參考 OpenSSL 證書
===
自我認證 CA
$ mkdir ca; cd ca
產生私鑰
$ mkdir private
$ openssl genrsa -out private/cakey.pem 2048
產生自簽章證書
$ cp /etc/ssl/openssl.cnf .
$ vi openssl.cnf
dir = .
default_md = sha512
keyUsage = cRLSign, keyCertSign
$ openssl req -new -x509 -nodes -key private/cakey.pem -out cacert.pem \
-days 3650 -subj "/C=TW/ST=Taiwan/L=Taichung/O=SDL/OU=R&D/CN=z390-CA" \
-config openssl.cnf
顯示證書
$ openssl x509 -text -noout -in cacert.pem
===
產生網站的證書
$ mkdir web1; cd web1
產生私鑰
$ openssl genrsa -out server.key 2048
$ vi ssl.conf
[ req ]
prompt = no
default_md = sha512
default_bits = 2048
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = TW
ST = Taiwan
L = Taichung
O = SDL
OU = R&D
emailAddress = mark@localhost
CN = mark-z390-u
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ alt_names ]
DNS.1 = localhost
DNS.2 = mark-z390-u
DNS.3 = dixx.vigorddns.com
DNS.4 = 192.168.0.101
IP.1 = 127.0.0.1
IP.2 = 192.168.0.101
$ openssl req -new -sha512 -key server.key -out server.csr -config ssl.conf
顯示需求證書
$ openssl req -text -noout -in server.csr
顯示私鑰
$ openssl rsa -out -noout -in server.key
顯示公鑰
$ openssl rsa -in server.key -pubout -out server_pub.key
$ openssl rsa -in server_pub.key -pubin -noout -text
===
使用 自我認證 CA 簽署 需求證書
回到 ca 目錄
$ mkdir newcerts
$ touch index.txt
$ echo "01">serial
$ openssl ca -in ../web1/server.csr -out ../web1/server.crt -days 3650 -extennsions v3_req -extfile ../web1/ssl.conf -config openssl.cnf
匯入憑證到 Windows 10
cacert.pem 改名為 cacert.crt
本機裝置 的憑證 certlm.msc
目前的使用者憑證 certmgr.msc
受信任的根憑證授權單位/憑證
按滑鼠右鍵/所有工作/匯入 選擇 cacert.crt
金鑰使用方法
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
===
參考 OCSP & CRL 介紹
CRL(Certificate Revocation List) 被 CA 撤銷的憑證清單
OCSP(Online Certificate Status Protocal) 線上查詢憑證狀態
參考根憑證
AAA Certificate Services
CRL 發佈點
CRL Distribution Point
URL=http://crl.comodoca.com/AAACertificateServices.crl
參考 Visual Studio(VS2017)編譯並配置C/C++-libcurl開發環境
從 https://curl.haxx.se/download.html 下載 curl-7.68.0.zip
解壓縮後進入 curl 目錄
執行 buildconf.bat
以 x86 為例(64為原則改為 x64)
開始/Visual Studio 2017/x86 Native Tools Command Prompt for VS 2017
按滑鼠右鍵選擇 Run as administrator
進入 curl/winbuild
nmake /f Makefile.vc mode=static VC=15 MACHINE=x86 DEBUG=yes
nmake /f Makefile.vc mode=static VC=15 MACHINE=x86 DEBUG=no
編譯的結果在 builds 下
Visual Studio 使用 libcurl
Configuration Properties/C/C++/Preprocessor/Preprocessor Definitions 加入 CURL_STATICLIB
#include <curl/curl.h>
加入下列 library
libcurl_a.lib(libcurl_a_debug.lib)
Ws2_32.lib
Wldap32.lib
winmm.lib(似乎不用)
Crypt32.lib
Normaliz.lib
form 使用
curl_easy_setopt(curl, CURLOPT_MIMEPOST, form);
curl_easy_setopt(curl, CURLOPT_MIMEPOST, form);
json 使用
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, strU8);
curl_easy_setopt(curl, CURLOPT_POST, 1);
libcurl 之傳送接收使用 UTF-8, 函數之參數使用 Big5
在 vc 上使用 CStringA 儲存 Big5 和 UTF-8, 轉換要經過 CStringW (Unicode)
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
curl 之 --insecure 等於
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
不使用 --insecure 等於
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, true);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2); // 0 不檢查 host
curl_easy_setopt(curl, CURLOPT_CAINFO, "cacert.pem");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
不使用 --insecure 等於
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, true);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2); // 0 不檢查 host
curl_easy_setopt(curl, CURLOPT_CAINFO, "cacert.pem");
curl 之 --ssl-no-revoke 等於
curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
使用 curl 測試
===
在 windows 下,引號不能使用'要使用"
--insecure 不檢查證書
===
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/Json -X
POST -H "Content-Type:application/json" -d "{\"updDate\":\"aaa\", \"camera\":\"b
bb\", \"ipaddress\":\"ccc\", \"addr\":\"ddd\"}" --insecure
* Trying 114.35.104.33:5000...
* TCP_NODELAY set
* Connected to dixx.vigorddns.com (114.35.104.33) port 5000 (#0)
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x800903
08) - 提供給功能的權杖不正確
* Closing connection 0
* schannel: shutting down SSL/TLS connection with dixx.vigorddns.com por
t 5000
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN
(0x80090308) - 提供給功能的權杖不正確
===
Windows 7 要加上 --tlsv1.3
Windows 10 不用
===
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/Json -X
POST -H "Content-Type:application/json" -d "{\"updDate\":\"aaa\", \"camera\":\"b
bb\", \"ipaddress\":\"ccc\", \"addr\":\"ddd\"}" --insecure --tlsv1.3
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/Json -X
POST -H "Content-Type:application/json" -d "{\"updDate\":\"aaa\", \"camera\":\"b
bb\", \"ipaddress\":\"ccc\", \"addr\":\"ddd\"}" --tlsv1.3
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 114.35.104.33:5000...
* TCP_NODELAY set
* Connected to dixx.vigorddns.com (114.35.104.33) port 5000 (#0)
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) -
撤銷功能無法檢查憑證的撤銷。
* Closing connection 0
* schannel: shutting down SSL/TLS connection with dixx.vigorddns.com por
t 5000
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x800
92012) - 撤銷功能無法檢查憑證的撤銷。
===
要檢查證書,用參數 --cacert 傳入證書檔
===
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/Json -X
POST -H "Content-Type:application/json" -d "{\"updDate\":\"aaa\", \"camera\":\"b
bb\", \"ipaddress\":\"ccc\", \"addr\":\"ddd\"}" --tlsv1.3 --cacert cacert.pem
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 114.35.104.33:5000...
* TCP_NODELAY set
* Connected to dixx.vigorddns.com (114.35.104.33) port 5000 (#0)
* schannel: added 1 certificate(s) from CA file 'cacert.pem'
* schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNK
NOWN 0x00000040
* Closing connection 0
* schannel: shutting down SSL/TLS connection with dixx.vigorddns.com por
t 5000
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_S
TATUS_UNKNOWN 0x00000040
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
===
因檢查證書時,會去檢查證書是否已經撤銷
--ssl-no-revoke 避免檢查
===
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/Json -X
POST -H "Content-Type:application/json" -d "{\"updDate\":\"aaa\", \"camera\":\"b
bb\", \"ipaddress\":\"ccc\", \"addr\":\"ddd\"}" --tlsv1.3 --cacert cacert.pem --
ssl-no-revoke
===
使用 form
D:\temp\aaa>curl.exe -v https://dixx.vigorddns.com:5000/api/SendForm
-X POST -d "location=aaa&dt=bbb&text=ccc&camera_name=eee&X=x&Y=y&plateId=ddd" --
tlsv1.3 --cacert cacert.pem --ssl-no-revoke
