从TCP到HTTPS代码实现-https服务器

https 就是在http和tcp之间加一道加密的过程, 在代码上的实现和一般的TCP Server区别就两点

1. 在accpet之后要由ssl接管套接字, 协商加密算法,交换密钥等.
2. 之后的send(), recv()替换成SSL的 SSL_write(), SSL_read()

代码实现

https_client.c

#include <openssl/bio.h>  
#include <openssl/ssl.h>  
#include <openssl/err.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#define SERVER_PORT 443
#define CA_CERT_FILE "server/ca.crt"
#define SERVER_CERT_FILE "server/server.crt"
#define SERVER_KEY_FILE "server/server.key"

SSL_CTX  *ssl_ctx_int();
SSL *client_ssl_init(SSL_CTX *ctx, int fd);
int bind_and_listen();

int main(int argc, char **argv)  
{  
    printf("Server Running at hppts://127.0.0.1/\n");

    int data_len;  
    struct sockaddr_in addr;   
    int listen_fd, accept_fd;  
    socklen_t len  = sizeof(addr);
    SSL_CTX *ctx = ssl_ctx_int();
    listen_fd = bind_and_listen();
    int times = 0;
    while(1){
        char recvbuf[1024] = {0};
        char sendbuf[1024] = {0};
       
        accept_fd = accept(listen_fd, (struct sockaddr *)&addr, &len);
        SSL *ssl = client_ssl_init(ctx, accept_fd);
        data_len = SSL_read(ssl,recvbuf, sizeof(recvbuf));  
        fprintf(stdout, "[%d] Get %d data:\n%s\n",times++, data_len, recvbuf);

        sprintf(sendbuf, "HTTP/1.0 200 OK\r\n\r\n<h1>hello ssl! [%d]</h1>", times);
        SSL_write(ssl, sendbuf, strlen(sendbuf));  
    
        SSL_free (ssl);  
        close(accept_fd);
    }
    SSL_CTX_free (ctx);  
    return 0;
}

ssl_ctx_int()

SSL初始化,服务器加载证书私钥

SSL_CTX  *ssl_ctx_int(){
    SSLeay_add_ssl_algorithms();  
    OpenSSL_add_all_algorithms();  
    SSL_load_error_strings();  
    ERR_load_BIO_strings();  
    SSL_CTX *ctx = SSL_CTX_new (SSLv23_method());
    if(ctx == NULL){
        printf("SSL_CTX_new error!\n");
        exit(0);
    }

    // 是否要求校验对方证书 此处不验证客户端身份所以为： SSL_VERIFY_NONE
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);  

    // 加载CA的证书  
    if(!SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, NULL)){
        printf("SSL_CTX_load_verify_locations error!\n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }

    // 加载自己的证书  
    if(SSL_CTX_use_certificate_file(ctx, SERVER_CERT_FILE, SSL_FILETYPE_PEM) <= 0){
        printf("SSL_CTX_use_certificate_file error!\n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }

    //加载自己的私钥  私钥的作用是，ssl握手过程中，对客户端发送过来的随机
    //消息进行加密，然后客户端再使用服务器的公钥进行解密，若解密后的原始消息跟
    //客户端发送的消息一直，则认为此服务器是客户端想要链接的服务器
    if(SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY_FILE, SSL_FILETYPE_PEM) <= 0){
        printf("SSL_CTX_use_PrivateKey_file error!\n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }

    // 判定私钥是否正确  
    if(!SSL_CTX_check_private_key(ctx)){
        printf("SSL_CTX_check_private_key error!\n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }
    return ctx;
}

client_ssl_init()

和客户端ssl握手,协商算法,交换公钥等

SSL *client_ssl_init(SSL_CTX *ctx, int fd)
{
    if (ctx == NULL){
        printf("The SSL_CTX is NULL\n");
        exit(0);
    }
    // 将连接付给SSL  
    SSL *ssl = SSL_new (ctx);
    if(!ssl){
        printf("SSL_new error!\n");
        ERR_print_errors_fp(stderr);
        exit(0);
    }
    SSL_set_fd (ssl, fd); 
    if(SSL_accept (ssl) != 1){
        int icode = -1;
        ERR_print_errors_fp(stderr);
        int iret = SSL_get_error(ssl, icode);
        printf("SSL_accept error! code = %d, iret = %d\n", icode, iret);
    }

    return ssl;
}

bind_and_listen()

建立套接字,绑定并监听,这个没什么说的

int bind_and_listen()
{
    int listen_fd;
  
    listen_fd = socket(AF_INET, SOCK_STREAM, 0);
    if( listen_fd == -1 ){
        printf("socket error\n");
        exit(0);
    }
    int one = 1;
    if (setsockopt(listen_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0) {
        printf("setsockopt error\n");
        close(listen_fd);
    }
    struct sockaddr_in sin;
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = 0;
    sin.sin_port = htons(SERVER_PORT);

    if(bind(listen_fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ){
        printf("Bind error\n");
        exit(0);
    }

    if(listen(listen_fd, 5) < 0){
        printf("listen error\n");
        exit(0);
    }

    return listen_fd;
}

编译运行

把上面的代码写到一个文件当中命名为https_server.c

gcc https_server.c -lssl -lcrypto -o https_server

此时还不能运行,还要生成服务器密钥,证书才可以, 看一下代码中宏定义的路径,生成证书放到相应路径

sudo ./https_server #监听443端口 需要root权限

然后打开浏览器,访问 https://127.0.0.1/, 因为证书是自制的,所以一般会拦截. 测试Chrome浏览器会拦截无法访问, 用Firefox忽略风险可以继续访问.