Linux OpenSSL Basic Introduction _ Server

The current online banking and electronic commerce, such as large-scale online trading system is commonly used in combination of HTTP and SSL approach. The server side uses a Web server that supports SSL, and the client uses SSL-enabled browsers to implement secure communications.
SSL is an abbreviation for Secure Socket Layer (Secure Sockets Layer protocol) that provides covert transmission over the Internet. Netscape introduced the first web browser at the same time, proposed the SSL protocol standards, currently has 3.0 version. SSL uses public key technology. The goal is to ensure the confidentiality and reliability of communication between two applications, which can be supported both on the server side and on the client side. Currently, the SSL protocol using public key technology has become the industrial standard of confidential communication on Internet. This article focuses on the SSL protocol and the SSL program to discuss the author's understanding of SSL.
A preliminary introduction to SSL protocol
The Secure Sockets Layer protocol enables the communication between user/server applications not to be tapped by the attacker, and always authenticates the server, optionally authenticating the user. The SSL protocol requires the establishment of a reliable Transport Layer protocol (TCP). The advantage of the SSL protocol is that it is independent of the application layer protocol, and the High-level Application layer protocol (e.g., http,ftp,telnet, etc.) can be transparently built on the SSL protocol. The SSL protocol has already completed the encryption algorithm, the communication key negotiation and the server authentication before the application layer protocol communication. After this, the data transmitted by the application layer protocol will be encrypted, thus ensuring the privacy of the communication.
As described above, the SSL protocol provides a secure channel with the following three features:
1. Confidentiality of data
Information encryption means that the input file of plaintext is converted to encrypted file by encryption algorithm to achieve the confidentiality of data. The encryption process requires the encryption key to encrypt the data and then decrypt it. The encrypted data cannot be undone without the key. After data is encrypted, only the key is sent in a secure way. Encrypted data can be transmitted publicly.
2. Consistency of data
Encryption also guarantees the consistency of the data. For example: The Message Authentication Code (MAC), can verify the user provides the encryption information, the receiver may use the MAC to verify the encrypted data, guarantees the data in the transmission process has not been tampered with.
3. Security verification
Another use of encryption is used as a personal identity, and the user's key can be used as the identification of his security authentication.
SSL is an encrypted communication protocol that utilizes public key cryptography (RSA) as a client-side and server-side to transmit confidential information. Currently, most Web servers and browsers are widely supported by SSL technology. When the browser attempts to connect to a server with SSL-authenticated encryption, an SSL session is awakened, and the browser checks for authentication, which must have the following three conditions:
1 There is an authority to issue certificates, of course, can create a self signed certificate (x509 structure).
2) The certificate cannot expire.
3 The certificate belongs to the server to which it is connected.
Only the three conditions are fully available for the browser to successfully complete the certification. With these three conditions, users can confirm that their browsers are connected to the correct server, rather than to a bogus server that wants to steal important information such as user passwords.
In today's E-commerce, there is also a widely used security protocol is the set protocol. The SET (Secure Electronic Transaction, security electronic Transactions) Agreement was jointly introduced by Visa and MasterCard's two major credit card companies in May 1997. Set can provide greater trust, more complete transaction information, higher security, and less fraud in electronic trading links. The set transaction is conducted in three stages: the user buys to the merchant and determines the payment, the merchant and the bank verify, and the bank pays the merchant for the goods. Each phase involves RSA encryption of data and RSA digital signatures. Using set protocol, in a transaction, to complete multiple encryption and decryption operations, it has a high security, but the set protocol is more complex than the SSL protocol, businesses and banks need to transform the system to achieve interoperability.
Under Linux, the more popular support for SSL authentication is the OpenSSL server. The OpenSSL project is a collaborative project to develop a robust, business-grade, complete, open source toolkit with powerful cryptographic algorithms to secure the socket layer (secure Sockets layer,ssl v2/ V3) and Transport Layer Security (transport Layer SECURITY,TLS v1). This project is managed and developed by volunteers around the world to manage and develop OpenSSL kits and related documentation.
How to configure the OpenSSL server under Linux, First, download and install the OPENSSL-VERSION.TAR.GZ software package from OpenSSL's homepage () and work with the Apache server to build a Web server that supports SSL, and you can use a signed certificate for authentication, about how to compile, To install the OpenSSL server, refer to the OpenSSL howto documentation.
A preliminary introduction to SSL programming
SSL communication model for the standard C/s structure, in addition to the TCP layer on the transmission, and the general communication there is no obvious difference. Here, we mainly introduce how to use OpenSSL for secure Communication program design. For more information on OpenSSL, please refer to the official home page of OpenSSL.
Before you can use OpenSSL, you must initialize OpenSSL, and the following three functions are optional:
Ssl_library_init (void);
Openssl_add_ssl_algorithms ();
Ssleay_add_ssl_algorithms ();
In fact, the next two functions are just the macros of the first function.
If you want to use the OpenSSL error message, use Ssl_load_error_strings (void) to initialize the error message. You can later use void Err_print_errors_fp (FILE *fp) to print SSL error messages.
An SSL connection session typically applies to an SSL environment first, and the basic process is:
1. Ssl_method* meth = Tlsv1_client_method (); The protocol used to create this session connection, if the client can use the
ssl_method* tlsv1_client_method (void); TLSv1.0 protocol
ssl_method* sslv2_client_method (void); SSLV2 protocol
ssl_method* sslv3_client_method (void); SSLV3 protocol
ssl_method* sslv23_client_method (void); SSLV2/V3 protocol
The server also needs to create the protocol used for this session:
Ssl_method *tlsv1_server_method (void);
Ssl_method *sslv2_server_method (void);
Ssl_method *sslv3_server_method (void);
Ssl_method *sslv23_server_method (void);
It is to be noted that the client and the server need to use the same protocol.
2. The environment for requesting an SSL session is CTX, and a different protocol is used for the session. The OpenSSL function to request an SSL session environment is
sslk_ctx* ssl_ctx_new (ssl_method*); The parameter is the SSL communication method that we have applied before. Returns a pointer to the current SSL connection environment.
Then set the CTX properties according to your needs, typically by setting the authentication method for the SSL handshake phase certificate and loading your own certificate.
void Ssl_ctx_set_verify (ssl_ctx*, int, int* (int, x509_store_ctx*))
Set the way certificates are validated.
The first parameter is the current CTX pointer, the second is the authentication method, and if you want to verify the other person's words, use Ssl_verify_peer. Use Ssl_verify_none If you don't need it. In general, the client needs to authenticate the other, and the server does not need to. The third parameter is the callback function that handles validation, and if there is no special need, use a null pointer.
void Ssl_ctx_load_verify_locations (ssl_ctx*, const char*, const char*);
Load certificate;
The first parameter is the same as the name of the certificate file, and the third is the path of the certificate file;
int Ssl_ctx_use_certificate_file (ssl_ctx *ctx, const char *file, int type);
Loading a local certificate; Type indicates the structure type of the certificate file; failed return-1
int Ssl_ctx_use_privatekey_file (ssl_ctx *ctx, const char *file, int type);
Loads its own private key; The type parameter indicates the structure of the private key file; failure returns-1
After you have loaded the certificates and files, you can verify that the private key and the certificate match:
BOOl Ssl_ctx_check_private_key (ssl_ctx*);
3. Since SSL uses the TCP protocol, it is of course necessary to attach SSL to a socket that is already connected:
ssl* ssl_new (ssl_ctx*); Apply for an SSL sockets word;
int SSL_SET_RFD (ssl*); Binding read-only sockets
int SSL_SET_WFD (ssl*); Binding write-only sockets
int ssl_set_fd (ssl*); Binding Read and Write sockets
The binding returns 1 successfully, and the failure returns 0;
4. The next step is the SSL handshake.
int Ssl_connect (ssl*); Failure return-1
5. After the handshake is successful, you can communicate, using Ssl_read and ss_write to read and write SSL sockets instead of the traditional read, write
int Ssl_read (SSL *ssl, char *buf, int num);
int Ssl_write (SSL *ssl, char *buf, int num);
If it is a server, use ssl_accept instead of the traditional accept call
int ssl_accept (SSL *ssl);
6. End of communication, need to release previously requested SSL resources
int Ssl_shutdown (SSL *ssl); Turn off the SSL socket;
void Ssl_free (SSL); Releases the SSL socket;
void Ssl_ctx_free (CTX); Releasing the SSL environment;
Although OpenSSL has developed to version 0.9.96, its documentation is still very small, and even the most basic man function manual has not been completed. Therefore, this paper is a very close to the use of OpenSSL to design the framework. More detailed information can refer to the OpenSSL documentation or the Apache mod_ssl documentation.
Through the above introduction, I think the reader has a certain understanding of the SSL protocol, the author has the opportunity to continue to introduce the SSL protocol other aspects of the content.
(Author: Zhang Yunfan)