OpenSSL单向与双向认证通信

服务器端:
openssl req -newkey rsa:512 -nodes -keyout server.key -x509 -days 5 -out server.crt
测试一下:
google@ubuntu1404:~/workspace/openssl/server$ openssl s_server -accept 2020 -key server.key -cert server.crtUsing default temp DH parameterserror setting certificate140273329796928:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: DH PARAMETERS140273329796928:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:310:
结果出现了问题,貌似是在产生私钥时给的值太小了,那就删掉原来的文件,把原来的客户端和服务器端的值都改大一点吧!改成1024试一下看看
openssl req -newkey rsa:1024 -nodes -keyout server.key -x509 -days 5 -out server.crtopenssl req -newkey rsa:1024 -nodes -keyout client.key -x509 -days 5 -out client.crt
填写好生成证书的信息之后
服务器端输入- 2020 -key .key -cert .crt
客户端输入- :2020 -cert .crt -key .key
双向认证测试结果
连上后服务器端输入hello world!结果如下:
google@ubuntu1404:~/workspace/openssl/server$ openssl s_server -accept 2020 -key server.key -cert server.crtUsing default temp DH parametersACCEPT-----BEGIN SSL SESSION PARAMETERS-----MH0CAQECAgMEBAITAgQgi7VOIMA4IwKdDQPAGKfZYIAaQF166qiWfYxrBMmFPZUEMLGAyyYryR9kChTPG6Z3rgSKHC7nVoXHIhEnNtLBcXdv9Azjmb0Jb1CoVcvqknNaPaEGAgRfB9mAogQCAhwgpAYEBAEAAACuBgIEZSqe7A==-----END SSL SESSION PARAMETERS-----Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHASignature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384Shared Elliptic groups: X25519:P-256:X448:P-521:P-384CIPHER is TLS_AES_256_GCM_SHA384Secure Renegotiation IS supportedhello world!
在客户端显示结果如下:
google@ubuntu1404:~/workspace/test/client$ openssl s_client -connect localhost:2020 -cert client.crt -key client.keyCONNECTED(00000003)Can't use SSL_get_servernamedepth=0 C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12verify error:num=18:self signed certificateverify return:1depth=0 C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12verify return:1---Certificate chain0 s:C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12i:C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12---Server certificate-----BEGIN CERTIFICATE-----MIICnjCCAgegAwIBAgIUFfstl/lR6ZuQGMoYxUJN5ejwPSUwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCMTIxCzAJBgNVBAgMAjEyMQswCQYDVQQHDAIxMjELMAkGA1UECgwCMTIxDDAKBgNVBAsMAzEyMTEKMAgGA1UEAwwBMjERMA8GCSqGSIb3DQEJARYCMTIwHhcNMjAwNzEwMDI1NjE1WhcNMjAwNzE1MDI1NjE1WjBhMQswCQYDVQQGEwIxMjELMAkGA1UECAwCMTIxCzAJBgNVBAcMAjEyMQswCQYDVQQKDAIxMjEMMAoGA1UECwwDMTIxMQowCAYDVQQDDAEyMREwDwYJKoZIhvcNAQkBFgIxMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqnONVTCk1wGB7MBIehqgolR93JIYlIMg+upNctAtdcqCojz8rWD2bd18D9KL5vPS+VS4/MeFuqST/fZNR7Ax5ooX3y00VUdol7Z1QxLTwafoou3uAuv4ExPdHA0GXmNodudJ1FSKFj8ronTSs1RaUQT347aTp5QzkojCMwXTLmsCAwEAAaNTMFEwHQYDVR0OBBYEFCf/7ZDNmd41ZBKc7pqW82yz1/jzMB8GA1UdIwQYMBaAFCf/7ZDNmd41ZBKc7pqW82yz1/jzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAZmfHiMphOeiCm6RKVRJx2+08kabW9KKa+kH0XUaYJ1y1P2yZmV/Wq6T+SKLpXTEesqfxrQkVfOCsie1GVZP9WvDFGCRr84IgWh8atLMv839d344ZtqATCZ6RfC9tTl74AmTtNjlAWZxey0Wd9GvOcIWhaVKp5g3Qc9DmfzpvdY4=-----END CERTIFICATE-----subject=C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12issuer=C = 12, ST = 12, L = 12, O = 12, OU = 121, CN = 2, emailAddress = 12---No client certificate CA names sentPeer signing digest: SHA256Peer signature type: RSA-PSSServer Temp Key: X25519, 253 bits---SSL handshake has read 1102 bytes and written 373 bytesVerification error: self signed certificate---New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Server public key is 1024 bitSecure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedEarly data was not sentVerify return code: 18 (self signed certificate)------Post-Handshake New Session Ticket arrived:SSL-Session:Protocol: TLSv1.3Cipher: TLS_AES_256_GCM_SHA384Session-ID: F8A32282B336576A86CAB8E8BC6FA0EDB5984C7C2454287F6792563FBBB5BD1ESession-ID-ctx: Resumption PSK: FF703E0C67C7BC8CD48393BCBA13223F70AB67ECB78A008C94F8B04F1BD6CCCCAEB5148F49D2A402784D269C924960E2PSK identity: NonePSK identity hint: NoneSRP username: NoneTLS session ticket lifetime hint: 7200 (seconds)TLS session ticket:0000 - 35 b2 1c ea 7e 51 96 41-4e 88 7b 99 bf 98 fe ce5...~Q.AN.{.....0010 - 9c ac f0 d2 04 bb bb 95-75 bf 4b f7 a5 91 b2 ed........u.K.....0020 - 74 3f 54 d6 ba c2 f6 5f-07 50 7c ce 92 ec ea d3t?T...._.P|.....0030 - 3d 80 12 ab 37 da 80 bf-de 23 79 88 c3 fe 75 dd=...7....#y...u.0040 - 0b 09 0b 71 fc 05 32 1b-f5 4e 24 03 6c 6b be 30...q..2..N$.lk.00050 - 1e 21 02 e4 79 76 87 b4-24 3f 38 23 5f 65 ca 8b.!..yv..$?8#_e..0060 - d4 40 32 91 d7 b6 85 3c-b7 a8 c2 a8 f1 f8 46 90.@2....