如何添加到PFS插槽服务器用C语言编写和OpenSSL [英] How to add PFS to socket server written in c and openssl

问题描述

我尝试PFS（完全正向保密）添加到我的客户端 - 服务器应用程序。

I try to add PFS (perfect forward secrecy) to my client-server application.

当我运行以下命令的服务器：

When I run a server with the following command:

openssl s_server -key ./key.pem -cert ./cert.pem -accept 443 -cipher ECDHE-RSA-AES128-SHA -tls1_2

我能够与下面给出CTX我的客户端连接：

I am able to connect with my client given the following ctx:

SSL_CTX* initCTX() {
    SSL_METHOD *method;
    SSL_CTX *ctx;

    SSL_library_init();
    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();
    method = TLSv1_2_client_method();
    ctx = SSL_CTX_new(method);

    if(ctx == NULL) {
            ERR_print_errors_fp(stderr);
            return NULL;
    }

    SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA");

    return ctx;
}

当我运行下面的CTX我的服务器应用程序：

When I run my server application with the following ctx:

SSL_CTX* init_ssl_ctx() {
    SSL_METHOD const *method;
    SSL_CTX *ctx;

    SSL_library_init();
    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();
    method = TLSv1_2_server_method();

    ctx = SSL_CTX_new(method);
    if(ctx == NULL) {
            ERR_print_errors_fp(stderr);
            abort();
    }
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
    SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-SHA");

    // ADDITIONAL CTX MODIFICATIONS TO ENABLE ECDHE

    SSL_CTX_use_certificate_file(ctx, "./cert.pem", SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, "./key.pem", SSL_FILETYPE_PEM);
    return ctx;
}

和尝试与客户端连接，然后我得到一个没有共享密码错误。
私钥已与创建的OpenSSL genrsa 。

and try to connect with the client, then I get an no shared cipher error. The private key has been created with openssl genrsa.

那么我的问题是：我怎么有修改CTX添加ECDHE支持。我想我必须选择一个曲线，我可能需要为每个连接创建和交换密钥。

Well my question is: How do I have to modify the ctx to add ECDHE support. I guess that I have to select a curve and I probably need to create and exchange keys for every connection.

我还需要私钥文件？当是 - 这是什么？用

Do I still need the private key file? And when yes — what is it used for?

推荐答案

好吧我居然错过了是Diffie-Hellman参数的配置和椭圆曲线的Diffie-Hellman。如果不配置这些...

Well what I actually missed was the configuration of the Diffie-Hellman parameters and the Elliptic curve Diffie-Hellman. If you do not configure them ...

在PFS密码套件将被忽略

更多信息和如何配置，包括Diffie-Hellman参数和椭圆曲线的Diffie-Hellman在C socket服务器的例子可以在这里找到：的 http://wiki.openssl.org/index.php/Diffie-Hellman_parameters

More information and examples on how to configure and include Diffie-Hellman parameters and Elliptic curve Diffie-Hellman in your C socket server can be found here: http://wiki.openssl.org/index.php/Diffie-Hellman_parameters

这篇关于如何添加到PFS插槽服务器用C语言编写和OpenSSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！