Question: how to implement mutual authentication with SM2 certificates

Open sunxiao2010n opened this issue 3 years ago • 25 comments

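[Topic] How to implement mutual authentication with SM2 certificates

[Problem description] I am developing on CentOS 7.6 with the BabaSSL 8.2.1 stable release, and I need to implement mutual authentication between client and server.

Under the same configuration: 1. If the client and server use RSA certificates, mutual authentication works normally,

Both the client and the server can reach if( X509_V_OK == SSL_get_verify_result(pSSL)) { then obtain the X509-type object from pSSL and parse out the peer's public key normally; }

2. But when the client and the server are switched to SM2 certificates, the server cannot obtain the peer certificate.

I mainly followed the document "Issuing SM2 Certificates with BabaSSL" from the BabaSSL official site and generated the following certificate chain relationships: sm2_root.crt--->SM2_middle_ca.crt --->sm2_server.crt sm2_root.crt--->SM2_middle_ca.crt --->sm2_client.crt All SM2 certificates are V3, and the root certificate is sm2_root.crt;

In my code, the certificate-related files loaded by the server are: sm2_middle_ca.crt sm2_server.crt sm2_server_pri.key

The certificate-related files loaded by the client are: sm2_middle_ca.crt sm2_client.crt sm2_client_pri.key

After the client and server start, the mutual authentication logic is the same as in the earlier run with RSA certificates:

In the running client: if( X509_V_OK == SSL_get_verify_result(pSSL)) { // the client obtains the server's certificate normally and parses out the peer's public key }

But on the server: if( X509_V_OK == SSL_get_verify_result(pSSL)) { // the server program never reaches this step. It cannot obtain the client's certificate information }

My question: how can I make mutual certificate authentication between server and client succeed, so that the client certificate can be obtained from the SSL protocol exchange?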

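[Additional context] After generating the certificates on the command line, I checked the certificate chain with the openssl verify command. I don't know whether the following steps are appropriate, or whether they are related to the failure in the code above.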

sm2_root.crt sm2_middle_ca.crt sm2_server.crt sm2_server_pri.key

#openssl verify -CAfile sm2-root.crt sm2_middle_ca.crt OK

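#openssl verify -CAfile sm2_middle_ca.crt sm2_server.crt Error. The error message here said the issuer could not be found, so I ran the following command: cat sm2_root.crt >> sm2_middle_ca.crt and then ran #openssl verify -CAfile sm2_middle_ca.crt sm2_server.crt OK. Is this approach improper, and is it what caused the SSL protocol's validity check of the certificate chain to fail in my code?

If so, how should I configure the certificate files in the runtime environment?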

sunxiao2010n avatar Dec 24 '21 03:12 sunxiao2010n

@sunxiao2010n Bro, have you solved this? Our company needs this too.

@Paul Yang please reply

Dave379776966 avatar Dec 28 '21 04:12 Dave379776966

Ping @dongbeiouba

InfoHunter avatar Dec 28 '21 04:12 InfoHunter

https://github.com/BabaSSL/BabaSSL/wiki/NTLS%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C

532810439 avatar Dec 28 '21 06:12 532810439

https://github.com/BabaSSL/BabaSSL/wiki/NTLS%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C Could you explain how the [single certificate] mentioned below shows up in practice? @InfoHunter

Supports RFC 8998, i.e. TLS 1.3 + SM single certificate

Dave379776966 avatar Dec 28 '21 06:12 Dave379776966

https://github.com/BabaSSL/BabaSSL/wiki/NTLS%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C

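Has the following problem been solved yet?

Important note: Because the handshake flow and protocol version number of the SM dual-certificate scheme differ somewhat from the standard TLS flow, we chose to split the dual-certificate implementation (named ntls in the code) from the existing TLS state machine, and then identify the version number of the request at the entry point so that it enters the correct state machine. The troublesome part is that OpenSSL's BIO system does not implement msg_peek, so the current implementation obtains the connection's fd and then uses recv(fd, MSG_PEEK) to determine the connection's protocol. The resulting problem is that if you implement a non-socket BIO, you cannot use this feature. We will fix this later as circumstances allow.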

Dave379776966 avatar Dec 28 '21 06:12 Dave379776966

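My understanding is that you want to test the TLS 1.3 + SM2 single-certificate scenario.

I don't know exactly where you mean when you say the server program never reaches this step. Is it an application you wrote yourself?

Using the s_client and s_server built from the BabaSSL source code, TLS 1.3 communication with SM2 certificates and mutual authentication works for me.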

# Server
/opt/babassl/bin/openssl s_server -accept 127.0.0.1:56789 -tls1_3 -cert sm2.crt -cert_chain sm2_chain.crt -build_chain -key sm2.key -www -Verify 2 -verify_return_error -CAfile sm2_chain.crt

# Client
/opt/babassl/bin/openssl s_client -connect 127.0.0.1:56789 -tls1_3 -ign_eof -CAfile sm2_chain.crt -verify_return_error -cert sm2.crt  -key sm2.key -ciphersuites TLS_SM4_GCM_SM3

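The handshake succeeds and mutual authentication succeeds.

Also, when using the openssl verify command, the -CAfile parameter needs to be given the complete CA certificate chain. Put both sm2-root.crt and sm2_middle_ca.crt into one file, for example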

openssl verify -CAfile sm2_ca_chain.crt sm2_server.crt

Then verification passes.

dongbeiouba avatar Dec 28 '21 07:12 dongbeiouba

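@dongbeiouba Our certificate chain was generated the same way as yours. As for the test program, we wrote it ourselves using the SSL_CTX-related interfaces. I see your command-line test works; could you give us a demo test program, send us a link, and tell us which version of BabaSSL it is?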

Dave379776966 avatar Dec 28 '21 07:12 Dave379776966

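> @dongbeiouba Our certificate chain was generated the same way as yours. As for the test program, we wrote it ourselves using the SSL_CTX-related interfaces. I see your command-line test works; could you give us a demo test program, send us a link, and tell us which version of BabaSSL it is?

BabaSSL version 8.2.1.

Try running the commands I posted.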

dongbeiouba avatar Dec 28 '21 07:12 dongbeiouba

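> > @dongbeiouba Our certificate chain was generated the same way as yours. As for the test program, we wrote it ourselves using the SSL_CTX-related interfaces. I see your command-line test works; could you give us a demo test program, send us a link, and tell us which version of BabaSSL it is?
>
> BabaSSL version 8.2.1.
>
> Try running the commands I posted.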

1640677422(1)

1640677488(1)

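The result is an error: 1640677545(1)

Both the server and the client have their own certificate and private key, and both were issued by the second-level CA.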

Dave379776966 avatar Dec 28 '21 07:12 Dave379776966

Does chain.crt contain the root CA certificate and the intermediate CA certificate?

dongbeiouba avatar Dec 28 '21 08:12 dongbeiouba

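> Does chain.crt contain the root CA certificate and the intermediate CA certificate?

Yes, it contains the CA certificate and the intermediate CA certificate.

image 1640679679(1)

Verification is OK for all of them.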

Dave379776966 avatar Dec 28 '21 08:12 Dave379776966

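Are you sure this is the 8.2.1 code? The file and line number in the error don't match the code. Can you confirm that this openssl program is linked against the right library?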

dongbeiouba avatar Dec 28 '21 08:12 dongbeiouba

> Does chain.crt contain the root CA certificate and the intermediate CA certificate?

image

I'll send you our certificates; please try them.

Dave379776966 avatar Dec 28 '21 08:12 Dave379776966

@dongbeiouba I added some logging to the code, so the line numbers may be shifted. Also, I enabled the NTLS feature.

Dave379776966 avatar Dec 28 '21 08:12 Dave379776966

Version:

$/opt/babassl/bin/openssl version
BabaSSL 8.2.1
OpenSSL 1.1.1h-dev  xx XXX xxxx

Server:

$/opt/babassl/bin/openssl s_server -accept 127.0.0.1:56789 -tls1_3 -cert sm2/kms_server.crt  -key sm2/kms_server.key  -cert_chain sm2/chain.crt -build_chain -www -Verify 2 -CAfile sm2/chain.crt
verify depth is 2, must return a certificate
Using default temp DH parameters
ACCEPT

depth=0 C = CN, ST = BEIJING, O = SubShrong, OU = ENC, CN = EncClient, emailAddress = [email protected]
verify error:num=26:unsupported certificate purpose
verify return:1
depth=2 C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
verify return:1
depth=1 C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]
verify return:1
depth=0 C = CN, ST = BEIJING, O = SubShrong, OU = ENC, CN = EncClient, emailAddress = [email protected]
verify return:1

Client:

$/opt/babassl/bin/openssl s_client -connect 127.0.0.1:56789 -tls1_3 -ign_eof -CAfile sm2/chain.crt  -verify_return_error -cert sm2/enc_client.crt  -key sm2/enc_client.key -ciphersuites TLS_SM4_GCM_SM3
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
verify return:1
depth=1 C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]
verify return:1
depth=0 C = CN, ST = BEIJING, O = SubShrong, OU = KMS, CN = KmsServer, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:C = CN, ST = BEIJING, O = SubShrong, OU = KMS, CN = KmsServer, emailAddress = [email protected]
   i:C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]
 1 s:C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]
   i:C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
 2 s:C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
   i:C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
---
Server certificate
subject=C = CN, ST = BEIJING, O = SubShrong, OU = KMS, CN = KmsServer, emailAddress = [email protected]

issuer=C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]

---
Acceptable client certificate CA names
C = CN, ST = BEIJING, O = Shrong, OU = AppSoftWare, CN = middleCA, emailAddress = [email protected]
C = CN, ST = BEIJING, O = Shrong, OU = DataSec, CN = ShrongCA, emailAddress = [email protected]
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:SM2+SM3:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:SM2+SM3:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SM3
Peer signature type: SM2
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2757 bytes and written 2489 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_SM4_GCM_SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_SM4_GCM_SM3
    Session-ID: DD3761967054B0DAC6AAEF37165AC63DF103514872FCFFC84BFB712228AB85D4
    Session-ID-ctx:
    Resumption PSK: E54CDB8BA2606D05B42E0A59357E985250F396F71F81A52157E03B25910A3AC5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1640681482
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
    QUIC: no
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_SM4_GCM_SM3
    Session-ID: 030F5945DC7E2B1DD69C6FA36201FCE2A8A518434280EF007BA997C2810654DA
    Session-ID-ctx:
    Resumption PSK: 029D021927E449F97A301415502E61773A7919C1BEE1EA6272B0E6AF2834B48F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1640681482
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
    QUIC: no
---
read R BLOCK
GET / HTTP/1.0
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -accept 127.0.0.1:56789 -tls1_3 -cert sm2/kms_server.crt -key sm2/kms_server.key -cert_chain sm2/chain.crt -build_chain -www -Verify 2 -CAfile sm2/chain.crt
Secure Renegotiation IS supported
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_AES_128_GCM_SHA256
TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256 TLSv1.3    :TLS_SM4_CCM_SM3
TLSv1.3    :TLS_SM4_GCM_SM3           TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2    :DHE-RSA-CHACHA20-POLY1305 TLSv1.2    :ECDHE-ECDSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2    :DHE-RSA-AES128-GCM-SHA256
TLSv1.2    :ECDHE-ECDSA-AES256-SHA384 TLSv1.2    :ECDHE-RSA-AES256-SHA384
TLSv1.2    :DHE-RSA-AES256-SHA256     TLSv1.2    :ECDHE-ECDSA-AES128-SHA256
TLSv1.2    :ECDHE-RSA-AES128-SHA256   TLSv1.2    :DHE-RSA-AES128-SHA256
TLSv1.0    :ECDHE-ECDSA-AES256-SHA    TLSv1.0    :ECDHE-RSA-AES256-SHA
SSLv3      :DHE-RSA-AES256-SHA        TLSv1.0    :ECDHE-ECDSA-AES128-SHA
TLSv1.0    :ECDHE-RSA-AES128-SHA      SSLv3      :DHE-RSA-AES128-SHA
TLSv1.2    :RSA-PSK-AES256-GCM-SHA384 TLSv1.2    :DHE-PSK-AES256-GCM-SHA384
TLSv1.2    :RSA-PSK-CHACHA20-POLY1305 TLSv1.2    :DHE-PSK-CHACHA20-POLY1305
TLSv1.2    :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2    :AES256-GCM-SHA384
TLSv1.2    :PSK-AES256-GCM-SHA384     TLSv1.2    :PSK-CHACHA20-POLY1305
TLSv1.2    :RSA-PSK-AES128-GCM-SHA256 TLSv1.2    :DHE-PSK-AES128-GCM-SHA256
TLSv1.2    :AES128-GCM-SHA256         TLSv1.2    :PSK-AES128-GCM-SHA256
NTLSv1.1   :ECC-SM2-SM4-GCM-SM3       NTLSv1.1   :ECDHE-SM2-SM4-GCM-SM3
TLSv1.2    :AES256-SHA256             TLSv1.2    :AES128-SHA256
TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0    :ECDHE-PSK-AES256-CBC-SHA
SSLv3      :SRP-RSA-AES-256-CBC-SHA   SSLv3      :SRP-AES-256-CBC-SHA
TLSv1.0    :RSA-PSK-AES256-CBC-SHA384 TLSv1.0    :DHE-PSK-AES256-CBC-SHA384
SSLv3      :RSA-PSK-AES256-CBC-SHA    SSLv3      :DHE-PSK-AES256-CBC-SHA
SSLv3      :AES256-SHA                TLSv1.0    :PSK-AES256-CBC-SHA384
SSLv3      :PSK-AES256-CBC-SHA        TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA256
TLSv1.0    :ECDHE-PSK-AES128-CBC-SHA  SSLv3      :SRP-RSA-AES-128-CBC-SHA
SSLv3      :SRP-AES-128-CBC-SHA       TLSv1.0    :RSA-PSK-AES128-CBC-SHA256
TLSv1.0    :DHE-PSK-AES128-CBC-SHA256 SSLv3      :RSA-PSK-AES128-CBC-SHA
SSLv3      :DHE-PSK-AES128-CBC-SHA    NTLSv1.1   :ECC-SM2-SM4-CBC-SM3
NTLSv1.1   :ECDHE-SM2-SM4-CBC-SM3     SSLv3      :AES128-SHA
TLSv1.0    :PSK-AES128-CBC-SHA256     SSLv3      :PSK-AES128-CBC-SHA
---
Ciphers common between both SSL end points:
TLS_SM4_GCM_SM3
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:SM2+SM3:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:SM2+SM3:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SM3
Peer signature type: SM2
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384:SM2
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384:SM2
---
New, TLSv1.3, Cipher is TLS_SM4_GCM_SM3
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_SM4_GCM_SM3
    Session-ID: 1AF9EE0FC8BA1C4902C4B64CD4B977BC086BA36F530ACBDD223D0D086FC194B2
    Session-ID-ctx: 01000000
    Resumption PSK: 029D021927E449F97A301415502E61773A7919C1BEE1EA6272B0E6AF2834B48F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1640681482
    Timeout   : 7200 (sec)
    Verify return code: 26 (unsupported certificate purpose)
    Extended master secret: no
    Max Early Data: 0
    QUIC: no
---
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
---
DC tag: 0
---
Client certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:4b:8d:cb:8b:df:e6:68:fa:82:bb:a9:d2:e6:3c:9b
        Signature Algorithm: SM2-with-SM3
        Issuer: C=CN, ST=BEIJING, O=Shrong, OU=AppSoftWare, CN=middleCA/[email protected]
        Validity
            Not Before: Dec 17 04:11:13 2021 GMT
            Not After : Dec 15 04:11:13 2031 GMT
        Subject: C=CN, ST=BEIJING, O=SubShrong, OU=ENC, CN=EncClient/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:19:bc:84:4c:c3:f5:28:57:58:f0:f2:19:2f:e6:
                    27:f0:36:bb:01:71:87:74:f5:1e:7f:03:fc:22:f3:
                    08:34:55:6d:15:cd:e5:df:e9:d9:3e:58:f6:0c:18:
                    05:e9:5f:8c:24:a1:39:b1:8e:f0:47:8d:a7:6e:7b:
                    7c:a1:a4:49:69
                ASN1 OID: SM2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                3D:CD:63:F9:65:E3:71:E6:F1:5A:93:B2:76:82:7B:5E:8C:65:24:27
            X509v3 Authority Key Identifier:
                keyid:F2:98:B0:3A:1E:4B:73:A8:48:E7:83:17:B8:EE:90:C3:C7:55:43:48
                DirName:/C=CN/ST=BEIJING/O=Shrong/OU=DataSec/CN=ShrongCA/[email protected]
                serial:40:4B:8D:CB:8B:DF:E6:68:FA:82:BB:A9:D2:E6:3C:99

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:shrong.cn, DNS:*.shrong.cn
    Signature Algorithm: SM2-with-SM3
         30:45:02:20:14:2b:6e:46:c3:b1:68:c3:79:19:21:7a:00:8c:
         0a:11:7c:21:36:c1:24:b0:50:a1:91:14:f5:fd:2c:5d:f0:6b:
         02:21:00:f2:c1:a2:a5:17:9a:de:f1:10:1a:c2:d7:65:e0:ac:
         e2:a0:05:20:51:a9:98:cb:ed:88:75:e9:c3:ad:2e:e5:12
</pre></BODY></HTML>

read:errno=0

dongbeiouba avatar Dec 28 '21 08:12 dongbeiouba

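> > Does chain.crt contain the root CA certificate and the intermediate CA certificate?
>
> image sm2.tar.gz
>
> I'll send you our certificates; please try them.

I used BabaSSL 8.2.1 with the certificates you sent me, and the handshake succeeded.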

dongbeiouba avatar Dec 28 '21 08:12 dongbeiouba

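> > > Does chain.crt contain the root CA certificate and the intermediate CA certificate?
> >
> > image I'll send you our certificates; please try them.
>
> I used BabaSSL 8.2.1 with the certificates you sent me, and the handshake succeeded.

OK, I'll look into where the problem is right away. Is there a test program that calls the API (both server and client)? We need to implement this in a program.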

Dave379776966 avatar Dec 28 '21 08:12 Dave379776966

There are many test cases under the test directory; you can refer to test/ssl_test.c, test/sslapitest.c and so on.

You can also refer to apps/s_client.c and apps/s_server.c.

dongbeiouba avatar Dec 28 '21 09:12 dongbeiouba

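@dongbeiouba I just took a closer look, and the server side reported an error: verify error:num=26:unsupported certificate purpose

It seems the communication between the two sides did not succeed either.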

Dave379776966 avatar Dec 28 '21 09:12 Dave379776966

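> @dongbeiouba I just took a closer look, and the server side reported an error: verify error:num=26:unsupported certificate purpose
>
> It seems the communication between the two sides did not succeed either.

The server has already sent the HTTP response, so the handshake must have succeeded...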

dongbeiouba avatar Dec 28 '21 09:12 dongbeiouba

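> > @dongbeiouba I just took a closer look, and the server side reported an error: verify error:num=26:unsupported certificate purpose It seems the communication between the two sides did not succeed either.
>
> The server has already sent the HTTP response, so the handshake must have succeeded...

Can this error be ignored?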

Dave379776966 avatar Dec 28 '21 09:12 Dave379776966

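> > > @dongbeiouba I just took a closer look, and the server side reported an error: verify error:num=26:unsupported certificate purpose It seems the communication between the two sides did not succeed either.
> >
> > The server has already sent the HTTP response, so the handshake must have succeeded...
>
> Can this error be ignored?

This is related to the s_server implementation; for details, see verify_callback() in apps/s_cb.c.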

dongbeiouba avatar Dec 28 '21 09:12 dongbeiouba
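
The two verification results discussed in this thread, reproduced as an added example (not from the issue or from the BabaSSL project): a -CAfile holding only the intermediate fails chain building, and a client certificate whose extendedKeyUsage is only serverAuth, like the dumped EncClient certificate, fails the sslclient purpose check. It assumes a stock openssl CLI and builds a constructed throwaway PKI with P-256 keys standing in for SM2, since chain building and purpose checks do not depend on the key algorithm; all file and subject names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI; P-256 keys stand in for SM2.
# All file names and subject names below are hypothetical.

# Private config so the run does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_only]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client_ok]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue NAME CN EXT_SECTION SIGNER SERIAL   (run inside the PKI directory)
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
    openssl req -new -config demo.cnf -key "$1.key" -subj "/CN=$2" \
        -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
        -set_serial "$5" -extfile demo.cnf -extensions "$3" -days 2 \
        -out "$1.crt"
}

# make_demo_pki DIR: root -> middle -> {enc_client, fixed_client}.
# enc_client uses the server-only profile seen in the thread's client
# certificate dump; fixed_client is the same subject reissued for clientAuth.
make_demo_pki() {
    write_cnf "$1" || return 1
    (
        cd "$1" || exit 1
        openssl ecparam -name prime256v1 -genkey -noout -out root.key &&
        openssl req -new -x509 -config demo.cnf -extensions v3_ca \
            -key root.key -subj "/CN=Demo Root CA" -days 2 -out root.crt &&
        issue middle "Demo Middle CA" v3_ca root 2 &&
        issue enc_client "EncClient" server_only middle 3 &&
        issue fixed_client "EncClient" client_ok middle 4 &&
        cat root.crt middle.crt > chain.crt
    ) >/dev/null 2>&1
}

# verify_rc ARGS...: exit status of `openssl verify ARGS...`, output discarded.
verify_rc() {
    openssl verify "$@" >/dev/null 2>&1
}

report() {   # report LABEL ARGS...
    label=$1; shift
    if verify_rc "$@"; then echo "pass  $label"; else echo "FAIL  $label"; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    if make_demo_pki "$dir"; then
        (
            cd "$dir" || exit 1
            report "CAfile = intermediate only" \
                -CAfile middle.crt enc_client.crt
            report "CAfile = root + intermediate" \
                -CAfile chain.crt enc_client.crt
            report "trust root only, intermediate via -untrusted" \
                -CAfile root.crt -untrusted middle.crt enc_client.crt
            report "serverAuth-only cert checked as sslserver" \
                -purpose sslserver -CAfile chain.crt enc_client.crt
            report "serverAuth-only cert checked as sslclient" \
                -purpose sslclient -CAfile chain.crt enc_client.crt
            report "clientAuth cert checked as sslclient" \
                -purpose sslclient -CAfile chain.crt fixed_client.crt
        )
    else
        echo "could not build demo PKI (is openssl installed?)" >&2
    fi
    rm -rf "$dir"
}

demo
```

Reissuing the client certificate with extendedKeyUsage = clientAuth removes the purpose error at its source, so the server does not need a verify callback that tolerates it. Trusting only the root and passing the intermediate with -untrusted keeps the set of trust anchors minimal.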

@dongbeiouba Can the client program be based on apps/s_time.c?

Dave379776966 avatar Dec 29 '21 01:12 Dave379776966

> Can the client program be based on apps/s_time.c?

Either s_client or s_time is fine.

InfoHunter avatar Dec 29 '21 01:12 InfoHunter

@InfoHunter @dongbeiouba How can the following error be resolved in code? 1640770394(1)

Dave379776966 avatar Dec 29 '21 09:12 Dave379776966