Secure programming with the OpenSSL API: learn how to use OpenSSL, the best-known open library for secure communication. Some developers find the API demanding because its documentation is incomplete.
The tips in this article fill in that missing knowledge and help you get the API under control. In the section on establishing basic connectivity you will see how to use OpenSSL's BIO library to set up both a non-secure and a secure connection, and along the way you will pick up some knowledge of error detection.

The OpenSSL API documentation is somewhat vague, and there are not many tutorials on using OpenSSL either, so beginners can have difficulty putting it to work in their applications. How do you implement a basic secure connection with OpenSSL? This tutorial helps you answer that question.

Learning how to use OpenSSL is hard mainly because its documentation is incomplete. Incomplete API documentation usually discourages developers from using an API, and that usually dooms the API to failure. Yet OpenSSL remains active and keeps growing more powerful. This is why OpenSSL is the best-known open library for secure communication: search Google for "SSL library" and OpenSSL is at the top of the results. It was born in 1998 and derives from the SSLeay library developed by Eric Young and Tim Hudson. Other SSL toolkits include GNUTLS, released under the GNU General Public License, and Mozilla Network Security Services (NSS); see the resources section for more information on both.

So what makes OpenSSL superior to GNUTLS, Mozilla NSS or any other library? The license is one factor (see the resources section). In addition, GNUTLS (so far) supports only the TLS v1.0 and SSL v3.0 protocols, and that is all. Mozilla NSS is released under both the Mozilla Public License and the GNU GPL, which lets developers choose. However, Mozilla NSS is larger than OpenSSL and needs other external libraries to compile, whereas OpenSSL is completely self-contained. As with OpenSSL, most of the NSS API is undocumented. Mozilla NSS does have PKCS #11 support, which can be used with cryptographic tokens such as smart cards; OpenSSL does not have this support.
Prerequisites

To understand and take full advantage of this article you should be proficient in C programming and familiar with Internet communication and with writing applications that use the Internet. Familiarity with SSL is not strictly required, because a brief description of SSL follows; if you want the details, the resources section links to an article on it. Some knowledge of cryptography is certainly helpful, but it is not required.

What is SSL?

SSL stands for Secure Sockets Layer. It is the standard for secure communication on the Internet, and cryptography is built into the protocol. Data is encrypted before it leaves your computer and decrypted only after it reaches its intended destination. Certificates and cryptographic algorithms do all of this work, and with OpenSSL you will get to work with them first-hand.

In theory, if encrypted data is intercepted or eavesdropped on before it reaches its destination, it should not be possible to crack it. However, computers change every year and cryptanalysis keeps making new advances, so the possibility of breaking the encryption used by the SSL protocol increases as well.

You can use SSL to secure an Internet connection of any type of protocol, whether HTTP, POP3 or FTP. You can also use SSL to protect a Telnet session. Although you can protect any connection with SSL, not every kind of connection needs it. If the connection transmits sensitive information, you should use SSL.

What is OpenSSL?

OpenSSL is not just SSL. It can do message digests, file encryption and decryption, digital certificates, digital signatures and random numbers. The OpenSSL library is very large, far more than one article could cover. OpenSSL is not only an API, it is also a command-line tool.
The command-line tool can do the same work as the API, and in addition you can use it to test SSL servers and clients. It also gives developers a feel for what OpenSSL can do. For documentation on using the OpenSSL command-line tool, see the resources section.

Getting OpenSSL

First you need the latest version of OpenSSL. Go to the resources section to find out where you can get the latest source code to compile, or the latest binary release (if you do not want to spend time compiling). However, for security reasons I recommend that you download the latest source code and compile it yourself. Binary releases are usually compiled and released by third parties, not by the OpenSSL developers.

Some Linux distributions come with a binary version of OpenSSL; for learning how to use the OpenSSL library it is sufficient, but if you are going to do real work, be sure to get the latest version and keep it updated. For RPM-based Linux distributions (RedHat, Mandrake, and so on) it is recommended that you update your OpenSSL release from the RPM packages issued by the distribution's vendor. For security reasons, use the latest release. If your distribution does not carry the latest version of OpenSSL, it is recommended that you overwrite only the library files, not the executables; the FAQ document shipped with OpenSSL has the details.

Note also that OpenSSL is not officially supported on every platform. Although its developers have tried to make it cross-platform, it is still possible that OpenSSL is not available for your computer and/or operating system. Refer to the OpenSSL Web site (see the resources section) to find out which platforms are supported.

If you want to use OpenSSL to generate certificate requests and digital certificates, you must create a configuration file. In the apps folder of the OpenSSL package there is a template file, openssl.cnf.
I will not discuss that file, because it is outside the scope of this article. The template file is well commented, though, and if you search the Internet you will find many tutorials that discuss modifying it.

Header files and initialization

This tutorial uses only three header files: ssl.h, bio.h and err.h. They live in the openssl subdirectory of your include path; include them when developing your project. Initializing the OpenSSL library takes only three lines of code; Listing 1 shows all of it. Other header files and/or initialization functions may be needed for some other functions.

Listing 1. Required header files and initialization

    /* OpenSSL headers */
    #include "openssl/bio.h"
    #include "openssl/ssl.h"
    #include "openssl/err.h"

    /* Initializing OpenSSL */
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();

Establishing a non-secure connection

Whether the connection is secure or not, OpenSSL uses a BIO abstraction library to handle all kinds of communication, including files and sockets. You can also set up filters for OpenSSL, such as UU or Base64 encoding filters. A full description of the BIO library would be a bit much here, so I will introduce it bit by bit. First I will show you how to build a standard socket connection, which takes fewer lines of code than the BSD socket library.

To establish a connection (secure or not), create a pointer to a BIO object. This is similar to creating a FILE pointer for a standard C file stream.

Listing 2. The pointer

    BIO *bio;

Opening a connection

To create a new connection, call BIO_new_connect. You can specify the host name and port number in the same call, or split it into two separate calls: one BIO_new_connect call that creates the connection and sets the host name, and one BIO_set_conn_port (or BIO_set_conn_int_port) call that sets the port number.
Either way, once the BIO's host name and port number are specified, the pointer will attempt to open the connection. Nothing can stop it. If a problem is encountered while creating the BIO object, the pointer will be NULL. To make sure the connection succeeded, you must call BIO_do_connect.

Listing 3. Creating and opening the connection

    bio = BIO_new_connect("hostname:port");
    if (bio == NULL) {
        /* Handle the failure */
    }
    if (BIO_do_connect(bio) <= 0) {
        /* Handle failed connection */
    }

Here the first line creates a new BIO object with the specified host name and port, formatted in the style shown. For example, to connect to www.ibm.com on port 80, the string would be www.ibm.com:80. The call to BIO_do_connect checks whether the connection succeeded; it returns 0 or -1 if something went wrong.

Communicating with the server

Whether the BIO object is a socket or a file, reading and writing are done with the same two functions: BIO_read and BIO_write. Simple, right? The nice part is that it is always this way.

BIO_read attempts to read a specified number of bytes from the server. It returns the number of bytes read, 0 or -1. On a blocking connection, a return of 0 indicates that the connection has been closed and -1 indicates a connection error. On a non-blocking connection, a return of 0 indicates that no data is available and -1 indicates a connection error. You can call BIO_should_retry to determine whether the error can be retried.

Listing 4. Reading from the connection

    int x = BIO_read(bio, buf, len);
    if (x == 0) {
        /* Handle closed connection */
    } else if (x < 0) {
        if (!BIO_should_retry(bio)) {
            /* Handle failed read here */
        }
        /* Do something to handle the retry */
    }

BIO_write attempts to write bytes to the socket. It returns the actual number of bytes written, 0 or -1. As with BIO_read, 0 or -1 does not necessarily indicate an error.
BIO_should_retry isolates the problem. If you need to retry a write, you must call it with exactly the same parameters as before.

Listing 5. Writing to the connection

    if (BIO_write(bio, buf, len) <= 0) {
        if (!BIO_should_retry(bio)) {
            /* Handle failed write here */
        }
        /* Do something to handle the retry */
    }