自签名证书没有可用的对等证书

时间:2017-05-31 12:14:21

标签: c++ ssl openssl ssl-certificate

我正在编写一个接受SSL连接的服务器。我已经生成了一个自签名证书:

openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem -subj "/CN=myhostname"

SSL_accept因此消息失败:

140121764049248:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:

以下是服务器代码的一部分:

  sslCtx = (SSL_CTX_new(SSLv23_server_method());
  if (!sslCtx){
      ERR_print_errors_fp(stderr);
    throw runtime_error("SSL_CTX_new failed");
  }
  ssl = SSL_new(sslCtx);
  if (!ssl)
    throw runtime_error("SSL_new failed");

  if (SSL_CTX_use_PrivateKey_file(sslCtx, keyFile.c_str(),
                                  SSL_FILETYPE_PEM) != 1)
    throw runtime_error("Unable to load private key file" + keyFile);

  if (SSL_CTX_use_certificate_file(sslCtx, certFile.c_str(),
                                   SSL_FILETYPE_PEM) != 1)
    throw runtime_error("Unable to load certificate file" + certFile);


  if (SSL_set_fd(ssl, socket) != 1)
    throw runtime_error("SSL_set_fd failed");

  if (SSL_accept(ssl) != 1){
     ERR_print_errors_fp(stderr);
    throw runtime_error("SSL_accept failed");
  }

我尝试测试服务器:

openssl s_client -cipher RSA -connect myhostname:33221 -tls1 -CApath . -servername myhostname

得到了

CONNECTED(00000003)
139898773520408:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
139898773520408:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1496232544
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

我使用的是OpenSSL 1.0.2g。

1 个答案:

答案 0 :(得分:0)

仅在完全设置上下文后尝试SSL_new,并确保在程序开头有OpenSSL_add_ssl_algorithms。 1.0.2文档说它“继承”,但不确定这是否有效意味着它在那时复制设置并且不会应用进一步的更改。

https://www.openssl.org/docs/man1.0.2/ssl/SSL_new.html

  

新结构继承了底层上下文ctx的设置:连接方法(SSLv2 / v3 / TLSv1),选项,验证设置,超时设置。

OpenSSL wiki

上还有一个例子

没有错误处理的是:

// General initialisation
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
// Context for a server socket
ctx = SSL_CTX_new(SSLv23_server_method ()); //Note SSLv23_server_method in example is deprecated in favour of TLS_server_method for new versions. TLSv1_2_server_method will force TLS 1.2.
SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_use_certificate_file(ctx, "cert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM);
// Only after all certificates, and other config is set
ssl = SSL_new(ctx);
SSL_set_fd(ssl, client_socket);
SSL_accept(ssl);
// Use SSL_write and SSL_read
SSL_free(ssl);
close(client_socket);
// OpenSSL cleanup
EVP_cleanup();