
OpenSSL/ClientTCPAvecSSL

OpenSSL.ClientTCPAvecSSL History


January 09, 2006, at 11:55 PM by 82.66.132.163 -
Changed lines 1-2 from:

client TCP

to:

client TCP avec SSL

Added lines 9-27:
  1. include <openssl/crypto.h>
  2. include <openssl/x509.h>
  3. include <openssl/pem.h>
  4. include <openssl/ssl.h>
  5. include <openssl/err.h>
  6. define CA_FILE "C:\\TEMP\\openssl\\CA_CDN.crt"
  7. define CA_DIR NULL

//#define CA_FILE NULL //#define CA_DIR "C:\\temp\\openssl"

  1. define CLIENT_CRT "C:\\TEMP\\openssl\\NET208WEB001_crt.pem"

//#define CLIENT_PVK "C:\\temp2\\cert\\client1_ca2_pvk.pem" static char pass[]="MjYxQUNERjE=";

//

Changed lines 29-33 from:
to:

// insérer C:\OpenSSL\include dans C/C++>PreProcessor>Additional include directories // insérer C:\OpenSSL\out32.dbg Link>Input>Additional library path: // C/C++>Code Generation>Use Runtime library>Debug Multithread DLL //

Changed lines 39-41 from:

int main(int argc, char* argv[])

to:
  1. pragma comment(lib, "ssleay32.lib")
  2. pragma comment(lib, "libeay32.lib")

static int password_cb(char *buf,int num,int rwflag,void *userdata)

Changed lines 44-56 from:
	WSADATA wsaData;
	SOCKET sd;
	struct sockaddr_in sa;
	hostent* remoteHost;
	int err;


	//-----------------------------------------------
	// Initialize Winsock
	WSAStartup(MAKEWORD(2,2), &wsaData);


	sd = socket(AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");
to:
    if(num<strlen(pass)+1)
		return(0);
Changed lines 47-70 from:
	memset (&sa, '\0', sizeof(sa));
	sa.sin_family      = AF_INET;
	//sa.sin_addr.s_addr = inet_addr ("172.31.198.15");   /* Server IP */

	remoteHost = gethostbyname("sec030dev146");
	sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);


	sa.sin_port        = htons     (400);          /* Server Port number */

	err = connect(sd, (struct sockaddr*) &sa,sizeof(sa));	
	CHK_ERR(err, "connect");


	int bytesSent;
	char sendbuf[32] = "hello world";
	bytesSent = send( sd, sendbuf, strlen(sendbuf), 0 );
	closesocket(sd);

cleanUp:

	WSACleanup();

	return 0;
to:
    strcpy(buf,pass);
    return(strlen(pass));
Changed lines 51-72 from:

(:sourcend:)

serveur TCP (:source lang=C :) // serveur.cpp application console //

  1. include "stdafx.h"

// insérer Ws2_32.lib dans Link>General>Library Modules

  1. define CHK_NULL(x) if ((x)==NULL) exit (1)
  2. define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
  3. define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }

int main(int argc, char* argv[])

to:

void PrintSSLError(){

	int sslerror = ERR_get_error();
	char error_buffer[120];
	ERR_error_string(sslerror, error_buffer);
	printf("%s",error_buffer);

}

int verify_callback(int ok, X509_STORE_CTX *store)

Added lines 60-84:
    char data[256];
	printf("verify_callback\r\n");

    if (!ok)
    {
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int  depth = X509_STORE_CTX_get_error_depth(store);
        int  err = X509_STORE_CTX_get_error(store);

        //printf("-Error with certificate at depth: %i\n", depth);
        //X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        //printf("  issuer   = %s\n", data);
        //X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        //printf("  subject  = %s\n", data);
        //printf("err s\n", err, X509_verify_cert_error_string(err));
		PrintSSLError();
    }

    return ok;

}

int main(int argc, char* argv[]) {

Changed lines 90-92 from:
	char recvbuf[32];
	int bytesRecv;
to:
	char buf [4096];

	SSL_CTX* ctx;
	SSL*     ssl;
	X509*    server_cert;
	SSL_METHOD *meth;
	X509_STORE *store;
	X509_LOOKUP *lookup;
	X509_STORE_CTX *verify_ctx;
	X509 *cert;
	FILE *fp=NULL;
Added line 103:
Changed lines 116-118 from:
	sa.sin_port        = htons     (400);          /* Server Port number */
to:
	sa.sin_port= htons(2907);          /* Server Port number */
Changed lines 120-124 from:
	bool bOptVal = TRUE;
	setsockopt(sd,SOL_SOCKET,SO_REUSEADDR, (char*)&bOptVal,sizeof(bOptVal));
to:
	err = connect(sd,(struct sockaddr*) &sa,sizeof(sa));	
	CHK_ERR(err, "connect");



	// INIT
	SSL_library_init();
	SSLeay_add_ssl_algorithms();
	meth = SSLv3_client_method();
	SSL_load_error_strings();
	ctx = SSL_CTX_new(meth);
	CHK_NULL(ctx);


	printf("SSL_CTX_load_verify_locations\r\n");
	if (SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_DIR) != 1)
        printf("Error loading CA file and/or directory");
Changed lines 139-141 from:
	if(bind(sd,(struct sockaddr *)&sa,  sizeof(sa))== SOCKET_ERROR){
		printf(WSAGetLastErrorMessage("client"));
		goto cleanUp;
to:
	//if(!(SSL_CTX_use_certificate_file(ctx,"c:\\client2_crt.pem",SSL_FILETYPE_PEM))){
	//	printf("Couldn't read certificate file");
	//	int sslerror = ERR_get_error();
	//	char error_buffer[120];
	//	ERR_error_string(sslerror, error_buffer);
	//	printf("%s",error_buffer);
	//}

	if(!SSL_CTX_use_certificate_chain_file(ctx, CLIENT_CRT)){
		printf("Couldn't read certificate file");
		int sslerror = ERR_get_error();
		char error_buffer[120];
		ERR_error_string(sslerror, error_buffer);
		printf("%s",error_buffer);
Added lines 154-171:
	printf("SSL_CTX_set_default_passwd_cb\r\n");

    SSL_CTX_set_default_passwd_cb(ctx,password_cb);


	printf("SSL_CTX_use_PrivateKey_file\r\n");

	//if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_PVK,SSL_FILETYPE_PEM))){
	if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_CRT,SSL_FILETYPE_PEM))){
		printf("Couldn't read private key file");
	}

	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,verify_callback);

	CHK_SSL(err);
Changed lines 174-178 from:
	if(listen(sd,SOMAXCONN)== SOCKET_ERROR){
		printf(WSAGetLastErrorMessage("client"));
		goto cleanUp;
	}
to:
	// first read the client certificate
	printf("opening client certificate ...\r\n");
Added lines 179-192:
	if ((fp = fopen(CLIENT_CRT, "r")) == NULL){
		printf("Error reading client certificate file");
		return 0;
	}

	printf("PEM_read_X509...\r\n");
	cert = PEM_read_X509(fp, NULL, NULL, NULL);

	//if ((cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL){
	//	printf("Error reading client certificate in file");
	//	return 0;
	//}
	fclose(fp);	
Changed lines 194-200 from:
	SOCKET AcceptSocket;
to:
	printf("creating store...");
	if (!(store = X509_STORE_new ())){
		printf("error initialize store certificat");
		return 1;
	}

	X509_STORE_set_verify_cb_func (store, verify_callback);
Changed lines 202-221 from:
	while(1) {
		AcceptSocket = SOCKET_ERROR;
		while( AcceptSocket == SOCKET_ERROR ) {
			AcceptSocket = accept( sd, NULL, NULL );
		}
		printf("Client connected.\n");


		bytesRecv = SOCKET_ERROR;

		while( bytesRecv == SOCKET_ERROR ) {
			bytesRecv = recv( AcceptSocket, recvbuf, 32, 0 );
			if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) {
				printf( "Connection Closed.\n");
				break;
			}
			recvbuf[bytesRecv]='\0';
			printf( "Bytes Recv: %ld ***%s***\n", bytesRecv,recvbuf );
		}
to:
	printf("reading CA ...");

	if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1){
		PrintSSLError();
		printf("Error loading the CA file or directory");
Changed lines 208-212 from:

cleanUp:

 	WSACleanup();
to:
	if (X509_STORE_set_default_paths 
		(store) != 1)
		printf ("Error loading the system-wide CA certificates");
	if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
		printf ("Error creating X509_LOOKUP object");

	//if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1){
	//	PrintSSLError();
	//	printf ("Error reading the CRL file");
	//}
Changed lines 219-269 from:
	return 0;

}

(:sourcend:)

client TCP avec SSL (:source lang=C :) // client.cpp : application console //

  1. include "stdafx.h"
  2. include <openssl/crypto.h>
  3. include <openssl/x509.h>
  4. include <openssl/pem.h>
  5. include <openssl/ssl.h>
  6. include <openssl/err.h>
  7. define CA_FILE "C:\\TEMP\\openssl\\CA_CDN.crt"
  8. define CA_DIR NULL

//#define CA_FILE NULL //#define CA_DIR "C:\\temp\\openssl"

  1. define CLIENT_CRT "C:\\TEMP\\openssl\\NET208WEB001_crt.pem"

//#define CLIENT_PVK "C:\\temp2\\cert\\client1_ca2_pvk.pem" static char pass[]="MjYxQUNERjE=";

// // insérer Ws2_32.lib dans Link>General>Library Modules // insérer C:\OpenSSL\include dans C/C++>PreProcessor>Additional include directories // insérer C:\OpenSSL\out32.dbg Link>Input>Additional library path: // C/C++>Code Generation>Use Runtime library>Debug Multithread DLL //

  1. define CHK_NULL(x) if ((x)==NULL) exit (1)
  2. define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
  3. define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
  4. pragma comment(lib, "ssleay32.lib")
  5. pragma comment(lib, "libeay32.lib")

static int password_cb(char *buf,int num,int rwflag,void *userdata) {

    if(num<strlen(pass)+1)
		return(0);
to:
		// enabling verification against CRLs is not possible in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) // set the flags of the store so that CRLs are consulted //X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_STORE_set_flags (store,NULL);
  2. endif
Changed lines 226-253 from:
    strcpy(buf,pass);
    return(strlen(pass));

}

void PrintSSLError(){

	int sslerror = ERR_get_error();
	char error_buffer[120];
	ERR_error_string(sslerror, error_buffer);
	printf("%s",error_buffer);

}

int verify_callback(int ok, X509_STORE_CTX *store) {

    char data[256];
	printf("verify_callback\r\n");

    if (!ok)
    {
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int  depth = X509_STORE_CTX_get_error_depth(store);
        int  err = X509_STORE_CTX_get_error(store);

        //printf("-Error with certificate at depth: %i\n", depth);
        //X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        //printf("  issuer   = %s\n", data);
        //X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        //printf("  subject  = %s\n", data);
        //printf("err s\n", err, X509_verify_cert_error_string(err));
to:
	// create a verification context and initialize it 
	if (!(verify_ctx = X509_STORE_CTX_new ()))
		printf ("Error creating X509_STORE_CTX object");
		// X509_STORE_CTX_init did not return an error condition in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (X509_STORE_CTX_init (verify_ctx, store, cert, NULL) != 1)
		printf("Error initializing verification context");
  1. else X509_STORE_CTX_init (verify_ctx, store, cert, NULL);
  2. endif
    // verify the certificate if (X509_verify_cert (verify_ctx) != 1){
		printf("Error verifying the certificate");
Changed lines 241-273 from:
    }

    return ok;

}

int main(int argc, char* argv[]) {

	WSADATA wsaData;
	SOCKET sd;
	struct sockaddr_in sa;
	hostent* remoteHost;
	int err;
	char buf [4096];

	SSL_CTX* ctx;
	SSL*     ssl;
	X509*    server_cert;
	SSL_METHOD *meth;
	X509_STORE *store;
	X509_LOOKUP *lookup;
	X509_STORE_CTX *verify_ctx;
	X509 *cert;
	FILE *fp=NULL;

	//-----------------------------------------------

	// Initialize Winsock
	WSAStartup(MAKEWORD(2,2), &wsaData);


	sd = socket(AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");
to:
	}
	else{
		printf ("Certificate verified correctly!\n");}





	ssl = SSL_new(ctx);
	CHK_NULL(ssl);
Changed lines 252-254 from:
	memset (&sa, '\0', sizeof(sa));
	sa.sin_family      = AF_INET;
	//sa.sin_addr.s_addr = inet_addr ("172.31.198.15");   /* Server IP */
to:
	printf("connect ...\r\n");

	SSL_set_fd(ssl, sd);
	err = SSL_connect(ssl);
	CHK_SSL(err);


	printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
Changed lines 261-265 from:
	remoteHost = gethostbyname("sec030dev146");
	sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);


	sa.sin_port= htons(2907);          /* Server Port number */
to:
	/* Get server's certificate (note: beware of dynamic allocation) - opt */
Changed lines 263-314 from:
	err = connect(sd,(struct sockaddr*) &sa,sizeof(sa));	
	CHK_ERR(err, "connect");



	// INIT
	SSL_library_init();
	SSLeay_add_ssl_algorithms();
	meth = SSLv3_client_method();
	SSL_load_error_strings();
	ctx = SSL_CTX_new(meth);
	CHK_NULL(ctx);


	printf("SSL_CTX_load_verify_locations\r\n");
	if (SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_DIR) != 1)
        printf("Error loading CA file and/or directory");


	//if(!(SSL_CTX_use_certificate_file(ctx,"c:\\client2_crt.pem",SSL_FILETYPE_PEM))){
	//	printf("Couldn't read certificate file");
	//	int sslerror = ERR_get_error();
	//	char error_buffer[120];
	//	ERR_error_string(sslerror, error_buffer);
	//	printf("%s",error_buffer);
	//}

	if(!SSL_CTX_use_certificate_chain_file(ctx, CLIENT_CRT)){
		printf("Couldn't read certificate file");
		int sslerror = ERR_get_error();
		char error_buffer[120];
		ERR_error_string(sslerror, error_buffer);
		printf("%s",error_buffer);
	}



	printf("SSL_CTX_set_default_passwd_cb\r\n");

    SSL_CTX_set_default_passwd_cb(ctx,password_cb);


	printf("SSL_CTX_use_PrivateKey_file\r\n");

	//if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_PVK,SSL_FILETYPE_PEM))){
	if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_CRT,SSL_FILETYPE_PEM))){
		printf("Couldn't read private key file");
	}

	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,verify_callback);

	CHK_SSL(err);
to:
	server_cert = SSL_get_peer_certificate (ssl);       CHK_NULL(server_cert);
	printf ("Server certificate:\n");
Changed lines 266-270 from:
	// first read the client certificate
	printf("opening client certificate ...\r\n");
to:
	char *str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t subject: %s\n", str);
	OPENSSL_free (str);
Changed lines 271-284 from:
	if ((fp = fopen(CLIENT_CRT, "r")) == NULL){
		printf("Error reading client certificate file");
		return 0;
	}

	printf("PEM_read_X509...\r\n");
	cert = PEM_read_X509(fp, NULL, NULL, NULL);

	//if ((cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL){
	//	printf("Error reading client certificate in file");
	//	return 0;
	//}
	fclose(fp);	
to:
	str = X509_NAME_oneline (X509_get_issuer_name  (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t issuer: %s\n", str);
	OPENSSL_free (str);
Changed lines 276-282 from:
	printf("creating store...");
	if (!(store = X509_STORE_new ())){
		printf("error initialize store certificat");
		return 1;
	}

	X509_STORE_set_verify_cb_func (store, verify_callback);
to:
	/* We could do all sorts of certificate verification stuff here before
	deallocating the certificate. */
Changed lines 279-294 from:
	printf("reading CA ...");

	if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1){
		PrintSSLError();
		printf("Error loading the CA file or directory");
	}
	if (X509_STORE_set_default_paths 
		(store) != 1)
		printf ("Error loading the system-wide CA certificates");
	if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
		printf ("Error creating X509_LOOKUP object");

	//if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1){
	//	PrintSSLError();
	//	printf ("Error reading the CRL file");
	//}
to:
	X509_free(server_cert);

		// --------------------------------------------------- 
	// DATA EXCHANGE - Send a message and receive a reply. 
Changed lines 284-289 from:
		// enabling verification against CRLs is not possible in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) // set the flags of the store so that CRLs are consulted //X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_STORE_set_flags (store,NULL);
  2. endif
to:
	err = SSL_write (ssl, "GET / HTTP/1.0\r\n\r\n", strlen("GET / HTTP/1.1\r\n\r\n"));  CHK_SSL(err);
Changed lines 286-295 from:
	// create a verification context and initialize it 
	if (!(verify_ctx = X509_STORE_CTX_new ()))
		printf ("Error creating X509_STORE_CTX object");
		// X509_STORE_CTX_init did not return an error condition in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (X509_STORE_CTX_init (verify_ctx, store, cert, NULL) != 1)
		printf("Error initializing verification context");
  1. else X509_STORE_CTX_init (verify_ctx, store, cert, NULL);
  2. endif
to:
	err = SSL_read (ssl, buf, sizeof(buf) - 1);                     CHK_SSL(err);
	buf[err] = '\0';
	printf ("Got s'\n", err, buf);
Changed lines 293-306 from:
	// verify the certificate 
	if (X509_verify_cert (verify_ctx) != 1){
		printf("Error verifying the certificate");
		PrintSSLError();
	}
	else{
		printf ("Certificate verified correctly!\n");}





	ssl = SSL_new(ctx);
	CHK_NULL(ssl);
to:
Changed lines 295-302 from:
	printf("connect ...\r\n");

	SSL_set_fd(ssl, sd);
	err = SSL_connect(ssl);
	CHK_SSL(err);


	printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
to:
	//BIO_free(sbio);
	SSL_shutdown(ssl);  // send SSL/TLS close_notify
	SSL_free (ssl);
	SSL_CTX_free(ctx);



	closesocket(sd);

cleanUp:

	WSACleanup();
Deleted lines 308-355:
	/* Get server's certificate (note: beware of dynamic allocation) - opt */

	server_cert = SSL_get_peer_certificate (ssl);       CHK_NULL(server_cert);
	printf ("Server certificate:\n");

	char *str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t subject: %s\n", str);
	OPENSSL_free (str);

	str = X509_NAME_oneline (X509_get_issuer_name  (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t issuer: %s\n", str);
	OPENSSL_free (str);

	/* We could do all sorts of certificate verification stuff here before
	deallocating the certificate. */

	X509_free(server_cert);

		// --------------------------------------------------- 
	// DATA EXCHANGE - Send a message and receive a reply. 

	err = SSL_write (ssl, "GET / HTTP/1.0\r\n\r\n", strlen("GET / HTTP/1.1\r\n\r\n"));  CHK_SSL(err);

	err = SSL_read (ssl, buf, sizeof(buf) - 1);                     CHK_SSL(err);
	buf[err] = '\0';
	printf ("Got s'\n", err, buf);






	//BIO_free(sbio);
	SSL_shutdown(ssl);  // send SSL/TLS close_notify
	SSL_free (ssl);
	SSL_CTX_free(ctx);



	closesocket(sd);

cleanUp:

	WSACleanup();
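Review bot: The server certificate is chain-validated (`SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT` in the "Added lines 154-171" hunk) but its identity is never tied to the host the socket was opened to: in the "Changed lines 266-270" hunk the subject returned by `X509_NAME_oneline` is printed and freed without being compared to anything, so any certificate the trusted CA ever issued is accepted for this connection; after `printf ("\t subject: %s\n", str);` the subject CN or a subjectAltName should be matched against the expected host name and a mismatch treated as fatal. In the same section, `meth = SSLv3_client_method();` pins the handshake to SSLv3 instead of a version-flexible client method with the obsolete protocols disabled, and the `CHK_SSL(err);` that follows `SSL_CTX_set_verify` re-tests the stale `connect` result, so a failing `SSL_CTX_use_PrivateKey_file` only prints "Couldn't read private key file" and the program carries on to the handshake. `static char pass[]="MjYxQUNERjE=";` compiles the private-key passphrase into the binary; it should be supplied at run time rather than embedded in source. The same code is the "Added lines 1-473" hunk of the earlier revision below, so these points apply there too; main starts in the "Added lines 60-84" hunk and its body is spread over the later hunks.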
January 09, 2006, at 11:54 PM by 82.66.132.163 -
Added lines 1-473:

client TCP

(:source lang=C :) // client.cpp : application console //

  1. include "stdafx.h"

// insérer Ws2_32.lib dans Link>General>Library Modules

  1. define CHK_NULL(x) if ((x)==NULL) exit (1)
  2. define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
  3. define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }

int main(int argc, char* argv[]) {

	WSADATA wsaData;
	SOCKET sd;
	struct sockaddr_in sa;
	hostent* remoteHost;
	int err;


	//-----------------------------------------------
	// Initialize Winsock
	WSAStartup(MAKEWORD(2,2), &wsaData);


	sd = socket(AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");

	memset (&sa, '\0', sizeof(sa));
	sa.sin_family      = AF_INET;
	//sa.sin_addr.s_addr = inet_addr ("172.31.198.15");   /* Server IP */

	remoteHost = gethostbyname("sec030dev146");
	sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);


	sa.sin_port        = htons     (400);          /* Server Port number */

	err = connect(sd, (struct sockaddr*) &sa,sizeof(sa));	
	CHK_ERR(err, "connect");


	int bytesSent;
	char sendbuf[32] = "hello world";
	bytesSent = send( sd, sendbuf, strlen(sendbuf), 0 );
	closesocket(sd);

cleanUp:

	WSACleanup();

	return 0;

}

(:sourcend:)

serveur TCP (:source lang=C :) // serveur.cpp application console //

  1. include "stdafx.h"

// insérer Ws2_32.lib dans Link>General>Library Modules

  1. define CHK_NULL(x) if ((x)==NULL) exit (1)
  2. define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
  3. define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }

int main(int argc, char* argv[]) {

	WSADATA wsaData;
	SOCKET sd;
	struct sockaddr_in sa;
	hostent* remoteHost;
	int err;
	char recvbuf[32];
	int bytesRecv;

	//-----------------------------------------------
	// Initialize Winsock
	WSAStartup(MAKEWORD(2,2), &wsaData);


	sd = socket(AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");

	memset (&sa, '\0', sizeof(sa));
	sa.sin_family      = AF_INET;
	//sa.sin_addr.s_addr = inet_addr ("172.31.198.15");   /* Server IP */

	remoteHost = gethostbyname("sec030dev146");
	sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);
	sa.sin_port        = htons     (400);          /* Server Port number */



	bool bOptVal = TRUE;
	setsockopt(sd,SOL_SOCKET,SO_REUSEADDR, (char*)&bOptVal,sizeof(bOptVal));


	if(bind(sd,(struct sockaddr *)&sa,  sizeof(sa))== SOCKET_ERROR){
		printf(WSAGetLastErrorMessage("client"));
		goto cleanUp;
	}


	if(listen(sd,SOMAXCONN)== SOCKET_ERROR){
		printf(WSAGetLastErrorMessage("client"));
		goto cleanUp;
	}



	SOCKET AcceptSocket;

	while(1) {
		AcceptSocket = SOCKET_ERROR;
		while( AcceptSocket == SOCKET_ERROR ) {
			AcceptSocket = accept( sd, NULL, NULL );
		}
		printf("Client connected.\n");


		bytesRecv = SOCKET_ERROR;

		while( bytesRecv == SOCKET_ERROR ) {
			bytesRecv = recv( AcceptSocket, recvbuf, 32, 0 );
			if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) {
				printf( "Connection Closed.\n");
				break;
			}
			recvbuf[bytesRecv]='\0';
			printf( "Bytes Recv: %ld ***%s***\n", bytesRecv,recvbuf );
		}

	}

cleanUp:

 	WSACleanup();

	return 0;

}

(:sourcend:)

client TCP avec SSL (:source lang=C :) // client.cpp : application console //

  1. include "stdafx.h"
  2. include <openssl/crypto.h>
  3. include <openssl/x509.h>
  4. include <openssl/pem.h>
  5. include <openssl/ssl.h>
  6. include <openssl/err.h>
  7. define CA_FILE "C:\\TEMP\\openssl\\CA_CDN.crt"
  8. define CA_DIR NULL

//#define CA_FILE NULL //#define CA_DIR "C:\\temp\\openssl"

  1. define CLIENT_CRT "C:\\TEMP\\openssl\\NET208WEB001_crt.pem"

//#define CLIENT_PVK "C:\\temp2\\cert\\client1_ca2_pvk.pem" static char pass[]="MjYxQUNERjE=";

// // insérer Ws2_32.lib dans Link>General>Library Modules // insérer C:\OpenSSL\include dans C/C++>PreProcessor>Additional include directories // insérer C:\OpenSSL\out32.dbg Link>Input>Additional library path: // C/C++>Code Generation>Use Runtime library>Debug Multithread DLL //

  1. define CHK_NULL(x) if ((x)==NULL) exit (1)
  2. define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
  3. define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
  4. pragma comment(lib, "ssleay32.lib")
  5. pragma comment(lib, "libeay32.lib")

static int password_cb(char *buf,int num,int rwflag,void *userdata) {

    if(num<strlen(pass)+1)
		return(0);

    strcpy(buf,pass);
    return(strlen(pass));

}

void PrintSSLError(){

	int sslerror = ERR_get_error();
	char error_buffer[120];
	ERR_error_string(sslerror, error_buffer);
	printf("%s",error_buffer);

}

int verify_callback(int ok, X509_STORE_CTX *store) {

    char data[256];
	printf("verify_callback\r\n");

    if (!ok)
    {
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int  depth = X509_STORE_CTX_get_error_depth(store);
        int  err = X509_STORE_CTX_get_error(store);

        //printf("-Error with certificate at depth: %i\n", depth);
        //X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        //printf("  issuer   = %s\n", data);
        //X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        //printf("  subject  = %s\n", data);
        //printf("err s\n", err, X509_verify_cert_error_string(err));
		PrintSSLError();
    }

    return ok;

}

int main(int argc, char* argv[]) {

	WSADATA wsaData;
	SOCKET sd;
	struct sockaddr_in sa;
	hostent* remoteHost;
	int err;
	char buf [4096];

	SSL_CTX* ctx;
	SSL*     ssl;
	X509*    server_cert;
	SSL_METHOD *meth;
	X509_STORE *store;
	X509_LOOKUP *lookup;
	X509_STORE_CTX *verify_ctx;
	X509 *cert;
	FILE *fp=NULL;

	//-----------------------------------------------

	// Initialize Winsock
	WSAStartup(MAKEWORD(2,2), &wsaData);


	sd = socket(AF_INET, SOCK_STREAM, 0);       CHK_ERR(sd, "socket");

	memset (&sa, '\0', sizeof(sa));
	sa.sin_family      = AF_INET;
	//sa.sin_addr.s_addr = inet_addr ("172.31.198.15");   /* Server IP */

	remoteHost = gethostbyname("sec030dev146");
	sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);


	sa.sin_port= htons(2907);          /* Server Port number */

	err = connect(sd,(struct sockaddr*) &sa,sizeof(sa));	
	CHK_ERR(err, "connect");



	// INIT
	SSL_library_init();
	SSLeay_add_ssl_algorithms();
	meth = SSLv3_client_method();
	SSL_load_error_strings();
	ctx = SSL_CTX_new(meth);
	CHK_NULL(ctx);


	printf("SSL_CTX_load_verify_locations\r\n");
	if (SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_DIR) != 1)
        printf("Error loading CA file and/or directory");


	//if(!(SSL_CTX_use_certificate_file(ctx,"c:\\client2_crt.pem",SSL_FILETYPE_PEM))){
	//	printf("Couldn't read certificate file");
	//	int sslerror = ERR_get_error();
	//	char error_buffer[120];
	//	ERR_error_string(sslerror, error_buffer);
	//	printf("%s",error_buffer);
	//}

	if(!SSL_CTX_use_certificate_chain_file(ctx, CLIENT_CRT)){
		printf("Couldn't read certificate file");
		int sslerror = ERR_get_error();
		char error_buffer[120];
		ERR_error_string(sslerror, error_buffer);
		printf("%s",error_buffer);
	}



	printf("SSL_CTX_set_default_passwd_cb\r\n");

    SSL_CTX_set_default_passwd_cb(ctx,password_cb);


	printf("SSL_CTX_use_PrivateKey_file\r\n");

	//if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_PVK,SSL_FILETYPE_PEM))){
	if(!(SSL_CTX_use_PrivateKey_file(ctx,CLIENT_CRT,SSL_FILETYPE_PEM))){
		printf("Couldn't read private key file");
	}

	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,verify_callback);

	CHK_SSL(err);




	// first read the client certificate
	printf("opening client certificate ...\r\n");

	if ((fp = fopen(CLIENT_CRT, "r")) == NULL){
		printf("Error reading client certificate file");
		return 0;
	}

	printf("PEM_read_X509...\r\n");
	cert = PEM_read_X509(fp, NULL, NULL, NULL);

	//if ((cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL){
	//	printf("Error reading client certificate in file");
	//	return 0;
	//}
	fclose(fp);	


	printf("creating store...");
	if (!(store = X509_STORE_new ())){
		printf("error initialize store certificat");
		return 1;
	}

	X509_STORE_set_verify_cb_func (store, verify_callback);

	printf("reading CA ...");

	if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1){
		PrintSSLError();
		printf("Error loading the CA file or directory");
	}
	if (X509_STORE_set_default_paths 
		(store) != 1)
		printf ("Error loading the system-wide CA certificates");
	if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
		printf ("Error creating X509_LOOKUP object");

	//if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1){
	//	PrintSSLError();
	//	printf ("Error reading the CRL file");
	//}

		// enabling verification against CRLs is not possible in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) // set the flags of the store so that CRLs are consulted //X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_STORE_set_flags (store,NULL);
  2. endif
    // create a verification context and initialize it if (!(verify_ctx = X509_STORE_CTX_new ()))
		printf ("Error creating X509_STORE_CTX object");
		// X509_STORE_CTX_init did not return an error condition in prior versions 
  1. if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (X509_STORE_CTX_init (verify_ctx, store, cert, NULL) != 1)
		printf("Error initializing verification context");
  1. else X509_STORE_CTX_init (verify_ctx, store, cert, NULL);
  2. endif
    // verify the certificate if (X509_verify_cert (verify_ctx) != 1){
		printf("Error verifying the certificate");
		PrintSSLError();
}
	else{
		printf ("Certificate verified correctly!\n");}





	ssl = SSL_new(ctx);
	CHK_NULL(ssl);

	printf("connect ...\r\n");

	SSL_set_fd(ssl, sd);
	err = SSL_connect(ssl);
	CHK_SSL(err);


	printf ("SSL connection using %s\n", SSL_get_cipher (ssl));

	/* Get server's certificate (note: beware of dynamic allocation) - opt */

	server_cert = SSL_get_peer_certificate (ssl);       CHK_NULL(server_cert);
	printf ("Server certificate:\n");

	char *str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t subject: %s\n", str);
	OPENSSL_free (str);

	str = X509_NAME_oneline (X509_get_issuer_name  (server_cert),0,0);
	CHK_NULL(str);
	printf ("\t issuer: %s\n", str);
	OPENSSL_free (str);

	/* We could do all sorts of certificate verification stuff here before
	deallocating the certificate. */

	X509_free(server_cert);

		// --------------------------------------------------- 
	// DATA EXCHANGE - Send a message and receive a reply. 

	err = SSL_write (ssl, "GET / HTTP/1.0\r\n\r\n", strlen("GET / HTTP/1.1\r\n\r\n"));  CHK_SSL(err);

	err = SSL_read (ssl, buf, sizeof(buf) - 1);                     CHK_SSL(err);
	buf[err] = '\0';
	printf ("Got s'\n", err, buf);






	//BIO_free(sbio);
	SSL_shutdown(ssl);  // send SSL/TLS close_notify
	SSL_free (ssl);
	SSL_CTX_free(ctx);



	closesocket(sd);

cleanUp:

	WSACleanup();

	return 0;

}

(:sourcend:)
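Review bot: In the "serveur TCP" listing of this hunk, `bytesRecv = recv( AcceptSocket, recvbuf, 32, 0 );` can fill all 32 bytes of `char recvbuf[32];`, so the following `recvbuf[bytesRecv]='\0';` writes one byte past the array; bound the read to `sizeof(recvbuf) - 1` and only use the result as an index after it has been checked to be non-negative. The two `printf(WSAGetLastErrorMessage("client"));` lines pass a non-literal as the format string and should be `printf("%s", WSAGetLastErrorMessage("client"));`. `bytesRecv == WSAECONNRESET` compares a byte count with a Winsock error code (recv reports failure as SOCKET_ERROR and the code comes from `WSAGetLastError()`), and `AcceptSocket` is never closed before the outer loop returns to `accept`. In all three listings the `gethostbyname` result is dereferenced without a NULL check at `sa.sin_addr.s_addr = *((u_long*)remoteHost->h_addr_list[0]);`. The "client TCP avec SSL" listing repeats the SSL client reviewed in the later revision above.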

Page last modified on January 09, 2006, at 11:55 PM