
How does a Drogon client (WebSocket) verify the server certificate?

Open yunhui0501 opened this issue 5 months ago • 12 comments


yunhui0501 avatar Jul 22 '25 10:07 yunhui0501

static WebSocketClientPtr newWebSocketClient(
        const std::string &ip,
        uint16_t port,
        bool useSSL = false,
        trantor::EventLoop *loop = nullptr,
        bool useOldTLS = false,
        bool validateCert = true);

The last parameter. Validation is on by default.

an-tao avatar Jul 22 '25 13:07 an-tao

@an-tao Thanks for the reply. The last parameter of newWebSocketClient does indeed validate the server certificate by default, but to verify that a server certificate is legitimate you need a root certificate (ca.pem), don't you? I have never been able to figure out how to set the root certificate.

yunhui0501 avatar Jul 24 '25 00:07 yunhui0501


albaropereyra22 avatar Jul 24 '25 02:07 albaropereyra22

Verifying that the server's certificate is legitimate should be done against a root certificate, right? And that root certificate has to be configured on the client, right? Isn't that how everyone does it? But I can't find how to configure the root certificate on the client. Could an expert give me some guidance?

yunhui0501 avatar Jul 24 '25 03:07 yunhui0501

Generally, if the server obtained its certificate from a recognized certificate authority, you do not need to worry about the root certificate. If you run your own service, it is also best to obtain the certificate from a certificate authority.

an-tao avatar Jul 24 '25 03:07 an-tao

@an-tao Hi. The client checks whether the server certificate is valid in order to prevent man-in-the-middle attacks; that applies to certificates issued by recognized authorities too, doesn't it? I looked through a lot of material and found that everything uses SSLConfig.h and the like, but my copy of the library doesn't have that at all, which is strange.

yunhui0501 avatar Jul 24 '25 03:07 yunhui0501

> @an-tao Hi. The client checks whether the server certificate is valid in order to prevent man-in-the-middle attacks; that applies to certificates issued by recognized authorities too, doesn't it? I looked through a lot of material and found that everything uses SSLConfig.h and the like, but my copy of the library doesn't have that at all, which is strange.

Yes. A certificate you signed yourself won't be trusted by other people's browsers either.

an-tao avatar Jul 24 '25 06:07 an-tao

I recommend using the certbot tool from https://letsencrypt.org to create certificates. It is easier if you use Route 53 from AWS to re-certify automatically.

albaropereyra22 avatar Jul 24 '25 08:07 albaropereyra22

@albaropereyra22 Hi. Is it that Drogon itself cannot implement this, and the developer has to call the OpenSSL API to implement the verification themselves?

yunhui0501 avatar Jul 28 '25 00:07 yunhui0501

> @albaropereyra22 Hi. Is it that Drogon itself cannot implement this, and the developer has to call the OpenSSL API to implement the verification themselves?

Try setting it through the environment variable: export SSL_CERT_FILE=/path/to/ca-bundle.crt

nqf avatar Jul 28 '25 01:07 nqf

Like @nqf mentioned, this can be set in Drogon in the config file, but to scale horizontally you want to use a third party.


albaropereyra22 avatar Jul 28 '25 16:07 albaropereyra22

drogon::HttpClient::newHttpClient(url.c_str(), loopPool_->getNextLoop(),true, "/userdata/oem/websocket/ca.pem"); This is AI-generated code. I tried it and it compiles, but every certificate is reported as invalid, so it is unusable. If I have to use a third-party tool, I might as well switch to the libwebsocket library instead.

yunhui0501 avatar Jul 29 '25 06:07 yunhui0501
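An added example, not code from Drogon or from anyone in this thread: a POSIX shell script that uses the openssl CLI to build a throwaway private CA, issue a server certificate from it for a made-up host, and run the chain and hostname checks an OpenSSL-based client performs, once with an explicit CA file and once with the SSL_CERT_FILE variable nqf suggested. It also shows what "every certificate is invalid" looks like when no trust anchor is reachable. The only requirement is that the openssl command (1.1.1 or 3.x) is on PATH; the host name ws.example.internal, the file names and the two-day validity are assumptions of the example, and every certificate is constructed by the script itself.

```shell
#!/bin/sh
# Added example (not Drogon code). Builds a private CA and a server cert, then
# runs the checks a TLS client performs. Exit status of each check: 0 = accepted.

# Hostname the constructed server certificate is issued for (assumption).
WS_HOST=ws.example.internal

# Minimal OpenSSL config: one extension section for the CA, one for the leaf.
write_openssl_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$WS_HOST
EOF
}

# Creates in $1: ca.pem/ca.key (trust anchor), server.pem/server.key (issued by
# that CA for WS_HOST) and rogue.pem/rogue.key (self-signed for the same name:
# what an attacker without access to our CA could present from a MITM position).
make_test_pki() {
    dir=$1
    write_openssl_cnf "$dir/openssl.cnf" || return 1
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$WS_HOST" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -subj "/CN=$WS_HOST" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" >/dev/null 2>&1 || return 1
}

# Chain check against an explicit CA file: what a client configured with its
# own ca.pem does. 0 if $2 chains to the CA in $1, non-zero otherwise.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check plus hostname check ($3): chaining to a trusted CA is not enough,
# the certificate must also be issued for the host the client dialled.
verify_with_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Same chain check, but the CA file is supplied only through SSL_CERT_FILE,
# the variable OpenSSL reads when a client relies on its default trust store.
verify_via_env() {
    SSL_CERT_FILE=$1 openssl verify "$2" >/dev/null 2>&1
}

# No trust anchor at all: default CA file and directory disabled. Every
# certificate is rejected here, whatever CA actually issued it.
verify_with_no_trust_anchor() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Run every check once and print the outcome, the way a client would log it.
demo() {
    work=$(mktemp -d) || return 1
    if ! make_test_pki "$work"; then
        echo "certificate generation failed (is openssl on PATH?)"
        rm -rf "$work"
        return 1
    fi
    report() { label=$1; shift; if "$@"; then echo "  accepted: $label"; else echo "  REJECTED: $label"; fi; }
    report "server.pem against ca.pem"            verify_with_cafile "$work/ca.pem" "$work/server.pem"
    report "rogue.pem against ca.pem"             verify_with_cafile "$work/ca.pem" "$work/rogue.pem"
    report "server.pem, hostname $WS_HOST"        verify_with_hostname "$work/ca.pem" "$work/server.pem" "$WS_HOST"
    report "server.pem, hostname other.example"   verify_with_hostname "$work/ca.pem" "$work/server.pem" other.example
    report "server.pem via SSL_CERT_FILE=ca.pem"  verify_via_env "$work/ca.pem" "$work/server.pem"
    report "server.pem with no trust anchor"      verify_with_no_trust_anchor "$work/server.pem"
    rm -rf "$work"
}

demo
```

The last case is the state a client is in when certificate validation is on but no CA it trusts is reachable: every certificate is rejected, which is the symptom in the final comment. Before blaming the library, run the same `openssl verify -CAfile ca.pem` check against the certificate the server actually presents (`openssl s_client -connect host:port -showcerts` prints it), and look again at the call `newHttpClient(url.c_str(), loop, true, "/userdata/oem/websocket/ca.pem")`: if newHttpClient takes the same trailing (bool useOldTLS, bool validateCert) pair as the newWebSocketClient signature quoted earlier in the thread, which I am assuming rather than confirming here, then a string literal in the fourth position converts to the bool true, the path is never used as a CA file, and the third argument switches on useOldTLS, neither of which the caller intended.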