Linux OpenSSL Basics

Source: Internet
Author: User
Tags ssl connection


Currently, large online transaction systems such as online banking and e-commerce generally adopt the combination of HTTP and SSL. The server uses a web server that supports SSL, and the client uses a browser that supports SSL for secure communication.
SSL is the abbreviation of Secure Socket Layer (Secure Sockets Layer Protocol). It can provide confidential transmission over the Internet. Netscape released the first web browser and put forward the SSL protocol standard, which currently has version 3.0. SSL uses public key technology. The goal is to ensure the confidentiality and reliability of communications between two applications, and support can be achieved at the same time on the server side and the client side. Currently, the SSL protocol using public key technology has become an industrial standard for secure communication on the Internet. This article focuses on the SSL protocol and SSL Program DESIGN: Let's talk about the author's understanding of SSL.
SSL Protocol Introduction
The Secure Sockets Layer Protocol keeps the communication between users and server applications from being eavesdropped by attackers, and always authenticates the server. You can also choose to authenticate the user. The SSL protocol must be built on a reliable transport layer protocol (TCP. The advantage of the SSL protocol is that it is independent from the application layer protocol. The High-level application layer protocol (such as HTTP, FTP, and telnet) can be transparently built on the SSL protocol. The SSL protocol is encrypted before the application layer protocol communication. Algorithm Communication Key Negotiation and server authentication. After that, the data transmitted by the application layer protocol will be encrypted to ensure the privacy of the communication.
As described above, the secure channel provided by the SSL protocol has the following three features:
1. Data Confidentiality
Information Encryption is to convert plaintext input files into encrypted files using encryption algorithms to keep data confidential. The key is used to encrypt the data before decryption. Without a key, the encrypted data cannot be unlocked. After the data is encrypted, only the key must be transmitted in a safe way. Encrypted data can be publicly transmitted.
2. Data Consistency
Encryption can also ensure data consistency. For example, the message Verification Code (MAC) can verify the encrypted information provided by the user. the receiver can use Mac to verify the encrypted data to ensure that the data has not been tampered with during transmission.
3. Security Verification
Another purpose of encryption is to be used as a personal identity, and the user's key can be used as his security authentication identity.
SSL uses public key encryption technology (RSA) as the encrypted communication protocol between the client and the server when transmitting confidential data. Currently, most web servers and browsers support SSL technology extensively. When a browser tries to connect to a server with SSL authentication and encryption, it will wake up an SSL session. The browser checks the authentication and must meet the following three conditions:
1) there is an authority issuing certificates. Of course, you can create self-signed certificates (X509 structure ).
2) The certificate cannot expire.
3) The certificate belongs to the server it is connected.
Only when all three conditions are met can the browser successfully complete authentication. With these three conditions, you can confirm that your browser is connected to the correct server, instead of connecting to a false server that wants to steal important information such as user passwords.
In today's e-commerce, another widely used security protocol is the SET protocol. The Set (Secure Electronic Transaction, Secure Electronic Transaction) protocol is a specification jointly launched by Visa and MasterCard in May 1997. Set can provide greater trust, more complete transaction information, higher security, and less fraud in electronic transactions. The SET transaction is carried out in three phases: the user makes a purchase to the merchant and confirms the payment; the merchant verifies the payment with the bank; and the bank pays the payment to the merchant. Each stage involves RSA Data Encryption and RSA digital signature. The SET protocol requires multiple encryption and decryption operations in one transaction, which ensures high security. However, the SET protocol is more complex than the SSL protocol, both sellers and banks need to transform their systems for interoperability.
In Linux, OpenSSL servers are popular for SSL authentication. The OpenSSL Project is a cooperative project that develops a robust, business-level, and complete open Source code The toolkit uses powerful encryption algorithms to implement Secure Socket Layer (Secure Sockets Layer, SSL v2/v3) and Transport Layer Security (Transport Layer Security, TLS v1 ). This project is managed and developed by volunteers around the world OpenSSL Toolkit and related documents.
The ghost software package is used for compilation and installation. In combination with the Apache server, you can create a web server that supports SSL, and use self-signed certificates for authentication. For how to compile and install the OpenSSL server, refer to the OpenSSL howto document.
Preliminary introduction to SSL Program Design
The SSL communication model is a standard C/S structure. In addition to the transmission over the TCP layer, it is similar to general communication. Here, we mainly introduce how to use OpenSSL for secure communication program design. For more information about OpenSSL, see the official OpenSSL homepage.
Before using OpenSSL, you must initialize OpenSSL. Choose one of the following three functions:
Ssl_library_init (void );
Openssl_add_ssl_algorithms ();
Ssleay_add_ssl_algorithms ();
In fact, the following two functions are only the macros of the first function.
If you want to use OpenSSL error information, use ssl_load_error_strings (void) to initialize the error information. In the future, you can use void err_print_errors_fp (File * FP) to print SSL error messages.
For an SSL connection session, you must first apply for an SSL environment. The basic process is as follows:
1. ssl_method * meth = tlsv1_client_method (); The Protocol used to create this session connection.
Ssl_method * tlsv1_client_method (void); tlsv1.0 Protocol
Ssl_method * sslv2_client_method (void); SSLv2 protocol
Ssl_method * sslv3_client_method (void); SSLv3 Protocol
Ssl_method * sslv23_client_method (void); SSLv2/V3 Protocol
The server also needs to create the protocol used for this session:
Ssl_method * tlsv1_server_method (void );
Ssl_method * sslv2_server_method (void );
Ssl_method * sslv3_server_method (void );
Ssl_method * sslv23_server_method (void );
Note that the client and server must use the same protocol.
2. The environment for applying for an SSL session CTX uses different protocols for the session. The environment is also different. The OpenSSL function used to apply for an SSL session environment is
Sslk_ctx * ssl_ctx_new (ssl_method *); the parameter is the previously applied SSL communication method. Returns the pointer to the current SSL connection environment.
Then, set the CTX Attribute Based on your needs. Typically, set the SSL handshake certificate authentication method and load your own certificate.
Void ssl_ctx_set_verify (ssl_ctx *, Int, int * (INT, x509_store_ctx *))
Set the certificate authentication method.
The first parameter is the current CTX pointer, and the second is the verification method. If you want to verify the other party, use ssl_verify_peer. If not, use ssl_verify_none. Generally, the client needs to verify the other party, but the server does not. The third parameter is the callback function for processing verification. If there is no special need, use a null pointer.
Void ssl_ctx_load_verify_locations (ssl_ctx *, const char *, const char *);
Load the certificate;
The first parameter is the same as above. The second parameter is the name of the Certificate file, and the third parameter is the path of the Certificate file;
Int ssl_ctx_use_certificate_file (ssl_ctx * CTX, const char * file, int type );
Load the local certificate. type indicates the structure type of the Certificate file.-1 is returned if the certificate fails to be loaded.
Int ssl_ctx_use_privatekey_file (ssl_ctx * CTX, const char * file, int type );
Load your own private key. The type parameter specifies the structure type of the private key file. If the file fails to be loaded,-1 is returned.
After the certificate and file are loaded, you can verify that the private key and certificate are consistent:
Bool ssl_ctx_check_private_key (ssl_ctx *);
3. Since SSL uses the TCP protocol, you must attach the SSL to the connected socket:
SSL * ssl_new (ssl_ctx *); apply for an SSL set of characters;
Int ssl_set_rfd (SSL *); bind a read-only socket
Int ssl_set_wfd (SSL *); binding write-only socket
Int ssl_set_fd (SSL *); bound to a read/write socket
If the binding succeeds, 1 is returned. If the binding fails, 0 is returned;
4. The next step is the SSL handshake action.
Int ssl_connect (SSL *);-1 is returned if an error occurs.
5. After the handshake is successful, you can communicate. Use ssl_read and ss_write to read and write SSL sockets instead of the traditional read and write
Int ssl_read (SSL * SSL, char * Buf, int num );
Int ssl_write (SSL * SSL, char * Buf, int num );
If it is a server, use ssl_accept instead of the traditional accept call.
Int ssl_accept (SSL * SSL );
6. After the communication ends, you need to release the previously applied SSL resources.
Int ssl_shutdown (SSL * SSL); disable SSL socket;
Void ssl_free (SSL); releases an SSL socket;
Void ssl_ctx_free (CTX); release the SSL environment;
OpenSSL has been developed to version 0.9.96, but its documentation is still rare, and even the most basic man function manual has not been completed. Therefore, this article focuses on the framework for Program Design Using OpenSSL. For more detailed information, see the OpenSSL document or the Apache mod_ssl document.
Through the above introduction, I think you have some knowledge about the SSL protocol. The author has the opportunity to continue to introduce other aspects of the SSL protocol.
(Author: Zhang yunfan)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.