Problem description
We are trying to set up a TLS1.2 connection. We have downloaded the latest OpenSSL on the MacBook and are using this code to create the TLS1.2 connection.
However, this particular line is possibly causing the issue. It uses TLSv1.
#include <openssl/ssl.h>

const SSL_METHOD *method;   /* SSLv23_client_method() returns a const SSL_METHOD * */
/* ---------------------------------------------------------- *
 * Set SSLv2 client hello, also announce SSLv3 and TLSv1 *
 * ---------------------------------------------------------- */
method = SSLv23_client_method();
Tried the TLSv1_2_client_method() method, but it gives the linking error below:
It would be a great help if someone could assist in creating a TLS1.2 connection and then calling it from Objective-C (if some special treatment is required for socket programming).
[Kindly note that I am not an iOS person. I am helping a team fix a problem. I am also a newbie to socket programming myself, though the team has some experience.]
Recommended answer
Undefined symbols for architecture x86_64: "_TLSv1_2_client_method", referenced from: _main in sslconnect-7aa462.o
OK, it sounds like you are linking against x86_64, but you need iOS. You can verify the architecture with the following two commands:
xcrun -sdk iphoneos lipo -info libcrypto.a
xcrun -sdk iphoneos lipo -info libssl.a
For example:
$ xcrun -sdk iphoneos lipo -info /usr/local/ssl/ios/lib/libcrypto.a
Architectures in the fat file: /usr/local/ssl/ios/lib/libcrypto.a are: armv7 armv7s arm64 i386
The first three architectures are self explanatory; while i386 is for the iOS debugger.
Note: /usr/local/ssl/ios/ is where I installed OpenSSL for iOS after I built it. Apple does not provide it.
If you don't have the four iOS architectures, then you have two options. First, you can build based on the iOS procedures in the User Guide for the OpenSSL FIPS Object Module, Appendix E.2, page 122.
Second is to download a prebuilt version from a GitHub. Here's a GitHub by noloader with OpenSSL 1.0.1h built using OpenSSL's procedures. Here's another one from Stefan Arentz that seems to be pretty popular, but it's OpenSSL 1.0.1g.
C works fine with Objective C. There's nothing special about calling it.
On clients, you will need to set the server name with SSL_set_tlsext_host_name.
On the server it is more complicated, since you handle the callback. For examples, see and .
Be sure to set your cipher suites with SSL_CTX_set_cipher_list. Pick 16 or so of your favorite, and ignore the rest. For the docs on it (and the names of the cipher suites like DHE-RSA-AES256-SHA), see SSL_CTX_set_cipher_list(3) and ciphers(1).
Choosing 16 or so cipher suites achieves two goals. First, it ensures you get exactly what you want. Second, it ensures older appliances like an F5 or an IronPort do not choke. The older appliances use a fixed size buffer, and that buffer is too small for a ClientHello with 80+ cipher suites. The ClientHello passes if there are 16 or 20 cipher suites.
And one last comment....
OpenSSL prior to 1.1.0 does not perform hostname matching. However, it does perform the other customary checks. So if you are using 1.0.2 or below, you will have to perform the hostname matching. For information on the checks, see SSL/TLS Client on the OpenSSL wiki.
That concludes this article on setting up a TLS1.2 connection with SNI support; we hope the recommended answer helps.