SSL programming
OpenSSL is a product implementation of an open source SSL protocol that uses the C language as the development language with cross-system performance. The function that calls OpenSSL can implement an SSL-encrypted secure data transfer channel, which protects the security between the client and the server.
Header file:
#include <openssl/ssl.h>
#include <openssl/err.h>
The OpenSSL-based program follows several steps:
(1) OpenSSL initialization
Before using OpenSSL, the appropriate protocol initialization must be done, which can be achieved by the following function:
int ssl_library_int (void);
(2) Select Session protocol
Before starting an SSL session with OpenSSL, the protocols used for this session need to be developed for both the client and the server, including TLSv1.0, SSLv2, SSLv3, Sslv2/v3.
It is important to note that the client and server must use mutually compatible protocols, otherwise SSL sessions will not work properly.
(3) Create a session environment
The SSL session environment created in OpenSSL, called CTX, uses different protocol sessions, and its environment is not the same.
The OpenSSL functions that request an SSL session environment are:
Ssl_ctx *ssl_ctx_new (Ssl_method * METHOD);
When the SSL session environment request succeeds, the properties of CTX are set according to the actual needs, and the usual setting is to specify the authentication method of the SSL handshake phase certificate and to load its own certificate.
The functions that make certificate validation methods are:
int ssl_ctx_set_verify (ssl_ctx *ctx,int mode,int (*verify_callback), int (X509_STORE_CTX *));
The functions that load the CA certificate for the SSL session environment are:
Ssl_ctx_load_verify_location (ssl_ctx *ctx,const char *cafile,const char *capath);
The functions for loading user certificates for SSL sessions are:
Ssl_ctx_use_certificate_file (Ssl_ctx *ctx, const char *file,int type);
The functions that load the user's private key for an SSL session are:
Ssl_ctx_use_privatekey_file (ssl_ctx *ctx,const char* file,int type);
After the certificate and private key are loaded into the SSL session environment, you can call the following function to verify that the private key and certificate match:
int Ssl_ctx_check_private_key (Ssl_ctx *ctx);
(4) Setting up SSL sockets
SSL sockets are based on a common TCP socket, and some of the following functions can be used when establishing an SSL socket:
SSL *ssl_new (Ssl_ctx *ctx);
Request an SSL socket
int ssl_set_fd (SSL *ssl,int FD);)
Binding read-write sockets
int ssl_set_rfd (SSL *ssl,int FD);
Binding read-only sockets
int ssl_set_wfd (SSL *ssl,int FD);
Binding write-only sockets
(5) Completing the SSL handshake
After the SSL sockets have been successfully created, the client should use function Ssl_connect () instead of the traditional function connect () to complete the handshake process:
int Ssl_connect (SSL *ssl);
For the server, you should use the function Ssl_ accept () instead of the traditional function accept () to complete the handshake process:
int ssl_accept (SSL *ssl);
After the handshake process is complete, it is often necessary to ask the certificate information of both sides of the communication for the corresponding validation, which can be achieved by the following function:
X509 *ssl_get_peer_certificate (SSL *ssl);
The function can extract the certificate information from the SSL socket, which has been verified by SSL.
X509_name *x509_get_subject_name (X509 *a);
The function gets the name of the person who used the certificate.
(6) for data transmission
When the SSL handshake is complete, secure data transfer is possible, and in the data transfer phase, Ssl_read () and Ssl_write () are used instead of the traditional read () and write () functions to complete the read and write operation of the socket:
int Ssl_read (SSL *ssl,void *buf,int num);
int Ssl_write (SSL *ssl,const void *buf,int num);
(7) End SSL communication
After the data communication between the client and the server is complete, call the following function to release the SSL resource that has been requested:
int Ssl_shutdown (SSL *ssl);
Turn off SSL sockets
void Ssl_free (SSl *ssl);
Release SSL sockets
void Ssl_ctx_free (Ssl_ctx *ctx);
Releasing the SSL session environment
OpenSSL application Programming Framework:
1. The framework of the client program is:
Meth = Sslv23_client_method ();
CTX = ssl_ctx_new (meth);
SSL = Ssl_new (CTX);
FD = socket ();
Connect ();
SSL_SET_FD (SSL,FD);
Ssl_connect (SSL);
Ssl_write (SSL, "Hello World", strlen ("Hello world!"));
2. The framework of the service-side program is:
Meth = Sslv23_server_method ();
CTX = ssl_ctx_new (meth);
SSL = Ssl_new (CTX);
FD = socket ();
Bind ();
Listen ();
Accept ();
SSL_SET_FD (SSL,FD);
Ssl_connect (SSL);
Ssl_read (SSL, buf, sizeof (BUF));
For the program, OpenSSL uses a pair of functions to represent the entire handshake process, that is, the client's ssl_connect and the server's ssl_accept. Then the application layer data exchange is done with Ssl_read and Ssl_write.
Design of SSL Secure communication based on OpenSSL under Linux
This program is free to use, please comply with the GPL specification.
The SSL secure communication in OpenSSL can be divided into two classes, essentially the same as two classes, one is to use bio to read and write after the SSL environment is established, and the other is to establish the SSL context directly on the socket. This paper mainly discusses the establishment of an SSL environment on the socket to achieve secure communication. You first need to generate a pair of client and server certificates, which can be implemented using OpenSSL's commands. Using the Zhao Chunping predecessor's OpenSSL programming book to establish an SSL test environment command, you can build a simulated CA to generate a digital certificate. As follows: