通过ECDSA证书发行提高asio [英] boost asio with ECDSA certificate issue
问题描述
我正在使用boost :: asio实现SSL服务器.
I am implementing SSL server using boost::asio.
上下文初始化显示在下面的代码中
The context initialization is shown in below code
boost::asio::ssl::context_base::method SSL_version =
static_cast<boost::asio::ssl::context_base::method>(param_values[ID_PROTOCOL_VERSION].int32_value);
// load certificate files
boost::shared_ptr<boost::asio::ssl::context> context_ = boost::shared_ptr<boost::asio::ssl::context>(
new boost::asio::ssl::context(SSL_version));
p_ctx = boost::static_pointer_cast<void>(context_);
context_->set_options(boost::asio::ssl::context::default_workarounds);
context_->use_certificate_chain_file(cert_chain_file);
context_->use_certificate_file(cert_file, boost::asio::ssl::context::pem);
context_->use_private_key_file(cert_file, boost::asio::ssl::context::pem);
context_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
context_->set_verify_callback(boost::bind(&verify_certificate_cb, _1, _2));
if (param_values[ID_CIPHER_LIST].int32_value != 0)
{
std::string cipher_list = "";
generate_cipher_list(param_values[ID_CIPHER_LIST].int32_value, cipher_list);
MA5G_logger::log(PRIORITY_INFO, "Supported cipher list %s", cipher_list.c_str());
SSL_CTX_set_cipher_list((reinterpret_cast<boost::asio::ssl::context*>(p_ctx.get()))->native_handle(),
cipher_list.c_str());
}
在cipher_list
中,我支持以下列表
AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA
使用ECDSA
证书,如果我使用上面给出的cipher_list
,则客户端无法连接到服务器,并给出错误"No shared cipher"
.但是,如果我不提供cipher_list
,则客户端可以成功连接到服务器.相同的密码列表对于RSA
证书也可以正常工作.
With ECDSA
certificates if I use cipher_list
given above then client can not connect to the server and gives error "No shared cipher"
. But if I do not give cipher_list
then the client can successfully connect to the server. The same cipher list works fine with RSA
certificates.
如果我将openssl s_server
与-cipher
选项一起使用以提供受支持的cipher_list
The same ECDSA certificates work fine if I use openssl s_server
with -cipher
option to provide supported cipher_list
任何人都可以帮助解决这个问题吗?
Can anyone help with this issue?
推荐答案
对不起,哥们,经过大量研究,我找到了答案.
No sorry buddy I found the answer after lot of research.
问题出在密码列表上,而不是密码/证书上.
The problem is with the cipher list and not with the code / certificate.
同一证书将openssl客户端-服务器使用ECDHE-ECDSA-AES256-SHA
密码,而boost asio SSL客户端-服务器使用ECDH-ECDSA-AES256-SHA
密码.
The same certificate uses ECDHE-ECDSA-AES256-SHA
cipher with openssl client-server while used ECDH-ECDSA-AES256-SHA
cipher for boost asio SSL client-server.
无论如何都要感谢@rkyser的帮助!
Anyways thanks @rkyser for your help!
这篇关于通过ECDSA证书发行提高asio的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!