How to make OpenSSL use http instead of https?
So what I want is simple - I love the openSSL API. I found some simple code to begin with for learning it. I am quite new to server creation stuff. I wonder - how to make OpenSSL work with simple http instead of https? I mean I want to provide the same service, be capable of jumping into https when I need to, but have an unprotected http version of it.
I mean it is so great just to say
```cpp
SSLServer server("cert", "pkey", 1420);
// Set the thread function.
server.SetPthread_F(conn_thread);
```
I wish I could do the same for unprotected http service creation.
After some great answers I understood I should edit the main question:
How to keep/use only the non-blocking TCP server part of the OpenSSL library? The main goal would be a cross-platform, small and simple-to-use TCP server on top of which it would be easy to implement http and customized http analogs.
So if we look at the example:
```cpp
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <iostream>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   // strlen
#include <time.h>
#include <unistd.h>   // close
#include <pthread.h>  // pthread_exit
#include "sslserver.h"

using namespace std;

#define REPLY "<html><body>Metalshell.com OpenSSL Server</body></html>"
#define MAX_PACKET_SIZE 1024

// Called when a new connection is made.
void *conn_thread(void *ssl) {
    int fd = SSL_get_fd((SSL *)ssl);
    // SSL_accept returns 0 on a clean shutdown and <0 on error; both are failures here.
    if(SSL_accept((SSL *)ssl) <= 0) {
        ERR_print_errors_fp(stderr);
    } else {
        char cipdesc[128];
        const SSL_CIPHER *sslciph = SSL_get_current_cipher((SSL *)ssl);
        cout << "Encryption Description:\n";
        cout << SSL_CIPHER_description(sslciph, cipdesc, sizeof(cipdesc)) << endl;
        char buff[MAX_PACKET_SIZE];
        // Wait for data to be sent; leave one byte free for the terminating NUL.
        int bytes = SSL_read((SSL *)ssl, buff, sizeof(buff) - 1);
        if(bytes > 0) {
            buff[bytes] = '\0';
            // Show the browser request.
            cout << "Received: \n" << buff << endl;
            // Send the html reply.
            SSL_write((SSL *)ssl, REPLY, strlen(REPLY));
        } else {
            ERR_print_errors_fp(stderr);
        }
    }
    // Tell the client we are closing the connection.
    SSL_shutdown((SSL *)ssl);
    // We do not wait for a reply, just clear everything.
    SSL_free((SSL *)ssl);
    close(fd);
    cout << "Connection Closed\n";
    cout << "---------------------------------------------\n";
    pthread_exit(NULL);
}

int main() {
    SSLServer server("cert", "pkey", 1420);
    // Set the thread function.
    server.SetPthread_F(conn_thread);
    while(1) {
        /* Wait for 10 seconds, and if no one tries
         * to connect return back. This allows us to do
         * other things while waiting.
         */
        server.CheckClients(10);
    }
    return 0;
}
```
What should be changed so that our server accepts all connections, not only SSL ones (cout the full request if possible), and sends them REPLYs?
Comments (4)
HTTPS is simply HTTP with SSL (the implementation of which is the point of OpenSSL). The S in HTTPS stands for secure.
Don't use the OpenSSL API when you don't want SSL.
If you look at the OpenSSL Book in chapter 5 (I think), they build a simple SSL server in a series of steps. The first step uses the OpenSSL API to do plaintext (non-SSL) network I/O, which is what you're asking for.
The code you've referenced is a trivial implementation of a non-blocking TCP server + SSL. So what you need to do is strip OpenSSL from that code, and you have a trivial implementation of a non-blocking TCP server. Note that this is very far from a real HTTP server - it performs no request parsing at all (which can be non-trivial) and responds with a predefined response. So if you need an HTTP / HTTPS server, you need to search for a corresponding third-party library or code.
HTTPS will work only when both the client and server side applications are "AWARE" that the transaction will happen in SSL. Most applications therefore have independent entry points for ssl and non-ssl communication; for example, HTTP is usually on port 80 while HTTPS would be on port 443. If the client starts a transaction on port 80, and if the server-side application determines that the rest of the exchange must be secured, it "redirects" the client application to transact on port 443. For example, if you access http://www.gmail.com the transaction begins with communication on port 80; however, since this application requires you to log in securely, it redirects your browser to open a new connection to another URL on port 443.
You too can do the same, and yes, while the transactions are happening in SSL you can direct the client to start transacting on the unsecured port 80 too.
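As an added example, not code from the question or from any of the answers: the question's conn_thread with OpenSSL stripped out and plain POSIX sockets in its place, as the third answer suggests, together with the two things the answers point out are missing from the original code: a minimal request-line parser, and the plain-HTTP redirect to the HTTPS entry point described in the fourth answer. The port 1420 comes from the question; the host name example.test, the /login path that is treated as "must be secured", and the loopback-only bind are assumed values for illustration.

```cpp
// Added example (not from the question or answers): conn_thread without OpenSSL,
// plus a request-line parser and an HTTP -> HTTPS redirect. example.test, /login
// and the loopback bind are assumed values; port 1420 is the question's port.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

struct RequestLine {
    std::string method;
    std::string target;
    std::string version;
    bool valid = false;
};

// Parse only the request line ("GET /path HTTP/1.1\r\n"); headers and body are ignored.
RequestLine parseRequestLine(const std::string &raw) {
    RequestLine rl;
    std::string line = raw.substr(0, raw.find("\r\n"));   // npos -> whole string
    std::string::size_type sp1 = line.find(' ');
    if (sp1 == std::string::npos) return rl;
    std::string::size_type sp2 = line.find(' ', sp1 + 1);
    if (sp2 == std::string::npos) return rl;
    rl.method  = line.substr(0, sp1);
    rl.target  = line.substr(sp1 + 1, sp2 - sp1 - 1);
    rl.version = line.substr(sp2 + 1);
    rl.valid = !rl.method.empty() && !rl.target.empty() && rl.target[0] == '/'
               && rl.version.compare(0, 5, "HTTP/") == 0;
    return rl;
}

// 301 that sends the client to the HTTPS entry point (the port-80 -> port-443 pattern).
std::string redirectToHttps(const std::string &host, const std::string &target) {
    return "HTTP/1.1 301 Moved Permanently\r\n"
           "Location: https://" + host + target + "\r\n"
           "Content-Length: 0\r\nConnection: close\r\n\r\n";
}

std::string plainReply(const std::string &body) {
    return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
           + std::to_string(body.size()) + "\r\nConnection: close\r\n\r\n" + body;
}

// Decide a response for one raw request: unparsable -> 400, /login -> redirect, else 200.
std::string handleRequest(const std::string &raw, const std::string &host) {
    RequestLine rl = parseRequestLine(raw);
    if (!rl.valid)
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";
    if (rl.target.compare(0, 6, "/login") == 0)   // assumed: this path must go over HTTPS
        return redirectToHttps(host, rl.target);
    return plainReply("<html><body>Plain HTTP reply</body></html>");
}

// Plain-socket analogue of conn_thread: read one request, answer it, close.
void serveConnection(int fd, const std::string &host) {
    char buff[1024];
    ssize_t n = read(fd, buff, sizeof(buff) - 1);   // leave room for the NUL
    if (n <= 0) { close(fd); return; }
    buff[n] = '\0';
    std::cout << "Received:\n" << buff << std::endl;
    std::string response = handleRequest(std::string(buff, n), host);
    ssize_t sent = write(fd, response.data(), response.size());
    if (sent < 0) perror("write");
    close(fd);
}

int main() {
    const std::string host = "example.test";   // assumed host name
    int listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0) { perror("socket"); return 1; }
    int one = 1;
    setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   // localhost only (assumed)
    addr.sin_port = htons(1420);                     // port from the question
    if (bind(listener, (sockaddr *)&addr, sizeof(addr)) < 0 || listen(listener, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        int fd = accept(listener, nullptr, nullptr);
        if (fd < 0) { perror("accept"); continue; }
        serveConnection(fd, host);
    }
    return 0;
}
```

The handler keeps the one-request-per-connection shape of the original; what changes is that read/write replace SSL_read/SSL_write, the request line is parsed before anything is sent, and a malformed line gets a 400 instead of being echoed into a reply. The redirect response is the only place the plain server needs to know that an HTTPS endpoint exists.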