设置支持SNI的TLS1.2连接 [英] Setting up TLS1.2 connection which supports SNI
问题描述
我们正在尝试设置TLS1.2连接。已经在Macbook中下载了最新的OpenSSL。使用此代码创建TLS1.2连接。
但是这条特定的线路可能会导致这个问题。它使用TLSv1。
We are trying to setup TLS1.2 connection. Have downloaded the latest OpenSSL in the Macbook. Using this code to create the TLS1.2 connection.
However this particular line is possibly causing the issue. It uses TLSv1.
/* ---------------------------------------------------------- *
* Set SSLv2 client hello, also announce SSLv3 and TLSv1 *
* ---------------------------------------------------------- */
method = SSLv23_client_method();
尝试 TLSv1_2_client_method()方法,但它给出以下链接错误:
Tried TLSv1_2_client_method() method, but it gives below linking error:
架构x86_64的未定义符号:_ TLSv1_2_client_method,
引自:
_main in sslconnect-7aa462.o
Undefined symbols for architecture x86_64: "_TLSv1_2_client_method", referenced from: _main in sslconnect-7aa462.o
如果有人可以帮助创建TLS1.2连接然后从中调用,那将是一个很好的帮助目标C(如果套接字编程需要一些特殊处理)。
It would be a great help, if someone can assist in creating TLS1.2 connection and then calling from the objective C (if some special treatment required for socket programming).
[请注意,我不是iOS用户。我正在帮助团队解决问题。也是套接字编程的新手,虽然团队有一定的经验。]
[Kindly note that, I am not an iOS person. I am helping a team to fix a problem. Also newbie to socket programming myself, though the team has some experience.]
推荐答案
尝试过TLSv1_2_client_method( )方法,但它给出了以下链接
错误:
Tried TLSv1_2_client_method() method, but it gives below linking error:
架构x86_64的未定义符号:_ TLSv1_2_client_method,引自:sslconnect中的
_main- 7aa462.o
Undefined symbols for architecture x86_64: "_TLSv1_2_client_method", referenced from: _main in sslconnect-7aa462.o
好的,这听起来像是在链接 x86_64 ,但你需要iOS。您可以使用以下两个命令验证体系结构:
OK, it sounds like you are linking against x86_64, but you need iOS. You can verify the architecture with the following two commands:
xcrun -sdk iphoneos lipo -info libcrypto.a
xcrun -sdk iphoneos lipo -info libssl.a
例如:
$ xcrun -sdk iphoneos lipo -info /usr/local/ssl/ios/lib/libcrypto.a
Architectures in the fat file: /usr/local/ssl/ios/lib/libcrypto.a are: armv7 armv7s arm64 i386
前三个体系结构是自我解释的;而i386适用于iOS调试器。
The first three architectures are self explanatory; while i386 is for the iOS debugger.
注意: / usr / local / ssl / ios / 是我在构建之后安装OpenSSL for iOS的地方。 Apple不提供它。
Note: /usr/local/ssl/ios/ is where I installed OpenSSL for iOS after I built it. Apple does not provide it.
如果您没有四种iOS架构,那么您有两种选择。首先,您可以根据 OpenSSL FIPS用户指南中的iOS程序进行构建对象模块,附录E.2,第122页。
If you don't have the four iOS architectures, then you have two options. First, you can build based on the iOS procedures in the User Guide for the OpenSSL FIPS Object Module, Appendix E.2, page 122.
其次是从GitHub下载预建版本。这是使用OpenSSL程序构建的OpenSSL 1.0.1h noloader 的GitHub。这是来自 Stefan Arentz 的另一个,它看起来很受欢迎,但它的OpenSSL 1.0.1g。
Second is to download a prebuilt version from a GitHub. Here's a GitHub by noloader with OpenSSL 1.0.1h built using OpenSSL's procedures. Here's another one from Stefan Arentz that seems to be pretty popular, but its OpenSSL 1.0.1g.
然后从目标C调用
and then calling from the objective C
C与Objective C一起正常工作。调用它没什么特别的。
C works fine with Objective C. There's nothing special about calling it.
...支持iPhone应用程序的SNI
...supports SNI for an iPhone application
在客户端,您需要设置服务器名称包含 SSL_set_tlsext_host_name 。
On clients, you will need to set the server name with SSL_set_tlsext_host_name.
在服务器上,由于您处理回调,因此更加复杂。有关示例,请参阅在一个包含SNI的框中提供多个域。
On servers, its more involved because you deal with a callback. For an example, see Serving multiple domains in one box with SNI.
对此的快速评论:
方法= SSLv23_client_method();
method = SSLv23_client_method();
...尝试过TLSv1_2_client_method()方法
... Tried TLSv1_2_client_method() method
理想情况下,您需要执行以下操作:
Ideally, you perofrm something like this:
SSL_library_init();
SSL_load_error_strings();
const SSL_METHOD* method = SSLv23_method();
if(NULL == method) handleFailure();
SSL_CTX* ctx = SSL_CTX_new(method);
if(ctx == NULL) handleFailure();
/* Cannot fail ??? */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);
...
SSLv23_method 为您提供SSLv2及更高版本。然后删除你不想要的东西,比如SSLv2,SSLv3和压缩。这使您获得TLS 1.0及更高版本(TLS 1.3即将到来,因此您无需更改源代码即可获得)。您将获得服务器支持的最高协议(例如,TLS 1.2)。
The SSLv23_method gets you SSLv2 and above. Then you remove what you don't want, like SSLv2, SSLv3 and compression. That leaves you with TLS 1.0 and above (TLS 1.3 is around the corner, so you get it with no source code changes). You will get the highest protocol that the server supports (for example, TLS 1.2).
另一方面,这将只为您提供TLS 1.2:
On the other hand, this will get you only TLS 1.2:
SSL_library_init();
SSL_load_error_strings();
const SSL_METHOD* method = TLSv1_2_client_method();
if(NULL == method) handleFailure();
这意味着你将无法连接到运行TLS 1.0的服务器(就像许多IIS服务器一样) 。 如果使用ECC连接到Google服务器,则需要确保禁用压缩。否则,您将失败,因为Google在使用带有ECC的TLS 1.2时必须禁用压缩。
That means you won't be able to connect to servers running TLS 1.0 (like many IIS servers). And if you connect to a Google server using ECC, then you need to ensure compression is disabled. Otherwise, you will fail because Google has an odd requirement that compression must be disabled when using TLS 1.2 with ECC.
如果您发表评论:
/* ---------------------------------------------------------- *
* Set SSLv2 client hello, also announce SSLv3 and TLSv1 *
* ---------------------------------------------------------- */
你会使用以下内容,但我不喜欢推荐它:
You would use the following, though I don't recommend it:
long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLS1_1 | SSL_OP_NO_TLS1_2;
我不推荐它,因为它禁用了TLS 1.2和TLS 1.1;它启用SSLv3。 2014年没有理由使用SSLv3。
I don't recommend it because it disables TLS 1.2 and TLS 1.1; and it enables SSLv3. There's no reason for SSLv3 in 2014.
还有另一条评论....
Yet another comment....
请务必使用 SSL_CTX_set_cipher_list 设置密码套件。挑选你最喜欢的16个左右,忽略其余部分。对于它上面的文档(以及密码套件的名称,如 DHE-RSA-AES256-SHA ),请参阅 SSL_CTX_set_cipher_list(3) 和 密码(1) 。
Be sure to set your cipher suites with SSL_CTX_set_cipher_list. Pick 16 or so of your favorite, and ignore the rest. For the docs on it (and the names of the cipher suites like DHE-RSA-AES256-SHA), see SSL_CTX_set_cipher_list(3) and ciphers(1).
选择16个左右的密码套件可实现两个目标。首先,它确保您得到您想要的。其次,它确保像F5或IronPort这样的旧设备不会窒息。较旧的设备使用固定大小的缓冲区,并且该缓冲区对于具有80多个密码套件的 ClientHello 而言太小。如果有16或20个密码套件, ClientHello 会通过。
Choosing 16 or so cipher suites achieves two goals. First, it ensures you get exactly what you want. Second, it ensures older appliances like an F5 or an IronPort does not choke. The older appliances use a fixed size buffer, and that buffer is too small for a ClientHello with 80+ cipher suites. The ClientHello passes if there are 16 or 20 cipher suites.
最后一条评论....
And one last comment....
1.1.0之前的OpenSSL 不执行主机名匹配。但是,它确实执行其他常规检查。因此,如果您使用1.0.2或更低版本,则必须执行主机名匹配。有关检查的信息,请参阅OpenSSL wiki上的 SSL / TLS客户端。
OpenSSL prior to 1.1.0 does not perform hostname matching. However, it does perform the other customary checks. So if you are usong 1.0.2 or below, you will have to perform the hostname matching. For information on the checks, see SSL/TLS Client on the OpenSSL wiki.
这篇关于设置支持SNI的TLS1.2连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
