GMSSL双证书与360国密浏览器通讯_JagnDC的博客-CSDN博客请问一个国密双证书握手的问题 · Issue #274 · guanzhi/GmSSL · GitHubhttps://github.com/guanzhi/GmSSL/issues/33https://www.codeleading.com/article/21625213349/
最关键的参考链接
gmssl使用双证书双向认证的gmtl协议报错crypto/sm2/sm2_sign.c 510: sm2_do_verifySSL3 alert write:fatal:decrypt error_MY CUP OF TEA的博客-CSDN博客
命令行 模式
新手入坑GMSSL二GMSSL双证书生成_JagnDC的博客-CSDN博客_gmssl 双证书gmssl 国密ssl流程测试_viqjeee的博客-CSDN博客_gmssl s_serverGmSSL实现gmtls协议也就是双证书协议(签名和加密双证书)涉及到双证书的文章中一般都基于TASSL这个项目它是由北京江南天安科技有限公司提出的支持国密证书和协议的项目GitHub - jntass/TASSL: 已升级到TASSL-1.1.1k下载链接https://github.com/jntass/TASSL-1.1.1k生成根证书、服务器和客户端的签名和加密证书使用的脚本如下TASSL/SM2certgen.sh at master · jntass/TASSL · GitHub证书的名字和类型 CA.key.pem和CA.cert.pem分别是CA私钥和CA证书。CE.cert.pem和CE.key.pem分别是客户端的加密证书和对应的私钥。CS.cert.pem和CS.key.pem分别是客户端的签名证书和对应的私钥。SE.cert.pem和SE.key.pem分别是服务器的加密证书和对应的私钥。SS.cert.pem和SS.key.pem分别是服务器的签名证书和对应的私钥。官方的接口说明openssl s_server的参数中的-cert和-key分别用于指定证书和私钥但是还有个参数-dcert和-dkey参考链接和官方解释如下/docs/man1.0.2/man1/openssl-s_server.html-dcert filename, -dkey keyname specify an additional certificate and private key, these behave in the same manner as the -cert and -key options except there is no default if they are not specified (no additional certificate and key is used). As noted above some cipher suites require a certificate containing a key of a certain type. Some cipher suites need a certificate carrying an RSA key and some a DSS (DSA) key. By using RSA and DSS certificates and keys a server can support clients which only support RSA or DSS cipher suites by using an appropriate certificate. -dcert文件名-dkey密钥名 指定一个额外的证书和私钥它们的行为方式与-cert和-key选项相同除非没有指定它们否则没有默认值(不使用额外的证书和密钥)。如上所述一些密码套件需要包含特定类型密钥的证书。一些密码套件需要携带RSA密钥和一些DSS (DSA)密钥的证书。通过使用RSA和DSS证书和密钥服务器可以通过使用适当的证书来支持仅支持RSA或DSS密码套件的客户端。 双证书双向认证
服务端
在设置双证书时需要先设置签名证书然后再设置加密证书具体可参考源码。服务端执行命令 需要在指定的文件下执行必须要有 verifyverify是开启gmtls双向证书认证的关键也就是对等证书验证客户端也会验证服务端的证书gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
chy-cpabeubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
verify depth is 1
Using default temp DH parameters
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
ACCEPT
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:SSLv3/TLS write key exchange
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS write server done
depth1 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU SORB of TASS, CN Test CA (SM2)
verify return:1
depth0 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU BSRC of TASS, CN client sign (SM2)
verify return:1
SSL_accept:SSLv3/TLS read client certificate
ssl_get_algorithm2f227000008x
SSL_accept:SSLv3/TLS read client key exchange
SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read change cipher spec
SSL_accept:SSLv3/TLS read finished
SSL_accept:SSLv3/TLS write change cipher spec
SSL_accept:SSLv3/TLS write finished
-----BEGIN SSL SESSION PARAMETERS-----
MIICmAIBAQICAQEEAuATBCAWcAdtfPyMiEJmINUd/e/AmYdNqNTalV1AAbACRSQE
CgQwtuURXPYQpQ7gQIZ3fWRd9QpsP0Zi57oDT1D/X1xVBL3wy9yrr/BOpRw2afsu
4DH3oQYCBGMw/gSiBAICHCCjggIfMIICGzCCAcGgAwIBAgIJAIVjxdwZIdmMAoG
CCqBHM9VAYN1MIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAe
Fw0yMDA2MjAxMDE4MjZaFw0yNDA3MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcg
Sk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgG
A1UEAwwRY2xpZW50IHNpZ24gKFNNMikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNC
AARV/eII1n2NVqYjwt9r9A5Eh6Z0iGWUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCr
ZEhU6yuntNtaWpexPblqXAroxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAK
BggqgRzPVQGDdQNIADBFAiEAiXPoCNW/n9SDbv6/oNyCCV/7kBgunc7w5b7xGm
4RICIBMDlLjPZE2ACYhu1Wjqph23PfMPMgae4Gtd7wzFz2UpAYEBAEAAAA
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
MIICGzCCAcGgAwIBAgIJAIVjxdwZIdmMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRY2xpZW50IHNpZ24gKFNN
MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAARV/eII1n2NVqYjwt9r9A5Eh6Z0
iGWUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCrZEhU6yuntNtaWpexPblqXAroxow
GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEAiXP
oCNW/n9SDbv6/oNyCCV/7kBgunc7w5b7xGm4RICIBMDlLjPZE2ACYhu1Wjqph23
PfMPMgae4Gtd7wzFz2U
-----END CERTIFICATE-----
subject/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNclient sign (SM2)
issuer/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
CIPHER is SM2-WITH-SMS4-SM3
Secure Renegotiation IS supported客户端
客户端执行代码和执行结果 gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state -showcerts
chy-cpabeubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state -showcerts
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth1 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU SORB of TASS, CN Test CA (SM2)
verify return:1
depth0 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU BSRC of TASS, CN server sign (SM2)
verify return:1
SSL_connect:SSLv3/TLS read server certificate
ZBCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
C00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
ssl_get_algorithm23268600008x
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
---
Certificate chain0 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
-----BEGIN CERTIFICATE-----
MIICGjCCAcGgAwIBAgIJAIVjxdwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
CL/AJrCsHa6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
3HxKEb8r8JsEEStwaU
-----END CERTIFICATE-----1 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver enc (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
-----BEGIN CERTIFICATE-----
MIICGjCCAcCgAwIBAgIJAIVjxdwZIdlMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
MjkxMDE4MjZaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQc2VydmVyIGVuYyAoU00y
KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABLmZhTMC8CzFIsxMyihwGehrkB/C
TjzPmmG5O7F3sows6OI8XFIt9zwj96w2/2iMsuaFo/pHcBA/fJnvwy0GwRjGjAY
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0gAMEUCIQDsQ2j0
AIcL7UQYF69NNZvcYant/d7lSrDBhQhLRQxGuQIgbgw6CLxYRZAEbchWA81OilH5
fZZpsayj4qNieYdSaI
-----END CERTIFICATE-----2 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
-----BEGIN CERTIFICATE-----
MIICWjCCAgCgAwIBAgIJAP5W2mLaOWq5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
MjkxMDE4MjVaMIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTBZ
MBMGByqGSM49AgEGCCqBHM9VAYItA0IABArjN7agH8D12eqXJpMeTOR9m3sB2RC
ojH7fZPB77SDfHZb9g1lcqUhrug0nw2F8wBMsLfjvsK3wQn/ryi3YvSjXTBbMB0G
A1UdDgQWBBRCcBGiEpd09qSpUlkiGkZqCFbDAfBgNVHSMEGDAWgBRCcBGiEpd0
9qSpUlkiGkZqCFbDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzP
VQGDdQNIADBFAiBjdylWVsUoTRcHu9DoMHv4lgtYJMf2xHAGLoJUjmbizAIhAOFD
i3EmFVUgGVdgbnztFZcBLxtBzIAh/Q4Q3dm3/MFu
-----END CERTIFICATE-----
---
Server certificate
subject/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)
issuer/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
---
Acceptable client certificate CA names
/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 2121 bytes and written 2115 bytes
Verification: OK
---
New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:Protocol : GMTLSv1.1Cipher : SM2-WITH-SMS4-SM3Session-ID: 1670076D7CFC8C88426620D51DFDEFC099874DA8D4DA955D4001B0024524040ASession-ID-ctx: Master-Key: B6E5115CF610A50EE04086777D645DF50A6C3F4662E7BA034F50FF5F5C5504BDF0CBDCABAFF04EA51C3669FB2EE031F7PSK identity: NonePSK identity hint: NoneSRP username: NoneStart Time: 1664155140Timeout : 7200 (sec)Verify return code: 0 (ok)Extended master secret: no
---双证书单向认证
同时指定签名和加密证书 且 采用双证书单向认证服务端执行代码gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state只需要将verify删除就由双向认证变成了单项认证-state参数表示打印跟多信息方便调试s_server: Cannot open input file gmcrt/2_sign.crt, No such file or directory
s_server: Use -help for summary.
chy-cpabeubuntu:~/test_double_ssl/GMSSL双证书demo/sm2Certs$ ls
CA.cert.pem CA.key.pem CA.pem CE.cert.pem CE.key.pem CE.pem CS.cert.pem CS.key.pem CS.pem SE.cert.pem SE.key.pem SE.pem SS.cert.pem SS.key.pem SS.pem
chy-cpabeubuntu:~/test_double_ssl/GMSSL双证书demo/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state
Using default temp DH parameters
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
ACCEPT
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
ssl_get_algorithm22b81000008x
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:SSLv3/TLS write key exchange
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS write server done
SSL_accept:SSLv3/TLS read client key exchange
SSL_accept:SSLv3/TLS read change cipher spec
SSL_accept:SSLv3/TLS read finished
SSL_accept:SSLv3/TLS write change cipher spec
SSL_accept:SSLv3/TLS write finished
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgEBBALgEwQg4tsFtm05e9thEdmOsDjCdEY797x1PAcVaGWd8chdLuoE
MDqjvlXZek3vSlC1qaYT7NA40D6C7sbR0gNowPIhMfVan396kWxthLUmXIgz3t1
5qEGAgRjAfsxogQCAhwgpAYEBAEAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
CIPHER is SM2-WITH-SMS4-SM3
Secure Renegotiation IS supported客户端执行代码gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state可以看出现在使用的协议已经变成gmtlsv1.1SSL-Session: Protocol : GMTLSv1.1[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth1 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU SORB of TASS, CN Test CA (SM2)
verify return:1
depth0 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU BSRC of TASS, CN server sign (SM2)
verify return:1
SSL_connect:SSLv3/TLS read server certificate
ZBCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
C00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
ssl_get_algorithm22790100008x
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
---
Certificate chain0 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)1 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver enc (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)2 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICGjCCAcGgAwIBAgIJAIVjxdwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
CL/AJrCsHa6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
3HxKEb8r8JsEEStwaU
-----END CERTIFICATE-----
subject/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)
issuer/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
---
No client certificate CA names sent
---
SSL handshake has read 1973 bytes and written 320 bytes
Verification: OK
---
New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:Protocol : GMTLSv1.1Cipher : SM2-WITH-SMS4-SM3Session-ID: E24D8195A9D25F9A6B877C63A85979492FA5199E58FA512A95915E33BA7A418BSession-ID-ctx: Master-Key: 2ED26139965074A55F65D011A370DF7A4672A0FC7BBB4A0ED991DCD55A6231E92B5A09225BFE9F1ABD0546F1F75885A2PSK identity: NonePSK identity hint: NoneSRP username: NoneStart Time: 1661073328Timeout : 7200 (sec)Verify return code: 0 (ok)Extended master secret: no
---
客户端命令gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth1 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU SORB of TASS, CN Test CA (SM2)
verify return:1
depth0 C CN, ST BJ, L HaiDian, O Beijing JNTA Technology LTD., OU BSRC of TASS, CN server sign (SM2)
verify return:1
SSL_connect:SSLv3/TLS read server certificate
ZBCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
C00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
ssl_get_algorithm23c3f900008x
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:decrypt error
SSL_connect:error in SSLv3/TLS write finished
140016949239808:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1385:SSL alert number 51
---
Certificate chain0 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)1 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver enc (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)2 s:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)i:/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICGjCCAcGgAwIBAgIJAIVjxdwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
CL/AJrCsHa6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
3HxKEb8r8JsEEStwaU
-----END CERTIFICATE-----
subject/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUBSRC of TASS/CNserver sign (SM2)
issuer/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
---
Acceptable client certificate CA names
/CCN/STBJ/LHaiDian/OBeijing JNTA Technology LTD./OUSORB of TASS/CNTest CA (SM2)
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 2037 bytes and written 2116 bytes
Verification: OK
---
New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:Protocol : GMTLSv1.1Cipher : SM2-WITH-SMS4-SM3Session-ID: 12664AE82CE989580C27B14AFF7487B19FF1C159C94291A0B76AA5F80D28317FSession-ID-ctx: Master-Key: AD4D5164B7F54B9FA1F74A7A569C6B6E75CFD96967AB7519658C33E9C6FB8851EBCF1B10E175E736E9C7127E5FA8D32DPSK identity: NonePSK identity hint: NoneSRP username: NoneStart Time: 1661074697Timeout : 7200 (sec)Verify return code: 0 (ok)Extended master secret: no
---双证书双向认证-代码实现 参考链接
GmSSL编程实现gmtls协议C/S通信(BIO版本)_叶之香的博客-CSDN博客GmSSL编程实现gmtls协议C/S通信(非BIO版本)_叶之香的博客-CSDN博客注意事项 基于TASSL开源项目中的Tassl_demo/mk_tls_cert 下的 SM2certgen.sh 脚本共生成 15 个 PEM 文件即根证书、服务端和客户端的签名和加密证书上述参考链接里面的下面这句话是错误的服务端都不验证客户端身份了还叫双向认证嘛修改后代码如下// 是否要求校验对方证书 此处不验证客户端身份所以为 SSL_VERIFY_NONESSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
如果报sm2_do_verify的错误信息参考下面链接修改源码重新编译gmssl使用双证书双向认证的gmtl协议报错crypto/sm2/sm2_sign.c 510: sm2_do_verifySSL3 alert write:fatal:decrypt error_MY CUP OF TEA的博客-CSDN博客 服务端代码
#include cstdio
#include cstdlib
#include cerrno
#include cstring
#include netinet/in.h
#include sys/socket.h
#include unistd.h
#include arpa/inet.h
#include openssl/ssl.h
#include openssl/err.h#define MAXBUF 1500//#define CA_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CA.cert.pem
//#define SIGN_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/SS.cert.pem
//#define SIGN_KEY_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/SS.key.pem
//#define ENCODE_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/SE.cert.pem
//#define ENCODE_KEY_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/SE.key.pem#define CA_CERT_FILE /home/chy-cpabe/tmp/second/rootcert.pem
#define SIGN_CERT_FILE /home/chy-cpabe/tmp/second/sign.pem
#define SIGN_KEY_FILE /home/chy-cpabe/tmp/second/sign.key
#define ENCODE_CERT_FILE /home/chy-cpabe/tmp/second/encrypt.pem
#define ENCODE_KEY_FILE /home/chy-cpabe/tmp/second/encrypt.keyvoid ShowCerts(SSL * ssl)
{X509 *cert;char *line;cert SSL_get_peer_certificate(ssl);// SSL_get_verify_result()是重点SSL_CTX_set_verify()只是配置启不启用并没有执行认证调用该函数才会真证进行证书认证// 如果验证不通过那么程序抛出异常中止连接if(SSL_get_verify_result(ssl) X509_V_OK){printf(证书验证通过\n);}if (cert ! nullptr) {printf(数字证书信息:\n);line X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0);printf(证书: %s\n, line);free(line);line X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);printf(颁发者: %s\n, line);free(line);X509_free(cert);} elseprintf(无证书信息\n);
}int main(int argc, char **argv) {int listen_fd -1; /* TCP监听套接字 */int accept_fd -1; /* 已连接TCP套接字 */struct sockaddr_in server_addr, client_addr;bzero(server_addr, sizeof(server_addr));SSL_CTX *ctx nullptr; /* SSL会话环境 */SSL *ssl nullptr; /* SSL安全套接字 */socklen_t len;char buf[MAXBUF]{0}; /* 服务器接收数据buffer */if( 3!argc ){printf(argcment wrong:ip port\n);}SSL_library_init(); /* SSL 库初始化 */SSLeay_add_ssl_algorithms();OpenSSL_add_all_algorithms(); /* 载入所有 SSL 算法 */SSL_load_error_strings(); /* 载入所有 SSL 错误消息 */
// ERR_load_BIO_strings();//TCP服务器创建、绑定、监听if ((listen_fd socket(PF_INET, SOCK_STREAM, 0)) -1) {perror(socket create wrong\n);exit(1);} elseprintf(socket created\n);server_addr.sin_family PF_INET;server_addr.sin_port htons(atoi(argv[2]));server_addr.sin_addr.s_addr inet_addr(argv[1]);;if (bind(listen_fd, (struct sockaddr *) server_addr, sizeof(struct sockaddr)) -1) {perror(bind wrong\n);exit(1);} elseprintf(binded success\n);int lisnum 2;do{//使用SSL_CTX_new()创建会话环境建立连接时要使用协议由TLS_server_method()来定。如果这一步出错需要查看错误栈来查看原因if(nullptr (ctx SSL_CTX_new( GMTLS_server_method()))) //using sm3, TLSv1_2_method{ERR_print_errors_fp(stderr);break;}
// SSL_CTX_set_security_level(ctx,0);// 双向验证// SSL_VERIFY_PEER---要求对证书进行认证没有证书也会放行// SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书但验证发现单独使用没有证书也会放行SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);// 设置信任根证书if(SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, nullptr) ! 1){printf(SSL_CTX_load_verify_locations error\n);ERR_print_errors_fp(stderr);break;}// 签名证书和对应私钥if( 0SSL_CTX_use_certificate_file(ctx, SIGN_CERT_FILE, SSL_FILETYPE_PEM/*SSL_FILETYPE_ASN1*/) ) /* 为SSL会话加载用户证书 */{printf(SSL_CTX_use_certificate_file error!\n);ERR_print_errors_fp(stderr);break;}if( 0SSL_CTX_use_PrivateKey_file(ctx, SIGN_KEY_FILE, SSL_FILETYPE_PEM/*SSL_FILETYPE_ASN1*/) ) /* 为SSL会话加载用户私钥 */{printf(SSL_CTX_use_PrivateKey_file error!\n);ERR_print_errors_fp(stderr);break;}// 加密证书和对应私钥if(SSL_CTX_use_certificate_file(ctx, ENCODE_CERT_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_certificate_file error!\n);ERR_print_errors_fp(stderr);return -1;}if(SSL_CTX_use_PrivateKey_file(ctx, ENCODE_KEY_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_PrivateKey_file error!\n);ERR_print_errors_fp(stderr);return -1;}/* 检查用户私钥是否正确 */if(!SSL_CTX_check_private_key(ctx)) /* 验证私钥和证书是否相符 */{printf(SSL_CTX_check_private_key error!\n);ERR_print_errors_fp(stderr);break;}if (listen(listen_fd, lisnum) -1) {perror(listen wrong\n);exit(1);} elseprintf(begin listen\n);len sizeof(struct sockaddr);/* 等待客户端连上来 */if ((accept_fd accept(listen_fd, (struct sockaddr *) client_addr, len)) -1) {perror(accept wrong\n);exit(errno);} else{printf(server: got connection from %s, port %d, socket %d\n,inet_ntoa(client_addr.sin_addr), ntohs(client_addr.sin_port),accept_fd);}ssl SSL_new(ctx); /* 基于 ctx 产生一个新的 SSL */SSL_set_fd(ssl, accept_fd); /* 将连接用户的 socket 加入到 SSL *//* 建立 SSL 连接 */if (SSL_accept(ssl) -1) {perror(accept wrong\n);SSL_shutdown(ssl);SSL_free(ssl);ssl nullptr;close(accept_fd);accept_fd-1;break;}ShowCerts(ssl);/* 开始处理每个新连接上的数据收发 */bzero(buf, MAXBUF 1);strcpy(buf, server-client);/* 发消息给客户端 */len SSL_write(ssl, buf, strlen(buf));if (len 0) {printf(消息%s发送失败错误代码是%d错误信息是%s\n, buf, errno,strerror(errno));goto finish;} elseprintf(消息%s发送成功共发送了%d个字节\n, buf, len);bzero(buf, MAXBUF 1);/* 接收客户端的消息 */len SSL_read(ssl, buf, MAXBUF);if (len 0)printf(接收消息成功:%s共%d个字节的数据\n, buf, len);elseprintf(消息接收失败错误代码是%d错误信息是%s\n,errno, strerror(errno));/* 处理每个新连接上的数据收发结束 */finish:/* 关闭 SSL 连接 */SSL_shutdown(ssl);/* 释放 SSL */SSL_free(ssl);ssl nullptr;/* 关闭 socket */close(accept_fd);accept_fd -1;}while(1);/* 关闭监听的 socket */close(listen_fd);listen_fd -1;/* 释放 CTX */SSL_CTX_free(ctx);ctx nullptr;return 0;
} 客户端代码
#include cstdio
#include cstring
#include cerrno
#include sys/socket.h
#include cstdlib
#include netinet/in.h
#include arpa/inet.h
#include unistd.h
#include openssl/ssl.h
#include openssl/err.h#define MAXBUF 1024
//#define CA_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CA.cert.pem
//#define CS_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CS.cert.pem
//#define CS_KEY_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CS.key.pem
//#define CE_CERT_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CE.cert.pem
//#define CE_KEY_FILE /home/chy-cpabe/GMSSL_certificate/sm2Certs/CE.key.pem#define CA_CERT_FILE /home/chy-cpabe/tmp/first/rootcert.pem
#define CS_CERT_FILE /home/chy-cpabe/tmp/first/sign.pem
#define CS_KEY_FILE /home/chy-cpabe/tmp/first/sign.key
#define CE_CERT_FILE /home/chy-cpabe/tmp/first/encrypt.pem
#define CE_KEY_FILE /home/chy-cpabe/tmp/first/encrypt.key
void ShowCerts(SSL * ssl)
{X509 *cert;char *line;cert SSL_get_peer_certificate(ssl);// SSL_get_verify_result()是重点SSL_CTX_set_verify()只是配置启不启用并没有执行认证调用该函数才会真证进行证书认证// 如果验证不通过那么程序抛出异常中止连接if(SSL_get_verify_result(ssl) X509_V_OK){printf(证书验证通过\n);}if (cert ! nullptr) {printf(数字证书信息:\n);line X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0);printf(证书: %s\n, line);free(line);line X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);printf(颁发者: %s\n, line);free(line);X509_free(cert);} elseprintf(无证书信息\n);
}static void PrintData(char *p, char *buf,int len,char *filename)
{char *namep;printf(%s[%d]:\n,p,len);for (pbuf; p p-buflen;)printf(%02x%c,(unsigned char)p[-1],(!((p-buf)%16) || p-buflen)?\n: );
// if (filename) FileWrite(name,buf,len,filename);
}int main(int argc, char **argv)
{int sock_fd -1; /* TCP套接字 */int len 0; /* SSL会话环境 */SSL *ssl nullptr; /* SSL安全套接字 */struct sockaddr_in ser_addr; /* 服务器地址 */bzero(ser_addr, sizeof(ser_addr));SSL_CTX *ctx nullptr;char buffer[MAXBUF 1];if( argc ! 3 ){printf(argcment wrong:ip port content\n);exit(0);}/* SSL 库初始化参看 ssl-server.c 代码 */SSL_library_init();SSLeay_add_ssl_algorithms();OpenSSL_add_all_algorithms();SSL_load_error_strings();
// ERR_load_BIO_strings();do{/* 申请SSL会话环境 */if( nullptr(ctxSSL_CTX_new(GMTLS_client_method())) ) //使用SSL_CTX_new()创建会话环境建立连接时要使用协议由TLS_client_method()来定服务器由对应的TLS_server_method()来定。如果这一步出错需要查看错误栈来查看原因{printf(SSL_CTX_new error!\n);ERR_print_errors_fp(stderr);break;}// 双向验证// SSL_VERIFY_PEER---要求对证书进行认证没有证书也会放行// SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书但验证发现单独使用没有证书也会放行SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
// if(SSL_CTX_set_cipher_list(ctx, ECC-SM2-WITH-SM4-SM3) 0){
// printf(SSL_CTX_set_cipher_list error!\n);
// ERR_print_errors_fp(stderr);
// exit(1);
// }// 设置信任根证书if(SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, nullptr) ! 1){printf(SSL_CTX_load_verify_locations error!\n);ERR_print_errors_fp(stderr);exit(1);}// 签名证书和对应私钥if (SSL_CTX_use_certificate_file(ctx, CS_CERT_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_certificate_file error!\n);ERR_print_errors_fp(stderr);exit(1);}if (SSL_CTX_use_PrivateKey_file(ctx, CS_KEY_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_PrivateKey_file error!\n);ERR_print_errors_fp(stderr);exit(1);}// 加密证书和对应私钥if(SSL_CTX_use_certificate_file(ctx, CE_CERT_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_certificate_file error!\n);ERR_print_errors_fp(stderr);return -1;}if(SSL_CTX_use_PrivateKey_file(ctx, CE_KEY_FILE, SSL_FILETYPE_PEM) 0){printf(SSL_CTX_use_PrivateKey_file error!\n);ERR_print_errors_fp(stderr);return -1;}//判定私钥是否正确if (!SSL_CTX_check_private_key(ctx)) {printf(SSL_CTX_check_private_key error!\n);ERR_print_errors_fp(stderr);exit(1);}
// SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);/* 创建一个 socket 用于 tcp 通信 */if(-1(sock_fdsocket(AF_INET, SOCK_STREAM, 0)) ){printf(creat socket wrong\n);break;}printf(socket created\n);/* 初始化服务器端对方的地址和端口信息 */ser_addr.sin_family AF_INET;ser_addr.sin_port htons(atoi(argv[2]));ser_addr.sin_addr.s_addr inet_addr(argv[1]);printf(address created\n);//建立连接if( -1(connect(sock_fd, (struct sockaddr *)ser_addr, sizeof(ser_addr))) ){printf(connect wrong\n);break;}printf(server connected\n);/* 基于 ctx 产生一个新的 SSL */ssl SSL_new(ctx);SSL_set_fd(ssl, sock_fd);/* 建立 SSL 连接 */if (SSL_connect(ssl) -1)ERR_print_errors_fp(stderr);else {printf(The relevant information is as follows:\n);printf(--ssl version %s\n,SSL_get_version(ssl));printf(--ssleay version %s\n,SSLeay_version(0));printf(--Connected with %s encryption\n, SSL_get_cipher(ssl));ShowCerts(ssl);}//导出key和saltunsigned char buf[16];int err -1;err SSL_export_keying_material(ssl, buf, 16, nullptr,0, nullptr, 0, 1);if(err ! 1){printf(SSL_export_keying_material error,err%d\n,err);}else{PrintData(SSL_export_keying_material, (char*)buf, 16, nullptr);}/* 接收对方发过来的消息最多接收 MAXBUF 个字节 */bzero(buffer, MAXBUF 1);/* 接收服务器来的消息 */len SSL_read(ssl, buffer, MAXBUF);if (len 0)printf(接收消息成功:%s共%d个字节的数据\n,buffer, len);else {printf(消息接收失败错误代码是%d错误信息是%s\n,errno, strerror(errno));goto finish;}bzero(buffer, MAXBUF 1);strcpy(buffer, from client-server);/* 发消息给服务器 */len SSL_write(ssl, buffer, strlen(buffer));if (len 0)printf(消息%s发送失败错误代码是%d错误信息是%s\n,buffer, errno, strerror(errno));elseprintf(消息%s发送成功共发送了%d个字节\n,buffer, len);/* 处理每个新连接上的数据收发结束 */finish:/* 关闭 SSL 连接 */SSL_shutdown(ssl);/* 释放 SSL */SSL_free(ssl);ssl nullptr;}while(0);/* 关闭socket */close(sock_fd);sock_fd -1;/* 释放 CTX */SSL_CTX_free(ctx);ctx nullptr;return 0;
} 注意事项
GitHub - jntass/TASSL: 已升级到TASSL-1.1.1k下载链接https://github.com/jntass/TASSL-1.1.1kGitHub - jntass/TASSL-1.1.1k 目前最新的版本TASSL为了支持国密双证书体系添加了很多函数
