What is boost::asio::ssl::context::load_verify_file and how to work with it?
Theare is a wary small amount of boost::asio::ssl small C++ educational codes base online. Even less on boost::asio::ssl::context::load_verify_file So I found one from here code with minimal modifications - compiles and runs with boost 1.47.0:
#include <boost/asio.hpp>
#include <boost/asio/ssl.hpp>
#include <boost/bind.hpp>
#include <iostream>
#include <istream>
#include <ostream>
#include <string>
class client
{
public:
client(boost::asio::io_service& io_service, boost::asio::ssl::context& context, boost::asio::ip::tcp::resolver::iterator endpoint_iterator)
: socket_(io_service, context)
{
socket_.set_verify_mode(boost::asio::ssl::context::verify_none);
socket_.set_verify_callback(boost::bind(&client::verify_certificate, this, _1, _2));
boost::asio::async_connect(socket_.lowest_layer(), endpoint_iterator, boost::bind(&client::handle_connect, this, boost::asio::placeholders::error));
}
bool verify_certificate(bool preverified, boost::asio::ssl::verify_context& ctx)
{
char subject_name[256];
X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
std::cout << "Verifying:\n" << subject_name << std::endl;
return preverified;
}
void handle_connect(const boost::system::error_code& error)
{
if(!error){
std::cout << "Connection OK!" << std::endl;
socket_.async_handshake(boost::asio::ssl::stream_base::client, boost::bind(&client::handle_handshake, this, boost::asio::placeholders::error));
}else{
std::cout << "Connect failed: " << error.message() << std::endl;
}
}
void handle_handshake(const boost::system::error_code& error)
{
if(!error){
std::cout << "Sending request: " << std::endl;
std::stringstream request_;
request_ << "GET /api/0/data/ticker.php HTTP/1.1\r\n";
request_ << "Host: mtgox.com\r\n";
request_ << "Accept-Encoding: *\r\n";
request_ << "\r\n";
std::cout << request_.str() << std::endl;
boost::asio::async_write(socket_, boost::asio::buffer(request_.str()), boost::bind(&client::handle_write, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
}else{
std::cout << "Handshake failed: " << error.message() << std::endl;
}
}
void handle_write(const boost::system::error_code& error, size_t bytes_transferred)
{
if (!error){
std::cout << "Sending request OK!" << std::endl;
boost::asio::async_read(socket_, boost::asio::buffer(reply_, bytes_transferred), boost::bind(&client::handle_read, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
}else{
std::cout << "Write failed: " << error.message() << std::endl;
}
}
void handle_read(const boost::system::error_code& error, size_t bytes_transferred)
{
if (!error){
std::cout << "Reply: ";
std::cout.write(reply_, bytes_transferred);
std::cout << "\n";
}else{
std::cout << "Read failed: " << error.message() << std::endl;
}
}
private:
boost::asio::ssl::stream<boost::asio::ip::tcp::socket> socket_;
char reply_[0x1 << 16];
};
int main(int argc, char* argv[])
{
try{
boost::asio::io_service io_service;
boost::asio::ip::tcp::resolver resolver(io_service);
boost::asio::ip::tcp::resolver::query query("mtgox.com", "443");
boost::asio::ip::tcp::resolver::iterator iterator = resolver.resolve(query);
boost::asio::ssl::context 开发者_如何学JAVAcontext(boost::asio::ssl::context::sslv23);
//context.load_verify_file("key.pem"); // uncomment this line
client c(io_service, context, iterator);
io_service.run();
}catch (std::exception& e){
std::cerr << "Exception: " << e.what() << "\n";
}
std::cin.get();
return 0;
}
Here is one really curious line: context.load_verify_file("key.pem");
So I'we got some questions about it:
- What does it mean for me as http client?
- Is it sent to server?
- How to create such file?
- What is it for anyway?
- Code compiles and works with out it. Is it OK? Is our connection to server safe with out that
key.pem
? - I want to use google or other big ssl host. What shall I do?
In simple terms :
The .pem file can contain a certificate (public key), or a private key, or a combination of both. PEM is a way to encode data, and X509 certificated are usually used with PEM. For example the server reads the .pem file and sends the certificate to a client so that the client can verify it before connecting.
A server with a self-signed certificate will pop a warning on today's browsers saying that it's not trusted (unless signed by a CA, and browsers have a database of signed CA's which they use in order to verify if the certificate is "valid" or not) and you can examine the certificate details and decide if you want to trust that site or not. A good example is the IETF.org link since their certificate expired not so long ago :)
As a client, it may mean something but it doesn't need to unless you need it to be. That it to say, if the server sends the certificate, your client may want to verify it before continuing and in that case you will need the information from the CA that signed the server certificate, which can be loaded from a .pem file containing the CA information. If your client doesn't care about verification then it doesn't need it.
Basically the
load_verify_file()
function loads the CA information in order to perform verification of a certificate send by the server.You can create your own CA file and sign your own server certificate and then use your own CA file with the client in order to verify that you are connecting to your own server.
read 1. No the client does not send it.
If you want to learn more, here is a guide straight from duckduckgo.
Read 3 and the beginning of this post.
If the client accept the servers certificate just fine and is not rejecting it since it can't verify it then it's fine. Easy to check, enable only ssl connection to/from the server and see if the client will connect and perform the work it should or just sniff the traffic and look it up.
Not sure what you mean there. Buying a ssl host? If so, the problem will still be with your client if it wants to accept the connection or not.
精彩评论