Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

利用Tongsuo验证国密ssl #523

Open
zhangshdn opened this issue Nov 21, 2023 · 3 comments
Open

利用Tongsuo验证国密ssl #523

zhangshdn opened this issue Nov 21, 2023 · 3 comments

Comments

@zhangshdn
Copy link

请教一个问题,困扰很长时间没搞定,openssl版本如下
openssl version BabaSSL 8.3.2 OpenSSL 1.1.1h 22 Sep 2020

我利用国密双证书,server_sign.crt server_enc.crt,以及CA证书 root.crt启动服务端和客户端的例子,请问这两个双证书如何使用,
服务启动:
openssl s_server -port 15003 -key tlcp-server-sign.key -cert tlcp-server-sign.crt -dkey tlcp-server-enc.key -dcert tlcp-server-enc.crt -CAfile cas.pem
现在不知道客户端如何启动,我的客户端也是双证书的
@zhangshdn
Copy link
Author

我现在用铜锁和guanzhi的GMSSL互相访问,但是发现,两者无法互通,只用tongsuo对tongsuo,gmssl对gmssl才通
以下是铜锁作为客户端的报错,gmssl作为服务端

[root@localhost zsh]# openssl s_client -connect 192.168.56.132:15003 -sign_key tlcp-client-sign.key -sign_cert tlcp-client-sign.crt -enc_cert tlcp-client-enc.crt -enc_key tlcp-client-enc.key -CAfile cas.pem -enable_ntls -ntls 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = tlcp-ca
verify return:1
depth=1 CN = tlcp-intca
verify return:1
depth=0 CN = tlcp-server-enc
verify return:1
depth=2 CN = tlcp-ca
verify return:1
depth=1 CN = tlcp-intca
verify return:1
depth=0 CN = tlcp-server-sign
verify return:1
140299320743744:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1548:SSL alert number 51
---
Certificate chain
 0 s:CN = tlcp-server-sign
   i:CN = tlcp-intca
 1 s:CN = tlcp-server-enc
   i:CN = tlcp-intca
 2 s:CN = tlcp-intca
   i:CN = tlcp-ca
 3 s:CN = tlcp-ca
   i:CN = tlcp-ca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBkzCCATigAwIBAgIUGIkLAz7D4ttqcn+O/Nq6e7xUl8YwCgYIKoEcz1UBg3Uw
FTETMBEGA1UEAwwKdGxjcC1pbnRjYTAeFw0yMzExMjEwOTA0MTRaFw0zMzExMTgw
OTA0MTRaMBsxGTAXBgNVBAMMEHRsY3Atc2VydmVyLXNpZ24wWTATBgcqhkjOPQIB
BggqgRzPVQGCLQNCAATFXb4kfSCQa3+b1gRN0M7abGu1jF4D0DEMAc2zvmoxQgiF
4HJD+uWCURKFCVSqigj1nC5b2cYIFITQWcUP9spvo2AwXjAdBgNVHQ4EFgQUB+D1
NXhTr7dwhiAR5XwMTaqFy2wwHwYDVR0jBBgwFoAUgvmWB9PXYnGkFy3Xu8/Hi0bk
xUswDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwCgYIKoEcz1UBg3UDSQAw
RgIhAMRY3w7pvjMgFccGllqBgvQPTADHsEzv35IABCNR9KUNAiEAsIEE+oMazxFz
h6b5YxGwr/bF+z3noPCFzAJMH8o3aMs=
-----END CERTIFICATE-----
subject=CN = tlcp-server-sign

issuer=CN = tlcp-intca

---
Acceptable client certificate CA names
CN = tlcp-intca
CN = tlcp-ca
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 1836 bytes and written 2040 bytes
Verification: OK
---
New, NTLSv1.1, Cipher is ECC-SM2-SM4-CBC-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : NTLSv1.1
    Cipher    : ECC-SM2-SM4-CBC-SM3
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 01FD0D259FF150F880C8EAD80D2DD3068EDEE69AA109250685183624E1ECF1A751546C9DC6E1ED10B1F71784321FA25B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1700622055
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    QUIC: no
---

然后我使用铜锁作为服务端,gmssl作为客户端,客户端报错如下

[root@localhost zsh]# gmssl s_client -connect 192.168.56.134:15003 -key tlcp-client-sign.key -dkey tlcp-client-enc.key -cert tlcp-client-sign.crt -dcert tlcp-client-enc.crt -CAfile cas.pem -state        
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv3/TLS write client hello
140560061241152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 196 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1700621890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

看现象是两者不通,老师,帮忙看下吧,能看出有什么原因吗

@Laisky
Copy link

Laisky commented Jan 11, 2024
edited
Loading

国密实现各自有一套独立的 x509 定义,互不兼容…

@InfoHunter
Copy link
Member

国密实现各自有一套独立的 x509 定义,互不兼容…

铜锁在获取软件密码模块安全一级资质的过程中,在国密局商用密码检测中心的检测项里是有TLCP客户端和TLCP服务器端的兼容性测试,通过后才给予资质的发放,所以铜锁和测试标准是兼容的

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@InfoHunter @Laisky @zhangshdn