TLS协议
来源:互联网 发布:mac电脑笔记本 编辑:程序博客网 时间:2024/05/17 06:22
TLS简介
TLS协议基于面向连接的TCP协议,它可被看作由两个主要部分组成:TLS记录协议(TLS Record Protocol)和TLS握手协议(TLS Handshake Protocol)。它可以实现传输应用数据前的通信双方身份的认证,加密套件(对称加密算法,签名算法等)的协商,会话密钥的协商,以及握手完成后的数据加密、压缩传输、以及数据完整性的校验。
TLS握手具体的过程
1.TCP三次握手
TCP的三次握手过程,建立TCP连接。
2.TLS握手过程
(1)TLS的握手是建立在TCP连接之上的。
(2)客户端向服务器发送client hello数据包。
在client hello数据包中说明了客户端使用的协议版本号、随机数、加密套件以及其他的扩展。wireshark抓包结果如下图:
(3)服务器收到client hello后向客户端发送server hello数据包。
在server hello中包含了协议版本号、随机数、服务器选择的加密套件以及其他的扩展。wireshark抓包结果如下图:
(4)服务器向客户端发送证书。wireshark抓包结果如下图:
(5)服务器向客户端发送server key exchange,其中包含了pubkey,wireshark抓包结果如下图:
(6)服务器向客户端发送server hello done,wireshark抓包结果如下图:
(7)客户端向服务器发送client key exchange、change cipher spec,wireshark抓包结果如下图:
(8)服务器向客户端发送new session ticket,wireshark抓包结果如下图:
(9)服务器向客户端发送change cipher spec, wireshark抓包结果如下图:
(10)服务器向客户端发送hello request, wireshark抓包结果如下图:
服务器向客户端发送change cipher spec, wireshark抓包结果如下图:
(11)客户端向服务器发送数据,wireshark抓包结果如下图:
openssl实现TLS
1.证书准备
在tls的通信中可以设置,双方认证和单向认证。如果需要双向的认证,需要有通信双方的证书。通过openssl的提供的应用程序功能可以搭建自己的简单的CA,从而颁发证书。
2.基于openssl的TLS实现
客户端程序
#include <stdio.h>#include <string.h>#include <errno.h>#include <sys/socket.h>#include <resolv.h>#include <stdlib.h>#include <netinet/in.h>#include <arpa/inet.h>#include <unistd.h>#include <openssl/ssl.h>#include <openssl/err.h>#define MAXBUF 1024#define CA_FILE "/home/xx/桌面/Untitled Folder/CA/ca.crt"#define CLIENT_KEY "/home/xx/桌面/Untitled Folder/Client/client.key"#define CLIENT_CERT "/home/xx/桌面/Untitled Folder/Client/client.crt"/*打印对方主体和颁发者信息*/void ShowCerts(SSL * ssl){ X509 *cert; char *line; cert = SSL_get_peer_certificate(ssl); if (cert != NULL) { printf("数字证书信息:\n"); line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); printf("证书: %s\n", line); free(line); line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); printf("颁发者: %s\n", line); free(line); X509_free(cert); } else { printf("无证书信息!\n"); }}int main(int argc, char **argv){ int sockfd, len; long int result = LONG_MAX; struct sockaddr_in dest; char buffer[MAXBUF + 1]; SSL_CTX *ctx; SSL *ssl; const SSL_METHOD *method; /*初始化工作*/ SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); method = TLSv1_2_client_method(); ctx = SSL_CTX_new(method); if (!ctx) { printf("create ctx is failed.\n"); } /*设置会话的握手方式*/ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); /*加载CA FILE*/ if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) { SSL_CTX_free(ctx); printf("Failed to load CA file %s", CA_FILE); } if (SSL_CTX_set_default_verify_paths(ctx) != 1) { SSL_CTX_free(ctx); printf("Call to SSL_CTX_set_default_verify_paths failed"); } /*设置证书链的最大深度*/ SSL_CTX_set_verify_depth(ctx,1); /*加载客户端证书*/ if (SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM) != 1) { SSL_CTX_free(ctx); printf("Failed to load client certificate from %s", CLIENT_KEY); } /*加载客户端私钥*/ if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY, SSL_FILETYPE_PEM) != 1) { SSL_CTX_free(ctx); printf("Failed to load client private key from %s", CLIENT_KEY); } /*验证私钥*/ if (SSL_CTX_check_private_key(ctx) != 1) { SSL_CTX_free(ctx); printf("SSL_CTX_check_private_key failed"); } /*处理握手多次*/ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /*创建tcp套接字*/ if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("Socket"); exit(errno); } bzero(&dest, sizeof(dest)); dest.sin_family = AF_INET; dest.sin_port = htons(atoi(argv[2])); if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0{ perror(argv[1]); exit(errno); } if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) { perror("Connect "); exit(errno); } /*创建SSL*/ ssl = SSL_new(ctx); if (ssl == NULL) { printf("SSL_new error.\n"); } /*将fd添加到ssl层*/ SSL_set_fd(ssl, sockfd); /*TLS握手*/ if (SSL_connect(ssl) == -1) { printf("SSL_connect fail.\n"); ERR_print_errors_fp(stderr); } else { printf("Connected with %s encryption\n", SSL_get_cipher(ssl)); ShowCerts(ssl); } result=SSL_get_verify_result(ssl); if(result != X509_V_OK) { printf("There are some mistakes in verification:error %ld\n",result); } else { printf("Verification success!\n"); } bzero(buffer, MAXBUF + 1); len = SSL_read(ssl, buffer, MAXBUF); if (len > 0) { printf("接收消息成功:'%s',共%d个字节的数据\n", buffer, len); } else { printf("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); goto exit; } bzero(buffer, MAXBUF + 1); strcpy(buffer, "from client->server"); len = SSL_write(ssl, buffer, strlen(buffer)); if (len < 0) { printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buffer, errno, strerror(errno)); } else { printf("消息'%s'发送成功,共发送了%d个字节!\n", buffer, len); }exit SSL_shutdown(ssl); SSL_free(ssl); close(sockfd); SSL_CTX_free(ctx); return 0;}
服务器端程序
#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <string.h>#include <sys/types.h>#include <netinet/in.h>#include <sys/socket.h>#include <sys/wait.h>#include <unistd.h>#include <arpa/inet.h>#include <openssl/ssl.h>#include <openssl/err.h>#define MAXBUF 1024#define CA_FILE "/home/xx/桌面/Untitled Folder/CA/ca.crt"#define SERVER_KEY "/home/xx/桌面/Untitled Folder/Server/server.key"#define SERVER_CERT "/home/xx/桌面/Untitled Folder/Server/server.crt"void ShowCerts(SSL * ssl) { X509 *cert; char *line; cert = SSL_get_peer_certificate(ssl); if (cert != NULL) { printf("num cert messsage:\n"); line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); printf("cert: %s\n", line); free(line); line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); printf("Issuer: %s\n", line); free(line); X509_free(cert); } else printf("no cert message \n"); } int main(int argc, char **argv){ int sockfd, new_fd; int reuse = 0; long int result = LONG_MAX; socklen_t len; struct sockaddr_in my_addr, their_addr; unsigned int myport, lisnum; char buf[MAXBUF + 1]; SSL_CTX *ctx; const SSL_METHOD *method; if (argv[1]) { myport = atoi(argv[1]); } else { myport = 7838; } if (argv[2]) { lisnum = atoi(argv[2]); } else { lisnum = 2; } SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); method = TLSv1_2_server_method(); ctx = SSL_CTX_new(method); if (ctx == NULL) { ERR_print_errors_fp(stdout); exit(1); } /*设置认证方式,要求认证客户端,实现双向认证*/ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); /*加载CA FILE*/ if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) { SSL_CTX_free(ctx); printf("Failed to load CA file %s", CA_FILE); } /*加载服务端证书*/ if (SSL_CTX_use_certificate_file(ctx, SERVER_CERT, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stdout); exit(1); } /*加载服务端私钥*/ if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) { printf("use private key fail.\n"); ERR_print_errors_fp(stdout); exit(1); } /*验证私钥*/ if (!SSL_CTX_check_private_key(ctx)) { ERR_print_errors_fp(stdout); exit(1); } //处理握手多次 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } else { printf("socket created\n"); } if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0){ printf("setsockopet error\n"); return -1; } bzero(&my_addr, sizeof(my_addr)); my_addr.sin_family = PF_INET; my_addr.sin_port = htons(myport); my_addr.sin_addr.s_addr = INADDR_ANY; if (bind(sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr)) == -1) { perror("bind"); exit(1); } printf("Server bind success.\n"); if (listen(sockfd, lisnum) == -1) { perror("listen"); exit(1); } printf("Server begin to listen\n"); while (1) { SSL *ssl; len = sizeof(struct sockaddr); if ((new_fd = accept(sockfd, (struct sockaddr *) &their_addr, &len)) == -1) { perror("accept"); exit(errno); } printf("Server: receive a connection from %s, port %d, socket %d\n", inet_ntoa(their_addr.sin_addr), ntohs(their_addr.sin_port), new_fd); ssl = SSL_new(ctx); if (ssl == NULL) { printf("SSL_new error.\n"); } SSL_set_fd(ssl, new_fd); if (SSL_accept(ssl) == -1) { perror("accept"); ERR_print_errors_fp(stderr); close(new_fd); break; } printf("Server with %s encryption\n", SSL_get_cipher(ssl)); ShowCerts(ssl); result=SSL_get_verify_result(ssl); if(result != X509_V_OK) { printf("There are some mistakes in verification:error %ld\n",result); } else { printf("Verification success!\n"); } bzero(buf, MAXBUF + 1); strcpy(buf, "server->client"); len = SSL_write(ssl, buf, strlen(buf)); if (len <= 0) { printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buf, errno, strerror(errno)); goto exit; } else { printf("消息'%s'发送成功,共发送了%d个字节!\n", buf, len); } bzero(buf, MAXBUF + 1); len = SSL_read(ssl, buf, MAXBUF); if (len > 0) { printf("接收消息成功:'%s',共%d个字节的数据\n", buf, len); } else { printf("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); }exit: SSL_shutdown(ssl); SSL_free(ssl); close(new_fd); } close(sockfd); SSL_CTX_free(ctx); return 0;}
参考
http://blog.csdn.net/liangyihuai/article/details/53098482
- TLS协议
- SSL 和TLS协议
- TLS协议简介
- SSL/TLS 协议详解
- SSL/TLS 协议详解
- SSL和TLS协议
- 图解SSL/TLS协议
- SSL/TLS 协议详解
- 图解SSL/TLS协议
- SSL/TLS协议详解
- SSL/TLS协议运行机制
- 图解SSL/TLS协议
- SSL/TLS 协议详解
- 图解SSL/TLS协议
- SSL/TLS 协议详解
- 图解SSL/TLS协议
- 图解SSL/TLS协议
- 图解SSL/TLS协议
- windows自动切换网关
- TreeMap实现原理
- D
- 近似法(激活法)求截止频率
- [初学笔记] matlab报错 Maximum recursion limit of 500 reached. Use set(0,'RecursionLimit',N)
- TLS协议
- missing: CURL_LIBRARY CURL_INCLUDE_DIR
- Eclipse Action与Command的区别
- Scala 常用命令
- python3.6使用 urllib完成下载
- select2选中第一项无法显示问题
- Linux基本操作、命令
- 常用正则表达式
- 不同浏览器私有属性