linux下openssl-1.0.0c编写openssl服务器和客户端

linux下openssl-1.0.0c编写openssl服务器和客户端
 ca.crt为自签名证书;
server.crt,server.key为服务器端的证书和私钥文件;
proxy.crt,proxy.key为代理服务器端的证书和私钥文件;
client.crt,client.key为客户端的证书和私钥文件。

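# Generate the CA self-signed certificate.
# This key is the root of trust for every certificate below.  It is kept
# at 2048 bits and stored encrypted with AES-256 instead of the original
# -des, whose 56-bit key gives the file no real protection at rest.
openssl genrsa -out ./private/ca.key -rand ./private/.rnd -aes256 2048
openssl req -new -x509 -days 3650 -key ./private/ca.key -out ./private/ca.crt -config openssl.cnf
openssl x509 -in ./private/ca.crt -noout -text

# Generate the server certificate.
# Leaf keys are 2048 bits rather than the original 1024: 1024-bit RSA is
# below current minimums and rejected by modern TLS stacks.
# `openssl ca` also needs the CA directory, index and serial files named in
# openssl.cnf (not shown on this page) to exist before it is run, and
# `-policy policy_anything` accepts any subject DN, which is only
# appropriate for a private lab CA.
openssl genrsa -out ./private/server.key 2048
openssl req -new -key ./private/server.key -out ./newcerts/server.csr -config openssl.cnf
openssl ca -in ./newcerts/server.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config openssl.cnf -policy policy_anything -out ./certs/server.crt
openssl x509 -in ./certs/server.crt -noout -text

# Generate the proxy certificate (same procedure as the server).
openssl genrsa -out ./private/proxy.key 2048
openssl req -new -key ./private/proxy.key -out ./newcerts/proxy.csr -config openssl.cnf
openssl ca -in ./newcerts/proxy.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config openssl.cnf -policy policy_anything -out ./certs/proxy.crt
openssl x509 -in ./certs/proxy.crt -noout -text

# Generate the client certificate (same procedure as the server).
openssl genrsa -out ./private/client.key 2048
openssl req -new -key ./private/client.key -out ./newcerts/client.csr -config openssl.cnf
openssl ca -in ./newcerts/client.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config openssl.cnf -policy policy_anything -out ./certs/client.crt
openssl x509 -in ./certs/client.crt -noout -text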

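//client
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <curses.h>             /* kept from the original; nothing below uses it now */
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define PORT 443
#define SERVER "127.0.0.1"
#define CACERT "./private/ca.crt"       /* CA the server certificate must chain to */
#define MYCERTF "./certs/proxy.crt"     /* certificate this client presents to the server */
#define MYKEYF "./private/proxy.key"    /* private key matching MYCERTF */
#define MSGLENGTH 1024

/*
 * TLSv1 client demo.
 *
 * Connects to SERVER:PORT, verifies the server certificate against CACERT,
 * presents MYCERTF/MYKEYF as its own identity, prints the server greeting
 * and then sends every line typed on stdin until EOF.
 *
 * Returns 0 after a clean shutdown; exits with status 1 on any error
 * (OpenSSL error details are dumped to stderr first).
 */
int
main (void)
{
  struct sockaddr_in sin;
  SSL *ssl;
  const SSL_METHOD *meth;
  SSL_CTX *ctx;
  int sock;
  int n;

  OpenSSL_add_ssl_algorithms ();
  SSL_load_error_strings ();

  meth = TLSv1_client_method ();
  ctx = SSL_CTX_new (meth);
  if (NULL == ctx)
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }

  /* SSL_VERIFY_PEER makes SSL_connect() fail when the server certificate
   * does not chain to CACERT.  OpenSSL 1.0.0 performs no hostname check, so
   * any certificate issued by this CA is accepted for SERVER. */
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, NULL);
  if (1 != SSL_CTX_load_verify_locations (ctx, CACERT, NULL))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_CTX_use_certificate_file (ctx, MYCERTF, SSL_FILETYPE_PEM))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_CTX_use_PrivateKey_file (ctx, MYKEYF, SSL_FILETYPE_PEM))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (!SSL_CTX_check_private_key (ctx))
    {
      printf ("Private key does not match the certificate public key\n");
      exit (1);
    }

  /* OpenSSL seeds its PRNG from /dev/urandom on Linux.  The original mixed
   * in rand() output keyed by time(), which adds no real entropy (and used
   * time() without <time.h>); instead refuse to run if the PRNG is unseeded. */
  if (!RAND_status ())
    {
      printf ("PRNG is not seeded\n");
      exit (1);
    }

  /* Exclude NULL ciphers, anonymous key exchange, MD5 and RC4 (the original
   * pinned "RC4-MD5"); the server uses the same list. */
  if (1 != SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!MD5:!RC4"))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  SSL_CTX_set_mode (ctx, SSL_MODE_AUTO_RETRY);

  printf ("Begin tcp socket...\n");
  sock = socket (AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    {
      /* The original only printed here and went on to connect() on -1. */
      printf ("SOCKET error. %s\n", strerror (errno));
      exit (1);
    }

  memset (&sin, 0, sizeof (sin));
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = inet_addr (SERVER); /* Server IP */
  sin.sin_port = htons (PORT); /* Server Port number */
  if (-1 == connect (sock, (struct sockaddr *) &sin, sizeof (sin)))
    {
      printf ("can not connect to server,%s\n", strerror (errno));
      exit (1);
    }

  ssl = SSL_new (ctx);
  if (NULL == ssl)
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_set_fd (ssl, sock))
    {
      printf ("Attach to Line fail!\n");
      exit (1);
    }

  /* SSL_connect() returns 1 on success, 0 for a controlled shutdown and a
   * negative value on error; the original only caught the 0 case. */
  if (1 != SSL_connect (ssl))
    {
      printf ("SSL connect fail!\n");
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  /* Redundant with SSL_VERIFY_PEER, but makes the trust decision explicit. */
  if (X509_V_OK != SSL_get_verify_result (ssl))
    {
      printf ("server certificate verification failed\n");
      exit (1);
    }
  printf ("connect to server\n");

  char sendmsg[MSGLENGTH];
  char revmsg[MSGLENGTH];

  /* Leave room for the terminator: SSL_read() may fill the whole buffer and
   * never NUL-terminates, and a negative return must not be used as an
   * index (the original did both). */
  n = SSL_read (ssl, revmsg, sizeof (revmsg) - 1);
  if (n <= 0)
    {
      printf ("SSL read fail!\n");
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  revmsg[n] = '\0';
  printf ("%s\n", revmsg);

  /* fgets() bounds the read to the buffer; the original scanf("%s") could
   * overflow sendmsg with a long token.  EOF on stdin ends the session. */
  while (1)
    {
      printf ("please input the data to send:\n");
      if (NULL == fgets (sendmsg, sizeof (sendmsg), stdin))
        break;
      sendmsg[strcspn (sendmsg, "\n")] = '\0';
      if ('\0' == sendmsg[0])
        continue;               /* nothing to send for an empty line */
      if (SSL_write (ssl, sendmsg, (int) strlen (sendmsg)) <= 0)
        {
          printf ("SSL write fail!\n");
          ERR_print_errors_fp (stderr);
          break;
        }
      printf ("send message ' %s ' success\n", sendmsg);
    }

  /* Reachable now that the loop ends on EOF; the original spun forever and
   * ended with a getch() that needs an initialised curses screen. */
  SSL_shutdown (ssl);
  SSL_free (ssl);
  SSL_CTX_free (ctx);
  close (sock);
  return 0;
}

//server
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <curses.h>             /* kept from the original; nothing below uses it now */
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define MSGLENGTH 1024
#define PORT 443
#define CACERT "./private/ca.crt"       /* CA the client certificate must chain to */
#define SVRCERTF "./certs/server.crt"   /* certificate this server presents */
#define SVRKEYF "./private/server.key"  /* private key matching SVRCERTF */

/*
 * TLSv1 server demo (single connection).
 *
 * Listens on PORT, accepts one client, requires a client certificate that
 * chains to CACERT, prints its subject and issuer, sends a greeting and
 * echoes every record the client sends to stdout until the client closes.
 *
 * Returns 0 after a clean shutdown; returns/exits with status 1 on any
 * error (OpenSSL error details are dumped to stderr first).
 */
int
main (void)
{
  int sock;
  const SSL_METHOD *meth;
  SSL_CTX *ctx;
  SSL *ssl;
  int n;

  OpenSSL_add_ssl_algorithms ();
  SSL_load_error_strings ();

  meth = TLSv1_server_method ();
  ctx = SSL_CTX_new (meth);
  if (NULL == ctx)
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }

  /* Mutual TLS.  SSL_VERIFY_PEER alone lets a client that sends no
   * certificate finish the handshake; SSL_VERIFY_FAIL_IF_NO_PEER_CERT makes
   * SSL_accept() reject it instead of relying on the check further down. */
  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                      NULL);
  if (1 != SSL_CTX_load_verify_locations (ctx, CACERT, NULL))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_CTX_use_certificate_file (ctx, SVRCERTF, SSL_FILETYPE_PEM))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_CTX_use_PrivateKey_file (ctx, SVRKEYF, SSL_FILETYPE_PEM))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (!SSL_CTX_check_private_key (ctx))
    {
      printf ("Private key does not match the certificate public key\n");
      exit (1);
    }

  /* Same cipher policy as the client: no NULL/anonymous suites, no MD5,
   * no RC4 (the original pinned "RC4-MD5"). */
  if (1 != SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!MD5:!RC4"))
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  SSL_CTX_set_mode (ctx, SSL_MODE_AUTO_RETRY);

  printf ("Begin tcp socket...\n");
  sock = socket (AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    {
      /* The original returned 0 here, reporting success to the shell. */
      printf ("SOCKET error! %s\n", strerror (errno));
      return 1;
    }

  /* Allow an immediate restart while the previous connection is in
   * TIME_WAIT; failure is not fatal for a demo. */
  int one = 1;
  setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof (one));

  struct sockaddr_in addr;
  memset (&addr, 0, sizeof (addr));
  addr.sin_family = AF_INET;
  addr.sin_port = htons (PORT); /* Server Port number */
  addr.sin_addr.s_addr = htonl (INADDR_ANY);
  if (-1 == bind (sock, (struct sockaddr *) &addr, sizeof (addr)))
    {
      printf ("bind socket error,%s\n", strerror (errno));
      return 1;
    }
  printf ("server start successfully,port:%d\nwaiting for connections\n",
          PORT);

  if (-1 == listen (sock, 5))
    {
      printf ("listen error,%s\n", strerror (errno));
      exit (1);
    }

  struct sockaddr_in sa_cli;
  socklen_t client_len = sizeof (sa_cli);   /* accept() wants socklen_t, not int */
  int ss = accept (sock, (struct sockaddr *) &sa_cli, &client_len);
  if (ss == -1)
    {
      printf ("accept error,%s\n", strerror (errno));
      exit (1);
    }
  /* Single-connection demo: stop listening once a client is in. */
  close (sock);
  /* The original printed the raw network-order address and port with %d. */
  printf ("Connection from %s, port %d\n", inet_ntoa (sa_cli.sin_addr),
          ntohs (sa_cli.sin_port));

  ssl = SSL_new (ctx);
  if (NULL == ssl)
    {
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  if (1 != SSL_set_fd (ssl, ss))
    {
      printf ("Attach to Line fail!\n");
      exit (1);
    }

  /* SSL_accept() returns 1 on success, 0 for a controlled shutdown and a
   * negative value on error; the original only caught the 0 case. */
  if (1 != SSL_accept (ssl))
    {
      printf ("SSL connect fail!\n");
      ERR_print_errors_fp (stderr);
      exit (1);
    }

  X509 *client_cert = SSL_get_peer_certificate (ssl);
  printf ("find a customer to try to connect\n");
  /* A presented certificate is not a verified one; check the verification
   * result before trusting anything in it. */
  if (NULL == client_cert || X509_V_OK != SSL_get_verify_result (ssl))
    {
      printf ("can not find the customer's certificate\n");
      exit (1);
    }
  printf ("Client certificate:\n");

  char *subject = X509_NAME_oneline (X509_get_subject_name (client_cert), NULL, 0);
  if (NULL == subject)
    {
      printf ("auth error!\n");
      exit (1);
    }
  printf ("subject: %s\n", subject);
  OPENSSL_free (subject);       /* the original leaked this by reusing the pointer */

  char *issuer = X509_NAME_oneline (X509_get_issuer_name (client_cert), NULL, 0);
  if (NULL == issuer)
    {
      printf ("certificate name is null\n");
      exit (1);
    }
  printf ("issuer: %s\n", issuer);
  OPENSSL_free (issuer);
  X509_free (client_cert);
  printf ("connect successfully\n");

  char buf[MSGLENGTH];
  static const char greeting[] = "Server is connect to you!\n";
  if (SSL_write (ssl, greeting, (int) (sizeof (greeting) - 1)) <= 0)
    {
      printf ("SSL write fail!\n");
      ERR_print_errors_fp (stderr);
      exit (1);
    }
  printf ("Listen to the client: \n");

  /* Leave room for the terminator and stop on 0 (peer closed) or a negative
   * return; the original indexed buf with whatever SSL_read() returned. */
  while ((n = SSL_read (ssl, buf, sizeof (buf) - 1)) > 0)
    {
      buf[n] = '\0';
      printf ("%s\n", buf);
    }
  if (n < 0)
    ERR_print_errors_fp (stderr);

  /* Reachable now that the loop ends when the client goes away. */
  SSL_shutdown (ssl);
  SSL_free (ssl);
  SSL_CTX_free (ctx);
  close (ss);
  return 0;
}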

makefile
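.PHONY: all clean

OPENSSL_DIR = /usr/openssl-1.0.0c
CFLAGS = -Wall -I$(OPENSSL_DIR)/include
# Static archives in dependency order (libssl needs libcrypto); -ldl is
# needed by libcrypto's dynamic engine loader.
LDLIBS = $(OPENSSL_DIR)/libssl.a $(OPENSSL_DIR)/libcrypto.a -ldl

# Build each program only when its own source changes; the original
# `all: client.c server.c` relinked both on every invocation.
all: client server

client: client.c
	gcc $(CFLAGS) -o $@ $< $(LDLIBS)

server: server.c
	gcc $(CFLAGS) -o $@ $< $(LDLIBS)

clean:
	rm -f client server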