我的系统是Linux。
我尝试使用 OpenSSL 创建一个 TLSv1.2 HTTPS 服务器,该服务器需要校验客户端证书。但是当客户端与 Server 握手时,在客户端向服务器发送证书之后,Server 会回复 unknown CA(未知的 CA)告警。
我可以确认这是证书的问题,因为如果去掉 SSL_CTX_set_verify(IEctx, SSL_VERIFY_PEER, NULL) 这一行,握手就能完成。
是因为服务器不信任此证书吗?
服务器是否通过SSL_CTX_set_client_CA_list()设置信任证书?
// TLS server context setup. This is a fragment of a larger function: IEctx, IEssl,
// listener, master, read_fds, fdmax and tv are declared outside this view.
init_openssl_library();
SSL_load_error_strings();
// build the SSL objects...
const SSL_METHOD* method = TLS_server_method();
SSLeay_add_ssl_algorithms();
// NOTE(review): both failure checks below only print a message; execution continues
// with a NULL method/ctx, and the later SSL_CTX_* calls receive that NULL pointer.
if (!(NULL != method)) fprintf(stderr, "SSL Method Error\n");
IEctx = SSL_CTX_new(method);
if (!(IEctx != NULL)) fprintf(stderr, "CXT New Error\n");
// Single cipher suite. ECDHE-ECDSA-* presumably requires an ECDSA server
// certificate and key — confirm the files loaded below are ECDSA.
SSL_CTX_set_cipher_list(IEctx, "ECDHE-ECDSA-AES128-CCM8");
// SSL_VERIFY_PEER: the server requests a client certificate and verifies it if
// one is sent; a failed verification aborts the handshake. Without
// SSL_VERIFY_FAIL_IF_NO_PEER_CERT a client that sends *no* certificate still
// completes the handshake — add that flag if client authentication is mandatory.
SSL_CTX_set_verify(IEctx, SSL_VERIFY_PEER, NULL);
// This is the trust store the client certificate is verified against. An
// "unknown CA" alert from the server means the client's issuer chain is not
// found in this file (or the load itself failed). The return value
// (1 on success, 0 on failure) is not checked here.
SSL_CTX_load_verify_locations(IEctx,"sat-root.crt",NULL);
STACK_OF(X509_NAME) *list;
// `list` is only used for the NULL check below; it is never handed to the ctx
// and never freed (sk_X509_NAME_pop_free), so it leaks.
list = SSL_load_client_CA_file("Root.pem");
if (list == NULL) {
printf("Failed to load client CA file from \"Root.pem\"\n");
//return -1;
}
// Only advertises the acceptable CA *names* in the CertificateRequest so the
// client can pick a matching certificate; it adds nothing to the trust store
// used for verification (that is SSL_CTX_load_verify_locations above).
// Loads the same file a second time; `list` could be passed instead.
SSL_CTX_set_client_CA_list(IEctx, SSL_load_client_CA_file("Root.pem"));
// A ctx holds one end-entity certificate per key type, so the chain-file call
// below presumably replaces this one if the key types match — confirm. A server
// normally presents its own leaf certificate plus intermediates, not the root.
// Neither certificate load below has its return value checked.
SSL_CTX_use_certificate_file(IEctx, "sat-root.pem", SSL_FILETYPE_PEM);//root CA
SSL_CTX_use_certificate_chain_file(IEctx, "sat-cli_mca-mica-dev_55937-13-1_56000020.pem");//Chain CA
if (SSL_CTX_use_PrivateKey_file(IEctx, "sat-key_dev_55937-13-1_56000020.pem", SSL_FILETYPE_PEM) <= 0) {//Private Key
ERR_print_errors_fp(stdout);
return 1;
}
// Confirms the loaded private key matches the certificate currently set on the ctx.
if (!SSL_CTX_check_private_key(IEctx)) {//Check Private key
ERR_print_errors_fp(stdout);
return 1;
}
// NOTE(review): this NULL check comes after IEctx has already been passed to
// every SSL_CTX_* call above; it belongs immediately after SSL_CTX_new.
if (!IEctx) {
ERR_print_errors_fp(stderr);
}
// NOTE(review): a single SSL object is created here and bound to the *listening*
// socket. An SSL object represents one connection; it should be created with
// SSL_new per accepted fd rather than shared and re-bound.
IEssl = SSL_new(IEctx);
SSL_set_fd(IEssl, listener);
FD_SET(listener, &master);
// read_fds is presumably copied from master somewhere outside this view — confirm.
if (select(fdmax + 1, &read_fds, NULL, NULL, &tv) == -1) {
perror("select");
return 4;
}
// Accept/handshake loop. The `for` and the FD_ISSET branch are closed beyond
// the end of this view.
for (int i = 0; i <= fdmax; i++) {
if (FD_ISSET(i, &read_fds)) { // found a ready descriptor
DC_DEBUG_NL("we find one");
if (i == listener) {
DC_DEBUG_NL("i == listener");
// handle new connections
addrlen = sizeof remoteaddr;
newfd = accept(listener, (struct sockaddr *)&remoteaddr, &addrlen);
if (newfd == -1) {
perror("accept");
} else {
DC_DEBUG_NL("add new fd");
// Re-binds the one shared IEssl to the newly accepted socket. (The original
// comment said "add to master set", but this line does not FD_SET newfd.)
// An SSL object is per-connection; reusing it across accepts is unsupported.
SSL_set_fd(IEssl, newfd);
if (newfd > fdmax) { // keep track of the largest fd
fdmax = newfd;
}
// SSL_accept: 1 = handshake complete, 0 = controlled failure, <0 = error.
// Only success is logged; on failure the code still falls through to SSL_read.
int r = SSL_accept(IEssl);
if (r == 1){
DC_DEBUG_NL("scuess to accept");
}
// nbytes is not checked (<= 0 on error or close), and IEEEBuf is printed with
// %s without writing IEEEBuf[nbytes] = '\0' — the "- 1" reserves room for it.
nbytes = SSL_read(IEssl, IEEEBuf, sizeof(IEEEBuf) - 1);
DC_DEBUG_NL("IEEEBuf[nbytes]=%s", IEEEBuf);
string webpage = "/ntfy/0";
string RequestBody = "";
string SendstrPacket = "";
// chRequest is fixed-size; StrToChar is not visible here — confirm it bounds
// the copy to sizeof chRequest.
char chRequest[500];
SendstrPacket = https.TransToPacketFormat(P_IE2030, RequestBody, webpage, "", H_Create);
StrToChar(chRequest, SendstrPacket);
// SSL_write signals failure with any value <= 0; checking only for -1 misses
// the other error returns.
int result = SSL_write(IEssl, chRequest, strlen(chRequest));
if(result != -1){
DC_DEBUG_NL("scuess to write");
}
}
}