2
我正在嘗試編寫簡單的C openssl客戶端和服務器。下面是客戶端的代碼:openssl握手失敗
int main() {
int err;
SSL_CTX * ctx = init_ctx("client-cert.pem", "client-private.pem", "certs/cacert.pem", "clientpass");
if (!ctx) {
fprintf(stderr, "couldn't init ctx\n");
exit(1);
}
int sock = tcp_connect("localhost", 4443);
/* Connect the SSL socket */
SSL * ssl = SSL_new(ctx);
BIO * sbio = BIO_new_socket(sock,BIO_NOCLOSE);
SSL_set_bio(ssl,sbio,sbio);
if((err = SSL_connect(ssl)) != 1) {
switch(SSL_get_error(ssl, err)) {
case SSL_ERROR_NONE:
fprintf(stderr, "error SSL_ERROR_NONE\n");
break;
case SSL_ERROR_ZERO_RETURN:
fprintf(stderr, "errorSSL_ERROR_ZERO_RETURN \n");
break;
case SSL_ERROR_WANT_READ:
fprintf(stderr, "error SSL_ERROR_WANT_READ\n");
break;
case SSL_ERROR_WANT_WRITE:
fprintf(stderr, "error SSL_ERROR_WANT_WRITE\n");
break;
case SSL_ERROR_WANT_CONNECT:
fprintf(stderr, "error SSL_ERROR_WANT_CONNECT\n");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
fprintf(stderr, "error SSL_ERROR_WANT_X509_LOOKUP\n");
break;
case SSL_ERROR_SYSCALL:
fprintf(stderr, "error SSL_ERROR_SYSCALL\n");
break;
case SSL_ERROR_SSL:
fprintf(stderr, "error SSL_ERROR_SSL\n");
break;
default:
fprintf(stderr, "error f****** s***!!!\n");
break;
}
fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ERR_print_errors_fp(stderr);
//exit(1);
}
check_cert(ssl, "host.com");
fprintf(stderr, "%d bytes sent\n", send_request(ssl, "come with me, we'll go dreaming"));
/* shutdown ssl connection */
err = SSL_shutdown(ssl);
if (err < 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
close(sock);
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
ssize_t send_request(SSL * ssl, const char * req) {
fprintf(stderr, "sending request...\n");
ssize_t size = SSL_write(ssl, req, strlen(req));
if (size < 0) {
ERR_print_errors_fp(stderr);
}
return size;
}
SSL_get_error(ssl, err)回報SSL_ERROR_SYSCALL和以下錯誤send_request回報:5269:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:。有密碼保護的私鑰,我設置pem_password_cb回調:
SSL_CTX_set_default_passwd_cb(ctx, passwd_func);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)password);
。使用V23的方法......我不知道這個握手的原因失敗...
我試着調試這樣的方式:openssl s_client -connect localhost:4443 -cert sberbank-cert.pem -key sberbank-private.pem -verify 1 -CAfile cacert.pem -prexit -msg和我有以下結果:
[email protected]:~/src/tests/ssl$ openssl s_client -connect localhost:4443 -cert sberbank-cert.pem -key sberbank-private.pem -verify 1 -CAfile cacert.pem -prexit -msg
verify depth is 1
CONNECTED(00000003)
>>> TLS 1.0 Handshake [length 005a], ClientHello
01 00 00 56 03 01 4d ed fc 5e a7 d7 56 6a 70 40
0c a6 19 d0 06 23 08 28 65 07 53 46 d1 87 c0 c2
a2 27 d8 5b ad ac 00 00 28 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00
ff 02 01 00 00 04 00 23 00 00
5825:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 95 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
這裏tcp_connect的來源。我敢肯定,這不是失敗,因爲它返回的fd(不-1):
int tcp_connect(const char *host, int port) {
struct hostent *hp;
struct sockaddr_in addr;
int sock;
if(!(hp=gethostbyname(host)))
return -1;
memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)
hp->h_addr_list[0];
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if((sock=socket(AF_INET,SOCK_STREAM, IPPROTO_TCP))<0)
return -1;
if(connect(sock,(struct sockaddr *)&addr, sizeof(addr))<0)
return -1;
return sock;
}
如果你的'connect'已經失敗,那麼'send_request'也會失敗。 man'SSL_ERROR_SYSCALL 發生了一些I/O錯誤。 OpenSSL錯誤隊列可能包含有關錯誤的更多信息。如果錯誤隊列爲空(即ERR_get_error()返回0),ret可用於 找出更多關於錯誤的信息:如果ret == 0,則觀察到EOF違反協議。如果ret == -1,底層的BIO報告了一個I/O錯誤(對於Unix系統上的套接字I/O,請參考errno獲取詳細信息)。「你做過了嗎? – RedX 2011-06-07 10:03:15
你確定'tcp_connect()'永遠不會失敗嗎? – 2011-06-07 10:30:06
'tcp_connect'不會失敗,它會返回套接字的fd。並且服務器響應它有傳入連接。 – milo 2011-06-07 10:34:07