我正在编写一个接受SSL连接的服务器。我已经生成了一个自签名证书:
openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem -subj "/CN=myhostname"
SSL_accept
因此消息失败:
140121764049248:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
以下是服务器代码的一部分:
sslCtx = (SSL_CTX_new(SSLv23_server_method());
if (!sslCtx){
ERR_print_errors_fp(stderr);
throw runtime_error("SSL_CTX_new failed");
}
ssl = SSL_new(sslCtx);
if (!ssl)
throw runtime_error("SSL_new failed");
if (SSL_CTX_use_PrivateKey_file(sslCtx, keyFile.c_str(),
SSL_FILETYPE_PEM) != 1)
throw runtime_error("Unable to load private key file" + keyFile);
if (SSL_CTX_use_certificate_file(sslCtx, certFile.c_str(),
SSL_FILETYPE_PEM) != 1)
throw runtime_error("Unable to load certificate file" + certFile);
if (SSL_set_fd(ssl, socket) != 1)
throw runtime_error("SSL_set_fd failed");
if (SSL_accept(ssl) != 1){
ERR_print_errors_fp(stderr);
throw runtime_error("SSL_accept failed");
}
我尝试测试服务器:
openssl s_client -cipher RSA -connect myhostname:33221 -tls1 -CApath . -servername myhostname
得到了
CONNECTED(00000003)
139898773520408:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
139898773520408:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1496232544
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
我使用的是OpenSSL 1.0.2g。
答案 0 :(得分:0)
仅在完全设置上下文后尝试SSL_new
,并确保在程序开头有OpenSSL_add_ssl_algorithms
。 1.0.2文档说它“继承”,但不确定这是否有效意味着它在那时复制设置并且不会应用进一步的更改。
https://www.openssl.org/docs/man1.0.2/ssl/SSL_new.html
上还有一个例子新结构继承了底层上下文ctx的设置:连接方法(SSLv2 / v3 / TLSv1),选项,验证设置,超时设置。
没有错误处理的是:
// General initialisation
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
// Context for a server socket
ctx = SSL_CTX_new(SSLv23_server_method ()); //Note SSLv23_server_method in example is deprecated in favour of TLS_server_method for new versions. TLSv1_2_server_method will force TLS 1.2.
SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_use_certificate_file(ctx, "cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM);
// Only after all certificates, and other config is set
ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_socket);
SSL_accept(ssl);
// Use SSL_write and SSL_read
SSL_free(ssl);
close(client_socket);
// OpenSSL cleanup
EVP_cleanup();