Using ECDHE TLS with Boost ASIO
The TL;DR version
I'd like to know:
The Longer Version
We've been building an application which is using a proper-paid-for certificate from an external Cert Authority. The application uses a home-rolled server setup based on Boost ASIO and Boost Beast, and we only recently noticed it doesn't play nice with iOS - ASIO says there is no shared cipher.
Reading into how TLS works has led me to the fact that some part of our server was preventing us from serving TLS using the ECDHE-* suite of ciphers (which iOS seems to want) - but I'm having difficulty in figuring out how to wrangle ASIO and our current cert/key into serving ECDHE.
What I've tried:
- Passing the output of openssl dhparam into ASIO using set_tmp_dh, then specifying ciphers. Curl reports that this allows a connection using DHE but not ECDHE. Specifying ciphers that only use ECDHE causes errors when connecting.
- Passing the output of openssl ecparam to ASIO using a similar method to the above. I've not been able to format something that ASIO accepts.
- Using the output of openssl ecparam with another combining function to modify the original cert into one that uses ECDHE. I clued onto this one from the OpenSSL wiki suggesting that if the cert does not contain the line ASN1 OID: prime256v1 (or a similarly named curve), then it is not suitable for ECDHE usage.
At this point I'm unsure as to where the issue truly lies (in ASIO, in the certificates or in how I'm putting it all together) and most of the information on the internet I can find relates to home-rolling everything from scratch, rather than working with existing certs.
Update 11/05/19
https://github.com/chriskohlhoff/asio/pull/117 pulled in changes for ASIO with ECDHE. Will need to wait a while to see which Boost lib version it makes it into.
Original Answer
I seem to have found an answer for any googlers - ASIO does not appear to support ECDHE natively at the time of writing. This issue from the main repo suggests that ECDHE is on the cards for support but is not yet implemented.
Here is a link to the ECDHE implementation that's been waiting to be merged since 2016: https://github.com/chriskohlhoff/asio/pull/117
+1 to get the attention of the Boost ASIO maintainer; he's been pretty slow with it.