设置SSL_CTX_set_cipher_list()失败,并出现“无密码匹配”错误

时间:2019-05-23 08:28:53

标签: c++ openssl gsoap

我正在尝试使用SSL_CTX_set_cipher_list()限制我的gsoap ssl服务器中的密码列表。但是,无论我提供什么列表,该方法均返回0。不设置列表,一切正常。

我基本上和gsoap文档https://www.genivia.com/doc/guide/html/group__group__ssl.html#ga3492465cdd8aa71fe746199d3842cac7

一样
    auto err = BIO_new_fp(stderr, BIO_NOCLOSE);
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
    OpenSSL_add_all_ciphers();
    CalculatorSoapBindingService service;
    service.soap->send_timeout = service.soap->recv_timeout = 5;
    if (useSSL) {
        soap_ssl_init();       // init SSL (just need to do this once in an application)
        if (soap_ssl_server_context(
                service.soap,
                SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_TLSv1 | SOAP_SSL_NO_DEFAULT_CA_PATH,
                "server.pem", // server keyfile (cert+key)
                "password",   // password to read the private key in the keyfile
                nullptr,         // no cert to authenticate clients
                nullptr,         // no capath to trusted certificates
                nullptr,         // DH/RSA: use 2048 bit RSA (default with NULL)
                nullptr,         // no random data to seed randomness
                "testServer"     // no SSL session cache
        ))
        {
            service.soap_stream_fault(std::cerr);
            exit(EXIT_FAILURE);
        }
        const char allowedCiphers[] = "ALL:!aNULL";
        auto rc = SSL_CTX_set_cipher_list(service.soap->ctx, allowedCiphers);
        if (rc != 1) {
            ERR_print_errors(err);
            exit(EXIT_FAILURE);
        }
    }

根据documentation返回码0表示完全失败。 错误消息是:140347788101304:错误:1410D0B9:SSL例程:SSL_CTX_set_cipher_list:无密码匹配:ssl_lib.c:1385: 当我运行“ openssl密码”时,我会获得完整的密码列表。 有什么想法我想念的吗?上下文未正确初始化吗?

1 个答案:

答案 0 :(得分:0)

这终于解决了我的问题:

CalculatorSoapBindingService service;
service.soap->send_timeout = service.soap->recv_timeout = 5; // 5 sec socket idle timeout
if (useSSL) {
    SSL_library_init();
    BIO_new_fp(stderr, BIO_NOCLOSE);
    SSL_load_error_strings();
    if (soap_ssl_server_context(
            service.soap,
            SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_TLSv1 | SOAP_SSL_NO_DEFAULT_CA_PATH,
            "server.pem", // server keyfile (cert+key)
            "haslerrail",   // password to read the private key in the keyfile
            nullptr,         // no cert to authenticate clients
            nullptr,         // no capath to trusted certificates
            nullptr,         // DH/RSA: use 2048 bit RSA (default with NULL)
            nullptr,         // no random data to seed randomness
            "testServer"          // no SSL session cache
    ))
    {
        service.soap_stream_fault(std::cerr);
        exit(EXIT_FAILURE);
    }
    const char allowedCiphers[] = "ECDH:!aNULL:!eNULL:!ADH:!SHA:@STRENGTH";
    auto nid = NID_X9_62_prime256v1;
    auto key = EC_KEY_new_by_curve_name(nid);
    if (key == nullptr) {
        std::cout << "Failed to create curve" << OBJ_nid2sn(nid) << std::endl;;
        exit(EXIT_FAILURE);;
    }
    SSL_CTX_set_tmp_ecdh(service.soap->ctx, key);
    EC_KEY_free(key);

    auto rc = SSL_CTX_set_cipher_list(service.soap->ctx, allowedCiphers);
    if (rc != 1) {
        std::cout << "no cipher list found " << rc << std::endl;
        ERR_print_errors(err);
        exit(EXIT_FAILURE);
    }
}