TLS协议

TLS简介

TLS协议基于面向连接的TCP协议，它可被看作由两个主要部分组成：TLS记录协议(TLS Record Protocol)和TLS握手协议(TLS Handshake Protocol)。它可以实现传输应用数据前的通信双方身份的认证，加密套件(对称加密算法，签名算法等)的协商，会话密钥的协商，以及握手完成后的数据加密、压缩传输、以及数据完整性的校验。

TLS握手具体的过程

1.TCP三次握手

TCP的三次握手过程，建立TCP连接。

2.TLS握手过程

(1)TLS的握手是建立在TCP连接之上的。
(2)客户端向服务器发送client hello数据包。
在client hello数据包中说明了客户端使用的协议版本号、随机数、加密套件以及其他的扩展。wireshark抓包结果如下图：

(3)服务器收到client hello后向客户端发送server hello数据包。
在server hello中包含了协议版本号、随机数、服务器选择的加密套件以及其他的扩展。wireshark抓包结果如下图：

(4)服务器向客户端发送证书。wireshark抓包结果如下图：

(5)服务器向客户端发送server key exchange，其中包含了pubkey，wireshark抓包结果如下图：

(6)服务器向客户端发送server hello done，wireshark抓包结果如下图：

(7)客户端向服务器发送client key exchange、change cipher spec，wireshark抓包结果如下图：

(8)服务器向客户端发送new session ticket，wireshark抓包结果如下图：

(9)服务器向客户端发送change cipher spec， wireshark抓包结果如下图:

(10)服务器向客户端发送hello request， wireshark抓包结果如下图:
服务器向客户端发送change cipher spec， wireshark抓包结果如下图:

(11)客户端向服务器发送数据，wireshark抓包结果如下图:

openssl实现TLS

1.证书准备

在tls的通信中可以设置，双方认证和单向认证。如果需要双向的认证，需要有通信双方的证书。通过openssl的提供的应用程序功能可以搭建自己的简单的CA，从而颁发证书。

2.基于openssl的TLS实现

客户端程序

#include <stdio.h>#include <string.h>#include <errno.h>#include <sys/socket.h>#include <resolv.h>#include <stdlib.h>#include <netinet/in.h>#include <arpa/inet.h>#include <unistd.h>#include <openssl/ssl.h>#include <openssl/err.h>#define MAXBUF 1024#define CA_FILE "/home/xx/桌面/Untitled Folder/CA/ca.crt"#define CLIENT_KEY "/home/xx/桌面/Untitled Folder/Client/client.key"#define CLIENT_CERT "/home/xx/桌面/Untitled Folder/Client/client.crt"/*打印对方主体和颁发者信息*/void ShowCerts(SSL * ssl){    X509 *cert;    char *line;    cert = SSL_get_peer_certificate(ssl);    if (cert != NULL) {        printf("数字证书信息:\n");        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);        printf("证书: %s\n", line);        free(line);        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);        printf("颁发者: %s\n", line);        free(line);        X509_free(cert);    } else {        printf("无证书信息！\n");    }}int main(int argc, char **argv){    int sockfd, len;    long int result = LONG_MAX;    struct sockaddr_in dest;    char buffer[MAXBUF + 1];    SSL_CTX *ctx;    SSL *ssl;    const SSL_METHOD *method;    /*初始化工作*/    SSL_library_init();    SSL_load_error_strings();    OpenSSL_add_all_algorithms();      method = TLSv1_2_client_method();    ctx = SSL_CTX_new(method);    if (!ctx) {        printf("create ctx is failed.\n");    }    /*设置会话的握手方式*/     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);    /*加载CA FILE*/    if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) {        SSL_CTX_free(ctx);        printf("Failed to load CA file %s", CA_FILE);    }    if (SSL_CTX_set_default_verify_paths(ctx) != 1) {        SSL_CTX_free(ctx);        printf("Call to SSL_CTX_set_default_verify_paths failed");    }    /*设置证书链的最大深度*/    SSL_CTX_set_verify_depth(ctx,1);    /*加载客户端证书*/    if (SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM) != 1) {        SSL_CTX_free(ctx);        printf("Failed to load client certificate from %s", CLIENT_KEY);    }    /*加载客户端私钥*/    if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY, SSL_FILETYPE_PEM) != 1) {        SSL_CTX_free(ctx);        printf("Failed to load client private key from %s", CLIENT_KEY);    }    /*验证私钥*/    if (SSL_CTX_check_private_key(ctx) != 1) {        SSL_CTX_free(ctx);        printf("SSL_CTX_check_private_key failed");    }    /*处理握手多次*/      SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);     /*创建tcp套接字*/    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){        perror("Socket");        exit(errno);    }    bzero(&dest, sizeof(dest));    dest.sin_family = AF_INET;    dest.sin_port = htons(atoi(argv[2]));    if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0{        perror(argv[1]);        exit(errno);    }    if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) {        perror("Connect ");        exit(errno);    }    /*创建SSL*/    ssl = SSL_new(ctx);    if (ssl == NULL) {        printf("SSL_new error.\n");    }    /*将fd添加到ssl层*/    SSL_set_fd(ssl, sockfd);    /*TLS握手*/    if (SSL_connect(ssl) == -1) {        printf("SSL_connect fail.\n");        ERR_print_errors_fp(stderr);    } else {        printf("Connected with %s encryption\n", SSL_get_cipher(ssl));        ShowCerts(ssl);    }    result=SSL_get_verify_result(ssl);    if(result != X509_V_OK)    {        printf("There are some mistakes in verification:error %ld\n",result);    }    else    {        printf("Verification success!\n");    }    bzero(buffer, MAXBUF + 1);    len = SSL_read(ssl, buffer, MAXBUF);    if (len > 0) {        printf("接收消息成功:'%s'，共%d个字节的数据\n", buffer, len);    } else {        printf("消息接收失败！错误代码是%d，错误信息是'%s'\n", errno, strerror(errno));        goto exit;    }    bzero(buffer, MAXBUF + 1);    strcpy(buffer, "from client->server");    len = SSL_write(ssl, buffer, strlen(buffer));    if (len < 0) {        printf("消息'%s'发送失败！错误代码是%d，错误信息是'%s'\n", buffer, errno, strerror(errno));    } else {        printf("消息'%s'发送成功，共发送了%d个字节！\n", buffer, len);    }exit    SSL_shutdown(ssl);    SSL_free(ssl);    close(sockfd);    SSL_CTX_free(ctx);    return 0;}

服务器端程序

#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <string.h>#include <sys/types.h>#include <netinet/in.h>#include <sys/socket.h>#include <sys/wait.h>#include <unistd.h>#include <arpa/inet.h>#include <openssl/ssl.h>#include <openssl/err.h>#define MAXBUF 1024#define CA_FILE "/home/xx/桌面/Untitled Folder/CA/ca.crt"#define SERVER_KEY "/home/xx/桌面/Untitled Folder/Server/server.key"#define SERVER_CERT "/home/xx/桌面/Untitled Folder/Server/server.crt"void ShowCerts(SSL * ssl)    {        X509 *cert;        char *line;    cert = SSL_get_peer_certificate(ssl);        if (cert != NULL) {            printf("num cert messsage:\n");            line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);            printf("cert: %s\n", line);            free(line);            line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);            printf("Issuer: %s\n", line);            free(line);            X509_free(cert);        } else         printf("no cert message \n");    } int main(int argc, char **argv){    int sockfd, new_fd;    int reuse = 0;    long int result = LONG_MAX;    socklen_t len;    struct sockaddr_in my_addr, their_addr;    unsigned int myport, lisnum;    char buf[MAXBUF + 1];    SSL_CTX *ctx;    const SSL_METHOD *method;    if (argv[1]) {        myport = atoi(argv[1]);    } else {        myport = 7838;    }    if (argv[2]) {        lisnum = atoi(argv[2]);    } else {        lisnum = 2;    }    SSL_library_init();    OpenSSL_add_all_algorithms();    SSL_load_error_strings();    method = TLSv1_2_server_method();    ctx = SSL_CTX_new(method);    if (ctx == NULL) {        ERR_print_errors_fp(stdout);        exit(1);    }    /*设置认证方式，要求认证客户端，实现双向认证*/    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);    /*加载CA FILE*/    if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) {        SSL_CTX_free(ctx);        printf("Failed to load CA file %s", CA_FILE);    }    /*加载服务端证书*/    if (SSL_CTX_use_certificate_file(ctx, SERVER_CERT, SSL_FILETYPE_PEM) <= 0) {        ERR_print_errors_fp(stdout);        exit(1);    }    /*加载服务端私钥*/    if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {        printf("use private key fail.\n");        ERR_print_errors_fp(stdout);        exit(1);    }    /*验证私钥*/    if (!SSL_CTX_check_private_key(ctx)) {        ERR_print_errors_fp(stdout);        exit(1);    }    //处理握手多次      SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);     if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {        perror("socket");        exit(1);    } else {        printf("socket created\n");    }    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0){        printf("setsockopet error\n");        return -1;    }    bzero(&my_addr, sizeof(my_addr));    my_addr.sin_family = PF_INET;    my_addr.sin_port = htons(myport);    my_addr.sin_addr.s_addr = INADDR_ANY;    if (bind(sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr)) == -1) {        perror("bind");        exit(1);    }     printf("Server bind success.\n");    if (listen(sockfd, lisnum) == -1) {        perror("listen");        exit(1);    }     printf("Server begin to listen\n");    while (1) {        SSL *ssl;        len = sizeof(struct sockaddr);        if ((new_fd = accept(sockfd, (struct sockaddr *) &their_addr, &len)) == -1) {            perror("accept");            exit(errno);        }         printf("Server: receive a connection from %s, port %d, socket %d\n", inet_ntoa(their_addr.sin_addr), ntohs(their_addr.sin_port), new_fd);        ssl = SSL_new(ctx);        if (ssl == NULL) {            printf("SSL_new error.\n");        }        SSL_set_fd(ssl, new_fd);        if (SSL_accept(ssl) == -1) {            perror("accept");            ERR_print_errors_fp(stderr);              close(new_fd);            break;        }        printf("Server with %s encryption\n", SSL_get_cipher(ssl));        ShowCerts(ssl);        result=SSL_get_verify_result(ssl);        if(result != X509_V_OK)        {            printf("There are some mistakes in verification:error %ld\n",result);        }        else        {            printf("Verification success!\n");        }        bzero(buf, MAXBUF + 1);        strcpy(buf, "server->client");        len = SSL_write(ssl, buf, strlen(buf));        if (len <= 0) {            printf("消息'%s'发送失败！错误代码是%d，错误信息是'%s'\n", buf, errno, strerror(errno));            goto exit;        } else {            printf("消息'%s'发送成功，共发送了%d个字节！\n", buf, len);        }        bzero(buf, MAXBUF + 1);        len = SSL_read(ssl, buf, MAXBUF);        if (len > 0) {            printf("接收消息成功:'%s'，共%d个字节的数据\n", buf, len);        } else {            printf("消息接收失败！错误代码是%d，错误信息是'%s'\n", errno, strerror(errno));        }exit:        SSL_shutdown(ssl);        SSL_free(ssl);        close(new_fd);    }    close(sockfd);    SSL_CTX_free(ctx);    return 0;}

参考

http://blog.csdn.net/liangyihuai/article/details/53098482