Configure a TLS1.2 connection that supports SNI

We are trying to establish a TLS1.2 connection. We downloaded the latest version of OpenSSL on our MacBook and are using this code to create a TLS1.2 connection.
However, this particular line may be causing the problem. It uses TLSv1.

  /* ---------------------------------------------------------- *
   * Set SSLv2 client hello, also announce SSLv3 and TLSv1      *
   * ---------------------------------------------------------- */
  method = SSLv23_client_method();

Tried the method TLSv1_2_client_method(), but it gives the following link error:

Undefined symbols for x86_64 architecture: "_TLSv1_2_client_method", reference: _main in sslconnect-7aa462.o

It would be very helpful if someone could help create a TLS1.2 connection and then call it from Objective-C (if special treatment is required for socket programming).

[Please note that I am not an iOS person. I help the team solve the problem. Also new to socket programming, though the team has some experience.]

1 answer

Tried the TLSv1_2_client_method() method, but it gives the link error below:

Undefined symbols for x86_64 architecture: "_TLSv1_2_client_method", referenced: _main in sslconnect-7aa462.o

OK, it looks like you're linking against x86_64, but you need iOS. You can check the architectures with the following two commands:

xcrun -sdk iphoneos lipo -info libcrypto.a
xcrun -sdk iphoneos lipo -info libssl.a

For instance:

$ xcrun -sdk iphoneos lipo -info /usr/local/ssl/ios/lib/libcrypto.a 
Architectures in the fat file: /usr/local/ssl/ios/lib/libcrypto.a are: armv7 armv7s arm64 i386 

The first three architectures are self-evident; i386 is for the iOS debugger.

: /usr/local/ssl/ios/, OpenSSL iOS , . Apple .

iOS, . -, iOS OpenSSL FIPS, E.2, . 122.

GitHub. GitHub noloader OpenSSL 1.0.1h, OpenSSL. Stefan Arentz, , , , OpenSSL 1.0.1g.


C

C Objective C. .


... SNI iPhone

SSL_set_tlsext_host_name.

, . , . SNI.


:

= SSLv23_client_method();

... TLSv1_2_client_method()

- :

SSL_library_init();
SSL_load_error_strings();

const SSL_METHOD* method = SSLv23_method();
if(NULL == method) handleFailure();

SSL_CTX* ctx = SSL_CTX_new(method);
if(ctx == NULL) handleFailure();

/* Cannot fail ??? */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

...

SSLv23_method SSLv2 . , , SSLv2, SSLv3 . TLS 1.0 (TLS 1.3 , ). , (, TLS 1.2).

, TLS 1.2:

SSL_library_init();
SSL_load_error_strings();

const SSL_METHOD* method = TLSv1_2_client_method();
if(NULL == method) handleFailure();

, , TLS 1.0 ( IIS). Google ECC, , . , Google , TLS 1.2 ECC.

:

/* ---------------------------------------------------------- *
 * Set SSLv2 client hello, also announce SSLv3 and TLSv1      *
 * ---------------------------------------------------------- */

, :

long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLS1_1 | SSL_OP_NO_TLS1_2;

, TLS 1.2 TLS 1.1; SSLv3. SSLv3 2014 .


....

SSL_CTX_set_cipher_list. 16 , . ( , DHE-RSA-AES256-SHA), . SSL_CTX_set_cipher_list(3) ciphers(1).

16 . -, , , . -, , F5 IronPort, . , ClientHello 80+ . ClientHello , 16 20 .


....

OpenSSL 1.1.0 . . , using 1.0.2 , . . SSL/TLS Client OpenSSL.
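The answer's three pieces of advice (drop SSLv2/SSLv3 and negotiate the highest version rather than pinning one method, keep the cipher list short, and set SNI with SSL_set_tlsext_host_name) can be checked without a network. The following is an added example, not code from the question or the answer, and it uses Python's standard-library ssl module (which wraps OpenSSL) instead of the C API the thread uses. The hostname and the cipher list are constructed values, not taken from the thread; the handshake is driven over in-memory BIOs so the ClientHello can be parsed and inspected offline.

```python
"""Added example: a TLS 1.2-minimum client configuration with SNI, built with
Python's ssl module (OpenSSL underneath) and verified by parsing the ClientHello
the client would send. Not the thread's own code."""
import ssl

# Constructed cipher list (an assumption, not from the thread): four TLS 1.2
# AEAD suites with forward secrecy, short enough to keep the ClientHello small.
CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)


def make_tls12_client_context(cipher_list=CIPHER_LIST):
    """PROTOCOL_TLS_CLIENT negotiates the highest common version, like
    SSLv23_client_method(); the minimum_version floor plays the role of
    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION          # same as the answer's SSL_OP_NO_COMPRESSION
    ctx.set_ciphers(cipher_list)                   # same as SSL_CTX_set_cipher_list
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings that matter for a TLS 1.2 floor."""
    return {
        "min_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "cipher_protocols": sorted({c["protocol"] for c in ctx.get_ciphers()}),
    }


def start_client_handshake(ctx, server_hostname):
    """Run the client side of the handshake over memory BIOs; server_hostname
    is the ssl-module equivalent of SSL_set_tlsext_host_name. Returns the raw
    bytes of the ClientHello the client wants to send."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the server
    return outgoing.read()


def parse_client_hello(data):
    """Return (client_version, sni_hostname, cipher_suite_count) from the first
    TLS record. Assumes the whole ClientHello fits in one record, which holds
    for a hello this small."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                                        # client_version + random
    pos += 1 + hello[pos]                               # session_id
    suites_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2 + suites_len                               # cipher_suites
    pos += 1 + hello[pos]                               # compression_methods
    sni = None
    if pos + 2 <= len(hello):
        ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type = int.from_bytes(hello[pos:pos + 2], "big")
            ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
            ext = hello[pos + 4:pos + 4 + ext_len]
            # server_name extension (type 0): list length, then name_type 0 = host_name
            if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:
                name_len = int.from_bytes(ext[3:5], "big")
                sni = ext[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    return client_version, sni, suites_len // 2


if __name__ == "__main__":
    ctx = make_tls12_client_context()
    print(context_summary(ctx))
    hello = start_client_handshake(ctx, "www.example.com")   # constructed hostname
    version, sni, suites = parse_client_hello(hello)
    print(f"client_version=0x{version:04x} sni={sni} cipher_suites={suites}")
```

The parser only walks the fixed ClientHello layout (version, random, session id, cipher suites, compression, extensions), so it also serves as a quick check that the suite count stays well under the 16-entry mark the answer mentions; with the four suites above plus OpenSSL's own TLS 1.3 suites the offered list stays in single digits.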


Source: https://habr.com/ru/post/1546010/
