SChannel/SSL 实现? [英] SChannel/SSL implementation?

问题描述

我可以轻松地使用win sockets"来实现 HTTP，但是我一直在努力使用SChannel"来实现 HTTPS，至少对我来说"这几乎没有记录.如何为 HTTPS 通信建立安全连接?是否有任何安全或性能方面的注意事项?

I can implement HTTP using "win sockets" easily , but I've been struggling to implement HTTPS using "SChannel" which is pretty much poorly documented "at least for me". How can I establish a secure connection for HTTPS communication and is there any security or performance considerations I should be aware of?

推荐答案

SChannel 与 Windows 集成得很好，允许您在不询问用户凭据的情况下执行身份验证.Schannel 的工作级别低于 HTTP.它允许您打开安全的 tcp 连接(ssl 套接字).您需要实现自己的 HTTP 堆栈来发送 HTTPS 请求或查找库.要习惯 Schannel，最好的起点是了解 Microsoft 的示例，这是一个客户端-服务器示例:

SChannel integrated quite well with Windows and allows you to perform authentication without asking the user's credentials. Schannel works on a lower level than HTTP. It allows you to open secure tcp connections (ssl socket). You need to implement you own HTTP stack to send HTTPS requests or find a library. To get used to Schannel the best place to start is to understand Microsoft's samples which is a client-server example:

客户端

服务器

它们是非常简单的示例，但足以理解基础知识.

They are pretty simple examples but enough to understand the basics.

Curl 已经使用 Schannel 有一段时间了，你可以找到一些非常有用的代码用于你的练习 https://github.com/curl/curl/blob/master/lib/vtls/schannel.c.

Curl has been using Schannel for a while and you can find some very useful code for your exercise https://github.com/curl/curl/blob/master/lib/vtls/schannel.c.

安全是一个很大的话题，这就是 Schannel 的目的.您将继承操作系统的安全风险.Microsoft 通常会快速修补安全问题.如果您只针对 Windows，它是一个不错的选择，因为它与 Windows 生态系统深度集成.例如，您不必像使用 openssl 那样部署自己的 ssl 证书，Schannel 将自动读取系统证书.您还可以轻松实现 NTLM 和 Kerberos 身份验证，而无需要求凭据，Schannel 将从运行您的软件的用户那里获得凭据句柄.总的来说，它是一个非常好的库，据我所知，与其他 SSL 库相比，没有性能损失.它经过良好测试并部署到全球数百万台机器上.

Security is a big topic and that's the purpose of Schannel. You will inherit the security risks of the operating system. Microsoft usually patches security issues quickly. If you are targeting Windows only, it is a good choice because of the deep integration to the Windows ecosystem. For example, you don't have to deploy your own ssl certificates like you do with openssl, Schannel will read the system certs automatically. You can also implement NTLM and Kerberos authentication easily without having to ask for credentials, Schannel will get a credentials handle from the user running your software. In general, it is pretty good library and as far as I know there is no performance penalty compared to other SSL libraries. It well tested and deployed to millions of machines around the world.

这篇关于SChannel/SSL 实现?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！