我尝试通过winsock2使用openssl 1.1.1作为SSL层执行HTTP GET请求:
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/applink.c>
// Need to link with Ws2_32.lib, Mswsock.lib, and Advapi32.lib
#pragma comment (lib, "Ws2_32.lib")
//#pragma comment (lib, "Mswsock.lib")
//#pragma comment (lib, "AdvApi32.lib")
#define DEFAULT_BUFLEN 512
#define FAIL -1
#define WIN32_LEAN_AND_MEAN
SOCKET OpenConnection(char* hostname, char* port)
{
WSADATA wsaData;
SOCKET ConnectSocket = INVALID_SOCKET;
struct addrinfo* result = NULL;
struct addrinfo* ptr = NULL;
struct addrinfo hints;
char recvbuf[DEFAULT_BUFLEN];
int iResult;
int recvbuflen = DEFAULT_BUFLEN;
printf("nInitializing Winsock");
// Initialize Winsock
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
printf("WSAStartup failed with error: %dn", iResult);
return 1;
}
ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
// Resolve the server address and port
iResult = getaddrinfo(hostname, port, &hints, &result);
if (iResult != 0) {
printf("getaddrinfo failed with error: %dn", iResult);
WSACleanup();
return 1;
}
for(ptr=result; ptr != NULL ;ptr=ptr->ai_next) {
// Create a SOCKET for connecting to server
ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (ConnectSocket == INVALID_SOCKET) {
printf("socket failed with error: %ldn", WSAGetLastError());
WSACleanup();
return 1;
}
// Connect to server.
iResult = connect( ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
if (iResult == SOCKET_ERROR) {
closesocket(ConnectSocket);
ConnectSocket = INVALID_SOCKET;
continue;
}
break;
}
return ConnectSocket;
}
SSL_CTX* InitCTX(void)
{
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
const SSL_METHOD* method = SSLv23_method();
SSL_CTX* ctx = SSL_CTX_new(method);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
if (ctx == NULL)
{
ERR_print_errors_fp(stderr);
abort();
}
return ctx;
}
void ShowCerts(SSL* ssl)
{
X509* cert;
char* line;
cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
if (cert != NULL)
{
printf("Server certificates:n");
line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
printf("Subject: %sn", line);
//free(line); /* free the malloc'ed string */
line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
printf("Issuer: %sn", line);
//free(line); /* free the malloc'ed string */
X509_free(cert); /* free the malloc'ed certificate copy */
} else {
printf("Info: No client certificates configured.n");
}
}
void releaseSocket( SSL_CTX* ctx, int server)
{
/* close socket */
closesocket(server);
/* release context */
SSL_CTX_free(ctx);
putchar('n');
}
int main(int argc, char* argv[])
{
printf("Initializing Connection");
char buf[1024];
char acClientRequest[1024] = { 0 };
SSL_library_init();
char* hostname = "google.com";
char* portnum = "443";
SSL_CTX* ctx = InitCTX();
int server = OpenConnection(hostname, portnum);
SSL* ssl = SSL_new(ctx); /* create new SSL connection state */
SSL_set_fd(ssl, server); /* attach the socket descriptor */
if (SSL_connect(ssl) == FAIL) {
ERR_print_errors_fp(stderr);
} else {
const char* cpRequestMessage = "GET / HTTP 1.1rnHost: google.comrnUser-Agent: curl/7.54.0rnConnection: closernAccept: */*rnrn";
printf("nnConnected with %s encryptionn", SSL_get_cipher(ssl));
/* get any certs */
ShowCerts(ssl);
/* encrypt & send message */
printf("REQUEST:nn%sn",cpRequestMessage);
SSL_write(ssl, acClientRequest, strlen(acClientRequest));
/* get reply & decrypt */
int bytes = SSL_read(ssl, buf, sizeof(buf));
int error = SSL_get_error(ssl,bytes);
switch (error)
{
case SSL_ERROR_SSL:
puts("SSL ERROR SSL");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_SYSCALL:
puts("SSL ERROR SYSCALL");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_WANT_ASYNC_JOB:
puts("SSL ERROR WANT ASYNC_LOOKUP");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_WANT_ASYNC:
puts("SSL ERROR WANT X509_LOOKUP");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_WANT_X509_LOOKUP:
puts("SSL ERROR WANT X509_LOOKUP");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_WANT_WRITE:
puts("SSL ERROR WANT WRITE");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_WANT_READ:
puts("SSL ERROR WANT READ");
releaseSocket(ctx,server);
return 1;
case SSL_ERROR_ZERO_RETURN:
puts("SSL ERROR SSL_ERROR_ZERO_RETURN");
releaseSocket(ctx,server);
return 1;
break;
case SSL_ERROR_NONE:
break;
default:
break;
}
puts("RESPONSEn");
for(int i=0;i<bytes;i++){
putchar(buf[i]);
}
/* release connection state */
SSL_free(ssl);
}
/* close socket */
closesocket(server);
/* release context */
SSL_CTX_free(ctx);
putchar('n');
return 0;
}
当我通过cmd运行时,我得到以下错误:
Initializing Connection
Initializing Winsock
Connected with TLS_AES_256_GCM_SHA384 encryption
Server certificates:
Subject: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
Issuer: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
REQUEST:
GET / HTTP 1.1
Host: google.com
User-Agent: curl/7.54.0
Connection: close
Accept: */*
SSL ERROR SYSCALL
上面代码中的错误SSL ERROR SYSCALL表示SSL_get_error返回SSL_ERROR_SYSCALL。但是我很难找出原因。
我做的第一件事是使用sslyze:
$ docker run --rm -it nablac0d3/sslyze:5.0.0 www.google.com
Unable to find image 'nablac0d3/sslyze:5.0.0' locally
5.0.0: Pulling from nablac0d3/sslyze
eff15d958d66: Pull complete
16dc372daf37: Pull complete
509d5831bcf5: Pull complete
72742266298b: Pull complete
ba03a8977ca9: Pull complete
8c15f448a534: Pull complete
ef94aa21ac3e: Pull complete
48214524924f: Pull complete
b3e45cda18ec: Pull complete
4220edb8d370: Pull complete
Digest: sha256:6e4a25153507f8f2eed3ee232d7ae8ebed978d5923799ca3977e82912f3b5f77
Status: Downloaded newer image for nablac0d3/sslyze:5.0.0
CHECKING CONNECTIVITY TO SERVER(S)
----------------------------------
www.google.com:443 => 172.217.17.196
SCAN RESULTS FOR WWW.GOOGLE.COM:443 - 172.217.17.196
----------------------------------------------------
* Certificates Information:
Hostname sent for SNI: www.google.com
Number of certificates detected: 2
Certificate #0 ( _EllipticCurvePublicKey )
SHA1 Fingerprint: 60c9b43a60d44f363641731cfa42c03a3a3cdc5b
Common Name: www.google.com
Issuer: GTS CA 1C3
Serial Number: 208743615106412169146553081758012741296
Not Before: 2022-06-27
Not After: 2022-09-19
Public Key Algorithm: _EllipticCurvePublicKey
Signature Algorithm: sha256
Key Size: 256
Curve: secp256r1
DNS Subject Alternative Names: ['www.google.com']
Certificate #0 - Trust
Hostname Validation: OK - Certificate matches server hostname
Android CA Store (12.0.0_r3): OK - Certificate is trusted
Apple CA Store (iOS 15, iPadOS 15, macOS 12, tvOS 15, and watchOS 8):OK - Certificate is trusted
Java CA Store (jdk-13.0.2): OK - Certificate is trusted
Mozilla CA Store (2021-09-25): OK - Certificate is trusted
Windows CA Store (2021-09-25): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: www.google.com --> GTS CA 1C3 --> GTS Root R1
Verified Chain: www.google.com --> GTS CA 1C3 --> GTS Root R1
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
Certificate #1 ( _RSAPublicKey )
SHA1 Fingerprint: b7bfe0030b69e712368e65d2c3c0c51f0b643c3b
Common Name: www.google.com
Issuer: GTS CA 1C3
Serial Number: 210362545992136918327962384234505396292
Not Before: 2022-06-27
Not After: 2022-09-19
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
DNS Subject Alternative Names: ['www.google.com']
Certificate #1 - Trust
Hostname Validation: OK - Certificate matches server hostname
Android CA Store (12.0.0_r3): OK - Certificate is trusted
Apple CA Store (iOS 15, iPadOS 15, macOS 12, tvOS 15, and watchOS 8):OK - Certificate is trusted
Java CA Store (jdk-13.0.2): OK - Certificate is trusted
Mozilla CA Store (2021-09-25): OK - Certificate is trusted
Windows CA Store (2021-09-25): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: www.google.com --> GTS CA 1C3 --> GTS Root R1
Verified Chain: www.google.com --> GTS CA 1C3 --> GTS Root R1
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
Certificate #1 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
Certificate #1 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 11 cipher suites:
TLS_RSA_WITH_AES_256_GCM_SHA384 256
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_GCM_SHA256 128
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm OK - Not Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites.
The server accepted the following 3 cipher suites:
TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)
* Deflate Compression:
OK - Compression disabled
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* ROBOT Attack:
OK - Not vulnerable.
* Session Renegotiation:
Client Renegotiation DoS Attack: OK - Not vulnerable
Secure Renegotiation: OK - Supported
* Elliptic Curve Key Exchange:
Supported curves: X25519, prime256v1
Rejected curves: X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
SCANS COMPLETED IN 7.110242 S
-----------------------------
COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
--------------------------------------------
Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.
www.google.com:443: FAILED - Not compliant.
* tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
* ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'} are supported, but should be rejected.
支持TLS 1.3。根据我的尝试,我使用TLS1.3,因此,我敢说,这似乎不是一个错误的TLS版本问题。主机也可以通过网络连接到google.com根据平:
PING google.com (142.250.184.142) 56(84) bytes of data.
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=1 ttl=114 time=22.3 ms
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=2 ttl=114 time=21.8 ms
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=3 ttl=114 time=22.0 ms
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=4 ttl=114 time=21.4 ms
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=5 ttl=114 time=22.3 ms
64 bytes from sof02s43-in-f14.1e100.net (142.250.184.142): icmp_seq=6 ttl=114 time=21.6 ms
^C^C
--- google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5006ms
rtt min/avg/max/mdev = 21.484/21.957/22.385/0.355 ms
因此,为什么我仍然得到错误,尽管能够执行Https调用google.com?
您得到错误的原因是因为您从一个名为acClientRequest的归零表的变量中提供请求:
char acClientRequest[1024] = { 0 };
请求是这样执行的:
SSL_write(ssl, acClientRequest, strlen(acClientRequest));
但是必须这样执行:
SSL_write(ssl, cpRequestMessage, strlen(cpRequestMessage));
。