将 SSL 支持添加到现有的 TCP &UDP代码?
这是我的问题.
现在我有一个与 Windows C++ 客户端应用程序(Visual Studio 9,Qt 4.5)通信的 Linux 服务器应用程序(使用 C++ - gcc 编写).
Right now I have a Linux server application (written using C++ - gcc) that communicates with a Windows C++ client application (Visual Studio 9, Qt 4.5.)
在不完全破坏现有协议的情况下,向双方添加 SSL 支持以保护通信安全的非常最简单的方法是什么?
What is the very easiest way to add SSL support to both sides in order to secure the communication, without completely gutting the existing protocol?
这是一个 VOIP 应用程序,它使用 UDP 和 TCP 的组合来初始建立连接并进行端口隧道处理,然后使用 UDP 传输数据.
It's a VOIP application that uses a combination of UDP and TCP to initially set up the connection and do port tunneling stuff, and then uses UDP for the streaming data.
过去,我在从头开始创建安全证书时遇到了很多问题,这些问题是让这些东西正常工作所必需的.
I've had lots of problems in the past with creating the security certificates from scratch that were necessary to get this stuff working.
现有的工作示例代码将是理想的.
Existing working example code would be ideal.
谢谢!
推荐答案
SSL 非常复杂,所以你需要使用一个库.
SSL is very complex, so you're going to want to use a library.
有多种选择,例如Keyczar、Botan, cryptlib 等.这些库中的每一个(或其他人建议的库,例如 Boost.Asio 或 OpenSSL)都将有示例代码.
There are several options, such as Keyczar, Botan, cryptlib, etc. Each and every one of those libraries (or the libraries suggested by others, such as Boost.Asio or OpenSSL) will have sample code for this.
回答您的第二个问题(如何将库集成到现有代码中而不会造成太多痛苦):这将取决于您当前的代码.如果您已经有简单的函数调用 Winsock 或套接字方法来发送/接收 int
s、strings
等,那么您只需要重写这些函数的内容即可.当然,还要更改设置套接字的代码.
Answering your second question (how to integrate a library into existing code without causing too much pain): it's going to depend on your current code. If you already have simple functions that call the Winsock or socket methods to send/receive int
s, strings
, etc. then you just need to rewrite the guts of those functions. And, of course, change the code that sets up the socket to begin with.
另一方面,如果您直接调用 Winsock/socket 函数,那么您可能希望编写具有相似语义但发送加密数据的函数,并用这些函数替换您的 Winsock 调用.
On the other hand, if you're calling the Winsock/socket functions directly then you'll probably want to write functions that have similar semantics but send the data encrypted, and replace your Winsock calls with those functions.
但是,您可能需要考虑切换到类似 Google 协议缓冲区 或 Google Protocol Buffersa href="http://wiki.apache.org/thrift/" rel="nofollow noreferrer">Apache Thrift(又名 Facebook Thrift).谷歌的协议缓冲区文档说,在协议缓冲区之前,有一种请求和响应的格式,它使用请求和响应的手动编组/解组,并且支持许多版本的协议.这导致了一些非常丑陋的代码.……"
However, you may want to consider switching to something like Google Protocol Buffers or Apache Thrift (a.k.a. Facebook Thrift). Google's Protocol Buffers documentation says, "Prior to protocol buffers, there was a format for requests and responses that used hand marshalling/unmarshalling of requests and responses, and that supported a number of versions of the protocol. This resulted in some very ugly code. ..."
您目前处于手动编组/解组阶段.它可以工作,事实上我从事的一个项目确实使用了这种方法.但是把它留给图书馆要好得多.尤其是一个已经考虑过在未来更新软件的库.
You're currently in the hand marshalling/unmarshalling phase. It can work, and in fact a project I work on does use this method. But it is a lot nicer to leave that to a library; especially a library that has already given some thought to updating the software in the future.
如果您走这条路,您将使用 SSL 库设置网络连接,然后将 Thrift/Protocol Buffer 数据推送到这些连接上.而已.它确实涉及大量重构,但最终需要维护的代码更少.当我们将 Protocol Buffers 引入我提到的那个项目的代码库中时,我们能够摆脱大约 300 行编组/解组代码.
If you go this route you'll set up your network connections with an SSL library, and then you'll push your Thrift/Protocol Buffer data over those connections. That's it. It does involve extensive refactoring, but you'll end up with less code to maintain. When we introduced Protocol Buffers into the codebase of that project I mentioned, we were able to get rid of about 300 lines of marshalling/demarshalling code.
相关文章