Building curl with 国密 (SM) SSL support and testing it (Part 1)

Contents

  • 1. Build the Tongsuo SSL library
  • 2. Build the nghttp2 library
  • 3. Build curl
  • 4. Verification
    • 4.1 Check the version information
    • 4.2 Verify the 国密 SSL (NTLS) handshake
    • 4.3 Verify HTTP/2

The build below was done on Ubuntu 22.04.

It combines Tongsuo SSL (铜锁), nghttp2 and curl, so that the resulting curl speaks 国密 SSL (Tongsuo's NTLS, i.e. TLCP, GB/T 38636-2020) and HTTP/2.

Enough preamble; here is the build:

1. Build the Tongsuo SSL library

git clone https://github.com/Tongsuo-Project/Tongsuo
cd Tongsuo
./config --prefix=/opt/tongsuo enable-ntls
make -j
sudo make install

enable-ntls is essential: NTLS is off by default in Tongsuo, and without it the curl built later has no 国密 handshake to use.

2. Build the nghttp2 library

git clone https://github.com/tatsuhiro-t/nghttp2.git
cd nghttp2
autoreconf -i
automake
autoconf
./configure --prefix=/opt/nghttp2
make
sudo make install

(The autoreconf/automake/autoconf sequence is the one from the nghttp2 README; autoreconf -i already regenerates everything, so the two extra calls are harmless.)

3. Build curl

git clone https://github.com/Tongsuo-Project/curl.git
cd curl
git apply tongsuo.patch
autoreconf -fi
LDFLAGS=-Wl,-rpath=/opt/tongsuo/lib64:/opt/nghttp2/lib ./configure --enable-warnings --enable-werror --with-openssl=/opt/tongsuo --with-nghttp2=/opt/nghttp2 --prefix=/opt/gmcurl --disable-shared
make
sudo make install

The rpath baked into the binary makes the dynamic loader resolve libcrypto.so and libssl.so from /opt/tongsuo/lib64 and libnghttp2.so from /opt/nghttp2/lib, so the distro OpenSSL (which has no NTLS support) is not picked up by accident. --disable-shared builds libcurl as a static library and links it into the curl binary; Tongsuo and nghttp2 themselves are still loaded as shared objects through that rpath. If a newer compiler turns one of curl's warnings into an error, drop --enable-werror; it is not needed for a working build.
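Because the whole point of the rpath is that curl must not silently fall back to the system OpenSSL, it is worth checking the result rather than trusting the link flags. The script below is an added example, not part of the original post: it reads ldd output and fails unless libssl/libcrypto resolve under /opt/tongsuo/lib64 and libnghttp2 under /opt/nghttp2/lib (the prefixes used above). The two ldd samples embedded in it are constructed, not captured from a real system, so the parser can be exercised offline; pass a binary path to run it against the real /opt/gmcurl/bin/curl.

```shell
#!/bin/sh
# Added check, not part of the original post: confirm that a curl binary really
# resolves libssl/libcrypto from the Tongsuo prefix and libnghttp2 from the
# nghttp2 prefix, instead of the distro OpenSSL (which has no NTLS support).
# Directory paths are the ones used in the build steps above.
TONGSUO_LIB=${TONGSUO_LIB:-/opt/tongsuo/lib64}
NGHTTP2_LIB=${NGHTTP2_LIB:-/opt/nghttp2/lib}

# check_ldd_output: reads `ldd` output on stdin. Returns 0 only when every
# TLS and HTTP/2 library line points into the expected directory; each wrong
# or unresolved library is reported on stderr.
check_ldd_output() {
    status=0
    while read -r name arrow path rest; do
        case "$name" in
            libssl.so*|libcrypto.so*) want=$TONGSUO_LIB ;;
            libnghttp2.so*)           want=$NGHTTP2_LIB ;;
            *) continue ;;
        esac
        case "$path" in
            "$want"/*) ;;
            *) echo "BAD: $name -> ${path:-?} (expected under $want)" >&2
               status=1 ;;
        esac
    done
    return $status
}

# check_binary: run the check against a real binary, e.g.
#   check_binary /opt/gmcurl/bin/curl
check_binary() {
    ldd "$1" | check_ldd_output
}

# Constructed sample of what a correct build should print (not captured from a
# real system).
GOOD_SAMPLE='    linux-vdso.so.1 (0x00007ffd1c1f2000)
    libssl.so.3 => /opt/tongsuo/lib64/libssl.so.3 (0x00007f3a1c200000)
    libcrypto.so.3 => /opt/tongsuo/lib64/libcrypto.so.3 (0x00007f3a1bc00000)
    libnghttp2.so.14 => /opt/nghttp2/lib/libnghttp2.so.14 (0x00007f3a1c1c0000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3a1c1a0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b800000)'

# Constructed sample of a build whose rpath did not take effect: the distro
# OpenSSL was picked up and nghttp2 is missing altogether.
BAD_SAMPLE='    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f0000200000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
    libnghttp2.so.14 => not found'

good_sample_passes() { printf '%s\n' "$GOOD_SAMPLE" | check_ldd_output; }
bad_sample_fails()   { ! printf '%s\n' "$BAD_SAMPLE" | check_ldd_output 2>/dev/null; }

if [ $# -eq 1 ]; then
    check_binary "$1" && echo "OK: $1 links Tongsuo and nghttp2 from their prefixes"
else
    good_sample_passes && bad_sample_fails && echo "sample checks passed"
fi
```

Run it with no arguments to see the two samples judged, or as `sh check_links.sh /opt/gmcurl/bin/curl` after `make install`. Keep in mind that on current Ubuntu toolchains `-Wl,-rpath=` is recorded as DT_RUNPATH, which LD_LIBRARY_PATH overrides, so a stray LD_LIBRARY_PATH in the environment can still redirect the binary to another OpenSSL; running the check in the same environment the binary will be used in catches that.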

4. Verification

4.1 Check the version information

curl's --version option shows the build configuration (the binary is installed under /opt/gmcurl/bin because of --prefix=/opt/gmcurl):

Command:
/opt/gmcurl/bin/curl --version

Output:

curl 8.5.0-DEV (x86_64-pc-linux-gnu) libcurl/8.5.0-DEV OpenSSL/3.0.3 zlib/1.2.11 nghttp2/1.60.0-DEV
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets

HTTP2 in the Features line and nghttp2/1.60.0-DEV in the first line show that HTTP/2 support was compiled in. The TLS backend is reported as OpenSSL/3.0.3 because Tongsuo keeps OpenSSL's version macros for compatibility, so this line alone does not prove NTLS support; that is what the handshake test in 4.2 is for.

Before the functional tests, a Tengine server that supports both 国密 (NTLS) and HTTP/2 must be available.

4.2 Verify the 国密 SSL (NTLS) handshake

Next, test the NTLS handshake against a web server that serves 国密 HTTPS. --tlcp is the option added by Tongsuo's curl fork to force the NTLS/TLCP handshake; -k skips certificate verification and -v prints the handshake. The port matches the log below.

Command:
/opt/gmcurl/bin/curl --tlcp "https://www.test.com:9441/" -kv

Output. The "(101)" and "Unknown (N)" lines are a display limitation, not a protocol error: curl's verbose tracer only knows the SSL/TLS version numbers, so for TLCP's version 0x0101 it prints the raw value and cannot name the messages. The numbers are the standard handshake types (1 ClientHello, 2 ServerHello, 11 Certificate, 12 ServerKeyExchange, 14 ServerHelloDone, 16 ClientKeyExchange, 20 Finished), so what follows is a complete handshake:

* Host www.test.com:9441 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:9441...
* Connected to www.test.com (127.0.0.1) port 9441
* ALPN: curl offers h2,http/1.1
* (101) (OUT), , Unknown (1):
* (101) (IN), , Unknown (2):
* (101) (IN), , Unknown (11):
* (101) (IN), , Unknown (12):
* (101) (IN), , Unknown (14):
* (101) (OUT), , Unknown (16):
* (101) (OUT), , Change cipher spec (1):
* (101) (OUT), , Unknown (20):
* (101) (IN), , Unknown (20):
* SSL connection using NTLSv1.1 / ECC-SM2-SM4-GCM-SM3 / UNDEF / SM2
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=CN; ST=BJ; L=HaiDian; O=Beijing JNTA Technology LTD.; OU=BSRC of TASS; CN=server sign (SM2)
*  start date: May 23 02:45:48 2019 GMT
*  expire date: Jul  1 02:45:48 2023 GMT
*  issuer: C=CN; ST=BJ; L=HaiDian; O=Beijing JNTA Technology LTD.; OU=SORB of TASS; CN=Test CA (SM2)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type SM2/SM2 (256/128 Bits/secBits), signed using SM2-with-SM3
*   Certificate level 1: Public key type SM2/SM2 (256/128 Bits/secBits), signed using SM2-with-SM3
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.test.com:9441
> User-Agent: curl/8.5.0-DEV
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Tengine/3.1.0
< Date: Mon, 26 Feb 2024 02:21:21 GMT
< Content-Type: text/plain
< Content-Length: 91
< Connection: keep-alive
< Content-Type: text/html;charset=utf-8
< 
* Connection #0 to host www.test.com left intact

The line "SSL connection using NTLSv1.1 / ECC-SM2-SM4-GCM-SM3 / UNDEF / SM2" confirms a 国密 handshake: SM2 certificates for key exchange and signing, SM4-GCM for the record layer, SM3 as the hash, and a certificate chain that is SM2 at both levels and signed with SM2-with-SM3. Two caveats before calling this more than a smoke test. First, -k disabled verification, and the log shows it would have failed ("unable to get local issuer certificate (20)") because the SM2 test CA is not in the trust store; for a real check, pass that CA with --cacert instead of using -k. Second, the server certificate expired on Jul 1 2023, while this test ran on Feb 26 2024. Note also that the server did not answer ALPN on the NTLS connection, so the request fell back to HTTP/1.1; HTTP/2 is tested separately below.

4.3 Verify HTTP/2

Without --tlcp the same curl performs an ordinary TLS handshake; --http2 asks for h2 via ALPN (already the default for https URLs, but it makes the intent explicit). The port matches the log below.

Command:
/opt/gmcurl/bin/curl --http2 "https://www.test.com:9441/" -kv

Output:


* Host www.test.com:9441 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:9441...
* Connected to www.test.com (127.0.0.1) port 9441
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=cn; ST=cd; L=Default City; O=Default Company Ltd
*  start date: Aug 23 07:31:25 2019 GMT
*  expire date: Aug 22 07:31:25 2020 GMT
*  issuer: C=cn; ST=cd; L=Default City; O=Default Company Ltd
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA1
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.test.com:9441/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.test.com:9441]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0-DEV]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: www.test.com:9441
> User-Agent: curl/8.5.0-DEV
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: Tengine/3.1.0
< date: Mon, 26 Feb 2024 02:44:16 GMT
< content-type: text/plain
< content-length: 90
< content-type: text/html;charset=utf-8
< 
* Connection #0 to host www.test.com left intact
tengine ntls test OK, ssl_protocol is TLSv1.3 (NTLSv1.1 means 国密; anything else means international TLS)

The last line is the response body: the Tengine test page echoes the protocol the server saw, which gives a server-side confirmation of which handshake happened. Here the connection negotiated TLS 1.3, ALPN selected h2 ("ALPN: server accepted h2") and the request went out as HTTP/2, which is what this step set out to verify. As in 4.2, -k masked a verification failure ("self-signed certificate (18)"), and this certificate expired in 2020 and is signed with ecdsa-with-SHA1; neither matters for a protocol smoke test, but both have to be fixed before the server is trusted for anything real.
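Both verification steps above rely on reading the verbose log by eye. The script below is an added example, not part of the original post or of Tongsuo's curl: it parses the "* SSL connection using ..." and "* ALPN: server accepted ..." lines that curl -v writes to stderr and turns 4.2 (NTLSv1.1 with an all-SM suite) and 4.3 (TLS 1.3 with ALPN h2) into pass/fail checks. The embedded log excerpts are taken from the two runs shown above so the parser can be exercised without a server; the curl path, the CACERT variable and the www.test.com URL are assumptions for the live mode.

```shell
#!/bin/sh
# Added example, not from the original post: turn the two eyeball checks above
# (NTLSv1.1 with an SM suite in 4.2, TLSv1.3 with ALPN h2 in 4.3) into a
# pass/fail test. curl -v prints the "* SSL connection using ..." and
# "* ALPN: server accepted ..." lines on stderr; they are parsed with awk.
CURL=${CURL:-/opt/gmcurl/bin/curl}
# Set CACERT to the SM2 CA file once you have it; -k is only used as a
# fallback and proves a handshake, not trust.
CACERT=${CACERT:-}

# negotiated: stdin = curl -v output; prints "<protocol> <cipher> <alpn>",
# with alpn "none" when the server did not agree on a protocol.
negotiated() {
    awk '
        # e.g. "* SSL connection using NTLSv1.1 / ECC-SM2-SM4-GCM-SM3 / UNDEF / SM2"
        /^\* SSL connection using / { proto = $5; cipher = $7 }
        # e.g. "* ALPN: server accepted h2"
        /^\* ALPN: server accepted / { alpn = $5 }
        END { if (alpn == "") alpn = "none"; print proto, cipher, alpn }
    '
}

# expect_ntls: succeed only for an NTLSv1.1 handshake using an all-SM suite
# (SM2 key exchange/signature, SM4 record cipher, SM3 hash).
expect_ntls() {
    set -- $(negotiated)
    [ "$1" = NTLSv1.1 ] || { echo "expected NTLSv1.1, got ${1:-nothing}" >&2; return 1; }
    case "$2" in
        *SM2*SM4*SM3*) return 0 ;;
        *) echo "non-SM cipher suite negotiated: $2" >&2; return 1 ;;
    esac
}

# expect_h2: succeed only when TLS 1.3 was used and ALPN selected h2.
expect_h2() {
    set -- $(negotiated)
    [ "$1" = TLSv1.3 ] && [ "$3" = h2 ]
}

tls_opts() { if [ -n "$CACERT" ]; then echo "--cacert $CACERT"; else echo "-k"; fi; }

# Live checks against the Tengine server from the post (assumed running), e.g.
#   run_ntls_check https://www.test.com:9441/ ; run_h2_check https://www.test.com:9441/
run_ntls_check() { "$CURL" --tlcp  $(tls_opts) -s -o /dev/null -v "$1" 2>&1 | expect_ntls; }
run_h2_check()   { "$CURL" --http2 $(tls_opts) -s -o /dev/null -v "$1" 2>&1 | expect_h2; }

# Excerpts of the two verbose runs shown above, embedded so the parser can be
# exercised without a server.
NTLS_LOG='* ALPN: curl offers h2,http/1.1
* SSL connection using NTLSv1.1 / ECC-SM2-SM4-GCM-SM3 / UNDEF / SM2
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x'
TLS13_LOG='* ALPN: curl offers h2,http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* using HTTP/2'

sample_ntls()  { printf '%s\n' "$NTLS_LOG"  | negotiated; }
sample_tls13() { printf '%s\n' "$TLS13_LOG" | negotiated; }

if [ $# -eq 1 ]; then
    run_ntls_check "$1" && run_h2_check "$1" && echo "both checks passed for $1"
else
    echo "NTLS sample  : $(sample_ntls)"
    echo "TLS1.3 sample: $(sample_tls13)"
fi
```

Run with no arguments it only parses the embedded excerpts; `CACERT=/path/to/sm2-ca.pem sh check_handshake.sh https://www.test.com:9441/` runs both live checks with real verification, which is the form worth putting in a CI job, since a server that quietly regresses to international TLS would still pass the eyeball test above if nobody reads the log.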

Part 2 continues with further testing of Tongsuo SSL through curl:

Building curl with 国密 (SM) SSL support and testing it (Part 2)
