## Preface

I took part in the OpenAtom training camp (season 1), Tongsuo GM cryptography track, and attended the excellent course given by Ant Group's technical experts. Both the pace and the content were very good, and the course gave me a deeper understanding of the GM (Chinese national cryptography) standards and their implementation details. Many thanks to the OpenAtom Open Source Foundation and the Tongsuo community for organising the event. After the course I had some ideas for changes to a project I had used before, in the hope of contributing in a small way to the adoption of GM cryptography.
## Project introduction

Quoting the official description, Siege is an HTTP load-testing tool:

> Siege is an http load tester and benchmarking utility

https://github.com/JoeDog/siege

On top of the original, OpenSSL is replaced by Tongsuo as the SSL implementation.
## GM standards

The TLCP protocol is specified in the national standard GB/T 38636-2020 (Information security technology: Transport layer cryptography protocol (TLCP)). TLCP is a transport-layer cryptographic protocol built on the GM algorithms; it provides data protection and identity authentication. Compared with traditional SSL/TLS, TLCP offers stronger security and better protects the confidentiality, integrity and availability of data. It also offers efficient performance, rich key-management functionality and a flexible range of applications. Using TLCP improves the security and reliability of network applications and prevents data leakage and tampering. In short, TLCP is an excellent transport-layer cryptographic protocol that deserves wide adoption.
## Approach

Reference: https://www.yuque.com/tsdoc/ts/hedgqf

For the GM implementation only two things need to change: the SSL_METHOD, and the SSL_CTX_use_PrivateKey-related loading calls.

- Load the signing certificate with: SSL_CTX_use_sign_certificate_file
- Load the signing key with: SSL_CTX_use_sign_PrivateKey_file
- Load the encryption certificate with: SSL_CTX_use_enc_certificate_file
- Load the encryption key with: SSL_CTX_use_enc_PrivateKey_file

The reason is that the GM standards require SM2 keys to be separated by purpose: identity authentication and data protection must use different keys, that is, a signing key and an encryption key. Why they have to be separated deserves a fuller discussion of the GM standards system later.
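As an added illustration of the change described above (this is not Siege's or Tongsuo's own code), the C sketch below builds a client SSL_CTX that flips between ordinary TLS and TLCP. The four SSL_CTX_use_sign_* / SSL_CTX_use_enc_* loaders are the ones listed above; NTLS_client_method() is Tongsuo's TLCP client method, which the page itself does not name; HAVE_NTLS, tlcp_client_auth_check() and tlcp_ctx_new() are this example's own names. The dependency-free check encodes what the key-separation rule means for Siege's command-line options: TLCP client authentication needs --cert/--key and --xcert/--xkey together, as distinct key pairs, whereas plain TLS needs only the first pair.

```c
/* Added example, not code from Siege or Tongsuo. NTLS_client_method() and
 * the sign/enc loaders come from Tongsuo's <openssl/ssl.h>; HAVE_NTLS,
 * tlcp_client_auth_check() and tlcp_ctx_new() are this example's own names.
 * Build with -DHAVE_NTLS against Tongsuo to get the context builder; without
 * it only the dependency-free option check is compiled. */
#include <stdio.h>
#include <string.h>

struct tlcp_client_auth {
    const char *sign_cert; /* --cert  : SM2 signing certificate     */
    const char *sign_key;  /* --key   : key for the signing cert    */
    const char *enc_cert;  /* --xcert : SM2 encryption certificate  */
    const char *enc_key;   /* --xkey  : key for the encryption cert */
};

/* Validate client-auth options before touching the SSL library.
 * Returns 0 if usable, -1 with a reason in err otherwise.
 *   tlcp == 0: ordinary TLS, needs --cert and --key (or neither).
 *   tlcp == 1: TLCP separates identity from data protection, so client
 *              auth needs all four files, and the two pairs must differ. */
int tlcp_client_auth_check(int tlcp, const struct tlcp_client_auth *a,
                           char *err, size_t errlen)
{
    int have_sign = a->sign_cert != NULL && a->sign_key != NULL;
    int have_enc  = a->enc_cert  != NULL && a->enc_key  != NULL;
    int any = a->sign_cert || a->sign_key || a->enc_cert || a->enc_key;

    err[0] = '\0';
    if (!any)
        return 0;                 /* one-way handshake: server auth only */
    if (!have_sign) {
        snprintf(err, errlen, "--cert and --key must be given together");
        return -1;
    }
    if (!tlcp)
        return 0;                 /* TLS: a single key pair is enough */
    if (!have_enc) {
        snprintf(err, errlen, "TLCP client auth also needs --xcert and --xkey");
        return -1;
    }
    if (strcmp(a->sign_cert, a->enc_cert) == 0 || strcmp(a->sign_key, a->enc_key) == 0) {
        snprintf(err, errlen, "signing and encryption material must be distinct key pairs");
        return -1;
    }
    return 0;
}

#ifdef HAVE_NTLS
#include <openssl/ssl.h>
#include <openssl/err.h>

/* Client context: tlcp == 0 keeps the TLS path Siege already had,
 * tlcp == 1 swaps the method and loads the two SM2 certificate pairs. */
SSL_CTX *tlcp_ctx_new(int tlcp, const struct tlcp_client_auth *a, const char *ca_file)
{
    char err[128];
    SSL_CTX *ctx;
    int ok = 1;

    if (tlcp_client_auth_check(tlcp, a, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);
        return NULL;
    }
    ctx = SSL_CTX_new(tlcp ? NTLS_client_method() : TLS_client_method());
    if (ctx == NULL)
        return NULL;

    /* Verify the server certificate; otherwise the handshake is encrypted but unauthenticated. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    if (ca_file != NULL && SSL_CTX_load_verify_locations(ctx, ca_file, NULL) != 1)
        ok = 0;

    if (ok && a->sign_cert != NULL) {
        if (tlcp)
            ok = SSL_CTX_use_sign_certificate_file(ctx, a->sign_cert, SSL_FILETYPE_PEM) == 1
              && SSL_CTX_use_sign_PrivateKey_file(ctx, a->sign_key, SSL_FILETYPE_PEM) == 1
              && SSL_CTX_use_enc_certificate_file(ctx, a->enc_cert, SSL_FILETYPE_PEM) == 1
              && SSL_CTX_use_enc_PrivateKey_file(ctx, a->enc_key, SSL_FILETYPE_PEM) == 1;
        else
            ok = SSL_CTX_use_certificate_file(ctx, a->sign_cert, SSL_FILETYPE_PEM) == 1
              && SSL_CTX_use_PrivateKey_file(ctx, a->sign_key, SSL_FILETYPE_PEM) == 1
              && SSL_CTX_check_private_key(ctx) == 1;
    }
    if (!ok) {
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ctx);
        return NULL;
    }
    return ctx;
}
#endif

int main(void)
{
    char err[128];
    struct tlcp_client_auth mutual = { "sign.pem", "sign.key", "enc.pem", "enc.key" };
    struct tlcp_client_auth half   = { "sign.pem", "sign.key", NULL, NULL };

    printf("TLCP, both pairs: %d\n", tlcp_client_auth_check(1, &mutual, err, sizeof err));
    printf("TLCP, sign only : %d (%s)\n", tlcp_client_auth_check(1, &half, err, sizeof err), err);
    printf("TLS,  sign only : %d\n", tlcp_client_auth_check(0, &half, err, sizeof err));
    return 0;
}
```

To get the real context builder, compile with `-DHAVE_NTLS -I$PREFIX_PATH/Tongsuo/include -L$PREFIX_PATH/Tongsuo/lib64 -lssl -lcrypto` against the Tongsuo built in the next section; the option check alone compiles with any C compiler.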
## Changes

### Build

```sh
export PREFIX_PATH=`pwd`/release
# Tongsuo
cd Tongsuo
./config --prefix=$PREFIX_PATH/Tongsuo -Wl,-rpath=../lib64:../../lib64 enable-ntls
make -j
make install
# siege (sits next to the Tongsuo checkout, so go back up one level first)
cd ../siege
./utils/bootstrap
./configure \
  LDFLAGS="-L$PREFIX_PATH/Tongsuo/lib64 -Wl,-rpath=../../Tongsuo/lib64" \
  CFLAGS="-I$PREFIX_PATH/Tongsuo/include" \
  --prefix=$PREFIX_PATH/siege-v4.15 \
  --with-ssl=$PREFIX_PATH/Tongsuo
make -j
make install
```
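One check worth doing after this build, as an added example that is not part of the original post: the `-rpath=../../Tongsuo/lib64` above is a relative rpath, and the dynamic loader resolves a relative rpath against the current working directory, not the binary's location (which is why the usage below runs everything from the `bin` directories; `$ORIGIN`-based rpaths avoid the problem). If siege is started elsewhere it silently falls back to the system libssl, which does not speak TLCP, so the script confirms which libssl is resolved and then exercises the server with Tongsuo's own s_client before load testing. It assumes `$PREFIX_PATH/Tongsuo` from the build steps and `ldd`/`awk` on the path; `resolved_libssl`, `libssl_is_tongsuo`, `check_siege_binary` and `tlcp_probe` are this example's own names, and the ldd output at the bottom is constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post. Confirms which libssl the
# built siege resolves (the relative -rpath depends on the working
# directory) and probes a server with Tongsuo's s_client.
# Assumes $PREFIX_PATH/Tongsuo as in the build steps, plus ldd and awk.

# Print the path ldd resolved for libssl (stdin = ldd output).
# Fails when libssl is absent or reported as "not found".
resolved_libssl() {
    awk '
        /libssl\.so/ {
            found = 1
            if ($0 ~ /not found/) exit 1
            for (i = 1; i <= NF; i++) if (index($i, "/") == 1) { print $i; exit 0 }
        }
        END { if (!found) exit 1 }
    '
}

# Succeed only if the resolved libssl lives under the given Tongsuo prefix.
libssl_is_tongsuo() {   # usage: libssl_is_tongsuo <tongsuo-prefix> < ldd-output
    lib=$(resolved_libssl) || return 1
    case "$lib" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run from the directory you will start siege from: a relative rpath is
# resolved against the current directory, not the binary's own location.
check_siege_binary() {  # usage: check_siege_binary <siege-binary> <tongsuo-prefix>
    ldd "$1" | libssl_is_tongsuo "$2"
}

# TLCP handshake with Tongsuo's s_client: one-way with host:port and a CA
# file, mutual when the signing and encryption cert/key files follow.
tlcp_probe() {  # usage: tlcp_probe host:port ca.pem [sign.pem sign.key enc.pem enc.key]
    extra=""
    [ $# -ge 6 ] && extra="-sign_cert $3 -sign_key $4 -enc_cert $5 -enc_key $6"
    # $extra is intentionally unquoted so it splits into separate arguments
    "${PREFIX_PATH:?set PREFIX_PATH as in the build steps}/Tongsuo/bin/tongsuo" s_client \
        -connect "$1" -enable_ntls -ntls -CAfile "$2" -verify_return_error $extra </dev/null
}

# Constructed ldd output for the offline demo (not captured from a real build).
SAMPLE_OK='	libssl.so.3 => /opt/build/release/Tongsuo/lib64/libssl.so.3 (0x00007f0000000000)
	libcrypto.so.3 => /opt/build/release/Tongsuo/lib64/libcrypto.so.3 (0x00007f0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'
SAMPLE_SYSTEM='	libssl.so.3 => /lib64/libssl.so.3 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

printf '%s\n' "$SAMPLE_OK" | libssl_is_tongsuo /opt/build/release/Tongsuo \
    && echo "demo: siege would load Tongsuo's libssl"
printf '%s\n' "$SAMPLE_SYSTEM" | libssl_is_tongsuo /opt/build/release/Tongsuo \
    || echo "demo: siege fell back to the system libssl; TLCP will not work"
```

On a real build, `check_siege_binary ./siege "$PREFIX_PATH/Tongsuo"` from the siege `bin` directory and `tlcp_probe 10.0.x.x:444 ca.pem sign.pem sign.key enc.pem enc.key` together tell you whether a failed `--tlcp` run is a linking problem or a certificate problem before any load is applied.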
## Usage

- Test Tongsuo

```text
[root@localhost bin]# cd release/Tongsuo/bin
[root@localhost bin]# ./tongsuo version
Tongsuo: Tongsuo 8.4.0-dev (Library: Tongsuo 8.4.0-dev)
OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)
```

- Test Siege

```text
# run
[root@localhost bin]# ./siege -V
SIEGE 4.1.5 gm
Copyright (C) 2022 by Jeffrey Fulmer, et al.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.

# test against Baidu
[root@localhost bin]# ./siege -c 1 -r 5 https://www.baidu.com
** SIEGE 4.1.5 gm
** Preparing 1 concurrent users for battle.
The server is now under siege...
HTTP/1.1 200 0.10 secs: 227 bytes ==> GET /
HTTP/1.1 200 0.11 secs: 227 bytes ==> GET /
HTTP/1.1 200 0.09 secs: 227 bytes ==> GET /
HTTP/1.1 200 0.11 secs: 227 bytes ==> GET /
HTTP/1.1 200 0.10 secs: 227 bytes ==> GET /
Transactions: 5 hits
Availability: 100.00 %
Elapsed time: 0.51 secs
Data transferred: 0.00 MB
Response time: 0.10 secs
Transaction rate: 9.80 trans/sec
Throughput: 0.00 MB/sec
Concurrency: 1.00
Successful transactions: 5
Failed transactions: 0
Longest transaction: 0.11
Shortest transaction: 0.09

# TLCP one-way (server authentication only)
[root@localhost bin]# ./siege -c 1 -r 5 --tlcp https://10.0.x.x:443/
** SIEGE 4.1.5 gm
** Preparing 1 concurrent users for battle.
The server is now under siege...
HTTP/1.1 200 0.02 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.01 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.02 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.01 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.01 secs: 28435 bytes ==> GET /
Transactions: 5 hits
Availability: 100.00 %
Elapsed time: 0.07 secs
Data transferred: 0.14 MB
Response time: 0.01 secs
Transaction rate: 71.43 trans/sec
Throughput: 1.94 MB/sec
Concurrency: 1.00
Successful transactions: 5
Failed transactions: 0
Longest transaction: 0.02
Shortest transaction: 0.01

# TLCP mutual (client authentication with signing and encryption pairs)
[root@localhost bin]# ./siege -c 1 -r 5 --tlcp --cert sign.pem --key sign.key --xcert enc.pem --xkey enc.key https://10.0.x.x:444/
** SIEGE 4.1.5 gm
** Preparing 1 concurrent users for battle.
The server is now under siege...
HTTP/1.1 200 0.03 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.02 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.02 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.02 secs: 28435 bytes ==> GET /
HTTP/1.1 200 0.03 secs: 28435 bytes ==> GET /
Transactions: 5 hits
Availability: 100.00 %
Elapsed time: 0.12 secs
Data transferred: 0.14 MB
Response time: 0.02 secs
Transaction rate: 41.67 trans/sec
Throughput: 1.13 MB/sec
Concurrency: 1.00
Successful transactions: 5
Failed transactions: 0
Longest transaction: 0.03
Shortest transaction: 0.02
```