What is boost::asio::ssl::context::load_verify_file and how to work with it?


Question

There is a very small amount of boost::asio::ssl small C++ educational code online. Even less on boost::asio::ssl::context::load_verify_file. So I found one from here, code with minimal modifications - compiles and runs with boost 1.47.0:

#include <boost/asio.hpp>
#include <boost/asio/ssl.hpp>
#include <boost/bind.hpp>
#include <iostream>
#include <istream>
#include <ostream>
#include <sstream>   // std::stringstream (this include was missing)
#include <string>


class client
{
public:
    client(boost::asio::io_service& io_service, boost::asio::ssl::context& context, boost::asio::ip::tcp::resolver::iterator endpoint_iterator)
        : socket_(io_service, context)
    {
        // verify_none: the callback below is still called, but its result never rejects the peer.
        socket_.set_verify_mode(boost::asio::ssl::context::verify_none);
        socket_.set_verify_callback(boost::bind(&client::verify_certificate, this, _1, _2));

        boost::asio::async_connect(socket_.lowest_layer(), endpoint_iterator, boost::bind(&client::handle_connect, this, boost::asio::placeholders::error));
    }

    bool verify_certificate(bool preverified, boost::asio::ssl::verify_context& ctx)
    {
        // Print the subject of the certificate currently being checked in the chain.
        char subject_name[256];
        X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
        X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
        std::cout << "Verifying:\n" << subject_name << std::endl;

        return preverified;
    }

    void handle_connect(const boost::system::error_code& error)
    {
        if(!error){
            std::cout << "Connection OK!" << std::endl;
            socket_.async_handshake(boost::asio::ssl::stream_base::client, boost::bind(&client::handle_handshake, this, boost::asio::placeholders::error));
        }else{
            std::cout << "Connect failed: " << error.message() << std::endl;
        }
    }

    void handle_handshake(const boost::system::error_code& error)
    {
        if(!error){
            std::cout << "Sending request: " << std::endl;

            std::stringstream request_;

            request_ << "GET /api/0/data/ticker.php HTTP/1.1\r\n";
            request_ << "Host: mtgox.com\r\n";
            request_ << "Accept-Encoding: *\r\n";
            request_ << "\r\n";

            std::cout << request_.str() << std::endl;

            boost::asio::async_write(socket_, boost::asio::buffer(request_.str()), boost::bind(&client::handle_write, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
        }else{
            std::cout << "Handshake failed: " << error.message() << std::endl;
        }
    }

    void handle_write(const boost::system::error_code& error, size_t bytes_transferred)
    {
        if (!error){
            std::cout << "Sending request OK!" << std::endl;
            // Read whatever part of the reply has arrived. The original code read exactly
            // bytes_transferred bytes (the request length), which has nothing to do with the reply size.
            socket_.async_read_some(boost::asio::buffer(reply_), boost::bind(&client::handle_read, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
        }else{
            std::cout << "Write failed: " << error.message() << std::endl;
        }
    }

    void handle_read(const boost::system::error_code& error, size_t bytes_transferred)
    {
        if (!error){
            std::cout << "Reply: ";
            std::cout.write(reply_, bytes_transferred);
            std::cout << "\n";
        }else{
            std::cout << "Read failed: " << error.message() << std::endl;
        }
    }

private:
    boost::asio::ssl::stream<boost::asio::ip::tcp::socket> socket_;
    char reply_[0x1 << 16];
};

int main(int argc, char* argv[])
{
    try{
        boost::asio::io_service io_service;

        boost::asio::ip::tcp::resolver resolver(io_service);
        boost::asio::ip::tcp::resolver::query query("mtgox.com", "443");
        boost::asio::ip::tcp::resolver::iterator iterator = resolver.resolve(query);

        boost::asio::ssl::context context(boost::asio::ssl::context::sslv23);
        //context.load_verify_file("key.pem"); // uncomment this line

        client c(io_service, context, iterator);

        io_service.run();
    }catch (std::exception& e){
        std::cerr << "Exception: " << e.what() << "\n";
    }

    std::cin.get();
    return 0;
}

Here is one really curious line: context.load_verify_file("key.pem"); So I've got some questions about it:

  1. What does it mean for me as an http client?
  2. Is it sent to the server?
  3. How to create such a file?
  4. What is it for anyway?
  5. Code compiles and works without it. Is it OK? Is our connection to the server safe without that key.pem?
  6. I want to use google or other big ssl hosts. What shall I do?

Answer

In short:

The .pem file can contain a certificate (public key), or a private key, or a combination of both. PEM is a way to encode data, and X509 certificates are usually used with PEM. For example the server reads the .pem file and sends the certificate to a client so that the client can verify it before connecting.

A server with a self-signed certificate will pop a warning on today's browsers saying that it's not trusted (unless signed by a CA, and browsers have a database of signed CAs which they use in order to verify if the certificate is "valid" or not) and you can examine the certificate details and decide if you want to trust that site or not. A good example is the IETF.org link since their certificate expired not so long ago :)

  1. As a client, it may mean something but it doesn't need to unless you need it to be. That is to say, if the server sends the certificate, your client may want to verify it before continuing, and in that case you will need the information from the CA that signed the server certificate, which can be loaded from a .pem file containing the CA information. If your client doesn't care about verification then it doesn't need it.

Basically the load_verify_file() function loads the CA information in order to perform verification of a certificate sent by the server.

You can create your own CA file and sign your own server certificate and then use your own CA file with the client in order to verify that you are connecting to your own server.

Re 1. No, the client does not send it.

If you want to learn more, here is a guide straight from duckduckgo.

Read 3 and the beginning of this post.

If the client accepts the server's certificate just fine and is not rejecting it since it can't verify it, then it's fine. Easy to check: enable only SSL connections to/from the server and see if the client will connect and perform the work it should, or just sniff the traffic and look it up.

Not sure what you mean there. Buying an SSL host? If so, the problem will still be with your client, whether it wants to accept the connection or not.
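To make question 3 ("How to create such a file?") and the answer's "create your own CA file and sign your own server certificate" concrete, here is an added shell script (not from the question or the answer) that builds a private CA with openssl, signs a server certificate with it, and checks the server certificate against the right and against an unrelated CA file, which is the same trust decision a client makes with the file given to load_verify_file. All file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a private CA, sign a
# server certificate with it, and check the chain the way a client that loaded
# ca.pem via load_verify_file would. File and subject names are assumptions.
set -eu

WORK=$(mktemp -d)

# 1. Private CA: key + self-signed certificate. ca.pem is what the client loads.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Server key + CSR, signed by the CA. The server presents server.pem in the
#    handshake; the client never sends ca.pem, it only uses it to check this cert.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# 3. Does server.pem chain to the CA file given as $1? This is the same trust
#    decision verify_peer makes with the file passed to load_verify_file.
verify_against() {
    if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
        return 1
    fi
}

make_ca
make_server_cert
verify_against "$WORK/ca.pem"             # ok: server cert was signed by this CA

# A second, unrelated CA: the same server cert must be rejected against it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
verify_against "$WORK/other.pem" || true  # FAIL: wrong trust anchor
```

For the asker's client to actually reject a certificate that fails this check, the context needs load_verify_file with this ca.pem and the socket needs set_verify_mode(boost::asio::ssl::verify_peer) instead of verify_none, which accepts any certificate regardless of what the callback prints.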
