简体繁体 English

将ECDHE TLS与Boost ASIO结合使用

[英]Using ECDHE TLS with Boost ASIO

原文 2018-03-20 02:58:11 4 2 c++/ ssl/ boost/ openssl/ ecdhe

The TL;DR version TL; DR版本

I'd like to know: 我想知道：

Where does the specification for the use of ECDHE get defined (in a cert parameter or a server configuration of SSL contexts, or elsewhere)? 在哪里定义了ECDHE使用规范（在cert参数或SSL上下文的服务器配置中或其他位置）？
In a non-home-rolled certificate setup, who's responsibility is it to define the ECDHE public and private information (the end user or cert provider)? 在非本地化证书设置中，定义ECDHE公共和私人信息（最终用户或证书提供者）是谁的责任？
Can an existing Certificate which does not appear to use ECDHE be made to without causing issues with the Certificate? 是否可以制作似乎没有使用ECDHE的现有证书而不引起证书问题？
Are there any examples of someone using SSL in Boost::ASIO with an ECDHE setup? 有没有人在带有ECDHE设置的Boost :: ASIO中使用SSL的示例？

The Longer Version 较长的版本

We've been building an application which is using a proper-paid-for certificate from an external Cert Authority. 我们一直在构建一个使用来自外部证书颁发机构的适当付费证书的应用程序。 The application uses a home-rolled server setup based off of Boost ASIO and Boost Beast, and we only recently noticed it doesn't play nice with iOS - ASIO says there is no shared cipher. 该应用程序使用基于Boost ASIO和Boost Beast的本地服务器设置，我们只是在最近才注意到它在iOS上不能很好地工作-ASIO表示没有共享密码。

Reading into how TLS works has led me to the fact that some part of our server was preventing us from serving TLS using the ECDHE-* suite of ciphers (which iOS seems to want) - but I'm having difficulty in figuring out how to wrangle ASIO and our current cert/key into serving ECDHE. 阅读TLS的工作原理后，我发现服务器的某些部分阻止了我们使用ECDHE- *密码套件（iOS似乎希望此密码套件）为TLS提供服务-但我很难确定如何将ASIO和我们当前的证书/密钥合并到服务ECDHE中。

What I've tried: 我尝试过的

Using the same cert and key, adding in the results of openssl dhparam into ASIO using set_tmp_dh , then specifying ciphers. 使用相同的证书和密钥，使用set_tmp_dh将openssl dhparam的结果添加到ASIO中，然后指定密码。 Curl reports that this allows a connection using DHE but not ECDHE . Curl报告这允许使用DHE而非ECDHE进行连接。 Specifying ciphers that only use ECDHE causes errors when connecting. 指定仅使用ECDHE密码在连接时会导致错误。
Trying to pass the output of openssl ecparam to ASIO using a similar method to the above. 尝试使用与上述类似的方法将openssl ecparam的输出传递给ASIO。 I've not been able to format something that ASIO accepts. 我无法格式化ASIO接受的格式。
Trying to see if there is a way you can use the output of openssl ecparam with another combining function to modify the original cert into one that uses ECDHE . 尝试查看是否有一种方法可以将openssl ecparam的输出与另一个组合功能一起使用，以将原始证书修改为使用ECDHE证书。 I clued onto this one from the OpenSSL wiki suggesting that if the cert does not contain the line ASN1 OID: prime256v1 (or a similar named curve), then it is not suitable for ECDHE usage. 我从OpenSSL Wiki得出这一结论，建议如果该证书不包含ASN1 OID: prime256v1行ASN1 OID: prime256v1 （或类似的命名曲线），则不适合ECDHE使用。

At this point I'm unsure as to where the issue truly lies (in ASIO, in the certificates or in how I'm putting it all together) and most of the information on the internet I can find relates to home-rolling everything from scratch, rather than working with existing certs. 在这一点上，我不确定问题的真正根源（在ASIO中，在证书中还是在如何将它们放在一起）以及我可以在Internet上找到的大多数信息都涉及将所有内容从头开始，而不是使用现有证书。

2 个解决方案

Update 11/05/19 更新11/05/19

https://github.com/chriskohlhoff/asio/pull/117 pulled in changes for ASIO with ECDHE. https://github.com/chriskohlhoff/asio/pull/117使用ECDHE对ASIO进行了更改。 Will need to wait a while to see which Boost lib version it makes it into. 将需要等待一段时间才能查看将其转换为哪个Boost lib版本。

Original Answer 原始答案

I seem to have found an answer for any googlers - ASIO does not appear to support ECDHE natively at the time of writing. 我似乎已经找到了所有Google员工的答案-在撰写本文时，ASIO似乎并不原生支持ECDHE。 This issue from the main repo suggests that ECDHE is on the cards for support but is not yet implemented. 主存储库中的此问题表明，ECDHE已在支持中，但尚未实施。

Here is a link to the ECDHE implementation that's been waiting to be merged since 2016: https://github.com/chriskohlhoff/asio/pull/117 . 这是自2016年以来一直在等待合并的ECDHE实现的链接： https : //github.com/chriskohlhoff/asio/pull/117 。

+1 to get the attention of the Boost ASIO maintainer; +1以引起Boost ASIO维护人员的注意； he's been pretty slow with it. 他已经很慢了。