Make a self-signed certificate SSL socket server for you
Apologies to readers who find English difficult, but I don't have a Chinese input method installed on my openSUSE machine. This article was originally written for students taking Computer Networks at BUPT.
First, you need an OpenSSL environment on your computer.
On most Linux distributions you can install openssl and its development headers with your package manager; on openSUSE, for example:
#zypper in openssl openssl-devel
On Ubuntu (and Debian) the development package has a different name, so run this instead:
#apt-get install openssl libssl-dev
If you are using Windows, go to the OpenSSL wiki's binaries page and download a binary build that suits you, then just install it. This is the easiest way. You can also compile the source code yourself; the original post linked a separate article on that.
Then configure your development tools' compile settings.
If you are using JetBrains CLion with CMake, add the following to your CMakeLists.txt (link_libraries pulls in libssl and libcrypto; point include_directories and link_directories at wherever your OpenSSL headers and libraries actually live, which a distribution package already puts on the default search path):
link_libraries(ssl crypto)
include_directories(openssl)
link_directories(openssl)
If you are using Visual Studio, refer to the corresponding StackOverflow question on linking OpenSSL into a Visual Studio project.
If you are using another IDE (Dev-C++, for example), make sure you know how to configure its compile settings so that the OpenSSL headers are found and libssl and libcrypto are linked.
Then open your .c file and start coding.
Include OpenSSL's headers (plus the C standard headers used below):
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
Do the initializing work:
SSL_load_error_strings();        // load human-readable error strings for ERR_print_errors_fp()
SSL_library_init();              // register ciphers and digests (on OpenSSL 1.1.0+ these three calls are no-ops: the library initializes itself)
OpenSSL_add_all_algorithms();
// ctx is a structure that stores the configuration shared by every SSL connection created from it.
SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); // negotiates the highest version both sides support; on OpenSSL 1.1.0+ it is an alias of TLS_server_method()
if (ctx == NULL) {
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
// On OpenSSL 1.1.0+ consider also SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) so that SSLv3, TLS 1.0 and TLS 1.1 are refused.
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); // use a fresh DH key for every connection (always on, and this flag has no effect, since OpenSSL 1.1.0). See the ref link at the end of this article for details.
// I'll show how to generate cert.pem and key.pem later. Be patient.
if (!SSL_CTX_use_certificate_file(ctx, "cert/cert.pem", SSL_FILETYPE_PEM)) {
    printf("cert error\n");
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);              // the ctx is unusable without a certificate
}
if (!SSL_CTX_use_PrivateKey_file(ctx, "cert/key.pem", SSL_FILETYPE_PEM)) {
    printf("pkey error\n");
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
// Make sure the private key really belongs to the certificate.
if (!SSL_CTX_check_private_key(ctx)) {
    printf("pkey invalid\n");
    exit(EXIT_FAILURE);
}
SSL* ssl = SSL_new(ctx); // create one SSL connection object from the ctx configuration (one per accepted client)
To generate a self-signed SSL certificate and private key, run this with your openssl program:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
# key.pem is your private key file and cert.pem is your self-signed certificate, which
# also serves as the CA certificate a client must trust explicitly, since it chains to
# nothing else. Validity was set to 365 days. -nodes writes the key unencrypted, so keep
# the file readable only by the server's user. The command prompts for the subject
# fields; add -subj "/CN=yourhostname" to skip the prompts. If you are interested in
# this command, just google it!
I assume that you have already created a listening socket on port 465, called accept() on it and got the connected socket's file descriptor (named fd). Then we handle it:
SSL_set_fd(ssl, fd);            // bind this SSL connection to your fd
if (SSL_accept(ssl) <= 0) {     // OpenSSL is smart enough to do the handshake itself
    printf("ssl accept error!\n");
    ERR_print_errors_fp(stderr);
    SSL_free(ssl);              // after a failed handshake do not call SSL_shutdown(); just free the object and close fd
}
And now you can enjoy your SSL socket connection; just do some replacement:
// replace this:
send(fd, buf, bufsize, 0);
// with this:
SSL_write(ssl, buf, bufsize);
//
// and replace this:
recv(fd, r_buf, r_bufsize, 0);
// with this:
SSL_read(ssl, r_buf, r_bufsize);
Check the return values as you would with send()/recv(): SSL_read() returns 0 when the peer closed the connection and a negative value on error (ask SSL_get_error() why). When you are done, call SSL_shutdown(ssl), then SSL_free(ssl), and finally close fd.
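The whole procedure above, as one added shell example that is not code from the original post: it generates the self-signed certificate from the openssl req step, confirms that key.pem and cert.pem belong together (the shell equivalent of the SSL_CTX_check_private_key check), and then tests a server that loads them with a client that actually verifies the certificate. `openssl s_server` stands in for the C server; the directory, the hostname localhost, the port number and all function names are assumptions made for the demo. It assumes the openssl CLI (1.1.1 or newer, for -addext and -verify_hostname) is on PATH and that a loopback port is free.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the self-signed
# certificate the server loads, checks that key.pem and cert.pem belong
# together (shell equivalent of SSL_CTX_check_private_key), and runs a
# verifying TLS client against a server that uses them. The directory, the
# hostname "localhost", the port and all function names are demo assumptions.
# Requires the openssl CLI (1.1.1+ for -addext and -verify_hostname).

# Write key.pem and cert.pem into DIR for hostname CN, valid for DAYS days.
# -subj/-addext make the command non-interactive and give the cert a SAN
# (which clients check first); -nodes leaves the key unencrypted, as in the
# post, so the directory is made readable by its owner only.
gen_self_signed() {   # gen_self_signed DIR CN DAYS
    mkdir -p "$1" && chmod 700 "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" -days "$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeed only if the public key inside cert.pem is the one derived from
# key.pem; a mismatched pair is exactly what SSL_CTX_check_private_key rejects.
key_matches_cert() {   # key_matches_cert DIR
    k=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SHA-256 fingerprint of cert.pem: a self-signed cert chains to nothing, so
# this value (or the cert itself) is what clients have to pin.
cert_fingerprint() {   # cert_fingerprint DIR
    openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Start openssl s_server on PORT with DIR's key/cert in the background as a
# stand-in for the C server from the post; prints its PID.
start_test_server() {   # start_test_server DIR PORT
    openssl s_server -accept "$2" -key "$1/key.pem" -cert "$1/cert.pem" \
        -www >/dev/null 2>&1 &
    echo $!
}

# Poll until a TLS handshake with HOST:PORT completes (up to about 10 s).
wait_for_port() {   # wait_for_port HOST:PORT
    i=0
    while [ "$i" -lt 10 ]; do
        if echo Q | openssl s_client -connect "$1" >/dev/null 2>&1; then return 0; fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Connect to HOST:PORT as a client that verifies the server certificate.
# With CAFILE (our cert.pem) given, cert.pem is the only trust anchor and the
# hostname is checked against it; without it only the system store is used,
# so a self-signed server cert must be refused. Succeeds only on
# "Verify return code: 0 (ok)".
tls_check() {   # tls_check HOST:PORT [CAFILE]
    host=${1%%:*}
    if [ $# -ge 2 ]; then
        out=$(echo Q | openssl s_client -connect "$1" -CAfile "$2" \
                  -verify_hostname "$host" -verify_return_error 2>&1)
    else
        out=$(echo Q | openssl s_client -connect "$1" -verify_return_error 2>&1)
    fi
    printf '%s\n' "$out" | grep -q "Verify return code: 0 (ok)"
}

# End to end: succeeds when the trusting client handshakes and the
# non-trusting client is refused, which is how a self-signed cert behaves.
demo() {   # demo PORT
    dir=$(mktemp -d) || return 1
    gen_self_signed "$dir" localhost 365 || return 1
    key_matches_cert "$dir" || return 1
    echo "SHA-256 fingerprint to pin: $(cert_fingerprint "$dir")"
    pid=$(start_test_server "$dir" "$1")
    if ! wait_for_port "localhost:$1"; then kill "$pid" 2>/dev/null; return 1; fi
    if tls_check "localhost:$1" "$dir/cert.pem"; then trusted=0; else trusted=1; fi
    if tls_check "localhost:$1"; then untrusted=0; else untrusted=1; fi
    kill "$pid" 2>/dev/null
    rm -rf "$dir"
    [ "$trusted" -eq 0 ] && [ "$untrusted" -eq 1 ]
}

if [ "${1:-}" = "run" ]; then demo "${2:-48465}"; fi
```

Run it as `sh demo.sh run 48465`. The client that is given `-CAfile cert.pem` must report `Verify return code: 0 (ok)`, while the same client without it must fail with a self-signed certificate error; that failure is the expected behaviour, and the fingerprint printed is what a real client should pin. To test the C server from this article instead of the stand-in, point `tls_check localhost:465 cert/cert.pem` at it.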
ref links:
https://www.ibm.com/support/knowledgecenter/zh/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
https://stackoverflow.com/questions/7698488/turn-a-simple-socket-into-an-ssl-socket
http://www.cnblogs.com/etangyushan/p/3679457.html