如何设置服务器以使用 TLS-SRP 身份验证?

tag-icon tag-icon ssl
如何设置服务器以使用 TLS-SRP 身份验证?

怎样才能让它发挥作用呢?

我用了本手册。我创建了一个验证器文件,并openssl s_server使用自签名 RSA 证书启动。现在我无法连接到它。

>gnutls-cli --srpusername user --srppasswd secret 127.0.0.1 -p 4433 --insecure
Processed 145 CA certificate(s).
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:4433'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
No certificates found!
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

Curl 似乎也不起作用,但 win32 二进制文件在"Features:"输出中没有 SRPcurl -V

openssl s_client当我添加参数时甚至停止工作-cipher SRP

openssl s_server -srpvfile xx.srp -tls1 -cipher SRP -cert ssl.crt -key ssl.key -www

-

Loading 'screen' into random state - done
CONNECTED(00000750)
2672:error:1407745B:SSL routines:SSL23_GET_SERVER_HELLO:reason(1115):.\ssl\s23_c
lnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

现在怎么办?

我正在使用最新版本(OpenSSL 1.0.1e 2013 年 2 月 11 日、gnutls-3.0.22-w32、最新 curl win32 版本)。

SRP账户该如何注册?

请添加 TLS-SRP 标签

答案1

这些说明对我使用在 win32 上编译的 openssl 1.0.1e 有用。

步骤1.创建空的SRP密码文件passwd.txt

步骤 2. 将用户添加到 SRP 密码文件

openssl srp -srpvfile passwd.txt -userinfo "This is Myself" -add myself
Enter pass phrase for myself:
Verifying - Enter pass phrase for myself:

步骤3.启动SRP服务器

openssl s_server -nocert -cipher SRP -srpvfile passwd.txt -accept 444
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

步骤 4. 连接到服务器

openssl s_client -srpuser myself -cipher SRP -connect localhost:444
Loading 'screen' into random state - done
CONNECTED(00000108)
Enter pass phrase for SRP user:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 2407 bytes and written 1184 bytes
---
New, TLSv1/SSLv3, Cipher is SRP-AES-256-CBC-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : SRP-AES-256-CBC-SHA
    Session-ID: 69AE0C7ED831DCCDA0E79CB5ED55E0BF9C65CA64B4077585CF9DD93CEE611358

相关内容