我正在尝试在C中使用OpenSSL(在ubuntu 12.04上)。 从here获得了一个例子。
一切顺利,直到BIO_do_connect()返回负值。 可能我在调用这两个API时做错了,因为bio被传递给BIO_do_connect()。
可以理解在这两个函数的第二个参数中使用的格式示例。
BIO_set_conn_ip(bio, &ip);
BIO_set_conn_int_port(bio, &port);
如here所述,两个函数总是返回1(正确,错误或任何东西)真的不太舒服。
这里是完整的代码:
int main(void) {
BIO * bio;
SSL * ssl;
SSL_CTX * ctx;
int p;
char ip[4];
int port = 60054;
/* considered big-endian */
ip[0] = 0b11000000;
ip[1] = 0b10100100;
ip[2] = 0b1;
ip[3] = 0b1110100;
char * request =
"request";
char r[1024];
SSL_library_init();
/* Set up the library */
ERR_load_BIO_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
/* Set up the SSL context */
ctx = SSL_CTX_new(SSLv23_client_method());
/* Load the trust store */
if (!SSL_CTX_load_verify_locations(ctx, "cert.pem", NULL)) {
fprintf(stderr, "Error loading trust store\n");
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
return 0;
}
/* Setup the connection */
bio = BIO_new_ssl_connect(ctx);
/* Set the SSL_MODE_AUTO_RETRY flag */
BIO_get_ssl(bio, &ssl);
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
/* Create and setup the connection */
BIO_set_conn_ip(bio, &ip);
BIO_set_conn_port(bio, &port);
int ret = BIO_do_connect(bio);
if (ret <= 0) {
fprintf(stderr, "Error attempting to connect\n");
ERR_print_errors_fp(stderr);
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
/* Check the certificate */
if (SSL_get_verify_result(ssl) != X509_V_OK) {
fprintf(stderr, "Certificate verification error: %i\n",
SSL_get_verify_result(ssl));
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
/* Send the request */
BIO_write(bio, request, strlen(request));
/* Read in the response */
for (;;) {
p = BIO_read(bio, r, 1023);
if (p <= 0)
break;
r[p] = 0;
printf("%s", r);
}
/* Close the connection and free the context */
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
这是我从stderr API获得的输出ERR_print_errors_fp:
SSL例程:SSL3_READ_BYTES:sslv3警报握手失败:s3_pkt.c:1256:SSL警报号40
当我尝试启动此命令时:
openssl s_client -connect [ip]:[port] -debug
我得到类似下面的东西(当然有一些合理而不是++++):
+++++
------
CONNECTED(00000003)
write to 0x9494140 [0x9494418] (225 bytes => 225 (0xE1))
0000 ++++++
---
Certificate chain
0 ++++++
---
Server certificate
-----BEGIN CERTIFICATE-----
MI++++++
-----END CERTIFICATE-----
subject=/C++++++
---
No client certificate CA names sent
---
SSL handshake has read 931 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: DF77194+++
Session-ID-ctx:
Master-Key: 11D6++++
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1394815215
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
答案 0 :(得分:1)
BIO_set_conn_ip()使用二进制格式将IP地址设置为ip,即以 big-endian 形式指定IP地址的四个字节。您正在尝试以little-endian形式编写IP。像这样更改字节顺序:
ip[3] = 0b11000000;
ip[2] = 0b10100100;
ip[1] = 0b1;
ip[0] = 0b1110100;
此外,您尝试设置的IP为 192.164.1.116 ,如果您选择 192.168.1.116 ,可能会出错(请注意 168 < / strong> vs 164 部分)。