SSL Secure sockets for Linux 20160704

Before using SSL, there is a basic TCP socket connection. See Demo code

Ssl_library_init ();//The appropriate protocol initialization must be done before using OpenSSL

Openssl_add_all_algorithms ();///* load all SSL algorithms */

Ssl_load_error_strings (); * * Load all SSL error messages */

Const Ssl_method *meth = Sslv23_client_method (); the protocol used to create this session connection, if the client can use the

Psockinfo->psslctx = ssl_ctx_new (meth);//Request SSL Session Environment

/* Generates a SSL_CTX in SSL V2 and V3 standard compatibility mode, i.e. SSL Content Text */

Psockinfo->pssl = Ssl_new (psockinfo->psslctx); apply for an SSL socket;

SSL_SET_FD (Psockinfo->pssl, PSOCKINFO->SOCKFD); Attach SSL to a connected socket

ret = Ssl_connect (PSOCKINFO->PSSL);//After successfully creating an SSL socket, the client should use the function ssl_connect () instead of the traditional function connect ()

To complete the handshake process

debugprintf ("Connected with%s encryption\n", Ssl_get_cipher (Psockinfo->pssl));//;///* printing information for all cryptographic algorithms (optional) */

/* SSL Library initialization */

Ssl_library_init ();

/* Load all SSL algorithms */

Openssl_add_all_algorithms ();

/* Load all SSL error messages */

Ssl_load_error_strings ();

/* Generates a SSL_CTX in SSL V2 and V3 standard compatibility mode, i.e. SSL Content Text */

CTX = Ssl_ctx_new (Sslv23_server_method ());

/* You can also use Sslv2_server_method () or Sslv3_server_method () to represent the V2 or V3 standard separately */

Detailed Description:

The current internet banking and e-commerce and other large-scale online trading system is generally used in combination of HTTP and SSL. The server side uses the SSL-enabled Web server, and the client uses the SSL-enabled browser for secure communication.

SSL is an abbreviation for the Secure Socket Layer protocol, which provides covert transmission over the Internet. Netscape Company introduced the SSL protocol standard at the same time as the first web browser, there are now 3.0 versions. SSL employs public key technology. The goal is to ensure the confidentiality and reliability of communication between two applications, enabling simultaneous support both on the server side and on the client side. At present, the SSL protocol using public key technology has become the industry standard of secure communication on the Internet. This article focuses on the SSL protocol and SSL programming two aspects of the author's understanding of SSL.

Preliminary Introduction to SSL protocol

The Secure Sockets Layer protocol enables communication between user/server applications to be intercepted by attackers, always authenticating the server, and optionally authenticating users. The SSL protocol is required to be based on a reliable Transport Layer protocol (TCP). The advantage of the SSL protocol is that it is independent of the application-layer protocol, and that high-level application-layer protocols (such as http,ftp,telnet, etc.) can be transparently built on top of the SSL protocol. The SSL protocol has completed the encryption algorithm, the communication key negotiation and the server authentication work before the application layer protocol communication. After this, the data transmitted by the application layer protocol will be encrypted, thus guaranteeing the privacy of the communication.

As described above, the SSL protocol provides a secure channel with the following three features:

1. Confidentiality of data

Information encryption is to convert the plaintext input file into an encrypted file using an encryption algorithm to achieve the confidentiality of the data. The encryption process requires a key to encrypt the data and then decrypt it. Without the key, you cannot unlock the encrypted data. After the data is encrypted, only the key must be transmitted in a secure way. Encrypted data can be transmitted in a public manner.

2. Consistency of data

Encryption also ensures consistency of data. For example: Message verification Code (MAC), the ability to verify user-provided encryption information, the receiver can use the MAC to verify the encrypted data, to ensure that the data has not been tampered with during transmission.

3. Security verification

Another use of encryption is used as a personal identity, and the user's key can be used as the identity of his security verification.

SSL is a cryptographic protocol that leverages public key cryptography (RSA) as the encrypted communication protocol between the client and server when transmitting confidential information. Currently, most Web servers and browsers support SSL technology extensively. When a browser tries to connect to a server with SSL authentication encryption, it wakes up an SSL session and the browser checks for authentication, which must have the following three conditions:

1) There is an authority to issue certificates, of course, you can create a self-signed certificate (x509 structure).

2) The certificate cannot expire.

3) The certificate belongs to the server to which it is connected.

Only if all of these three conditions are in place will the browser successfully complete the certification. With these three conditions, users can confirm that their browser is connected to the correct server, instead of connecting to a bogus server that wants to steal important information such as user passwords.

In today's e-commerce there is also a widely used security protocol is the set protocol. The SET (secure Electronic Transaction, secured electronic transactions) Agreement was jointly introduced by the two major credit card companies of Visa and MasterCard in May 1997. Set can provide greater trust, more complete transaction information, higher security, and less likelihood of fraud on the electronic trading chain. Set trading is conducted in three stages: the user purchases The merchant and determines the payment, the merchant checks with the bank, and the bank pays the merchant. Each phase involves RSA encryption of data, and RSA digital signatures. Using the set protocol, in a single transaction, to complete multiple encryption and decryption operations, it is very high security, but the set protocol is more complex than the SSL protocol, businesses and banks need to transform the system to achieve interoperability.

Under Linux, the more popular support for SSL authentication is the OpenSSL server. The OpenSSL project is a collaborative project that develops a robust, commercial-grade, complete open-source toolkit with robust cryptographic algorithms for secure Socket layers (secure Sockets layer,ssl v2/ V3) and Transport Layer Security (Transport layer SECURITY,TLS v1). This project is managed and developed by volunteers worldwide for the OpenSSL toolkit and related documentation.

How to configure the OpenSSL server under Linux, First download the OPENSSL-VERSION.TAR.GZ software package from the OpenSSL home page () to compile the installation, work with the Apache server to build a Web server that supports SSL, and you can use a self-signed certificate for authentication, about how to compile, To install the OpenSSL server, refer to the OpenSSL howto documentation.

Preliminary Introduction to SSL programming

The SSL communication model is the standard C/s structure, except for the transmission over the TCP layer, there is no obvious difference from the general communication. Here, we mainly describe how to use OpenSSL for secure communication programming. For more information about OpenSSL, please refer to the official homepage of OpenSSL.

Before using OpenSSL, you must initialize OpenSSL first, and the following three functions are optional:

Ssl_library_init (void);

Openssl_add_ssl_algorithms ();

Ssleay_add_ssl_algorithms ();

In fact, the next two functions are just the first macro of a function.

If you want to use OpenSSL's error message, use Ssl_load_error_strings (void) to initialize the error message. You can later use void Err_print_errors_fp (FILE *fp) to print the SSL error message.

An SSL connection session typically applies to an SSL environment first, and the basic process is:

1. Ssl_method* meth = Tlsv1_client_method (); The protocol that is used to create this session connection, if the client can use the

ssl_method* tlsv1_client_method (void); TLSv1.0 protocol

ssl_method* sslv2_client_method (void); SSLV2 protocol

ssl_method* sslv3_client_method (void); SSLV3 protocol

ssl_method* sslv23_client_method (void); SSLV2/V3 protocol

The server also needs to create the protocol used for this session:

Ssl_method *tlsv1_server_method (void);

Ssl_method *sslv2_server_method (void);

Ssl_method *sslv3_server_method (void);

Ssl_method *sslv23_server_method (void);

It is important to note that both the client and the server need to use the same protocol.

2. The environment in which you request an SSL session, CTX, uses a different protocol for the session, and its environment is different. The OpenSSL function that applies for the SSL session environment is

sslk_ctx* ssl_ctx_new (ssl_method*); The parameter is the SSL communication method we requested earlier. Returns a pointer to the current SSL connection environment.

The properties of CTX are then set according to your needs, typically by setting the SSL handshake phase certificate and loading your own certificate.

void Ssl_ctx_set_verify (ssl_ctx*, int, int* (int, x509_store_ctx*))

Sets the way certificates are validated.

The first parameter is the current CTX pointer, the second is the authentication method, and if you want to verify the other, use Ssl_verify_peer. If not, use Ssl_verify_none. In general, the client needs to verify the other party, and the server does not need it. The third parameter is a callback function that handles validation, and if there is no special need, use a null pointer.

void Ssl_ctx_load_verify_locations (ssl_ctx*, const char*, const char*);

Load the certificate;

The first parameter is the same, parameter two is the name of the certificate file, and the parameter is the path of the certificate file;

int Ssl_ctx_use_certificate_file (ssl_ctx *ctx, const char *file, int type);

Load the local certificate, type indicates the structure type of the certificate file; failure returns-1

int Ssl_ctx_use_privatekey_file (ssl_ctx *ctx, const char *file, int type);

Load your own private key; The type parameter indicates the structure of the private key file; failure returns-1

After the certificates and files have been loaded, you can verify that the private key and certificate match:

BOOl Ssl_ctx_check_private_key (ssl_ctx*);

3. Since SSL uses the TCP protocol, of course, SSL must be attach to the connected sockets:

ssl* ssl_new (ssl_ctx*); Apply for an SSL sleeve word;

int SSL_SET_RFD (ssl*); Binding read-only sockets

int SSL_SET_WFD (ssl*); Binding write-only sockets

int ssl_set_fd (ssl*); Binding read-write sockets

The binding returned 1 successfully, and the failure returned 0;

4. Next up is the SSL handshake action.

int Ssl_connect (ssl*); Failed return-1

5. After the handshake is successful, communication is possible, using Ssl_read and ss_write to read and write SSL sockets instead of the traditional read, write

int Ssl_read (SSL *ssl, char *buf, int num);

int Ssl_write (SSL *ssl, char *buf, int num);

If it is a server, use ssl_accept instead of the traditional accept call

int ssl_accept (SSL *ssl);

6. End of communication, need to release the previously requested SSL resources

int Ssl_shutdown (SSL *ssl); Turn off SSL sockets;

void Ssl_free (SSL); Release SSL sockets;

void Ssl_ctx_free (CTX); Release the SSL environment;

OpenSSL has evolved to 0.9.96, but it has few documents, even the most basic man function manual. Therefore, this article closely describes the use of OpenSSL to design the framework. More detailed information can be found in the OpenSSL documentation or the Apache mod_ssl documentation.

Through the above introduction, I think the reader has a certain understanding of the SSL protocol, the author has the opportunity to continue to introduce other aspects of the SSL protocol content.

Frame diagram:

SSL Secure sockets for Linux 20160704