Problem description
I want to upgrade the XMPP client library from libstrophe 0.9.1 to libstrophe 0.10.0 (the cafile branch, https://github.com/strophe/libstrophe/tree/cafile).
I want to perform certificate verification of the XMPP server.
The libstrophe function used to verify the certificate is:
tls_t *tls_new(xmpp_conn_t *conn)
{
    tls_t *tls = xmpp_alloc(conn->ctx, sizeof(*tls));
    int mode;

    conn->tls_trust = 0;
    if (tls) {
        int ret;
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        /* Hostname verification is supported in OpenSSL 1.0.2 and newer. */
        X509_VERIFY_PARAM *param;
#endif
        memset(tls, 0, sizeof(*tls));
        tls->ctx = conn->ctx;
        tls->sock = conn->sock;
        /* Publish the context only after tls->ctx has been initialised. */
        _xmppctx = tls->ctx;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        tls->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#else
        tls->ssl_ctx = SSL_CTX_new(TLS_client_method());
#endif
        if (tls->ssl_ctx == NULL)
            goto err;

        /* Enable bug workarounds. */
        SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_ALL);
        /* Disable insecure SSL/TLS versions. */
        SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_NO_SSLv2); /* DROWN */
        SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_NO_SSLv3); /* POODLE */
        SSL_CTX_set_options(tls->ssl_ctx, SSL_OP_NO_TLSv1); /* BEAST */

        SSL_CTX_set_client_cert_cb(tls->ssl_ctx, NULL);
        SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

        ret = SSL_CTX_set_default_verify_paths(tls->ssl_ctx);
        if (ret == 0 && !conn->tls_trust) {
            /*
             * Returns 1 on success and 0 on failure. A missing default
             * location is still treated as a success.
             * Ignore errors when XMPP_CONN_FLAG_TRUST_TLS is set.
             */
            xmpp_error(tls->ctx, "tls", "SSL_CTX_set_default_verify_paths() failed");
            goto err_free_ctx;
        }

        tls->ssl = SSL_new(tls->ssl_ctx);
        if (tls->ssl == NULL)
            goto err_free_ctx;

#if OPENSSL_VERSION_NUMBER >= 0x0908060L && !defined(OPENSSL_NO_TLSEXT)
        /* Enable SNI. */
        SSL_set_tlsext_host_name(tls->ssl, conn->domain);
#endif

        if (conn->tls_cafile) {
            /* A CA file was configured: require and verify the peer certificate. */
            //mode = conn->tls_trust ? SSL_VERIFY_NONE : SSL_VERIFY_PEER;
            SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, NULL);
            //SSL_CTX_set_verify(tls->ssl_ctx, NULL);
        } else {
            /* No CA file: skip peer verification. */
            conn->tls_trust = 0;
            SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, NULL);
        }

#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        /* Hostname verification is supported in OpenSSL 1.0.2 and newer. */
        param = SSL_get0_param(tls->ssl);
        /*
         * Allow only complete wildcards. RFC 6125 discourages wildcard usage
         * completely, and lists internationalized domain names as a reason
         * against partial wildcards.
         * See https://tools.ietf.org/html/rfc6125#section-7.2 for more
         * information.
         */
        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
        X509_VERIFY_PARAM_set1_host(param, conn->domain, 0);
#endif

        ret = SSL_set_fd(tls->ssl, conn->sock);
        if (ret <= 0)
            goto err_free_ssl;
    }

    return tls;

err_free_ssl:
    SSL_free(tls->ssl);
err_free_ctx:
    SSL_CTX_free(tls->ssl_ctx);
err:
    xmpp_free(conn->ctx, tls);
    _tls_log_error(conn->ctx);
    return NULL;
}
When I do not specify a verify callback (NULL) in SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, NULL); the SSL handshake fails:
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp SRV lookup Failed,connecting via domain.
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp sock_connect() to ThinkPad-E480:5222 returned 3
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp Attempting to connect to -ThinkPad-E480
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp connection successful
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn SENT: <?xml version="1.0"?><stream:stream to="ThinkPad-E480" xml:lang="en" version="1.0" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp RECV: <stream:stream id="11596129080418563431" version="1.0" lang="en" from="ThinkPad-E480">
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp RECV: <features xmlns="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></features>
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn->tls_cafile : /etc/ssl/certs/server.pem
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn SENT: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp handle proceedtls called for proceed
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp proceeding with TLS
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn->tls_cafile : /etc/ssl/certs/server.pem
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - tls Certificate verification Failed,result=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(20)
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - tls Certificate was not presented by peer
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - tls error=SSL_ERROR_SSL(1) errno=0
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - tls error:14090086:lib(20):func(144):reason(134)
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn Couldn't start TLS! error -3 tls_error 1
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn SENT: </stream:stream>
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp Send error occurred,disconnecting.
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp Closing socket.
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - event Stopping event loop.
2018-05-05 18:17:46 [tr069_xmpp] INFO - XMPP_DEBUG cur_xmmp_con.cafile=/etc/ssl/certs/server.pem
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp SRV lookup Failed,connecting via domain.
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp sock_connect() to ThinkPad-E480:5222 returned 3
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp Attempting to connect to ThinkPad-E480
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp connection successful
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - conn SENT: <?xml version="1.0"?><stream:stream to="ThinkPad-E480" xml:lang="en" version="1.0" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp RECV: <stream:stream id="16476924513276290289" version="1.0" lang="en" from="ThinkPad-E480">
2018-05-05 18:17:46 [tr069_xmpp] DEBUG - xmpp RECV: <features xmlns="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></features>
In libstrophe version 0.9.1 we used SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL); and this problem does not reproduce!!
How can this problem be solved?
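Added note and example, not part of the original question or of libstrophe's own code: in the snippet above conn->tls_cafile is only logged, nothing loads it into the SSL_CTX (for example with SSL_CTX_load_verify_locations()), so OpenSSL has no trust anchor for the server's issuer and peer verification ends in X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20), which is exactly what the log records. The shell script below reproduces that error code with the openssl command-line tool against a throwaway CA and a server leaf certificate it generates itself (constructed test data; "Example Test CA" and the ThinkPad-E480 host name are placeholders), then shows verification succeeding once the CA file is supplied as the trust anchor, including the hostname check that X509_VERIFY_PARAM_set1_host() enables in the C code. It assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces OpenSSL verify error 20
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) and shows it clearing once the
# CA file is loaded as a trust anchor. Requires the `openssl` CLI.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway CA and a server leaf certificate signed by it
# (constructed test data; the subject names are placeholders).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ThinkPad-E480" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:ThinkPad-E480\n' > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the leaf with no trust anchor supplied: the situation the libstrophe
# snippet is in when conn->tls_cafile is never loaded into the SSL_CTX.
# Prints the numeric X509 verify error (expected: 20).
verify_error_without_ca() {
    openssl verify "$WORK/server.pem" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Verify the leaf against the CA file, optionally also checking the host name
# (the same check X509_VERIFY_PARAM_set1_host() enables in the C code).
# Returns openssl's exit status: 0 when the chain (and host name) check passes.
verify_with_ca() {
    if [ -n "${1:-}" ]; then
        openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
            "$WORK/server.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
    fi
}

make_test_pki
echo "without CA file: X509 verify error $(verify_error_without_ca)"
verify_with_ca && echo "with CA file: OK"
verify_with_ca ThinkPad-E480 && echo "with CA file + hostname ThinkPad-E480: OK"
verify_with_ca wrong.example || echo "with CA file + hostname wrong.example: rejected"
```

The first run prints error 20 because the leaf's issuer is not in any store the tool consults; supplying the CA file turns the same leaf into "OK", and a host name that does not match the certificate is still rejected even with the CA loaded, which is the behaviour the C code's SSL_VERIFY_PEER plus X509_VERIFY_PARAM_set1_host() combination aims for.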
Solution
No effective solution to this problem has been found yet; the editors are still looking for one.