Posts Tagged ‘openssl’

配置windows下的curl来获取https页面内容

星期五, 10月 26th, 2007

刚刚看到了javayou提到了可以在windows下使用的curl命令,
http://www.javayou.com/html/diary/showlog.vm?sid=2&log_id=13985

于是下载了支持ssl的curl来使用:
下载连接为: http://www.execve.net/--escaped_anchor:5d46c217459898ec8972155e71509b97--/curl-7.17.0-win32-ssl.zip

解压到D:\Programs\curl-7.17.0
下载OpenSSL组件:
http://618119.com/--escaped_anchor:5e81b97d5483ae9cc4d410a319552617--/libeay32.dll
http://618119.com/--escaped_anchor:5e81b97d5483ae9cc4d410a319552617--/libssl32.dll
libssl32.dll和libeay32.dll复制到D:\Programs\curl-7.17.0,

否则运行curl.exe会被提示:

—————————
curl.exe - 无法找到组件
—————————
没有找到 libeay32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————

—————————
curl.exe - 无法找到组件
—————————
没有找到 libssl32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————
(参考: http://618119.com/archives/2007/10/26/15.html)
如果需要连接的网站使用的证书不是操作系统已经信任的证书,则需要指定ca根证书文件.
并且服务器的证书CN必须与url里的host一致,否则无法下载.

测试命令示例如下:

curl https://www.google.com/

curl https://www.618119.com/

curl https://lizongbo.618119.com/ –cacert ca.crt

D:\Programs\curl-7.17.0>curl https://www.google.com/
<HTML><HEAD><meta http-equiv=”content-type” content=”text/html;charset=utf-8″>
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A href=”http://www.google.com”>here</A>.
</BODY></HTML>

D:\Programs\curl-7.17.0>curl https://618119.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify faile
d
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the –cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or –insecure) option.

D:\Programs\curl-7.17.0>curl https://lizongbo.618119.com/ –cacert ca.crt
curl: (51) SSL: certificate subject name ‘618119.com’ does not match target host name ‘lizongbo.618119.com’

Tags: cacert, curl, libssl32.dll, openssl

Related posts

Tags: , , ,
Posted in Web Server | 2 Comments »

关于OpenSSL里libssl32.dll与ssleay32.dll的区别

星期五, 10月 26th, 2007

现在很多程序都提供了ssl功能,但是在安装程序中并未自带OpenSSL组件,需要额外下载,因此选择不同版本OpenSSL的时候,可能会遇到如下的错误信息:

—————————
curl.exe - 无法找到组件
—————————
没有找到 libssl32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————

或者:

—————————
lighttpd.exe - 无法找到组件
—————————
没有找到 SSLEAY32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————

网上相关的问题有:
http://curl.haxx.se/mail/archive-2002-09/0063.html

libssl32.dllssleay32.dll的实际内容是没有任何区别,只是openssl在版本升级之后,
将在win32平台上编译生成的文件名libssl32.dll修改成了ssleay32.dll,libeay32.dll的名字则没改变.
(OpenSSL的changelog里并没有提到文件名变化的问题,参见: http://www.--escaped_anchor:50fe2dfc15a50670285e5a19657fe3b0--.org/news/changelog.html )
而很多依赖openssl的程序里,在加载OpenSSL的dll时,使用了固定的文件名字.只加载libssl32.dll或者ssleay32.dll,
因此在找不到文件的时候不会尝试另外一个文件名,就直接提示出错信息.

解决的办法也很简单,就是根据程序需要调用的dll名字,将libssl32.dll修改成ssleay32.dll,或者将ssleay32.dll修改成libssl32.dll.

对于开发者来说,为了让使用者少走弯路,在加载dll的时候,代码可以改成下面这个样子:
(参考这里的讨论: http://forums.miranda-im.org/showthread.php?t=4545)
if (( hLibSSL = LoadLibrary( “SSLEAY32.DLL” )) == NULL ) {
if (( hLibSSL = LoadLibrary( “LIBSSL32.DLL” )) == NULL ) { //the oldname

MSN_ShowError( “Valid %s must be installed to perform the SSL login”, “SSLEAY32.DLL” );
return 1;
}       } }

OpenSSL当前最新版本为OpenSSL 0.9.8g ,也就是OpenSSL 0.9.8.7 ,
编译好的 dll文件可以在这里下载
http://www.apachelounge.com/download/binaries/OpenSSL_0.9.8g.zip
来源: http://www.apachelounge.com/download/

如果只想下载就使用,懒得重命名的话:
可以直接下载我放在服务器上的文件:
(libssl32.dllssleay32.dll是一样的)
http://618119.com/--escaped_anchor:5e81b97d5483ae9cc4d410a319552617--/libeay32.dll
http://618119.com/--escaped_anchor:5e81b97d5483ae9cc4d410a319552617--/libssl32.dll
http://618119.com/--escaped_anchor:5e81b97d5483ae9cc4d410a319552617--/ssleay32.dll

除了将OpenSSL的dll加载的方式来使用OpenSSL,也可以采取直接编译进程序的方法来使用OpenSSL,比如
TomcatAPR组件,就是将APROpenSSL直接编译进来,使用非常方便:
参考: http://tomcat.apache.org/tomcat-6.0-doc/apr.html

Tags: libssl32.dll, openssl, ssleay32.dll, win32

Related posts

Tags: , , ,
Posted in Web Server | No Comments »

tomcat启用apr的情况下使用非自签名证书进行ssl双向认证配置

星期二, 10月 23rd, 2007

Tomcatapr组件是使用JNI用来提升Tomcat的系统性能,在启用apr特性之后,Tomcathttps功能不能使用JSSE的证书配置,
而需要使用OpenSSL,对于clientAuth的双向认证配置,也与一般方式不同,经过试验,摸索出配置步骤如下:

证书文件的制作步骤如下:

下载并安装openvpn,然后在
C:\Program Files\OpenVPN\easy-rsa下根据readme指导的步骤生成根证书,服务器证书(非自签名证书),客户端证书.

我的具体步骤:
1.命令行下进入 C:\Program Files\OpenVPN\easy-rsa
首先运行init-config.bat
当前目录下会生成openssl.cnf和vars.bat
2.编辑vars,bat,修改以下变量,保存文件.
set KEY_SIZE=2048
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=ShenZhen
set KEY_ORG=zongbo.Inc
set KEY_EMAIL=lizongbo@618119.com

3.命令行下运行
vars.bat
clean-all
4.创建ca证书
1. vars
2. build-ca
5.创建服务器公匙密码
(由于KEY_SIZE设置成了2048,因此可能需要很长的是时间才能创建,此时可以改回1024)
1. vars
2. build-dh

6.创建服务器证书和key.
1. vars
2. build-key-server www

7.创建客户端证书(创建可导入的格式)
1. vars
2. build-key-pkcs12 lizongbo

以下是整个命令执行的过程

C:\Program Files\OpenVPN\easy-rsa>init-config

C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>vars.bat

C:\Program Files\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading ’screen’ into random state - done
Generating a 2048 bit RSA private key
…………………………………..+++
……………………………………………………………………..
……………………………………………………………………..
…………………….+++
writing new private key to ‘keys\ca.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server’s hostname) []:ca.lizongbo.com
Email Address [lizongbo@618119.com]:lizongbo@618119.com

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading ’screen’ into random state - done
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
………………………………………………..+……………..+…..
……………………………………………………………..+……..
……………………………………………………………………..
………………….+…………………………………………………
……………………………………………………………………..
……………………………………………………………………..
…………………..+…………………………………………..+…..
…………………………………+………………………..+……….
……………………………………………………………..+……..
………………………………………………………….+…………
………………………….+…………………………………………
……………………………………………………………+……….
……………………………………………………………………..
…+…………………………………+………..+……………………
………………………………+…………………………………….
……………………………………………………………………..
.+………………………………………………………………+…..
……………………………………………………………………..
………………………………………………………….+…………
…………………………………………
C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key-server www
Loading ’screen’ into random state - done
Generating a 2048 bit RSA private key
……….+++
…………………………….+++
writing new private key to ‘keys\www.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server’s hostname) []:www.618119.com
Email Address [lizongbo@618119.com]:lizongbo@618119.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:lizongbo
An optional company name []:lzb.cmp
Using configuration from openssl.cnf
Loading ’screen’ into random state - done
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’CN’
stateOrProvinceName :PRINTABLE:’GD’
localityName :PRINTABLE:’ShenZhen’
organizationName :PRINTABLE:’zongbo.Inc’
organizationalUnitName:PRINTABLE:’lzb.Inc’
commonName :PRINTABLE:’www.618119.com
emailAddress :IA5STRING:’lizongbo@618119.com’
Certificate is to be certified until Sep 17 02:27:21 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>build-key lizongbo
Loading ’screen’ into random state - done
Generating a 2048 bit RSA private key
……………+++
……………………+++
writing new private key to ‘keys\lizongbo.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GD]:GD
Locality Name (eg, city) [ShenZhen]:ShenZhen
Organization Name (eg, company) [zongbo.Inc]:zongbo.Inc
Organizational Unit Name (eg, section) []:lzb.Inc
Common Name (eg, your name or your server’s hostname) []:lizongbo
Email Address [lizongbo@618119.com]:lizongbo@618119.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:lizongbo
An optional company name []:lzb.cmp
Using configuration from openssl.cnf
Loading ’screen’ into random state - done
DEBUG[load_index]: unique_subject = “yes”
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’CN’
stateOrProvinceName :PRINTABLE:’GD’
localityName :PRINTABLE:’ShenZhen’
organizationName :PRINTABLE:’zongbo.Inc’
organizationalUnitName:PRINTABLE:’lzb.Inc’
commonName :PRINTABLE:’lizongbo’
emailAddress :IA5STRING:’lizongbo@618119.com’
Certificate is to be certified until Sep 17 02:28:38 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

证书文件的安装步骤如下:

在IE中 :
在资源管理其中,双击easy-rsa\keys\ca.crt,导入根证书.双击www.crt,导入服务器证书,双击lizongbo.p12,导入客户端证书.

在Firefox中:

主菜单–>工具–>选项–>加密,察看证书–>证书机构->导入,选择ca.crt,导入之后,选中刚导入的证书,然后点”编辑”,将三项新任设置全部打上钩.

切换面板到”web站点”,导入,选择www.crt,导入之后,选中刚导入的证书,然后点”编辑”,选择”信任此证书的认证”

切换到”您的证书”,导入,选择lizongbo.p12, 输入生成证书时设置的密码,导入成功.
(Firefox中如果不首先导入根证书,Firefox会提示-12227错误,”接收到错误或未期望的消息,错误号-12227 “, 与IE的表现不同)
(more…)

Tags: -12227, APR, clientAuth, https, openssl, Tomcat

Related posts

Tags: , , , , ,
Posted in Tomcat | 3 Comments »