基于@L_419_0@的示例,我尝试了以下方法:
X509 *x = NulL;EVP_PKEY *pk = NulL;EVP_PKEY_CTX *ctx = NulL;EVP_PKEY *params = NulL;if(NulL == (params = EVP_PKEY_new())) goto err;if(1 != EVP_PKEY_set1_DH(params,DH_get_2048_256())) goto err;if(!(ctx = EVP_PKEY_CTX_new(params,NulL))) goto err;if(!EVP_PKEY_keygen_init(ctx)) goto err;if(!EVP_PKEY_keygen(ctx,&pk)) goto err;if ((x=X509_new()) == NulL) goto err;X509_set_version(x,2);X509_set_pubkey(x,pk);//... (setting the issuer,subject,etc)//Here is where it failsif (!X509_sign(x,pk,EVP_sha256())) goto err;
RSA的代码与DH相同. X509_sign给出的错误是此键类型不支持EVP_PKEY_sign_init *** 作.
我能做什么?我更喜欢连接使用ECDHE,但我不知道如何设置它.我需要在合理范围内保证安全,但我对安全的了解非常有限.我正在研究它.任何帮助将不胜感激,但请提供代码与您的答案(而不是命令行生成).
解决方法My objective is to programatically generate a certificate that passes the “obsolete” shaming that Chrome does…
What Could I do? I would prefer the connection to use ECDHE but I have no IDea how to set that up….
I trIEd setting the cipher List tokEECDH:kEDH:!ADH:AES256-SHA256…
通常,HIGH:!aNulL:!RC4:!MD5就足够了.既然你想使用短暂的密钥交换(这是一件好事),你也应该删除RSA密钥传输:HIGH:!aNulL:!kRSA:!RC4:!MD5.
Based on the example from the documentation…
另请参阅OpenSSL wiki上的SSL/TLS Client.它是一个客户端,但它向您展示了如何设置上下文.
因为它是一个服务器,你可能也想要像SSL_OP_SAFARI_ECDHE_ECDSA_BUG这样的上下文选项.
OpenSSL certificate generation for DHE exchange
几乎任何证书都可以.它可以是RSA密钥,DSS密钥或ECDSA密钥.证书中的密钥将用于签署服务器消息(一些手放弃),因此用于服务器身份验证.
短暂的密钥交换是不同的.您可以使用SSL_CTX_set_cipher_list和密码套件字符串确保.
由于您没有使用SRP和PSK等密码套件,因此您也可以删除它们. RSA仍然显示,但它用于服务器身份验证,而不是密钥传输:
$openssl ciphers -v 'HIGH:!aNulL:!kRSA:!RC4:!MD5:!3DES:!DSS:!DSA:!SRP:!PSK'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEADECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEADECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEADDHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1DHE-RSA-CAMELliA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEADECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEADECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEADECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEADECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEADDHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1DHE-RSA-CAMELliA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEADECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEADECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1总结
以上是内存溢出为你收集整理的c – 用于DHE交换的OpenSSL证书生成全部内容,希望文章能够帮你解决c – 用于DHE交换的OpenSSL证书生成所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)