相互身份验证总是使用OpenSSL成功 [英] Mutual authentication always succeeds with OpenSSL
问题描述
我使用openssl和zmq写入服务器和客户端。
我的客户端和服务器需要相互认证。
,但是在服务器上设置 SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_FAIL_IF_NO_PEER_CERT,NULL)后,握手始终会成功确认客户端是否发送证书。
此外, SSL_get_peer_certificate(tls-> get_ssl _())返回null和 SSL_get_verify_result(tls-> get_ssl _ / code> return 0表示 X509_V_OK 。
现在我真的很困惑和绝望。任何建议或更正?
这是我的代码的一部分:
OpenSSL_add_all_algorithms
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
const SSL_METHOD * meth;
SSL_CTX * ssl_ctx;
// **************************客户端的一部分*********** *************
{
meth = SSLv23_client_method();
ssl_ctx = SSL_CTX_new(meth);
SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,NULL);
int rc1 = SSL_CTX_load_verify_locations(ssl_ctx,.\\demoCA\\private\\server_chain.pem,。\\demoCA\\private\ \); ///
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,pw);
std :: string cert_chain(。\\demoCA\\private\\client_chain.pem);
std :: string cert(。\\demoCA\\private\\client_crt.pem);
std :: string key(。\\demoCA\\private\\client_key.pem);
int code = SSL_CTX_use_certificate_chain_file(ssl_ctx,cert_chain.c_str());
if(code!= 1)
{
std :: cout<<error1\\\
;
//抛出TLSException(读取凭据失败。
}
code = SSL_CTX_use_PrivateKey_file(ssl_ctx,key.c_str(),SSL_FILETYPE_PEM);
i f(code!= 1)
{
std :: cout<<error2\\\
;
//抛出TLSException(读取凭据失败。
}
if(!SSL_CTX_check_private_key(ssl_ctx))
{
std :: cout<<key wrong;
system(pause);
exit(0);
}
}
// *****************服务器的一部分********** ******************
{
meth = SSLv23_server_method();
ssl_ctx = SSL_CTX_new(meth);
SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_FAIL_IF_NO_PEER_CERT,NULL)
SSL_CTX_set_client_CA_list(ssl_ctx,SSL_load_client_CA_file(。\\demoCA\\private\\client_chain.pem)); / /
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,pw);
std :: string cert_chain(。\\demoCA\\private\\server_chain.pem);
std :: string cert(。\\demoCA\\private\\server_crt.pem);
std :: string key(。\\demoCA\\private\\server_key.pem);
int rc = SSL_CTX_use_certificate_file(ssl_ctx,cert.c_str(),SSL_FILETYPE_PEM);
if(rc!= 1)
{
//抛出TLSException(读取凭据失败。
std :: cout<<error1\\\
;
}
rc = SSL_CTX_use_PrivateKey_file(ssl_ctx,key.c_str(),SSL_FILETYPE_PEM);
if(rc!= 1)
{
//抛出TLSException(读取凭据失败。
std :: cout<<error2\\\
;
}
int rcode = SSL_CTX_check_private_key(ssl_ctx);
if(rcode!= 1)
{
std :: cout<<key wrong;
system(pause);
// exit(0);
}
}
SSL_CTX_set_verify 的文档:
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
服务器模式:如果客户端没有返回证书,则TLS / SSL握手立即以握手失败警报。 此标记必须与SSL_VERIFY_PEER一起使用。
您未将它与 SSL_VERIFY_PEER ,因此它没有效果。
I am using openssl and zmq to write a server and a client.
My client and server need mutual authentication.
but after I set SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_FAIL_IF_NO_PEER_CERT,NULL) on server, the handshake always successes whether the client send the certificate or not.
In addition, SSL_get_peer_certificate(tls->get_ssl_()) return null and SSL_get_verify_result(tls->get_ssl_()) return 0 which means X509_V_OK.
I am really confused and desperate now. Any suggestions or corrections?
This is part of my code:
OpenSSL_add_all_algorithms();
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
const SSL_METHOD *meth;
SSL_CTX *ssl_ctx;
//**************************part of client************************
{
meth = SSLv23_client_method();
ssl_ctx = SSL_CTX_new(meth);
SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,NULL);
int rc1 = SSL_CTX_load_verify_locations(ssl_ctx, ".\\demoCA\\private\\server_chain.pem",".\\demoCA\\private\\");///
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,"pw");
std::string cert_chain(".\\demoCA\\private\\client_chain.pem");
std::string cert(".\\demoCA\\private\\client_crt.pem");
std::string key(".\\demoCA\\private\\client_key.pem");
int code = SSL_CTX_use_certificate_chain_file(ssl_ctx,cert_chain.c_str());
if (code != 1)
{
std::cout<<"error1\n";
//throw TLSException("failed to read credentials.");
}
code = SSL_CTX_use_PrivateKey_file(ssl_ctx,key.c_str(),SSL_FILETYPE_PEM);
i f (code != 1)
{
std::cout<<"error2\n";
//throw TLSException("failed to read credentials.");
}
if(!SSL_CTX_check_private_key(ssl_ctx))
{
std::cout<<"key wrong";
system("pause");
exit(0);
}
}
//*****************part of server****************************
{
meth = SSLv23_server_method();
ssl_ctx = SSL_CTX_new(meth);
SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_FAIL_IF_NO_PEER_CERT,NULL)
SSL_CTX_set_client_CA_list(ssl_ctx,SSL_load_client_CA_file(".\\demoCA\\private\\client_chain.pem"));//
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,"pw");
std::string cert_chain(".\\demoCA\\private\\server_chain.pem");
std::string cert(".\\demoCA\\private\\server_crt.pem");
std::string key(".\\demoCA\\private\\server_key.pem");
int rc = SSL_CTX_use_certificate_file(ssl_ctx,cert.c_str(),SSL_FILETYPE_PEM);
if (rc!=1)
{
//throw TLSException("failed to read credentials.");
std::cout<<"error1\n";
}
rc = SSL_CTX_use_PrivateKey_file(ssl_ctx,key.c_str(),SSL_FILETYPE_PEM);
if (rc!=1)
{
//throw TLSException("failed to read credentials.");
std::cout<<"error2\n";
}
int rcode = SSL_CTX_check_private_key(ssl_ctx);
if(rcode!=1)
{
std::cout<<"key wrong";
system("pause");
//exit(0);
}
}
From the documentation of SSL_CTX_set_verify:
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
Server mode: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a "handshake failure" alert. This flag must be used together with SSL_VERIFY_PEER.
You did not use it together with SSL_VERIFY_PEER as described in the documentation and thus it has no effect.
这篇关于相互身份验证总是使用OpenSSL成功的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
