OpenSSL implements two-way authentication tutorial (with server and client code)

1. Background

1.1 Problems

A recent product testing report recommended the use of a PKI-based authentication method. Since the product has implemented HTTPS, we discussed and believed that it meant the use of two-way authentication to handle man-in-the-middle attacks.

I have come across two-way authentication in the course "Information Security Engineering", but there are two problems.

The first was that the final course design client was a browser, and the server was Tomcat. Two-way authentication only required configuration of both and did not require actual implementation of the code.

The second is that although the course also has implementation code close to two-way authentication, it was in the Java+JCE environment at the time and now it has to use the C+++OpenSSL environment. The overall meaning is indeed similar, but there are still many differences in specific functions and parameters.

So what we have now is: the idea of certificate generation + the idea of implementing two-way authentication. For readers, it is assumed that they have a basic understanding of several concepts such as certificates, SSL/TSL, socket programming, etc., which will not be introduced in detail in this article.

Based on this, the problem to be solved in this article is: how does openssl generate certificates specifically + how does openssl implement two-way authentication.

The key points of two-way authentication are the following functions (the same for both the server and the client). For the rest, please refer to the code comments:

SSL_CTX_set_verify----Configure to enable two-way authentication

SSL_CTX_load_verify_locations - Load trusted root certificates

SSL_CTX_use_certificate_file----Load your own certificate

SSL_CTX_use_PrivateKey_file----Load your own private key

SSL_get_verify_result----To really verify, you must call this function, otherwise the previous four functions are just configurations and will not perform two-way verification.

2. Implementation of Bidirectional Authentication Procedure

2.1 Install openssl and develop api

apt-get install libssl-dev

2.2 Server code

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define MAXBUF 1024

void ShowCerts(SSL * ssl)
{
  X509 *cert;
  char *line;

  cert = SSL_get_peer_certificate(ssl);
  // SSL_get_verify_result() is the key point. SSL_CTX_set_verify() only configures whether to enable it and does not perform authentication. Calling this function will actually verify the certificate authentication. // If the verification fails, the program throws an exception to terminate the connection if (SSL_get_verify_result (ssl) == X509_V_OK) {
    printf("Certificate verification passed\n");
  }
  if (cert != NULL) {
    printf("Digital certificate information:\n");
    line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
    printf("Certificate: %s\n", line);
    free(line);
    line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
    printf("Issuer: %s\n", line);
    free(line);
    X509_free(cert);
  } else
    printf("No certificate information!\n");
}

int main(int argc, char **argv) {
  int sockfd, new_fd;
  socklen_t len;
  struct sockaddr_in my_addr, their_addr;
  unsigned int myport, lisnum;
  char buf[MAXBUF + 1];
  SSL_CTX *ctx;

  if (argv[1])
    myport = atoi(argv[1]);
  else
    myport = 7838;

  if (argv[2])
    lisnum = atoi(argv[2]);
  else
    lisnum = 2;

  /* SSL library initialization */
  SSL_library_init();
  /* Load all SSL algorithms */
  OpenSSL_add_all_algorithms();
  /* Load all SSL error messages */
  SSL_load_error_strings();
  /* Generate a SSL_CTX, SSL Content Text, in a way that is compatible with SSL V2 and V3 standards */
  ctx = SSL_CTX_new(SSLv23_server_method());
  /* You can also use SSLv2_server_method() or SSLv3_server_method() to indicate V2 or V3 standards separately*/
  if (ctx == NULL) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  // Two-way verification // SSL_VERIFY_PEER --- requires certificate authentication, and will allow the request to pass even if no certificate is present // SSL_VERIFY_FAIL_IF_NO_PEER_CERT --- requires the client to provide a certificate, but will allow the request to pass even if no certificate is present SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
  // Set up the trusted root certificate if (SSL_CTX_load_verify_locations(ctx, "ca.crt",NULL)<=0){
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  /* Load the user's digital certificate, which is used to send to the client. The certificate contains the public key*/
  if (SSL_CTX_use_certificate_file(ctx, argv[3], SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }
  /* Load user private key */
  if (SSL_CTX_use_PrivateKey_file(ctx, argv[4], SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }
  /* Check if the user's private key is correct*/
  if (!SSL_CTX_check_private_key(ctx)) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  /* Open a socket listener */
  if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
    perror("socket");
    exit(1);
  } else
    printf("socket created\n");

  bzero(&my_addr, sizeof(my_addr));
  my_addr.sin_family = PF_INET;
  my_addr.sin_port = htons(myport);
  my_addr.sin_addr.s_addr = INADDR_ANY;

  if (bind(sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr))
      == -1) {
    perror("bind");
    exit(1);
  } else
    printf("binded\n");

  if (listen(sockfd, lisnum) == -1) {
    perror("listen");
    exit(1);
  } else
    printf("begin listen\n");

  while (1) {
    SSL *ssl;
    len = sizeof(struct sockaddr);
    /* Waiting for the client to connect*/
    if ((new_fd = accept(sockfd, (struct sockaddr *) &their_addr, &len))
        == -1) {
      perror("accept");
      exit(errno);
    } else
      printf("server: got connection from %s, port %d, socket %d\n",
          inet_ntoa(their_addr.sin_addr), ntohs(their_addr.sin_port),
          new_fd);

    /* Generate a new SSL based on ctx */
    ssl = SSL_new(ctx);
    /* Add the connected user's socket to SSL */
    SSL_set_fd(ssl, new_fd);
    /* Establish SSL connection */
    if (SSL_accept(ssl) == -1) {
      perror("accept");
      close(new_fd);
      break;
    }
    ShowCerts(ssl);

    /* Start processing data sending and receiving on each new connection*/
    bzero(buf, MAXBUF + 1);
    strcpy(buf, "server->client");
    /* Send message to client */
    len = SSL_write(ssl, buf, strlen(buf));

    if (len <= 0) {
      printf("Message '%s' failed to send! Error code is %d, error message is '%s'\n", buf, errno,
          strerror(errno));
      goto finish;
    } else
      printf("Message '%s' was sent successfully, a total of %d bytes were sent!\n", buf, len);

    bzero(buf, MAXBUF + 1);
    /* Receive messages from the client */
    len = SSL_read(ssl, buf, MAXBUF);
    if (len > 0)
      printf("Successful message reception: '%s', %d bytes of data\n", buf, len);
    else
      printf("Message reception failed! Error code is %d, error message is '%s'\n",
      errno, strerror(errno));
    /* Handle the end of data sending and receiving on each new connection*/
    finish:
    /* Close the SSL connection */
    SSL_shutdown(ssl);
    /* Release SSL */
    SSL_free(ssl);
    /* Close the socket */
    close(new_fd);
  }
  /* Close the listening socket */
  close(sockfd);
  /* Release CTX */
  SSL_CTX_free(ctx);
  return 0;
}

2.3 Client Code

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <resolv.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#define MAXBUF 1024

void ShowCerts(SSL * ssl)
{
  X509 *cert;
  char *line;

  cert = SSL_get_peer_certificate(ssl);
  // SSL_get_verify_result() is the key point. SSL_CTX_set_verify() only configures whether to enable it and does not perform authentication. Calling this function will actually verify the certificate authentication. // If the verification fails, the program throws an exception to terminate the connection if (SSL_get_verify_result (ssl) == X509_V_OK) {
    printf("Certificate verification passed\n");
  }
  if (cert != NULL) {
    printf("Digital certificate information:\n");
    line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
    printf("Certificate: %s\n", line);
    free(line);
    line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
    printf("Issuer: %s\n", line);
    free(line);
    X509_free(cert);
  } else
    printf("No certificate information!\n");
}

int main(int argc, char **argv)
{
  int sockfd, len;
  struct sockaddr_in dest;
  char buffer[MAXBUF + 1];
  SSL_CTX *ctx;
  SSL *ssl;

  if (argc != 5) {
    printf("Parameter format error! Correct usage is as follows:\n\t\t%s IP address port\n\tFor example:\t%s 127.0.0.1 80\nThis program is used to get from a certain"
       "The server at IP address receives messages with at most MAXBUF bytes at a certain port",
       argv[0], argv[0]);
    exit(0);
  }

  /* SSL library initialization, see ssl-server.c code*/
  SSL_library_init();
  OpenSSL_add_all_algorithms();
  SSL_load_error_strings();
  ctx = SSL_CTX_new(SSLv23_client_method());
  if (ctx == NULL) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  // Two-way verification // SSL_VERIFY_PEER --- requires certificate authentication, and will allow the request to pass even if no certificate is present // SSL_VERIFY_FAIL_IF_NO_PEER_CERT --- requires the client to provide a certificate, but will allow the request to pass even if no certificate is present SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
  // Set up the trusted root certificate if (SSL_CTX_load_verify_locations(ctx, "ca.crt",NULL)<=0){
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  /* Load the user's digital certificate, which is used to send to the client. The certificate contains the public key*/
  if (SSL_CTX_use_certificate_file(ctx, argv[3], SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }
  /* Load user private key */
  if (SSL_CTX_use_PrivateKey_file(ctx, argv[4], SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }
  /* Check if the user's private key is correct*/
  if (!SSL_CTX_check_private_key(ctx)) {
    ERR_print_errors_fp(stdout);
    exit(1);
  }

  /* Create a socket for TCP communication */
  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    perror("Socket");
    exit(errno);
  }
  printf("socket created\n");

  /* Initialize the server (other party) address and port information*/
  bzero(&dest, sizeof(dest));
  dest.sin_family = AF_INET;
  dest.sin_port = htons(atoi(argv[2]));
  if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0) {
    perror(argv[1]);
    exit(errno);
  }
  printf("address created\n");

  /* Connect to server */
  if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) {
    perror("Connect ");
    exit(errno);
  }
  printf("server connected\n");

  /* Generate a new SSL based on ctx */
  ssl = SSL_new(ctx);
  SSL_set_fd(ssl, sockfd);
  /* Establish SSL connection */
  if (SSL_connect(ssl) == -1)
    ERR_print_errors_fp(stderr);
  else {
    printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
    ShowCerts(ssl);
  }

  /* Receive the message sent by the other party, and receive at most MAXBUF bytes*/
  bzero(buffer, MAXBUF + 1);
  /* Receive messages from the server */
  len = SSL_read(ssl, buffer, MAXBUF);
  if (len > 0)
    printf("Received message successfully: '%s', total %d bytes of data\n",
        buffer,len);
  else {
    printf
      ("Message reception failed! Error code is %d, error message is '%s'\n",
       errno, strerror(errno));
    goto finish;
  }
  bzero(buffer, MAXBUF + 1);
  strcpy(buffer, "from client->server");
  /* Send a message to the server */
  len = SSL_write(ssl, buffer, strlen(buffer));
  if (len < 0)
    printf
      ("Message '%s' failed to send! Error code is %d, error message is '%s'\n",
       buffer, errno, strerror(errno));
  else
    printf("Message '%s' was sent successfully, a total of %d bytes were sent!\n",
        buffer,len);

 finish:
  /* Close the connection */
  SSL_shutdown(ssl);
  SSL_free(ssl);
  close(sockfd);
  SSL_CTX_free(ctx);
  return 0;
}

2.4 Certificate Generation

Pay attention to three points

First, pay attention to changing the private key encryption password (-passout parameter) to your own password; the following steps all generate private keys with the -passout parameter. If you use the -nodes parameter, the last step "Convert the encrypted RSA key to an unencrypted RSA key" does not need to be executed.

Second, certificates and keys are given in two forms: direct one-step generation and step-by-step generation. The two forms are equivalent. Here we use the direct generation form (the step-by-step generation form is commented)

Third, be sure to change the certificate information to your own organization information. The meanings of the parameters of the certificate number are as follows:

C-----Country Name

ST----State or Province Name

L----City (Locality Name)

O----Company (Organization Name)

OU----Department (Organizational Unit Name)

CN----Common Name

emailAddress----Email Address

# CA certificate and key generation method 1 - directly generate CA key and self-signed certificate # If you do not need to enter a password when reading the private key file ca_rsa_private.pem in the future, that is, do not encrypt the private key for storage, then replace -passout pass:123456 with -nodes
openssl req -newkey rsa:2048 -passout pass:123456 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/[email protected]"
# CA certificate and key generation method 2 -- Generate CA key and self-signed certificate step by step:
# openssl genrsa -aes256 -passout pass:123456 -out ca_rsa_private.pem 2048
# openssl req -new -x509 -days 365 -key ca_rsa_private.pem -passin pass:123456 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/[email protected]"

# Server certificate and key generation method 1 - directly generate server key and certificate to be signed # If you do not need to enter a password when reading the private key file server_rsa_private.pem in the future, that is, do not encrypt and store the private key, then replace -passout pass:server with -nodes
openssl req -newkey rsa:2048 -passout pass:server -keyout server_rsa_private.pem -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/[email protected]"
# Server certificate and key generation method 2 -- Generate server key and certificate to be signed step by step# openssl genrsa -aes256 -passout pass:server -out server_rsa_private.pem 2048
# openssl req -new -key server_rsa_private.pem -passin pass:server -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/[email protected]"
# Use the CA certificate and key to sign the server certificate:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out server.crt
# Convert the encrypted RSA key to an unencrypted RSA key to avoid requiring the decryption password every time it is read. # The password is the passout set when generating the private key file and the passin to be entered when reading the private key file. For example, enter "server" here.
openssl rsa -in server_rsa_private.pem -out server_rsa_private.pem.unsecure

# Method 1 for generating client certificate and key: directly generate client key and certificate to be signed # If you do not need to enter a password when reading the private key file client_rsa_private.pem in the future, that is, do not encrypt and store the private key, then replace -passout pass:client with -nodes
openssl req -newkey rsa:2048 -passout pass:client -keyout client_rsa_private.pem -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/[email protected]"
# Method 2 for generating client certificate and key: Generate client key and certificate to be signed step by step:
# openssl genrsa -aes256 -passout pass:client -out client_rsa_private.pem 2048
# openssl req -new -key client_rsa_private.pem -passin pass:client -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/[email protected]"
# Use the CA certificate and key to sign the client certificate:
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out client.crt
# Convert the encrypted RSA key to an unencrypted RSA key to avoid requiring the decryption password every time it is read. # The password is the passout set when generating the private key file and the passin to be entered when reading the private key file. For example, enter "client" here.
openssl rsa -in client_rsa_private.pem -out client_rsa_private.pem.unsecure

2.5 Development environment configuration

Operating system----kali-roaling. It's just for the purpose of using the current virtual machine. There should be no difference in using Ubuntu, CentOS, etc.

IDE----eclipse. If the compilation fails directly in the terminal, I will not investigate further. If there is no problem compiling in Eclipse, I will just use Eclipse.

2.5.1 Create two projects in the same active directory

myclient1----Create a src folder to put the client code

myserver1----Create a src folder to store the server code

(Other directories are either automatically generated or automatically generated after compilation, so don't worry about them; if the project reports an error, try restarting eclipse or even the operating system several times)

2.5.2 Specifying SSL and Crypto

Right click on the project folder ---- Properties ---- specify the ssl library and crypto library directories, otherwise the compilation cannot find ssl. Both projects need to be configured

2.5.3 Compilation

Use the Ctrl+B shortcut key to compile, eclipse will compile all projects

2.5.4 Certificate Copy

Copy the previously generated ca certificate (ca.crt), client certificate (client.crt), and client unencrypted private key file () to the Debug directory of the myclient1 project

Copy the previously generated CA certificate, server certificate, and server-side unencrypted private key files to the Debug directory of the myclient1 project

2.5.5 Run the program

Run the server first and then the client

./myserver1 7838 1 server.crt server_rsa_private.pem.unsecure
./myclient1 127.0.0.1 7838 client.crt client_rsa_private.pem.unsecure

The operation results are as follows, server:

Client:

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.

You may also be interested in:

Enable OCSP to improve https certificate verification efficiency and solve the problem of slow access to Let's Encrypt SSL certificates
Java reads the PEM public key file generated by OpenSSL
Solve the problem that Pip cannot be used due to low SSL version in Python 3.7.0
Python pip install SSL exception handling operation
Detailed explanation of how to implement SSLSocket encrypted communication using C#
How to implement encrypted communication through Python3 and ssl
Python implements SSL sending based on QQ mailbox
Jupyter notebook remote configuration and SSL encryption tutorial
Start nginxssl configuration based on docker

<<: Example analysis of interval calculation of mysql date and time

>>: JavaScript knowledge: Constructors are also functions

Detailed explanation of Linux one-line command to process batch files

OpenSSL implements two-way authentication tutorial (with server and client code)

Detailed explanation of Linux one-line command to process batch files

MySql 5.6.36 64-bit green version installation graphic tutorial

Detailed explanation of Vue life cycle functions

How to quickly build a LAMP environment on CentOS platform

Sample code for implementing PC resolution adaptation in Vue

MySQL online log library migration example

JavaScript offsetParent case study

Detailed explanation of how to install PHP curl extension under Linux

JavaScript array merging case study

Various ways to modify the background image color using CSS3

Recommend

Implementation code for operating mysql database in golang

Steps for Docker to build its own local image repository

Implementation of inserting millions of records into MySQL database within 10 seconds

Shell script to monitor MySQL master-slave status

Share some uncommon but useful JS techniques

Distributed monitoring system Zabbix uses SNMP and JMX channels to collect data

Beginners learn some HTML tags (2)

MySQL table deletion operation implementation (differences between delete, truncate, and drop)

Vue+js click arrow to switch pictures

IDEA graphic tutorial on configuring Tomcat server and publishing web projects

How to use VUE and Canvas to implement a Thunder Fighter typing game

Specific steps to use vant framework in WeChat applet

Discussion on CSS style priority and cascading order

Detailed usage of kubernetes object Volume

CSS3 realizes the website product display effect diagram