Bought an SSL certificate from GoDaddy and finally tested an HTTPS server successfully.
/*
Bought an SSL certificate from GoDaddy. GoDaddy says that entering a promo code at purchase gives a 35% discount; with my promo code WOWjiqiyu I reportedly get $10 in credit, though I haven't tried it yet.
Purchase link using my promo code:
http://www.godaddy.com/ssl/ssl-certificates.aspx?ics=WOWjiqiyu
Or go directly, without it:
http://www.godaddy.com/ssl/ssl-certificates.aspx
References:
Notes on configuring an SSL certificate + HTTPS site in Nginx
http://zou.lu/nginx-https-ssl-module/
Guide to generating an SSL Certificate Signing Request (CSR) - Apache SSL / Apache ModSSL
http://zou.lu/install-godaddy-ssl-https-on-nginx/
Generating a Certificate Signing Request
http://support.godaddy.com/help/article/5343/generating-a-certificate-signing-request
Steps:
[1] Open a DOS window locally and cd to openssl\bin
openssl genrsa -des3 -out <name of your certificate>.key 2048
Enter pass phrase for <name of your certificate>.key: (enter a pass phrase)
openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr
Country Name (2 letter code) [AU]:CN (CN stands for China)
State or Province Name (full name) [Some-State]:Guangdong (enter the province)
Locality Name (eg, city) []:Shaoguan (enter the city name)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX.com
Organizational Unit Name (eg, section) []:DBA
Common Name (e.g. server FQDN or YOUR name) []: enter the domain to be certified here, e.g. xxx.com (with or without www is fine; either way GoDaddy certifies both the www and the non-www name. See GoDaddy's note at http://support.godaddy.com/help/article/5343/generating-a-certificate-signing-request?pc_split_value=4)
Email Address []:admin@xxx.com (ideally a mailbox on the domain itself; I don't know whether another address would work, but I used this one and GoDaddy approved it the next day)
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)
[2] Open the generated <name of your certificate>.csr in Notepad, paste its contents into the corresponding form on GoDaddy, then wait for the review.
[3] Once GoDaddy approves, you can download the certificate. When downloading you are asked to choose a server type; I chose "other".
You then get a zip archive; after extracting it contains an xxx.com.crt and a gd_bundle.crt.
Combine the two files into one on the command line:
cat xxx.com.crt gd_bundle.crt > xxx_com_combined.crt
[4] Then put the certificate into the example below to test (two files are needed: xxx_com_combined.crt and the key generated at the very beginning).
Compile and run (you need to download OpenSSL and compile applink.c in).
When it runs you will be asked to enter the pass phrase (I haven't changed this yet; OpenSSL actually has a password callback, so it need not be typed by hand).
[5] In the browser enter: https://www.xxx.com:5555 If you see hello world it worked (since this is only a test, the server accepts a single connection and exits once it has served it).
The example below is modified from:
http://h71000.www7.hp.com/doc/83final/ba554_90007/ch05s04.html
Problems encountered while modifying this example:
When compiling, this appears: OPENSSL_Uplink(10115000,08): no OPENSSL_Applink
This is because applink.c is missing; adding that file fixes it. The file can be found in the OpenSSL directory.
The HTTPS test in Chrome succeeded.
But IE gave this:
948:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:350:
Changing
meth = SSLv3_method();
to
meth = SSLv23_method();
fixed it.
*/
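The order of the `cat` in step [3] matters: the server certificate must come first and every certificate must be followed by the one that issued it, otherwise clients are sent a broken chain. The Python check below is an added example, not part of this gist; it splits a PEM bundle with a minimal DER walker and compares each certificate's raw issuer bytes with the next certificate's subject bytes, using constructed, unsigned stand-in certificates (names only, no keys or signatures) as sample input.

```python
import base64
import re
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _der(tag, content):
    """Encode one short-form DER TLV (enough for the tiny constructed samples)."""
    return bytes([tag, len(content)]) + content

def _read_tlv(data, pos):
    """Decode the DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw issuer and subject Name DER."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]      # serial, sigAlg, issuer, validity, subject

def chain_order_ok(pem_bytes):
    """True when the bundle has >1 cert and each one is issued by the cert after it."""
    ders = [base64.b64decode(b"".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(pem_bytes)]
    names = [issuer_and_subject(d) for d in ders]
    return len(names) > 1 and all(names[i][0] == names[i + 1][1]
                                  for i in range(len(names) - 1))

def fake_cert_pem(subject, issuer):
    """Constructed, unsigned stand-in for a certificate carrying only the two names."""
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer)
               + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

# Constructed sample: leaf for xxx.com issued by "GoDaddy G2", itself issued by "GoDaddy Root".
LEAF = fake_cert_pem("xxx.com", "GoDaddy G2")
BUNDLE = fake_cert_pem("GoDaddy G2", "GoDaddy Root")   # what gd_bundle.crt carries
GOOD = LEAF + BUNDLE   # cat xxx.com.crt gd_bundle.crt
BAD = BUNDLE + LEAF    # leaf not first: wrong order
```

Run it against the real xxx_com_combined.crt by passing the file's bytes to `chain_order_ok`; a lone leaf (no intermediates) also fails the check.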
/*
* ++
* FACILITY:
*
* Simplest SSL Server
*
* ABSTRACT:
*
* This is an example of an SSL server with minimum functionality.
* The socket APIs are used to handle TCP/IP operations. This SSL
* server loads its own certificate and key, but it does not verify
* the certificate of the SSL client.
*
*/
/* Assumptions, Build, Configuration, and Execution Instructions */
/*
* ASSUMPTIONS:
*
* The following are assumed to be true for the
* execution of this program to succeed:
*
* - SSL is installed and started on this system.
*
* - this server program, and its accompanying client
* program are run on the same system, but in different
* processes.
*
* - the certificate and keys referenced by this program
* reside in the same directory as this program. There
* is a command procedure, SSL$EXAMPLES_SETUP.COM, to
* help set up the certificates and keys.
*
*
* BUILD INSTRUCTIONS:
*
* To build this example program use commands of the form,
*
* For a 32-bit application using only SSL APIs, run the
* following commands for SSL_APP.C .
* -----------------------------------------------------------------
* $CC/POINTER_SIZE=32/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL_APP.C
* $LINK SSL_APP.OBJ, VMS_DECC_OPTIONS.OPT/OPT
* -----------------------------------------------------------------
* VMS_DECC_OPTIONS.OPT should include the following lines.
* -------------------------------------------------
* SYS$LIBRARY:SSL$LIBCRYPTO_SHR32.EXE/SHARE
* SYS$LIBRARY:SSL$LIBSSL_SHR32.EXE/SHARE
* -------------------------------------------------
*
* To create a 64-bit application from SSL_APP.C, run the
* following commands.
* -----------------------------------------------------------------
* $CC/POINTER_SIZE=64/PREFIX_LIBRARY_ENTRIES=ALL_ENTRIES SSL_APP.C
* $LINK SSL_APP.OBJ, VMS_DECC_OPTIONS.OPT/OPT
* -----------------------------------------------------------------
* VMS_DECC_OPTIONS.OPT should include the following lines.
* -------------------------------------------------
* SYS$LIBRARY:SSL$LIBCRYPTO_SHR.EXE/SHARE
* SYS$LIBRARY:SSL$LIBSSL_SHR.EXE/SHARE
* -------------------------------------------------
*
*
* CONFIGURATION INSTRUCTIONS:
*
*
* RUN INSTRUCTIONS:
*
* To run this example program:
*
* 1) Start the server program,
*
* $ run server
*
* 2) Start the client program on this same system,
*
* $ run client
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef _WIN32
/* Winsock headers must come before anything that pulls in windows.h.
 * applink.c ships with OpenSSL (include/openssl/applink.c) and must be
 * compiled into the executable exactly once, otherwise the
 * "no OPENSSL_Applink" error noted above appears. */
#include <winsock2.h>
#include <ws2tcpip.h>
#include <openssl/applink.c>
#pragma comment(lib, "ws2_32.lib")
#define close closesocket
#else
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>

#define RSA_SERVER_CERT    "xxx_com_combined.crt" /* xxx.com.crt followed by gd_bundle.crt */
#define RSA_SERVER_KEY     "xxx_com.key"
#define RSA_SERVER_CA_CERT "xxx_com_combined.crt"
#define ON  1
#define OFF 0
#define RETURN_NULL(x)     if ((x) == NULL) exit(1)
#define RETURN_ERR(err, s) if ((err) == -1) { perror(s); exit(1); }
/* SSL_accept/SSL_read/SSL_write signal failure with any value <= 0, not only -1 */
#define RETURN_SSL(err)    if ((err) <= 0) { ERR_print_errors_fp(stderr); exit(1); }
/* Content-Length must equal the body size: "hello world\n" is 12 bytes */
#define RESPONSE \
    "HTTP/1.1 200 OK\r\n" \
    "Content-Type: text/plain\r\n" \
    "Content-Length: 12\r\n" \
    "\r\n" \
    "hello world\n"

int main(void)
{
    int err;
    int verify_client = OFF;      /* To verify a client certificate, set ON */
    int listen_sock;
    int sock;
    struct sockaddr_in sa_serv;
    struct sockaddr_in sa_cli;
    socklen_t client_len;         /* accept() expects socklen_t, not size_t */
    char *str;
    char buf[4096];
    SSL_CTX *ctx;
    SSL *ssl;
    const SSL_METHOD *meth;
    X509 *client_cert = NULL;
    unsigned short s_port = 5555;

#ifdef _WIN32
    {
        WSADATA wsaData;
        if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
            fprintf(stderr, "WSAStartup failed\n");
            exit(1);
        }
    }
#endif
    /*----------------------------------------------------------------*/
    /* Load encryption & hashing algorithms for the SSL program */
    SSL_library_init();
    /* Load the error strings for SSL & CRYPTO APIs */
    SSL_load_error_strings();
    /* Create a SSL_METHOD structure. SSLv23_method() negotiates the highest
     * protocol version both sides support, which is why IE stopped failing
     * with "wrong version number" once SSLv3_method() was replaced. */
    /* meth = SSLv3_method(); */
    meth = SSLv23_method();
    /* Create a SSL_CTX structure */
    ctx = SSL_CTX_new(meth);
    if (!ctx) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    /* Load the server certificate plus the GoDaddy intermediates. The
     * *_chain_file variant sends every certificate in the combined file;
     * SSL_CTX_use_certificate_file() would load only the first PEM block
     * and silently drop the gd_bundle.crt part. */
    if (SSL_CTX_use_certificate_chain_file(ctx, RSA_SERVER_CERT) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    /* Load the private key corresponding to the server certificate. The key
     * was generated with -des3, so OpenSSL prompts for the pass phrase on the
     * terminal here; SSL_CTX_set_default_passwd_cb() installs a callback that
     * supplies it instead. */
    if (SSL_CTX_use_PrivateKey_file(ctx, RSA_SERVER_KEY, SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    /* Check that the server certificate and private key match */
    if (!SSL_CTX_check_private_key(ctx)) {
        fprintf(stderr, "Private key does not match the certificate public key\n");
        exit(1);
    }
    if (verify_client == ON) {
        /* Load the RSA CA certificate into the SSL_CTX structure */
        if (!SSL_CTX_load_verify_locations(ctx, RSA_SERVER_CA_CERT, NULL)) {
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        /* Set to require peer (client) certificate verification */
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        /* Set the verification depth to 1 */
        SSL_CTX_set_verify_depth(ctx, 1);
    }
    /* ----------------------------------------------- */
    /* Set up a TCP socket */
    listen_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    RETURN_ERR(listen_sock, "socket");
    memset(&sa_serv, '\0', sizeof(sa_serv));
    sa_serv.sin_family = AF_INET;
    sa_serv.sin_addr.s_addr = INADDR_ANY;
    sa_serv.sin_port = htons(s_port); /* Server Port number */
    err = bind(listen_sock, (struct sockaddr *)&sa_serv, sizeof(sa_serv));
    RETURN_ERR(err, "bind");
    /* Wait for an incoming TCP connection. */
    err = listen(listen_sock, 5);
    RETURN_ERR(err, "listen");
    client_len = sizeof(sa_cli);
    /* Socket for a TCP/IP connection is created */
    sock = accept(listen_sock, (struct sockaddr *)&sa_cli, &client_len);
    RETURN_ERR(sock, "accept");
    close(listen_sock);
    /* Print the peer in dotted-quad form and host byte order, not raw hex */
    printf("Connection from %s, port %u\n", inet_ntoa(sa_cli.sin_addr),
           (unsigned)ntohs(sa_cli.sin_port));
    /* ----------------------------------------------- */
    /* TCP connection is ready. */
    /* A SSL structure is created */
    ssl = SSL_new(ctx);
    RETURN_NULL(ssl);
    /* Assign the socket into the SSL structure (SSL and socket without BIO) */
    SSL_set_fd(ssl, sock);
    /* Perform SSL Handshake on the SSL server */
    err = SSL_accept(ssl);
    RETURN_SSL(err);
    /* Informational output (optional) */
    printf("SSL connection using %s\n", SSL_get_cipher(ssl));
    if (verify_client == ON) {
        /* Get the client's certificate (optional) */
        client_cert = SSL_get_peer_certificate(ssl);
        if (client_cert != NULL) {
            printf("Client certificate:\n");
            /* X509_NAME_oneline() with a NULL buffer allocates; release with OPENSSL_free */
            str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);
            RETURN_NULL(str);
            printf("\t subject: %s\n", str);
            OPENSSL_free(str);
            str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
            RETURN_NULL(str);
            printf("\t issuer: %s\n", str);
            OPENSSL_free(str);
            X509_free(client_cert);
        } else {
            printf("The SSL client does not have a certificate.\n");
        }
    }
    /*------- DATA EXCHANGE - Receive message and send reply. -------*/
    /* Receive data from the SSL client (the browser's HTTP request) */
    err = SSL_read(ssl, buf, sizeof(buf) - 1);
    RETURN_SSL(err);
    buf[err] = '\0';
    printf("Received %d chars:'%s'\n", err, buf);
    /* Send data to the SSL client */
    err = SSL_write(ssl, RESPONSE, (int)strlen(RESPONSE));
    RETURN_SSL(err);
    /*--------------- SSL closure ---------------*/
    /* Shutdown this side (server) of the connection. 0 means the peer's
     * close_notify has not arrived yet, which is fine for a one-shot server;
     * only a negative return is an error. */
    err = SSL_shutdown(ssl);
    if (err < 0) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    /* Terminate communication on a socket */
    err = close(sock);
    RETURN_ERR(err, "close");
    /* Free the SSL structure */
    SSL_free(ssl);
    /* Free the SSL_CTX structure */
    SSL_CTX_free(ctx);
#ifdef _WIN32
    WSACleanup();
#endif
    return 0;
}