Using SSL in WinHTTP
Microsoft Windows HTTP Services (WinHTTP) supports Secure Sockets Layer (SSL) transactions including client certificates. This topic explains concepts involved in an SSL transaction and how they are handled using WinHTTP.
Secure Sockets Layer
SSL is an established standard for ensuring secure HTTP transactions. SSL provides a mechanism to perform up to 128-bit encryption on all transactions between the client and server. It enables the client to verify that the server belongs to a trusted entity through the use of server certificates. It also enables the server to confirm the identity of the client with client certificates.
Each of these issues (encryption, server identity, and client identity) is negotiated in the SSL handshake that occurs when a client first requests a resource from a Secure Hypertext Transfer Protocol (HTTPS) server. Essentially, the client and server each present a list of required and preferred settings. If a common set of requirements can be agreed upon and met, an SSL connection is established.
WinHTTP provides a high-level interface for using SSL. While the details of the SSL handshake and transaction are handled internally, WinHTTP enables you to retrieve encryption levels, specify the security protocol, and interact with server and client certificates. The following sections provide details on creating WinHTTP-based applications that select an SSL protocol version, examine server certificates, and select client certificates to send to HTTPS servers.
Server Certificates
Server certificates are sent from the server to the client so that the client can obtain a public key for the server and ensure that the server has been verified by a certification authority. Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the certification authority (CA) that issued the certificate, the name and public key of the entity that requests the certificate, and the CA's signature.
When using the WinHTTP application programming interface (API), you can retrieve a server certificate by calling WinHttpQueryOption and specifying the WINHTTP_OPTION_SECURITY_CERTIFICATE_STRUCT flag. The server certificate is returned in a WINHTTP_CERTIFICATE_INFO structure. If you prefer to retrieve the certificate context, specify the WINHTTP_OPTION_SERVER_CERT_CONTEXT flag instead.
If a server certificate contains errors, details about the error can be obtained in the status callback function. The WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification indicates an error with a server certificate. The lpvStatusInformation parameter contains one or more detailed error flags. See WINHTTP_STATUS_CALLBACK for more information.
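As an added example (not part of the original WinHTTP documentation), the following C++ shows how a client can decode the error flags that WINHTTP_CALLBACK_STATUS_SECURE_FAILURE delivers through lpvStatusInformation and decide whether to abandon the request; the flag values are assumed to match the WINHTTP_CALLBACK_STATUS_FLAG_* constants in winhttp.h and are repeated inline so the decoder also builds outside Windows, and the callback name SecureFailureCallback is an assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#endif
// Bit flags WinHTTP stores in the DWORD pointed to by lpvStatusInformation for a
// WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification (values assumed from winhttp.h).
struct SecureFailureFlag { uint32_t bit; const char* name; };
static const SecureFailureFlag kSecureFailureFlags[] = {
    {0x00000001, "CERT_REV_FAILED"},        // revocation status could not be checked
    {0x00000002, "INVALID_CERT"},           // certificate is invalid
    {0x00000004, "CERT_REVOKED"},           // certificate has been revoked
    {0x00000008, "INVALID_CA"},             // issuing CA is not trusted
    {0x00000010, "CERT_CN_INVALID"},        // name does not match the host
    {0x00000020, "CERT_DATE_INVALID"},      // expired or not yet valid
    {0x00000040, "CERT_WRONG_USAGE"},       // not valid for server authentication
    {0x80000000, "SECURITY_CHANNEL_ERROR"}, // SSL/TLS channel negotiation failed
};
// Decode a SECURE_FAILURE flag word into the failures it names, in bit order;
// unrecognised bits are reported as UNKNOWN(0x...) so nothing is silently dropped.
std::vector<std::string> DecodeSecureFailure(uint32_t flags) {
    std::vector<std::string> names;
    for (const auto& f : kSecureFailureFlags)
        if (flags & f.bit) { names.push_back(f.name); flags &= ~f.bit; }
    if (flags) {
        char buf[24];
        std::snprintf(buf, sizeof buf, "UNKNOWN(0x%08x)", static_cast<unsigned>(flags));
        names.push_back(buf);
    }
    return names;
}
// Policy: any SECURE_FAILURE bit abandons the request. The one deliberate exception is
// a lone CERT_REV_FAILED (revocation check could not run, e.g. the CRL/OCSP responder
// was unreachable) when the caller explicitly accepts an unchecked revocation status.
bool ShouldAbortRequest(uint32_t flags, bool accept_unchecked_revocation) {
    return flags != 0 && !(flags == 0x00000001 && accept_unchecked_revocation);
}
#ifdef _WIN32
// Register with WinHttpSetStatusCallback(hRequest, SecureFailureCallback,
// WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0) before WinHttpSendRequest; it logs every
// certificate failure WinHTTP reports for the request.
void CALLBACK SecureFailureCallback(HINTERNET, DWORD_PTR, DWORD status,
                                    LPVOID info, DWORD) {
    if (status != WINHTTP_CALLBACK_STATUS_SECURE_FAILURE || !info) return;
    for (const auto& name : DecodeSecureFailure(*static_cast<DWORD*>(info)))
        std::fprintf(stderr, "WinHTTP secure failure: %s\n", name.c_str());
}
#endif
```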