我需要创建一个libcurl应用程序来从https服务器下载URL(身份验证机制是PSK)。 所以我刚从下面的链接下载了TLS-PSK支持的cURL代码。 https://github.com/curl/curl/tree/d2f8bbf2600d5da577ab75a4fd7ba3e129aba4be (根据我的理解,目前发布的cURL并不支持TLS-PSK。如果我错了,请纠正我。)
但是在执行我的示例应用程序时,它会显示ssl错误:" sslv3 alert bad record mac"。
其实我是新手,我对TLS / SSL和卷曲都不太了解。 如果有人能为此提供解决方案,那将非常有帮助。
下面我还附上了我的src代码,日志和测试结果以供参考。
Samplecurl.cpp
int main()
{
CURL *curl = curl_easy_init();
if(curl)
{
curl_easy_setopt(curl, CURLOPT_URL, "https://localhost:1440/");
curl_easy_setopt(curl, CURLOPT_SSL_PSK, "client_id:fcc56e7668194a4775e5b36e2735551a");
curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "PSK-AES256-CBC-SHA");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
CURLcode res = curl_easy_perform(curl);
/* Check for errors */
if (res != CURLE_OK) {
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
}
}
return 0;
}
步骤1:使用openssl命令启动服务器(openssl version is- OpenSSL 1.0.2g)
openssl s_server -psk fcc56e7668194a4775e5b36e2735551a -accept 1440 -cipher PSK-AES256-CBC-SHA -nocert
步骤2:使用下载的源代码构建Samplecurl.cpp并获得以下错误
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl_easy_perform() failed: SSL connect error
***使用curl命令行也会发生同样的错误。
卷曲命令:
curl -v --tls-psk Client_identity:fcc56e7668194a4775e5b36e2735551a -k https://localhost:1440/ - 学生PSK-AES256-CBC-SHA
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1440 (#0)
* ALPN, offering http/1.1
* Cipher selection: PSK-AES256-CBC-SHA
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
请注意,使用openssl client命令,与服务器的连接成功。命令如下。
openssl s_client -connect localhost:1440 -psk fcc56e7668194a4775e5b36e2735551a
执行上述命令后,终端显示以下内容
>> CONNECTED(00000003)
>> no peer certificate available
>> No client certificate CA names sent
>> SSL handshake has read 338 bytes and written 414 bytes
>> New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1.2
>> Cipher : PSK-AES256-CBC-SHA
>> Session-ID: AC3096F9E9AAC227B4FE4DFD59CBD3B9A2EA230B22A83289323EF5F2F8C7DAE5
>> Session-ID-ctx:
>> Master-Key: 07314810B7A54B94EA9F8497736F383733290EB5BFC64A557D0B3A780F518FC9CF55BFC408C5361B91D92A1B4786E314
>> Key-Arg : None
>> PSK identity: Client_identity
>> PSK identity hint: None
>> SRP username: None
>> TLS session ticket lifetime hint: 300 (seconds)
>> TLS session ticket:
0000 - b4 92 80 4f ec 7b f2 17-c3 59 03 6f 62 63 62 5b ...O.{...Y.obcb[
0010 - 30 d4 d4 9d 5f 5f 07 df-8f 7d 4f f8 98 fa af 41 0...__...}O....A
0020 - 2a 11 53 1a c4 16 86 f1-24 38 b7 bf 9c 1c 7d 5a *.S.....$8....}Z
0030 - e3 bd 94 b4 01 e1 a7 75-95 b0 a1 c5 be 71 51 45 .......u.....qQE
0040 - 74 0b cb 7a a5 b8 ac 42-64 dc 06 c5 23 23 de 33 t..z...Bd...##.3
0050 - 0e 94 87 cc ed 65 f1 e4-da bc 4f 5e 3d e9 46 96 .....e....O^=.F.
0060 - ae 0e 4c d4 98 2e 01 9d-e3 6e 54 f2 c2 08 13 a9 ..L......nT.....
0070 - 1a 33 46 08 90 12 17 5b-e5 62 ca 23 24 93 97 1c .3F....[.b.#$...
0080 - 39 70 a6 4d 2c 12 6e 9c-53 e7 08 b5 ad 90 02 0d 9p.M,.n.S.......
0090 - 6c e8 ef e3 9b 76 f5 2a-ae 64 47 b5 84 a0 08 26 l....v.*.dG....&
00a0 - ec 1f 32 1c 5d 25 9e d0-cf c5 a2 8d 6b 2e de e1 ..2.]%......k...
Start Time: 1528369235
Timeout : 300 (sec)
Verify return code: 0 (ok)