Question

我需要创建一个libcurl应用程序来从https服务器下载URL（身份验证机制是PSK）。所以我刚从下面的链接下载了TLS-PSK支持的cURL代码。 https://github.com/curl/curl/tree/d2f8bbf2600d5da577ab75a4fd7ba3e129aba4be （根据我的理解，目前发布的cURL并不支持TLS-PSK。如果我错了，请纠正我。）

但是在执行我的示例应用程序时，它会显示ssl错误：＆＃34; sslv3 alert bad record mac＆＃34;。

其实我是新手，我对TLS / SSL和卷曲都不太了解。如果有人能为此提供解决方案，那将非常有帮助。

下面我还附上了我的src代码，日志和测试结果以供参考。

Samplecurl.cpp

int main()
{
    CURL *curl = curl_easy_init();
    if(curl)
    {
        curl_easy_setopt(curl, CURLOPT_URL, "https://localhost:1440/");
        curl_easy_setopt(curl, CURLOPT_SSL_PSK, "client_id:fcc56e7668194a4775e5b36e2735551a");
        curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "PSK-AES256-CBC-SHA");
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
        CURLcode res = curl_easy_perform(curl);
        /* Check for errors */
        if (res != CURLE_OK) {
                fprintf(stderr, "curl_easy_perform() failed: %s\n",
                    curl_easy_strerror(res));
        }
    }
    return 0;
}

步骤1：使用openssl命令启动服务器（openssl version is- OpenSSL 1.0.2g）

openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 -cipher PSK-AES256-CBC-SHA -nocert

步骤2：使用下载的源代码构建Samplecurl.cpp并获得以下错误

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl_easy_perform() failed: SSL connect error

***使用curl命令行也会发生同样的错误。

卷曲命令：

curl -v --tls-psk Client_identity：fcc56e7668194a4775e5b36e2735551a -k https://localhost:1440/ - 学生PSK-AES256-CBC-SHA

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac

请注意，使用openssl client命令，与服务器的连接成功。命令如下。

openssl s_client -connect localhost:1440 -psk fcc56e7668194a4775e5b36e2735551a

执行上述命令后，终端显示以下内容

>> CONNECTED(00000003)

>> no peer certificate available

>> No client certificate CA names sent

>> SSL handshake has read 338 bytes and written 414 bytes

>> New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
    >> Protocol  : TLSv1.2
    >> Cipher    : PSK-AES256-CBC-SHA
    >> Session-ID: AC3096F9E9AAC227B4FE4DFD59CBD3B9A2EA230B22A83289323EF5F2F8C7DAE5
    >> Session-ID-ctx: 
    >> Master-Key: 07314810B7A54B94EA9F8497736F383733290EB5BFC64A557D0B3A780F518FC9CF55BFC408C5361B91D92A1B4786E314
    >> Key-Arg   : None
    >> PSK identity: Client_identity
    >> PSK identity hint: None
    >> SRP username: None
    >> TLS session ticket lifetime hint: 300 (seconds)
    >> TLS session ticket:
    0000 - b4 92 80 4f ec 7b f2 17-c3 59 03 6f 62 63 62 5b   ...O.{...Y.obcb[
    0010 - 30 d4 d4 9d 5f 5f 07 df-8f 7d 4f f8 98 fa af 41   0...__...}O....A
    0020 - 2a 11 53 1a c4 16 86 f1-24 38 b7 bf 9c 1c 7d 5a   *.S.....$8....}Z
    0030 - e3 bd 94 b4 01 e1 a7 75-95 b0 a1 c5 be 71 51 45   .......u.....qQE
    0040 - 74 0b cb 7a a5 b8 ac 42-64 dc 06 c5 23 23 de 33   t..z...Bd...##.3
    0050 - 0e 94 87 cc ed 65 f1 e4-da bc 4f 5e 3d e9 46 96   .....e....O^=.F.
    0060 - ae 0e 4c d4 98 2e 01 9d-e3 6e 54 f2 c2 08 13 a9   ..L......nT.....
    0070 - 1a 33 46 08 90 12 17 5b-e5 62 ca 23 24 93 97 1c   .3F....[.b.#$...
    0080 - 39 70 a6 4d 2c 12 6e 9c-53 e7 08 b5 ad 90 02 0d   9p.M,.n.S.......
    0090 - 6c e8 ef e3 9b 76 f5 2a-ae 64 47 b5 84 a0 08 26   l....v.*.dG....&
    00a0 - ec 1f 32 1c 5d 25 9e d0-cf c5 a2 8d 6b 2e de e1   ..2.]%......k...
Start Time: 1528369235
Timeout   : 300 (sec)
Verify return code: 0 (ok)

cURL

0 个答案: