Ubuntu下用c代码实现openssl的客户端服务器
前几天组长让我实现一个使用openssl的c语言编写的客户端和java编写的服务器实现字符流的通信,给了段代码。在自己的ubuntu上跑服务器和客户端收发信息都没有问题,但是就是和java的通信不了。后来发现组长给的客户端代码有问题,于是网上找到了比较正确的客户端和服务器代码,自己做了稍微的改动。有一点要说一下,我的c客户端使用的证书格式是.pem的而java那边使用kittool生成的证书格式是.cer的所以需要进行cer到pem格式的转换才可以使用。
我使用的是这个网址下进行证书格式转换:https://www.sslshopper.com/ssl-converter.html
操作是:1.选择要转换的文件。
2.选择文件的格式,里面没有cer格式选项,可以使用der就可以。
3.选择要转换成为什么格式我是选择standard pem。生成的是。crt文件,这个在ubuntu下面导入到我的客户端中即可。
以下是我编程的具体的操作步骤,大部分是从网上整理的,小部分的做了改动,加了注释。
#安装openssl安装包
在以下网站下载openssl:
http://www.openssl.org/source/openssl-1.0.0a.tar.gz
tar -zxvf openssl-1.0.0a.tar.gz
mv openssl-1.0.1a openssl
cd openssl
如果需要zlib压缩模块的话,还需要先安装zlib
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia
不需要就直接用:
./config --prefix=/usr/local/ssl shared no-zlib
更多详细帮助请运行
./config –help
./config –t
make depend
make
make test
sudo make install
设置环境变量:在/etc/profile的PATH中增加如下内容
PATH=/usr/local/ssl/bin:/sbin/:$PATH:/usr/sbin
export PATH
cat /etc/ssl/openssl.cnf
#查看路径
which openssl
#查看版本
openssl version
openssl安装完毕
//如果计算机联网的话可以使用如下命令安装比较简便
sudo apt-get install openssl
#安装openssl-devel
由于ubuntu下无法安装openssl-devel
所以使用libssl-dev代替openssl-devel
sudo apt-get install libssl-dev
CentOS系统下安装openssl
//解压openssl安装包
[root@localhost opt]# tar xvzf
openssl-1.0.0d.tar.gz
//进入解压后的目录
[root@localhost
opt]# cd openssl-1.0.0d
//修改openssl配置文件
[root@localhost
openssl-1.0.0d]# ./configure --prefix=/usr/local/openssl
//编译代码
[root@localhost
openssl-1.0.0d]# make
//安装
[root@localhost
openssl-1.0.0d]# make install
#安装curses.h头文件的库
sudo apt-get install libncurses5-dev
所需软件安装完毕:openssl、openssl-devel、libncurses5-dev三个软件
======================================================
#生成工作目录产生CA凭证
ca.crt为自签名证书;
server.crt,server.key为服务器端的证书和私钥文件;
proxy.crt,proxy.key为代理服务器端的证书和私钥文件;
client.crt,client.key为客户端的证书和私钥文件。
#把openssl安装目录下的misc拷贝到用户目录下
cd
mkdir sslca
cd sslca
sudo cp /usr/local/ssl/ssl/misc -r ./
sudo cp /usr/local/ssl/ssl/openssl.cnf ./misc
Cd misc
CA.sh –newca
#产生一个demoCA文件夹
cd demoCA
#复制安装目录下面的openssl.cnf文件到demoCA下
sudo cp /usr/local/ssl/ssl/openssl.cnf ./
#产生CA自签名证书
openssl genrsa -out ./private/ca.key -rand
./private/.rnd -des 2048
openssl req -new -x509 -days 3650 -key
./private/ca.key -out ./private/ca.crt -config openssl.cnf
openssl x509 -in
./private/ca.crt -noout -text
#产生server的证书过程
openssl genrsa -out ./private/server.key
1024
openssl req -new -key ./private/server.key -out ./newcerts/server.csr
-config openssl.cnf
//这一步如果产生错误,请看后面的解决方法
openssl ca -in ./newcerts/server.csr -cert
./private/ca.crt -keyfile ./private/ca.key -config openssl.cnf -policy
policy_anything -out ./certs/server.crt
openssl x509 -in ./certs/server.crt
-noout -text
#产生proxy的证书过程
openssl genrsa -out ./private/proxy.key
1024
//这步要是产生错误,请看后面的解决方法
openssl req -new -key ./private/proxy.key
-out ./newcerts/proxy.csr -config openssl.cnf
openssl ca -in
./newcerts/proxy.csr -cert ./private/ca.crt -keyfile./private/ca.key -config
openssl.cnf -policy policy_anything -out ./certs/proxy.crt
openssl x509 -in
./certs/proxy.crt -noout -text
#产生client的证书过程
openssl genrsa -out ./private/client.key
1024
openssl req -new -key ./private/client.key -out ./newcerts/client.csr
-config openssl.cnf
openssl ca -in ./newcerts/client.csr -cert
./private/ca.crt -keyfile ./private/ca.key -config openssl.cnf -policy
policy_anything -out ./certs/client.crt
openssl x509 -in ./certs/client.crt
-noout -text
#产生一般错误的解决方法
出现:I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts:Nosuch file or directory
解决:修改openssl.cnf
在42行:dir = ./demoCA修改为 dir = ./
出现:failed to update database
TXT_DB error number 2
解决:修改index.txt.attr
将unique_subject = yes修改为 unique_subject = no
======================================================
#客户端的代码
vi client.c
//client
#include
<openssl/rand.h>
#include <stdio.h>
#include
<string.h>
#include <errno.h>
#include
<sys/socket.h>
#include <resolv.h>
#include
<stdlib.h>
#include <netinet/in.h>
#include
<arpa/inet.h>
#include <unistd.h>
#include
<openssl/ssl.h>
#include <openssl/err.h>
#include
<errno.h>
#include <curses.h>
#define PORT 7979
#define SERVER
"127.0.0.1"
#define CACERT "./private/ca.crt"
/* 如果需要与不是本机的服务器通信,在这个地方的证书导入对应服务器的证书,我的是和java通信,所以就导入了java端的服务器证书
注意,java端的证书需要进行格式转换,具体操作方法请参见开头的说明。*/
#define MYCERTF
"./certs/proxy.crt"
#define MYKEYF "./private/proxy.key"
#define MSGLENGTH
1024
int
main ()
{
struct sockaddr_in sin;
int
seed_int[100];
SSL *ssl;
SSL_METHOD *meth;
SSL_CTX
*ctx;
int i;
/* 初始化OpenSSL */
SSL_library_init();
/*加载算法库 */
OpenSSL_add_ssl_algorithms ();
/*加载错误处理信息 */
SSL_load_error_strings ();
/* 选择会话协议 */
meth = (SSL_METHOD *)
TLSv1_client_method ();
/* 创建会话环境 */
ctx = SSL_CTX_new
(meth);
if (NULL == ctx)
exit (1);
/* 制定证书验证方式 */
SSL_CTX_set_verify (ctx,
SSL_VERIFY_PEER, NULL);
/* 为SSL会话加载CA证书*/
SSL_CTX_load_verify_locations (ctx, CACERT, NULL);
/* 为SSL会话加载用户证书 */
if (0 ==
SSL_CTX_use_certificate_file (ctx, MYCERTF,
SSL_FILETYPE_PEM))
{
ERR_print_errors_fp (stderr);
exit
(1);
}
/*
为SSL会话加载用户私钥 */
if (0 ==
SSL_CTX_use_PrivateKey_file (ctx, MYKEYF,
SSL_FILETYPE_PEM))
{
ERR_print_errors_fp (stderr);
exit
(1);
}
/* 验证私钥和证书是否相符 */
if
(!SSL_CTX_check_private_key (ctx))
{
printf ("Private key does not match
the certificate public key\n");
exit (1);
}
/* 设置随机数 */
srand ((unsigned) time
(NULL));
for (i = 0; i < 100; i++)
seed_int[i] = rand ();
RAND_seed
(seed_int, sizeof (seed_int));
/* 指定加密器类型 */
SSL_CTX_set_cipher_list (ctx,
"RC4-MD5");
SSL_CTX_set_mode (ctx, SSL_MODE_AUTO_RETRY);
int
sock;
printf ("Begin tcp socket...\n");
/* 创建socket描述符 */
sock = socket (AF_INET,
SOCK_STREAM, 0);
if (sock == -1)
{
printf ("SOCKET error.
\n");
}
memset (&sin, ‘\0‘, sizeof (sin));
/* 准备通信地址和端口号 */
sin.sin_family
= AF_INET;
sin.sin_addr.s_addr
= inet_addr (SERVER); /* Server IP */
sin.sin_port
= htons (PORT); /* Server Port number */
int
icnn = connect (sock, (struct sockaddr *) &sin, sizeof (sin));
if
(icnn == -1)
{
printf
("can not connect to server,%s\n", strerror (errno));
exit
(1);
}
/* 创建一个SSL套接字*/
ssl
= SSL_new (ctx);
if
(NULL == ssl)
exit
(1);
/* 申请一个ssl套接字 */
if (0 >= SSL_set_fd
(ssl, sock))
{
printf ("Attach to Line fail!\n");
exit
(1);
}
//建立SSL连接
int k = SSL_connect (ssl);
if (0 ==
k)
{
printf ("%d\n", k);
printf ("SSL connect fail!\n");
exit
(1);
}
printf ("connect to server\n");
char sendmsg[MSGLENGTH] =
"\0";
char revmsg[MSGLENGTH] = "\0";
//接收服务器消息
int err = SSL_read (ssl, revmsg, sizeof
(revmsg));
revmsg[err] = ‘\0‘;
printf ("%s\n", revmsg);
while
(1)
{
printf ("please input the data to send:\n");
scanf ("%s",
sendmsg);
//向服务器发送消息
SSL_write (ssl, sendmsg, strlen
(sendmsg));
printf ("send message ‘ %s ‘ success\n",
sendmsg);
}
//关闭连接
SSL_shutdown (ssl);
SSL_free
(ssl);
SSL_CTX_free (ctx);
close (sock);
getch ();
return
0;
}
======================================================
#服务端的代码
vi server.c
//server
#include
<stdio.h>
#include <openssl/x509.h>
#include
<openssl/ssl.h>
#include <openssl/err.h>
#include
<stdlib.h>
#include <errno.h>
#include
<string.h>
#include <sys/types.h>
#include
<netinet/in.h>
#include <sys/socket.h>
#include
<sys/wait.h>
#include <unistd.h>
#include
<arpa/inet.h>
#include <openssl/ssl.h>
#include
<openssl/err.h>
#include <curses.h>
#define MSGLENGTH 1024
#define PORT
7979
#define CACERT "./private/ca.crt"
#define SVRCERTF
"./certs/server.crt"
#define SVRKEYF "./private/server.key"
#define ADDRESS “127.0.0.1”
int main
()
{
int sock;
SSL_METHOD *meth;
SSL_CTX *ctx;
SSL
*ssl;
//SSL初库始化
SSL_library_init();
//载入所有SSL算法
OpenSSL_add_ssl_algorithms ();
//载入所有错误信息
SSL_load_error_strings ();
meth =
(SSL_METHOD *) TLSv1_server_method ();
ctx = SSL_CTX_new (meth);
if (NULL
== ctx)
exit (1);
SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER,
NULL);
SSL_CTX_load_verify_locations (ctx, CACERT, NULL);
//加载证书和私钥
if (0 == SSL_CTX_use_certificate_file
(ctx, SVRCERTF, SSL_FILETYPE_PEM))
{
ERR_print_errors_fp (stderr);
exit
(1);
}
if (0 == SSL_CTX_use_PrivateKey_file (ctx, SVRKEYF,
SSL_FILETYPE_PEM))
{
ERR_print_errors_fp (stderr);
exit (1);
}
if
(!SSL_CTX_check_private_key (ctx))
{
printf ("Private key does not match
the certificate public key\n");
exit (1);
}
SSL_CTX_set_cipher_list
(ctx, "RC4-MD5");
SSL_CTX_set_mode (ctx, SSL_MODE_AUTO_RETRY);
printf
("Begin tcp socket...\n");
sock = socket (AF_INET, SOCK_STREAM, 0);
if
(sock == -1)
{
printf ("SOCKET error! \n");
return 0;
}
//准备通信地址和端口号
struct sockaddr_in addr;
memset
(&addr, ‘\0‘, sizeof (addr));
addr.sin_family = AF_INET;
addr.sin_port
= htons (PORT); /* Server Port number */
//addr.sin_addr.s_addr =
INADDR_ANY;
addr.sin_addr.s_addr = inet_addr(ADDRESS);
//绑定地址和端口号
int nResult = bind (sock, (struct sockaddr
*) &addr, sizeof (addr));
if (nResult == -1)
{
printf ("bind socket
error\n");
return 0;
}
printf ("server start
successfully,port:%d\nwaiting for connections\n",
PORT);
struct
sockaddr_in sa_cli;
//设置最大连接数
int err = listen (sock, 5);
if (-1 ==
err)
exit (1);
int client_len = sizeof (sa_cli);
//等待客户端连接
int ss = accept (sock, (struct sockaddr *)
&sa_cli, &client_len);
if (ss == -1)
{
exit (1);
}
close
(sock);
printf ("Connection from %d, port %d\n",
sa_cli.sin_addr.s_addr,
sa_cli.sin_port);
ssl = SSL_new (ctx);
if (NULL
== ssl)
exit (1);
if (0 == SSL_set_fd (ssl, ss))
{
printf ("Attach
to Line fail!\n");
exit (1);
}
int k = SSL_accept (ssl);
if (0 ==
k)
{
printf ("%d/n", k);
printf ("SSL connect fail!\n");
exit
(1);
}
X509 *client_cert;
client_cert = SSL_get_peer_certificate
(ssl);
printf ("find a customer to try to connect\n");
if (client_cert !=
NULL)
{
printf ("Client certificate:\n");
char *str
=
X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
if (NULL
== str)
{
printf ("auth error!\n");
exit (1);
}
printf ("subject:
%s\n", str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0,
0);
if (NULL == str)
{
printf ("certificate name is null\n");
exit
(1);
}
printf ("issuer: %s\n", str);
printf ("connect
successfully\n");
X509_free (client_cert);
OPENSSL_free
(str);
}
else
{
printf ("can not find the customer‘s
certificate\n");
exit (1);
}
char buf[MSGLENGTH];
SSL_write (ssl,
"Server is connect to you!\n",
strlen ("Server is connect to
you!\n"));
printf ("Listen to the client: \n");
while (1)
{
err =
SSL_read (ssl, buf, sizeof (buf));
buf[err] = ‘\0‘;
printf ("%s\n",
buf);
}
SSL_shutdown (ssl);
SSL_free (ssl);
SSL_CTX_free
(ctx);
getch ();
return 0;
}
#makefile的代码:
vi makefile
all:client.c server.c
gcc –o clientclient.c –Wall –lssl –ldl -lcurses
gcc –o serverserver.c –Wall –lssl –ldl –lcurses
#如果是自定义安装路径的,可以使用下面的
#gcc -Wall -o clientclient.c -I/usr/openssl-1.0.0c/include/usr/openssl-1.0.0c/libssl.a /usr/openssl-1.0.0c/libcrypto.a –ldl
#gcc -Wall -o serverserver.c
-I/usr/openssl-1.0.0c/include/usr/openssl-1.0.0c/libssl.a
/usr/openssl-1.0.0c/libcrypto.a -ldl
clean::
rm -f client server