SSL handshake and CA certificate validation

Reprinted: https://www.cnblogs.com/cposture/p/9029014.html

SSL authentication

Communication between an SSL server and a client can use either one-way (server-only) or two-way (mutual) SSL authentication.

In one-way SSL authentication the client verifies the server's legitimacy from the certificate the server sends. The check covers: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the "issuer digital signature" on the server certificate, and whether the domain name in the server certificate matches the domain name the client is actually connecting to.

Two-way SSL authentication additionally requires the server to verify the client's legitimacy, using the same kind of check that the client applies to the server in one-way authentication.

Payment interfaces in finance have relatively high security requirements: besides verifying message signatures they often require two-way SSL certificate authentication, so after a service is opened the third party sends us a client certificate that has to be installed.

To understand the SSL protocol better, we focus on its handshake. SSL uses both public-key (asymmetric) and symmetric encryption: symmetric encryption is much faster, while public-key encryption provides a better way to authenticate the peer. The handshake protocol lets the client and server authenticate each other; the main steps (described here for the RSA key exchange used by TLS 1.2 and earlier) are:
  ① The client sends the server its SSL protocol version, the cipher suites it supports, a freshly generated random number and the other information needed to set up the connection.
  ② The server replies with its SSL protocol version, the chosen cipher suite, its own random number and related information, and sends its certificate to the client.
  ③ The client verifies the server certificate: whether it has expired, whether the issuing CA is trusted, whether the issuer's public key verifies the issuer's digital signature on the certificate, and whether the domain name in the certificate matches the server's actual domain name. If verification fails, the connection is terminated; if it passes, the handshake continues with step ④.
  ④ The client generates a random "pre-master secret" for the session, encrypts it with the server's public key (taken from the certificate received in step ②) and sends the encrypted pre-master secret to the server.
  ⑤ If the server requires client authentication (optional in the handshake), the client sends its own certificate together with a signature, made with its private key, over the handshake messages exchanged so far, along with the encrypted pre-master secret.
  ⑥ If client authentication is required, the server verifies the client certificate and the signature: the certificate's validity period, whether the issuing CA is trusted, whether the CA's public key verifies the issuing CA's signature on the client certificate, and whether the certificate appears on the CA's certificate revocation list (CRL). If any check fails, the connection is terminated immediately; otherwise the server decrypts the pre-master secret with its private key and derives the master secret from it (the client derives the same master secret by the same procedure).
  ⑦ From the shared master secret the server and client derive the session keys, the symmetric keys that protect the SSL data traffic. The data is also integrity-protected so that any modification in transit is detected.
  ⑧ The client tells the server that subsequent data will be protected with the keys derived in step ⑦ and signals that its side of the handshake is complete.
  ⑨ The server tells the client the same and signals that its side of the handshake is complete.
  ⑩ The handshake is over and the secure channel is established; the two sides exchange data encrypted with the same symmetric keys and check the integrity of every record.

  The specific flow of two-way SSL authentication
  ① The browser sends a connection request to the secure server.
  ② The server sends its own certificate, together with information related to the certificate, to the client browser.
  ③ The client browser checks whether the certificate the server sent was issued by a CA that it trusts. If so, the protocol continues; if not, the browser warns the user that the certificate is not trusted and asks whether to continue.
  ④ The client browser then compares the information in the certificate, such as the domain name and the public key, with what the server just sent; if they agree, the browser accepts the server as legitimate.
  ⑤ The server asks the client to send the client's own certificate. On receipt, the server verifies the client certificate; if verification fails the connection is refused; if it succeeds the server obtains the user's public key.
  ⑥ The client browser tells the server which symmetric cipher schemes it supports.
  ⑦ From the schemes the client offered, the server chooses the strongest one and tells the browser, encrypted with the client's public key.
  ⑧ For that cipher scheme the browser chooses a session key, encrypts it with the server's public key and sends it to the server.
  ⑨ The server decrypts the message from the browser with its private key and obtains the session key.
  ⑩ From then on the server and the browser communicate using the negotiated symmetric cipher with that session key.
  The above is the flow of two-way SSL authentication, which requires certificates on both the server and the user side. One-way SSL authentication does not require a client CA certificate; relative to the steps above, the server-side verification of the client certificate is simply dropped, and when negotiating the symmetric cipher scheme and session key the server sends its chosen scheme to the client unencrypted (which does not affect the security of SSL). Either way the actual communication content is encrypted; an attacker who captures the traffic has to break the encryption to obtain anything useful, so security then rests on the strength of the cipher. With the ciphers in use today, a sufficiently long key is sufficiently secure, which is why we emphasize the requirement for 128-bit encryption.


Implementing the authentication

The curl_easy_setopt options related to one-way SSL authentication are:

  • CURLOPT_SSL_VERIFYPEER: whether cURL verifies the peer's certificate; 1 verifies, 0 does not. The CA certificates to verify against are supplied as a file with CURLOPT_CAINFO or as a directory with CURLOPT_CAPATH.
  • CURLOPT_SSL_VERIFYHOST: 2 means cURL checks that the server certificate carries the host name being connected to; 0 disables the name check. (1 is a legacy value: current libcurl treats it the same as 2 and documents that it should not be used, and some 7.x releases rejected it outright.) The name is fixed when the certificate is created: historically it was the CN of the subject, for example the /CN value of the -subj option in openssl req -subj "/C=CN/ST=IL/L=ShenZhen/O=Tencent/OU=Tencent/CN=luffichen_server.tencent.com/[email protected]" ... Modern verifiers match the subjectAltName DNS entries first and fall back to the CN only when the certificate has no SAN at all, so new certificates should carry a SAN for every host name they serve.
  • CURLOPT_CAINFO: path to a file holding one or more CA certificates used to verify the server. Only meaningful together with CURLOPT_SSL_VERIFYPEER.
  • CURLOPT_CAPATH: a directory holding multiple CA certificates (in the hashed layout produced by c_rehash). Used together with CURLOPT_SSL_VERIFYPEER.

The curl_easy_setopt options related to two-way SSL authentication are:

  • CURLOPT_SSLCERT: path to the client certificate.
  • CURLOPT_SSLCERTTYPE: certificate format. Supported values are "PEM" (default) and "DER"; with the OpenSSL, Secure Transport and Schannel backends "P12" (PKCS#12) is also accepted.
  • CURLOPT_SSLKEY: path to the client private key file.
  • CURLOPT_SSLKEYTYPE: private key format; supported values are "PEM" (default), "DER" and "ENG".
  • CURLOPT_KEYPASSWD: passphrase for the client private key, if the key was encrypted when it was created.
if(!oneway_certification)
{
    // Verify that the server certificate chains to a trusted CA
    // (curl_easy_setopt is variadic and expects a long, hence 1L)
    curl_easy_setopt(m_curl_handler, CURLOPT_SSL_VERIFYPEER, 1L);
    // Check that the host name in the certificate matches the host being accessed
    curl_easy_setopt(m_curl_handler, CURLOPT_SSL_VERIFYHOST, 2L);
    // Path to the CA certificate bundle
    curl_easy_setopt(m_curl_handler, CURLOPT_CAINFO, m_ca_cert_file.c_str());
}
else
{
    // Do not verify the server certificate (encrypted, but the peer is not authenticated)
    curl_easy_setopt(m_curl_handler, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(m_curl_handler, CURLOPT_SSL_VERIFYHOST, 0L);
}

if(!client_cert_file.empty())
{
    // Client certificate, used for two-way authentication
    curl_easy_setopt(m_curl_handler, CURLOPT_SSLCERT, client_cert_file.c_str());
}

if(!client_cert_type.empty())
{
    // Client certificate type, used for two-way authentication
    curl_easy_setopt(m_curl_handler, CURLOPT_SSLCERTTYPE, client_cert_type.c_str());
}

if(!private_key.empty())
{
    // Client private key, used for two-way authentication
    curl_easy_setopt(m_curl_handler, CURLOPT_SSLKEY, private_key.c_str());
}

if(!private_key_type.empty())
{
    // Client private key type, used for two-way authentication
    curl_easy_setopt(m_curl_handler, CURLOPT_SSLKEYTYPE, private_key_type.c_str());
}

if(!private_key_passwd.empty())
{
    // Passphrase of the client private key
    curl_easy_setopt(m_curl_handler, CURLOPT_KEYPASSWD, private_key_passwd.c_str());
}

Note: when the curl options are set, each client-certificate value is checked for emptiness; if it is empty the option is skipped, and with no client certificate configured the connection is one-way authentication only. Note also that the oneway_certification branch above switches server verification off entirely. That is not one-way authentication but no authentication: the traffic is encrypted, yet any host presenting any certificate is accepted, so that branch belongs in test environments only.


Problems encountered

curl does not support HTTPS

curl -V
curl 7.56.0-DEV (Linux) libcurl/7.56.0-DEV OpenSSL/1.0.1e zlib/1.2.3
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile NTLM SSL libz UnixSockets HTTPS-proxy 

If Features does not list SSL (and Protocols does not list https), curl has to be recompiled with SSL support (./configure --with-ssl).

When compiling, follow the method given on the curl website:

./configure --with-ssl
If you have OpenSSL installed somewhere else (for example, /opt/OpenSSL) and you have pkg-config installed, set the pkg-config path first, like this:

env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-ssl
Without pkg-config installed, use this:

./configure --with-ssl=/opt/OpenSSL

If you insist on forcing a build without SSL support, even though you may have OpenSSL installed in your system, you can run configure like this:

./configure --without-ssl

If you have OpenSSL installed, but with the libraries in one place and the header files somewhere else, you have to set the LDFLAGS and CPPFLAGS environment variables prior to running configure. Something like this should work:

CPPFLAGS="-I/path/to/ssl/include" LDFLAGS="-L/path/to/ssl/lib" ./configure
If you have shared SSL libs installed in a directory where your run-time linker doesn't find them (which usually causes configure failures), you can provide the -R option to ld on some operating systems to set a hard-coded path to the run-time linker:

LDFLAGS=-R/usr/local/ssl/lib ./configure --with-ssl

Note also that the TLS protocol versions available depend on the OpenSSL version. TLS 1.2 support was added in OpenSSL 1.0.1, so the 1.0.1e build shown in the curl -V output above can already negotiate TLS 1.2; OpenSSL 1.0.2 added, among other things, built-in host name checking (X509_check_host and the -verify_hostname option). Both 1.0.1 and 1.0.2 are end of life today.

Compiling OpenSSL 1.0.2h produces libssl.so.1.0.0 / libcrypto.so.1.0.0 rather than libssl.so.1.0.2 / libcrypto.so.1.0.2, so the software version number and the shared-library version do not match. Richard Levitte explained the reason:

We recognised that our shared library version numbering was confusing, so from OpenSSL version 1.1.0 and up, the shared library version retains the two first digits of the OpenSSL version only, which reflects our intent that for any versions x.y.z where x.y stays the same, ABI backward compatibility will be maintained.

SSL certificate problem, verify that the CA cert is OK

When CURLOPT_SSL_VERIFYPEER is 1, verification of the server's legitimacy is enabled, and the CA bundle (CURLOPT_CAINFO or CURLOPT_CAPATH, or libcurl's built-in default location) must contain the CA that issued the server certificate; when CURLOPT_SSL_VERIFYHOST is 2, the name in the server certificate (its SAN, or the CN if it has no SAN) must match the host name in the URL. During testing, remember to add a hosts entry on the client machine that resolves the certificate's domain name to the server's IP; connecting directly by IP address fails with the error "SSL certificate problem, verify that the CA cert is OK" (in newer curl releases a host name mismatch error) unless the certificate carries that IP as a SAN.

curl: (60) SSL certificate problem: unable to get local issuer certificate

This error has many causes; a few of them are listed here.

When verifying the server certificate, the CA certificate that issued it could not be found. If the cainfo/capath parameter is set correctly and the CA certificate really is the root CA, yet the error persists, the certificate may have been generated incorrectly; regenerate it. If the server certificate was issued by an intermediate CA, and the intermediate certificate was in turn issued by the root CA, then when the server does not send the intermediate certificate during the handshake OpenSSL cannot build a complete chain and reports this error. In that case bundle the intermediate certificates into the file the server serves, for example cat intermediate.crt >> domain.crt, so that the server presents the full chain up to (but not necessarily including) the root.
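The chain-building and host-name rules above, as an added example that is not part of the original post: a bash script that builds a throwaway three-tier PKI (root CA, intermediate CA, server certificate) with the openssl command-line tool, reproduces the "unable to get local issuer certificate" failure when the intermediate is missing, shows the verification succeeding once the intermediate is supplied, and demonstrates the SAN-over-CN matching discussed under CURLOPT_SSL_VERIFYHOST. The names (*.example.test), file names and the PKI_DIR variable are constructed for the demo; -untrusted stands in for the intermediate certificate a correctly configured server sends in its chain. It needs OpenSSL 1.0.2 or later for -verify_hostname.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a throwaway PKI
# root CA -> intermediate CA -> server certificate with the openssl CLI and
# reproduce the verification failures discussed above. All names (*.example.test)
# and file paths are constructed for this demo.
set -u

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Extension profiles. The leaf deliberately gets a CN that differs from its
# subjectAltName so that SAN-vs-CN matching can be observed.
write_ext_cnf() {
  cat > "$PKI_DIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
}

# issue NAME SUBJECT EXT_SECTION ISSUER   (empty ISSUER = self-signed root)
issue() {
  local name=$1 subj=$2 ext=$3 issuer=$4
  openssl genrsa -out "$PKI_DIR/$name.key" 2048 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -sha256 -days 30 -key "$PKI_DIR/$name.key" -subj "$subj" \
      -config "$PKI_DIR/ext.cnf" -extensions "$ext" -out "$PKI_DIR/$name.pem" 2>/dev/null
  else
    openssl req -new -key "$PKI_DIR/$name.key" -subj "$subj" \
      -config "$PKI_DIR/ext.cnf" -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$PKI_DIR/$name.csr" \
      -CA "$PKI_DIR/$issuer.pem" -CAkey "$PKI_DIR/$issuer.key" -CAcreateserial \
      -extfile "$PKI_DIR/ext.cnf" -extensions "$ext" -out "$PKI_DIR/$name.pem" 2>/dev/null
  fi
}

make_pki() {
  write_ext_cnf
  issue root   "/CN=Example Root CA"         v3_ca     ""
  issue int    "/CN=Example Intermediate CA" v3_ca     root
  # Legacy CN: a modern verifier matches the SAN and never looks at this name.
  issue server "/CN=legacy-cn.example.test"  v3_server int
}

# verify_server WITH_INTERMEDIATE(yes|no) HOSTNAME(or "")
# Verifies server.pem against the root. -untrusted supplies the intermediate the
# way a TLS server would by including it in the chain it sends. Prints one of:
#   OK | unable to get local issuer certificate | hostname mismatch | other error: ...
verify_server() {
  local with_int=$1 host=$2 out
  set -- -CAfile "$PKI_DIR/root.pem"
  if [ "$with_int" = yes ]; then set -- "$@" -untrusted "$PKI_DIR/int.pem"; fi
  if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
  # The exit status is not relied upon: old openssl releases return 0 on failure.
  out=$(openssl verify "$@" "$PKI_DIR/server.pem" 2>&1) || true
  case "$out" in
    *": OK"*)                                   echo "OK" ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *"ostname mismatch"*)                       echo "hostname mismatch" ;;
    *)                                          echo "other error: $out" ;;
  esac
}

make_pki
echo "root only (server did not send intermediate): $(verify_server no  '')"
echo "root + intermediate:                          $(verify_server yes '')"
echo "hostname = SAN (server.example.test):         $(verify_server yes server.example.test)"
echo "hostname = CN  (legacy-cn.example.test):      $(verify_server yes legacy-cn.example.test)"
```

The first line reproduces curl's error 60 exactly as described above: the root is trusted, but nothing in the chain links the leaf to it. The second line is the fix, and the last two lines show why relying on the CN when generating certificates is no longer enough: once a SAN is present, the verifier ignores the CN entirely.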


Reference links

curl_easy_setopt - set options for a curl easy handle
curl_easy_setopt
SSL authentication: introduction to the principles of one-way and two-way authentication
How to install curl and libcurl
OpenSSL 1.0.2h generates libss.so.1.0.0 instead of libssl.so.1.0.2
Using curl with SSL certificates to access HTTPS
HowTo: Create a CSR using OpenSSL without prompt (non-interactive)
curl: (60) SSL certificate problem: unable to get local issuer certificate


Origin blog.csdn.net/liweigao01/article/details/94744576