logo标签列表

如何使用boost::asio SSL验证客户端证书?

c++boostsslboost-asio
19

以下是SSL上下文初始化和验证回调注册的代码片段。如果我使用正确的证书连接SSL客户端,它将验证证书并按预期工作。

但是,如果我连接没有任何证书的客户端,则允许连接(实际上不应该允许没有证书的连接)。如果SSL客户端未发送证书,则不会调用验证回调函数。

    boost::asio::ssl::context_base::method SSL_version =
            static_cast<boost::asio::ssl::context_base::method>(param_values[ID_PROTOCOL_VERSION].int32_value);

    // load certificate files
    boost::shared_ptr<boost::asio::ssl::context> context_ = boost::shared_ptr<boost::asio::ssl::context>(
            new boost::asio::ssl::context(SSL_version)); // parasoft-suppress BD-RES-LEAKS "The memory is allocated via boost::shared_ptr, hence it'll be deallocated automatically"

    p_ctx = boost::static_pointer_cast<void>(context_);

    context_->set_options(boost::asio::ssl::context::default_workarounds);

    context_->use_certificate_chain_file(cert_chain_file);
    context_->use_certificate_file(cert_file, boost::asio::ssl::context::pem);
    context_->use_private_key_file(cert_file, boost::asio::ssl::context::pem);

    context_->set_verify_mode(boost::asio::ssl::verify_peer);
    context_->set_verify_callback(boost::bind(&verify_certificate_cb, _1, _2));

verify_certificate_cb 回调函数

bool verify_certificate_cb(bool preverified, boost::asio::ssl::verify_context& ctx)
{
    std::cout << "Function : " << __func__ << " ----------------- Line : " << __LINE__ << std::endl;
    int8_t subject_name[256];
    X509_STORE_CTX *cts = ctx.native_handle();
    int32_t length = 0;
    X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
    std::cout << "CTX ERROR : " << cts->error << std::endl;

    int32_t depth = X509_STORE_CTX_get_error_depth(cts);
    std::cout << "CTX DEPTH : " << depth << std::endl;

    switch (cts->error)
    {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
        Debug(PRIORITY_ERROR, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT");
        break;
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        Debug(PRIORITY_ERROR, "Certificate not yet valid!!");
        break;
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        Debug(PRIORITY_ERROR, "Certificate expired..");
        break;
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        Debug(PRIORITY_WARN, "Self signed certificate in chain!!!\n");
        preverified = true;
        break;
    default:
        break;
    }
    const int32_t name_length = 256;
    X509_NAME_oneline(X509_get_subject_name(cert), reinterpret_cast<char*>(subject_name), name_length);
    Debug(PRIORITY_INFO, "Verifying %s", subject_name);
    Debug(PRIORITY_INFO, "Verification status : %d", preverified);

    std::cout << "Function : " << __func__ << " ----------------- Line : " << __LINE__ << std::endl;
    return preverified;
}

如何修改代码以允许连接而不需要正确的证书文件?谢谢!

如何在不使用set_verify_callback的情况下同步执行verify_certificate_cb? - Pritesh Acharya
1个回答
27

终于找到了解决方案。我的一个队友建议使用标志 boost::asio::ssl::verify_fail_if_no_peer_certboost::asio::ssl::verify_peer 结合使用,结果它起作用了。

更新的代码行:

context_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
你能解释一下额外标志正在做什么吗? - H.M
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接