Turn a simple socket into an SSL socket


Problem description

I wrote simple C programs, which are using sockets ('client' and 'server'). (UNIX/Linux usage)

The server side simply creates a socket:

sockfd = socket(AF_INET, SOCK_STREAM, 0);

And then binds it to sockaddr:

bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr));

And listens (and accepts and reads):

listen(sockfd,5);
newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);
read(newsockfd,buffer,255);

The client creates the socket, and then writes to it.

Now, I want to convert this simple connection into an SSL connection, in the plainest, most idyllic, neatest and quickest way.

I've tried to add OpenSSL to my project, but I can't find an easy way to implement what I want.

Recommended answer

There are several steps when using OpenSSL. You must have an SSL certificate made, which can contain the certificate with the private key; be sure to specify the exact location of the certificate (this example has it in the root). There are a lot of good tutorials out there.

Some includes:

#include <openssl/applink.c>   /* only needed when building on Windows; drop it on UNIX/Linux */
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

You will need to initialize OpenSSL:

void InitializeSSL()
{
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();
}

void DestroySSL()
{
    ERR_free_strings();
    EVP_cleanup();
}

void ShutdownSSL()
{
    SSL_shutdown(cSSL);
    SSL_free(cSSL);
}

Now for the bulk of the functionality. You may want to add a while loop on connections.

int sockfd, newsockfd, ssl_err;
SSL_CTX *sslctx;
SSL *cSSL;
struct sockaddr_in saiServerAddress, cli_addr;
socklen_t clilen = sizeof(cli_addr);

InitializeSSL();
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 0)
{
    //Log and Error
    return;
}
bzero((char *) &saiServerAddress, sizeof(saiServerAddress));
saiServerAddress.sin_family = AF_INET;
saiServerAddress.sin_addr.s_addr = htonl(INADDR_ANY);   //or the specific address to listen on
saiServerAddress.sin_port = htons(aPortNumber);

//Bind the address that was just filled in
bind(sockfd, (struct sockaddr *) &saiServerAddress, sizeof(saiServerAddress));

listen(sockfd,5);
newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);

sslctx = SSL_CTX_new( SSLv23_server_method());
SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE);
int use_cert = SSL_CTX_use_certificate_file(sslctx, "/serverCertificate.pem" , SSL_FILETYPE_PEM);

int use_prv = SSL_CTX_use_PrivateKey_file(sslctx, "/serverCertificate.pem", SSL_FILETYPE_PEM);
if (use_cert != 1 || use_prv != 1)
{
    //Certificate or private key could not be loaded; log and abort
    return;
}

cSSL = SSL_new(sslctx);
SSL_set_fd(cSSL, newsockfd );
//Here is the SSL Accept portion.  Now all reads and writes must use SSL
ssl_err = SSL_accept(cSSL);
if(ssl_err <= 0)
{
    //Error occurred, log and close down ssl
    ShutdownSSL();
}

Then you can use:

SSL_read(cSSL, (char *)charBuffer, nBytesToRead);
SSL_write(cSSL, "Hi :3\n", 6);

Update: The SSL_CTX_new should be called with the TLS method that best fits your needs in order to support the newer versions of security, instead of SSLv23_server_method(). See: OpenSSL SSL_CTX_new description

TLS_method(), TLS_server_method(), TLS_client_method(). These are the general-purpose version-flexible SSL/TLS methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
