说明
Windows自制SSL证书,通过libcurl发送https请求,并验证CA证书
生成证书
- 生成 CA 私钥
openssl.exe genpkey -algorithm RSA -out ca.key
- 生成 CA 证书
openssl.exe req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
这一步要填写相关信息,
特别注意 Common Name 填域名或IP
ca.crt 为客户端使用的 CA 证书
- 生成服务器私钥
openssl.exe genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
- 创建CSR:
openssl.exe req -new -key server.key -out server.csr
- 使用 CA 证书签发服务器证书
openssl.exe x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
Nginx 开启 SSL
server {
listen 443 ssl;
# http2 on;
ssl_certificate server.crt; # 证书文件路径
ssl_certificate_key server.key; # 私钥文件路径
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
access_log logs/access.log main;
location / {
mpc_processor;
}
}
编写程序验证
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
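/*
 * Minimal libcurl client used to confirm that an HTTPS request to the
 * locally signed server succeeds when the private CA (ca.crt) is supplied
 * as the trust anchor.
 *
 * Returns EXIT_SUCCESS only when the transfer completed with CURLE_OK;
 * every initialisation, option or transfer failure yields EXIT_FAILURE so
 * the outcome is usable from a script.
 */
int main(void) {
    int rc = EXIT_FAILURE;

    // Global init can fail (e.g. TLS backend setup); an unchecked failure
    // would make every later call misbehave.
    CURLcode res = curl_global_init(CURL_GLOBAL_DEFAULT);
    if (res != CURLE_OK) {
        fprintf(stderr, "curl_global_init() failed: %s\n", curl_easy_strerror(res));
        return rc;
    }

    CURL *curl = curl_easy_init();
    if (!curl) {
        fprintf(stderr, "curl_easy_init() failed\n");
        goto out_global;
    }

    // curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); // debug output; keep commented out in production

    // Every option is checked: a rejected CURLOPT_CAINFO (e.g. unsupported by
    // the TLS backend) would otherwise be silently ignored and the request
    // would run without the private CA loaded.
    // VERIFYPEER validates the chain against the CA bundle; VERIFYHOST 2L
    // additionally requires the name in the URL (here 127.0.0.1) to match
    // the server certificate's subject/SAN.
    if (curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:443") != CURLE_OK ||
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L) != CURLE_OK ||
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L) != CURLE_OK ||
        // CA certificate path; in production ca.crt should hold the root
        // certificates of the CAs you actually trust.
        curl_easy_setopt(curl, CURLOPT_CAINFO, "z:/ca.crt") != CURLE_OK) {
        fprintf(stderr, "curl_easy_setopt() failed\n");
        goto out_easy;
    }

    res = curl_easy_perform(curl);
    if (res != CURLE_OK) {
        fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
        goto out_easy;
    }

    rc = EXIT_SUCCESS;

out_easy:
    curl_easy_cleanup(curl);
out_global:
    curl_global_cleanup();
    return rc;
}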