我正在尝试使用没有任何证书的SSL。我已经读过它是可能的,所以我在没有设置它的调用的情况下编写代码。 根据文档,它应该是正确的步骤列表。 你知道这是否真的可能吗?
我正在使用CENTOS 6.4。
当我跑步时,我总是收到错误
14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
以下是我的服务器代码
int main() {
int res = -1;
SSL_library_init();
SSL_load_error_strings();
SSL_CTX *sslctx = SSL_CTX_new( SSLv23_server_method());
res = SSL_CTX_set_cipher_list(sslctx,"aNULL");
if(0 == res) {
cerr << "SSL_CTX_set_cipher_list" << endl;
std::exit(EXIT_FAILURE);
}
int res = -1;
sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(kPort);
memset(&addr.sin_zero,0,8);
int sfd = socket(AF_INET,SOCK_STREAM, 0);
if(sfd == -1) {
cerr << "Socket Failed" << endl;
std::exit(EXIT_FAILURE);
}
res = bind(sfd, (const sockaddr*)&addr, sizeof(addr));
if(res == -1) {
cerr << "Bind Failed" << endl;
std::exit(EXIT_FAILURE);
}
res = listen(sfd,kBackLog);
if(res == -1) {
cerr << "Listen Failed" << endl;
std::exit(EXIT_FAILURE);
}
sockaddr_in client_addr;
socklen_t client_addr_len;
int cfd = accept(sfd, (sockaddr*)&client_addr, &client_addr_len);
if(cfd == -1) {
cerr << "Accept Failed" << endl;
std::exit(EXIT_FAILURE);
}
cout << "Client Connected" << endl;
// new SSL context.
SSL *cSSL = SSL_new(sslctx);
res = SSL_set_fd(cSSL, cfd);
cout << res << endl;
if(0 == res) {
cerr << "Error on SSL_set_fd" << endl;
close(sfd);
std::exit(EXIT_FAILURE);
}
res = SSL_set_cipher_list(cSSL, "aNULL");
if(0 == res) {
cout << "failure on SSL_set_cipher_list";
close(sfd);
std::exit(EXIT_FAILURE);
}
//Here is the SSL Accept portion. Now all reads and writes must use SSL
cout << "call to SSL_accept" << endl;
res = SSL_accept(cSSL);
switch(res)
{
case 0:
case -1: {
cout << "error on SSL_accept("<< res << ")" << endl;
std::exit(EXIT_FAILURE);
}
}
char buf[4];
res = SSL_read(cSSL, (char*)buf, 4);
switch(res) {
case 0:
case -1: {
cout << "error on SSL_read("<< res << ")" << endl;
std::exit(EXIT_FAILURE);
}
}
cout << buf << endl;
}
低于客户端
int main() {
int res = -1;
SSL_library_init();
SSL_load_error_strings();
//OpenSSL_add_all_algorithms(); I didn't find this in man pages.
SSL_CTX *sslctx = SSL_CTX_new( SSLv23_client_method());
res = SSL_CTX_set_cipher_list(sslctx,"aNULL");
if(0 == res) {
cerr << "SSL_CTX_set_cipher_list" << endl;
std::exit(EXIT_FAILURE);
}
int res = -1;
int sfd = socket(AF_INET, SOCK_STREAM, 0);
CHECK(sfd,"socket");
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(kPort);
addr.sin_addr.s_addr = inet_addr("127.0.0.1"); // #include <arpa/inet.h>
res = connect(sfd, (const sockaddr*)&addr, sizeof(addr));
CHECK(res, "connect");
if(-1 == res) {
cerr << "Error on Connect" << endl;
close(sfd);
std::exit(EXIT_FAILURE);
}
SSL *cSSL = SSL_new(sslctx);
if(NULL == cSSL) {
cerr << "Error on SSL_new" << endl;
close(sfd);
std::exit(EXIT_FAILURE);
}
res = SSL_set_fd(cSSL, sfd);
if(0 == res) {
cerr << "Error on SSL_set_fd" << endl;
close(sfd);
std::exit(EXIT_FAILURE);
}
res = SSL_set_cipher_list(cSSL, "aNULL");
if(0 == res) {
cout << "failure on SSL_set_cipher_list";
close(sfd);
std::exit(EXIT_FAILURE);
}
cout << "calling SSL connect" << endl;
res = SSL_connect(cSSL);
switch(res) {
case 0:
case -1: {
cerr << "Error on SSL_connect("<< res << ")" << endl;
print_ssl_error(cSSL, res);
close(sfd);
std::exit(EXIT_FAILURE);
}
}
cout << "SSL write" << endl;
char buf[4] = {'a','b','c','\n'};
SSL_write(cSSL, buf, 4);
sleep(10);
close(sfd);
}
答案 0 :(得分:1)
我正在尝试使用没有任何证书的SSL。
您需要使用Anonymous Diffie-Hellman(ADH)或Anonymous Elliptic Curve Diffie Hellman(AECDH)。使用匿名方案时,服务器不会发送其证书。
在SSL_connect之前致电SSL_set_cipher_list。根据{{3}},您想要的密码是aNULL。 aNULL包括ADH和AECDH。
你知道这是否真的可能吗?
是的,它可能。但使用匿名密码套件是一个坏主意,因为它们容易受到主动攻击。也就是说,他们可以成为中间人。
此外,大多数客户端和服务器都配置为通过"!aNULL"密码套件列表拒绝匿名密码套件。因此,您可能会在实践中发现,您无法真正连接任何东西。