boost asio with ECDSA certificate issue


Problem description

I am implementing an SSL server using boost::asio.

The context initialization is shown in the code below:

    // protocol version comes from configuration
    boost::asio::ssl::context_base::method SSL_version =
            static_cast<boost::asio::ssl::context_base::method>(param_values[ID_PROTOCOL_VERSION].int32_value);

    // load certificate files
    boost::shared_ptr<boost::asio::ssl::context> context_ = boost::shared_ptr<boost::asio::ssl::context>(
            new boost::asio::ssl::context(SSL_version));
    p_ctx = boost::static_pointer_cast<void>(context_);

    context_->set_options(boost::asio::ssl::context::default_workarounds);

    context_->use_certificate_chain_file(cert_chain_file);
    context_->use_certificate_file(cert_file, boost::asio::ssl::context::pem);
    context_->use_private_key_file(cert_file, boost::asio::ssl::context::pem);

    // require a client certificate and verify it in verify_certificate_cb
    context_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
    context_->set_verify_callback(boost::bind(&verify_certificate_cb, _1, _2));

    // optionally restrict the cipher suites through the raw OpenSSL SSL_CTX handle
    if (param_values[ID_CIPHER_LIST].int32_value != 0)
    {
        std::string cipher_list = "";
        generate_cipher_list(param_values[ID_CIPHER_LIST].int32_value, cipher_list);
        MA5G_logger::log(PRIORITY_INFO, "Supported cipher list %s", cipher_list.c_str());
        SSL_CTX_set_cipher_list((reinterpret_cast<boost::asio::ssl::context*>(p_ctx.get()))->native_handle(),
                cipher_list.c_str());
    }

In cipher_list I support the following list:

AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA

With ECDSA certificates, if I use the cipher_list given above, the client cannot connect to the server and gets the error "No shared cipher". But if I do not set a cipher_list, the client connects to the server successfully. The same cipher list works fine with RSA certificates.

The same ECDSA certificates work fine if I use openssl s_server with the -cipher option to provide the supported cipher_list.

Can anyone help with this issue?

Recommended answer

No, sorry buddy, I found the answer after a lot of research.

The problem is with the cipher list and not with the code / certificate.

With the same certificate, the openssl client-server uses the ECDHE-ECDSA-AES256-SHA cipher, while the boost asio SSL client-server uses the ECDH-ECDSA-AES256-SHA cipher.

Anyway, thanks @rkyser for your help!
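The following is an added illustration, not code from the original question, the answer, Boost.Asio or OpenSSL. It models how a TLS 1.2 server built on OpenSSL narrows a configured cipher list down to the suites it can actually offer, which is what decides whether a client ends up with "No shared cipher". Two rules are applied; both are stated here as an assumption approximating OpenSSL 1.0.x behaviour rather than quoted from its source: a suite's authentication method (RSA or ECDSA, read from the OpenSSL suite name prefix) must match the key type of the loaded certificate, and ephemeral-ECDH (ECDHE-*) suites are only offered once an ECDH curve or temporary key has been set on the context (SSL_CTX_set_tmp_ecdh / SSL_CTX_set_ecdh_auto), something openssl s_server does on its own and the context shown in the question does not. The names `ServerConfig`, `classifySuite`, `offerableSuites` and `sharedSuites` are hypothetical helpers introduced for this example; the cipher list is the one from the question.

```cpp
// Added example, not part of the original post. Models OpenSSL-style suite
// selection for TLS 1.2 so the reader can see why an ECDSA certificate plus
// the question's cipher list yields an empty set (no shared cipher).
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// The exact cipher list from the question.
const std::string kQuestionCipherList =
    "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA";

struct SuiteInfo {
    std::string name;
    std::string kx;  // key exchange: "RSA", "ECDHE", "ECDH" (static), "DHE"
    std::string au;  // authentication: "RSA" or "ECDSA"
};

// Hypothetical server state relevant to suite selection (an assumption of
// this model): the certificate's key type and whether an ephemeral ECDH
// curve/temporary key has been configured on the SSL_CTX.
struct ServerConfig {
    std::string certKeyType;       // "RSA" or "EC"
    bool ephemeralEcdhConfigured;  // SSL_CTX_set_tmp_ecdh / SSL_CTX_set_ecdh_auto done?
};

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Classify an OpenSSL cipher-suite name by its key-exchange/authentication
// prefix. Names without a prefix (AES128-SHA, AES256-SHA256, ...) are the
// plain RSA key-exchange suites, which also authenticate with RSA.
SuiteInfo classifySuite(const std::string& name) {
    SuiteInfo s{name, "RSA", "RSA"};
    if (startsWith(name, "ECDHE-ECDSA-"))    { s.kx = "ECDHE"; s.au = "ECDSA"; }
    else if (startsWith(name, "ECDHE-RSA-")) { s.kx = "ECDHE"; s.au = "RSA"; }
    else if (startsWith(name, "ECDH-ECDSA-")) { s.kx = "ECDH";  s.au = "ECDSA"; }
    else if (startsWith(name, "ECDH-RSA-"))  { s.kx = "ECDH";  s.au = "RSA"; }
    else if (startsWith(name, "DHE-RSA-"))   { s.kx = "DHE";   s.au = "RSA"; }
    return s;
}

// Split an OpenSSL cipher list string on ':'.
std::vector<std::string> splitCipherList(const std::string& list) {
    std::vector<std::string> out;
    std::stringstream ss(list);
    std::string item;
    while (std::getline(ss, item, ':')) {
        if (!item.empty()) out.push_back(item);
    }
    return out;
}

// Suites the server can actually offer from its configured list, in the
// list's order. Gating rules are the model's assumptions described above.
std::vector<std::string> offerableSuites(const std::string& cipherList, const ServerConfig& cfg) {
    std::vector<std::string> out;
    for (const std::string& name : splitCipherList(cipherList)) {
        SuiteInfo s = classifySuite(name);
        // Rule 1: authentication must match the certificate key type.
        if (s.au == "RSA" && cfg.certKeyType != "RSA") continue;
        if (s.au == "ECDSA" && cfg.certKeyType != "EC") continue;
        // Rule 2: ephemeral ECDH needs a curve/tmp key on the context.
        if (s.kx == "ECDHE" && !cfg.ephemeralEcdhConfigured) continue;
        out.push_back(name);
    }
    return out;
}

// Suites both sides can use, in server preference order. Empty means the
// handshake fails with "no shared cipher".
std::vector<std::string> sharedSuites(const std::vector<std::string>& server,
                                      const std::vector<std::string>& client) {
    std::vector<std::string> out;
    for (const std::string& s : server) {
        if (std::find(client.begin(), client.end(), s) != client.end()) out.push_back(s);
    }
    return out;
}

int main() {
    // Client offers the same list in every scenario.
    std::vector<std::string> client = splitCipherList(kQuestionCipherList);
    const ServerConfig scenarios[] = {
        {"RSA", false},  // RSA certificate, as in the working case from the question
        {"EC", false},   // ECDSA certificate, no ECDH curve configured
        {"EC", true},    // ECDSA certificate after SSL_CTX_set_ecdh_auto/set_tmp_ecdh
    };
    for (const ServerConfig& cfg : scenarios) {
        std::vector<std::string> shared = sharedSuites(offerableSuites(kQuestionCipherList, cfg), client);
        std::cout << "cert=" << cfg.certKeyType << " ecdh=" << (cfg.ephemeralEcdhConfigured ? "yes" : "no")
                  << " -> " << (shared.empty() ? "no shared cipher" : shared.front()) << "\n";
    }
    return 0;
}
```

Run against the question's list, the model leaves five RSA suites for an RSA certificate and, for an ECDSA certificate, only the four ECDHE-ECDSA suites, all of which are dropped again if no ephemeral ECDH curve is configured, leaving nothing to negotiate. The OpenSSL default cipher list also contains static ECDH-ECDSA suites such as ECDH-ECDSA-AES256-SHA, which pass both rules without a curve, consistent with what the answer observed when no cipher list was set. Two caveats: OpenSSL 1.1.0 and later select the ECDH curve automatically, so the second rule no longer bites there, and TLS 1.3 suites are not tied to the certificate key type at all, so this reasoning applies to TLS 1.2 and earlier only.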
