合租服务器如何开始 openssl openssl服务器了

Linux下OpenSSL-1.0.0 c编写OpenSSL服务器和客户端
Linux下OpenSSL-1.0.0 c编写OpenSSL服务器和客户端
  ca.crt为自签名证书;server.crt、server.key为服务器端的证书和私钥文件;proxy.crt、proxy.key为代理服务器端的证书和私钥文件;client.crt、client.key为客户端的证书和私钥文件。
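  # Build a private CA and issue server / proxy / client certificates from it.
#
# Changes against the listing as published:
#   * one command per line (the page had them run together);
#   * every RSA key is 2048 bits (the leaf keys were 1024, which is too
#     short to rely on);
#   * the CA key is encrypted with AES-256 instead of single DES (-des);
#   * private keys are made owner-readable only.
set -e

# The config file name is damaged on the page (only "f" survives after
# -config). Point CONF at the openssl.cnf that defines your CA section.
CONF=./openssl.cnf

# --- self-signed CA certificate ---
openssl genrsa -out ./private/ca.key -rand ./private/.rnd -aes256 2048
openssl req -new -x509 -days 3650 -key ./private/ca.key -out ./private/ca.crt -config "$CONF"
openssl x509 -in ./private/ca.crt -noout -text

# --- server certificate ---
openssl genrsa -out ./private/server.key 2048
openssl req -new -key ./private/server.key -out ./newcerts/server.csr -config "$CONF"
openssl ca -in ./newcerts/server.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config "$CONF" -policy policy_anything -out ./certs/server.crt
openssl x509 -in ./certs/server.crt -noout -text

# --- proxy certificate ---
openssl genrsa -out ./private/proxy.key 2048
openssl req -new -key ./private/proxy.key -out ./newcerts/proxy.csr -config "$CONF"
openssl ca -in ./newcerts/proxy.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config "$CONF" -policy policy_anything -out ./certs/proxy.crt
openssl x509 -in ./certs/proxy.crt -noout -text

# --- client certificate ---
openssl genrsa -out ./private/client.key 2048
openssl req -new -key ./private/client.key -out ./newcerts/client.csr -config "$CONF"
openssl ca -in ./newcerts/client.csr -cert ./private/ca.crt -keyfile ./private/ca.key -config "$CONF" -policy policy_anything -out ./certs/client.crt
openssl x509 -in ./certs/client.crt -noout -text

# The leaf keys are stored unencrypted, so keep them away from other users.
chmod 600 ./private/ca.key ./private/server.key ./private/proxy.key ./private/client.key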
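  // client.c

/*
 * Minimal TLS client that authenticates with a certificate, connects to
 * SERVER:PORT, prints the server's greeting and then sends one
 * whitespace-delimited token per SSL_write() until stdin reaches EOF.
 *
 * Repairs against the listing as published (which had lost its line breaks,
 * its "<...>" include brackets, its backslashes and several declarations):
 *   - protocol: SSLv23_client_method() with SSLv2/SSLv3 disabled negotiates
 *     the highest version both sides support instead of pinning TLS 1.0;
 *   - cipher list: "RC4-MD5" replaced by a HIGH-only list without RC4/MD5;
 *   - RNG: the RAND_seed() call fed from rand()/time() is gone. rand() is
 *     predictable and adds no entropy; OpenSSL seeds itself from the OS;
 *   - scanf("%s") is bounded to the buffer, SSL_read() leaves room for the
 *     terminator and its result is checked before being used as an index;
 *   - SSL_connect()/SSL_set_fd()/load_verify_locations results are checked
 *     against 1, so negative (fatal) results are no longer treated as success;
 *   - the trailing getch() and <curses.h> are dropped: curses was never
 *     initialised (no initscr()) and the call sat behind an endless loop.
 *
 * Caveat: any certificate that chains to CACERT is accepted; the name inside
 * it is not compared with SERVER. With OpenSSL 1.0.2 or later add
 * X509_check_host()/X509_check_ip_asc(), or SSL_set1_host() on 1.1.0+.
 * OpenSSL 1.0.0 itself tops out at TLS 1.0; build against a maintained
 * release to get TLS 1.2 or newer.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>

#define PORT 443
#define SERVER "127.0.0.1"
#define CACERT "./private/ca.crt"
#define MYCERTF "./certs/proxy.crt"
#define MYKEYF "./private/proxy.key"
#define MSGLENGTH 1024

/* Dump the OpenSSL error queue to stderr and terminate with status 1. */
static void
fail_ssl(void)
{
    ERR_print_errors_fp(stderr);
    exit(1);
}

int
main(void)
{
    struct sockaddr_in sin;
    SSL_CTX *ctx;
    SSL *ssl;
    int sock;

    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();

    /* Refuse to run if the library could not seed its generator itself. */
    if (1 != RAND_status()) {
        fprintf(stderr, "OpenSSL random generator is not seeded\n");
        exit(1);
    }

    ctx = SSL_CTX_new(SSLv23_client_method());
    if (NULL == ctx)
        exit(1);
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

    /* Verify the server against our CA; without the CA file nothing verifies. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    if (1 != SSL_CTX_load_verify_locations(ctx, CACERT, NULL))
        fail_ssl();

    if (1 != SSL_CTX_use_certificate_file(ctx, MYCERTF, SSL_FILETYPE_PEM))
        fail_ssl();
    if (1 != SSL_CTX_use_PrivateKey_file(ctx, MYKEYF, SSL_FILETYPE_PEM))
        fail_ssl();
    if (!SSL_CTX_check_private_key(ctx)) {
        printf("Private key does not match the certificate public key\n");
        exit(1);
    }

    if (1 != SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5:!RC4"))
        fail_ssl();
    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

    printf("Begin tcp socket...\n");
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        printf("SOCKET error. \n");
        exit(1);
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);                       /* Server Port number */
    if (1 != inet_pton(AF_INET, SERVER, &sin.sin_addr)) { /* Server IP */
        fprintf(stderr, "bad server address %s\n", SERVER);
        exit(1);
    }

    if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
        printf("can not connect to server,%s\n", strerror(errno));
        exit(1);
    }

    ssl = SSL_new(ctx);
    if (NULL == ssl)
        exit(1);
    if (1 != SSL_set_fd(ssl, sock)) {
        printf("Attach to Line fail!\n");
        exit(1);
    }

    /* 1 is the only success value; 0 and negatives are both failures. */
    int k = SSL_connect(ssl);
    if (1 != k) {
        printf("%d\n", k);
        printf("SSL connect fail!\n");
        fail_ssl();
    }
    printf("connect to server\n");

    char sendmsg[MSGLENGTH] = "";
    char revmsg[MSGLENGTH] = "";

    /* Leave one byte for the terminator and never index with an error code. */
    int got = SSL_read(ssl, revmsg, (int) sizeof(revmsg) - 1);
    if (got <= 0) {
        fprintf(stderr, "SSL_read failed\n");
        fail_ssl();
    }
    revmsg[got] = '\0';
    printf("%s\n", revmsg);

    for (;;) {
        printf("please input the data to send:\n");
        /* Field width is MSGLENGTH - 1 so the token cannot overrun sendmsg. */
        if (1 != scanf("%1023s", sendmsg))
            break; /* EOF or read error on stdin */
        if (SSL_write(ssl, sendmsg, (int) strlen(sendmsg)) <= 0) {
            fprintf(stderr, "SSL_write failed\n");
            ERR_print_errors_fp(stderr);
            break;
        }
        printf("send message ' %s ' success\n", sendmsg);
    }

    SSL_shutdown(ssl);
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    close(sock);
    return 0;
}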
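  // server.c

/*
 * Minimal TLS server that requires a client certificate. It accepts a single
 * connection on PORT, prints the subject and issuer of the client's
 * certificate, sends a greeting and then prints whatever the client sends
 * until the connection ends.
 *
 * Repairs against the listing as published (which had lost its line breaks,
 * its "<...>" include brackets, its backslashes and several declarations):
 *   - protocol: SSLv23_server_method() with SSLv2/SSLv3 disabled instead of
 *     pinning TLS 1.0; cipher list "RC4-MD5" replaced by a HIGH-only list;
 *   - SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set, so a client that presents no
 *     certificate fails the handshake instead of relying on the later
 *     manual NULL check alone;
 *   - SSL_accept() is compared with 1: the original tested only for 0, so a
 *     negative (fatal) result was treated as a completed handshake;
 *   - SSL_read() leaves room for the terminator and its result is checked
 *     before being used as an index; the loop ends when the peer goes away;
 *   - the subject string is freed before the issuer string replaces it;
 *   - the peer address is printed in dotted form and host byte order;
 *   - the trailing getch() and <curses.h> are dropped: curses was never
 *     initialised (no initscr()) and the call sat behind an endless loop.
 *
 * Caveat: every certificate issued by CACERT is accepted. If only particular
 * clients may connect, compare the subject printed below with an allow-list.
 * OpenSSL 1.0.0 itself tops out at TLS 1.0; build against a maintained
 * release to get TLS 1.2 or newer.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

#define MSGLENGTH 1024
#define PORT 443
#define CACERT "./private/ca.crt"
#define SVRCERTF "./certs/server.crt"
#define SVRKEYF "./private/server.key"

/* Dump the OpenSSL error queue to stderr and terminate with status 1. */
static void
fail_ssl(void)
{
    ERR_print_errors_fp(stderr);
    exit(1);
}

int
main(void)
{
    SSL_CTX *ctx;
    SSL *ssl;
    int sock;

    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();

    ctx = SSL_CTX_new(SSLv23_server_method());
    if (NULL == ctx)
        exit(1);
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

    /* Demand a client certificate and verify it against our CA. */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       NULL);
    if (1 != SSL_CTX_load_verify_locations(ctx, CACERT, NULL))
        fail_ssl();

    if (1 != SSL_CTX_use_certificate_file(ctx, SVRCERTF, SSL_FILETYPE_PEM))
        fail_ssl();
    if (1 != SSL_CTX_use_PrivateKey_file(ctx, SVRKEYF, SSL_FILETYPE_PEM))
        fail_ssl();
    if (!SSL_CTX_check_private_key(ctx)) {
        printf("Private key does not match the certificate public key\n");
        exit(1);
    }

    if (1 != SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5:!RC4"))
        fail_ssl();
    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

    printf("Begin tcp socket...\n");
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        printf("SOCKET error! \n");
        exit(1);
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT); /* Server Port number */
    addr.sin_addr.s_addr = htonl(INADDR_ANY);

    if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
        printf("bind socket error\n");
        exit(1);
    }
    printf("server start successfully,port:%d\nwaiting for connections\n",
           PORT);

    if (-1 == listen(sock, 5))
        exit(1);

    struct sockaddr_in sa_cli;
    socklen_t client_len = sizeof(sa_cli);
    int ss = accept(sock, (struct sockaddr *) &sa_cli, &client_len);
    if (ss == -1)
        exit(1);
    close(sock); /* single-connection demo: stop listening once a peer is in */

    char peer[INET_ADDRSTRLEN] = "?";
    inet_ntop(AF_INET, &sa_cli.sin_addr, peer, sizeof(peer));
    printf("Connection from %s, port %d\n", peer, ntohs(sa_cli.sin_port));

    ssl = SSL_new(ctx);
    if (NULL == ssl)
        exit(1);
    if (1 != SSL_set_fd(ssl, ss)) {
        printf("Attach to Line fail!\n");
        exit(1);
    }

    /* 1 is the only success value; 0 and negatives are both failures. */
    int k = SSL_accept(ssl);
    if (1 != k) {
        printf("%d\n", k);
        printf("SSL connect fail!\n");
        fail_ssl();
    }

    X509 *client_cert = SSL_get_peer_certificate(ssl);
    printf("find a customer to try to connect\n");
    if (NULL == client_cert) {
        printf("can not find the customer's certificate\n");
        exit(1);
    }
    /* A certificate being present is not enough; confirm it verified. */
    if (X509_V_OK != SSL_get_verify_result(ssl)) {
        printf("auth error!\n");
        exit(1);
    }

    printf("Client certificate:\n");
    char *str = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
    if (NULL == str) {
        printf("auth error!\n");
        exit(1);
    }
    printf("subject: %s\n", str);
    OPENSSL_free(str); /* release before the pointer is reused below */

    str = X509_NAME_oneline(X509_get_issuer_name(client_cert), NULL, 0);
    if (NULL == str) {
        printf("certificate name is null\n");
        exit(1);
    }
    printf("issuer: %s\n", str);
    OPENSSL_free(str);
    printf("connect successfully\n");
    X509_free(client_cert);

    static const char greeting[] = "Server is connect to you!\n";
    if (SSL_write(ssl, greeting, (int) strlen(greeting)) <= 0)
        fail_ssl();

    printf("Listen to the client: \n");
    char buf[MSGLENGTH];
    for (;;) {
        /* Leave one byte for the terminator. */
        int n = SSL_read(ssl, buf, (int) sizeof(buf) - 1);
        if (n <= 0) {
            /* A clean TLS close is expected; anything else is worth logging. */
            if (SSL_ERROR_ZERO_RETURN != SSL_get_error(ssl, n))
                ERR_print_errors_fp(stderr);
            break;
        }
        buf[n] = '\0';
        printf("%s\n", buf);
    }

    SSL_shutdown(ssl);
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    close(ss);
    return 0;
}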
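  # makefile
# Builds the TLS client and server against a static OpenSSL 1.0.0c tree.
# Recipe lines must start with a TAB character.
.PHONY: all clean

all: client.c server.c
	gcc -Wall -o client client.c -I/usr/openssl-1.0.0c/include /usr/openssl-1.0.0c/libssl.a /usr/openssl-1.0.0c/libcrypto.a -ldl
	gcc -Wall -o server server.c -I/usr/openssl-1.0.0c/include /usr/openssl-1.0.0c/libssl.a /usr/openssl-1.0.0c/libcrypto.a -ldl

clean:
	rm -f client server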
OpenSSL的***和使用1,***openssltar zxvf openssl-1.0.0a.tar.gzcd openssl-1.0.0a./config --prefix=/usr/local/opensslmake && make install2,***apachetar zxvf httpd-2.2.16.tar.gzcd httpd-2.2.16./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite--enable-so --with-ssl=/usr/local/opensslmake && make install如果你是yum install ,apt-get,pacman这样的软件管理工具进行***的话,上面的二步可以省掉。3,创建主***在/usr/local/apache/conf/下面建个目录ssl3.1,mkdir ssl3.2,cp /openssl的***目录/ssl/misc/CA.sh /usr/local/apache/conf/ssl/3.3 用CA.sh来创建***查看复制打印?1. [root@BlackGhost ssl]# ./CA.sh -newca //建立主*** 2. CA certificate filename (or enter to create) 3. 4. Making CA certificate ... 5. Generating a 1024 bit RSA private key 6. ............++++++ 7. ......++++++ 8. writing new private key to './demoCA/private/./cakey.pem' 9. Enter PEM pass phrase: 10. Verifying - Enter PEM pass phrase: 11. Verify failure 12. Enter PEM pass phrase: 13. Verifying - Enter PEM pass phrase: 14. ----- 15. You are about to be asked to enterinformation that will be incorporated 16. into your certificate request. 17. What you are about to enter is what iscalled a Distinguished Name or a DN. 18. There are quite a few fields but you canleave some blank 19. For some fields there will be a default value, 20. If you enter '.', the field will be left blank. 21. ----- 22. Country Name (2 letter code) [AU]:cn 23. State or Province Name (full name) [Some-State]:cn 24. Locality Name (eg, city) []:cn 25. Organization Name (eg, company) [InternetWidgits Pty Ltd]:cn 26. Organizational Unit Name (eg, section)[]:cn 27. Common Name (eg, YOUR name) []:localhost 28. Email Address []: 29. 30. Please enter the following 'extra' attributes 31. to be sent with your certificate request 32. A challenge password []:****************** 33. An optional company name []: 34. Using configuration from/etc/f 35. Enter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密码 36. Check that the request matches thesignature 37. Signature ok 38. Certificate Details: 39. 
Serial Number: 40. 89:11:9f:a6:ca:03:63:ab 41. Validity 42. Not Before: Aug 7 12:35:28 2010 GMT 43. Not After : Aug 6 12:35:28 2013 GMT 44. Subject: 45. countryName = cn 46. stateOrProvinceName = cn 47. organizationName = cn 48. organizationalUnitName = cn 49. commonName = localhost 50. emailAddress =
51. X509v3 extensions: 52. X509v3 Subject Key Identifier: 53. 26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76 54. X509v3 Authority Key Identifier: 55. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76 56. DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress= 57. serial:89:11:9F:A6:CA:03:63:AB 58. 59. X509v3 Basic Constraints: 60. CA:TRUE 61. Certificate is to be certified until Aug 612:35:28 2013 GMT (1095 days) 62. 63. Write out database with 1 new entries 64. Data Base Updated [root@BlackGhost ssl]# ./CA.sh-newca //建立主***CA certificate filename (orenter to create)Making CA certificate ...Generating a 1024 bit RSAprivate key............++++++......++++++writing new private key to'./demoCA/private/./cakey.pem'Enter PEM pass phrase:Verifying - Enter PEM passphrase:Verify failureEnter PEM pass phrase:Verifying - Enter PEM passphrase:-----You are about to be asked toenter information that will be incorporatedinto your certificate request.What you are about to enter iswhat is called a Distinguished Name or a DN.There are quite a few fieldsbut you can leave some blankFor some fields there will be adefault value,If you enter '.', the fieldwill be left blank.-----Country Name (2 letter code)[AU]:cnState or Province Name (fullname) [Some-State]:cnLocality Name (eg, city) []:cnOrganization Name (eg, company)[Internet Widgits Pty Ltd]:cnOrganizational Unit Name (eg,section) []:cnCommon Name (eg, YOUR name)[]:localhostEmail Address []:Please enter the following'extra' attributesto be sent with yourcertificate requestA challenge password[]:******************An optional company name []:Using configuration from/etc/fEnter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密码Check that the request matchesthe signatureSignature okCertificate Details:Serial Number:89:11:9f:a6:ca:03:63:abValidityNot Before: Aug 7 12:35:28 2010 GMTNot After : Aug 6 12:35:28 2013 GMTSubject:countryName = cnstateOrProvinceName = cnorganizationName = 
cnorganizationalUnitName = cncommonName = localhostemailAddress = X509v3 extensions:X509v3 Subject Key Identifier:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76X509v3 Authority Key Identifier:keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=serial:89:11:9F:A6:CA:03:63:ABX509v3 Basic Constraints:CA:TRUECertificate is to be certifieduntil Aug 6 12:35:28 2013 GMT (1095days)Write out database with 1 new entriesData Base Updated***成功的话,会在ssl目录下面产生一个文件夹demoCA4 生成服务器私钥和服务器***查看复制打印?1. [root@BlackGhost ssl]# openssl genrsa-des3 -out server.key 1024 //产生服务器私钥 2. Generating RSA private key, 1024 bit long modulus 3. .....................++++++ 4. .........++++++ 5. e is 601) 6. Enter pass phrase for server.key: 7. Verifying - Enter pass phrase for server.key: 8. [root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //生成服务器*** 9. Enter pass phrase for server.key: 10. You are about to be asked to enterinformation that will be incorporated 11. into your certificate request. 12. What you are about to enter is what iscalled a Distinguished Name or a DN. 13. There are quite a few fields but you canleave some blank 14. For some fields there will be a default value, 15. If you enter '.', the field will be left blank. 16. ----- 17. Country Name (2 letter code) [AU]:cn 18. State or Province Name (full name) [Some-State]:cn 19. Locality Name (eg, city) []:cn 20. Organization Name (eg, company) [InternetWidgits Pty Ltd]:cn 21. Organizational Unit Name (eg, section)[]:cn 22. Common Name (eg, YOUR name) []:localhost //要填全域名 23. Email Address []: 24. 25. Please enter the following 'extra' attributes 26. to be sent with your certificate request 27. A challenge password []:***************** 28. 
An optional company name []: [root@BlackGhost ssl]# opensslgenrsa -des3 -out server.key 1024 //产生服务器私钥Generating RSA private key,1024 bit long modulus.....................++++++.........++++++e is 601)Enter pass phrase forserver.key:Verifying - Enter pass phrasefor server.key:[root@BlackGhost ssl]# opensslreq -new -key server.key -out server.csr //生成服务器***Enter pass phrase forserver.key:You are about to be asked toenter information that will be incorporatedinto your certificate request.What you are about to enter iswhat is called a Distinguished Name or a DN.There are quite a few fieldsbut you can leave some blankFor some fields there will be adefault value,If you enter '.', the fieldwill be left blank.-----Country Name (2 letter code)[AU]:cnState or Province Name (fullname) [Some-State]:cnLocality Name (eg, city) []:cnOrganization Name (eg, company)[Internet Widgits Pty Ltd]:cnOrganizational Unit Name (eg,section) []:cnCommon Name (eg, YOUR name) []:localhost //要填全域名Email Address[]:Please enter the following'extra' attributesto be sent with yourcertificate requestA challenge password[]:*****************An optional company name []:4.1 对产生的服务器***进行签证cp server.csr newseq.pem查看复制打印?1. [root@BlackGhost ssl]# ./CA.sh -sign //为服务器***签名 2. Using configuration from/etc/f 3. Enter pass phrase for ./demoCA/private/cakey.pem: 4. Check that the request matches thesignature 5. Signature ok 6. Certificate Details: 7. Serial Number: 8. 89:11:9f:a6:ca:03:63:ac 9. Validity 10. Not Before: Aug 7 12:39:41 2010 GMT 11. Not After : Aug 7 12:39:41 2011 GMT 12. Subject: 13. countryName = cn 14. stateOrProvinceName = cn 15. localityName = cn 16. organizationName = cn 17. organizationalUnitName = cn 18. commonName = localhost 19. emailAddress =
20. X509v3 extensions: 21. X509v3 Basic Constraints: 22. CA:FALSE 23. Netscape Comment: 24. OpenSSL Generated Certificate 25. X509v3 Subject Key Identifier: 26. FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81 27. X509v3 Authority Key Identifier: 28. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76 29. 30. Certificate is to be certified until Aug 712:39:41 2011 GMT (365 days) 31. Sign the certificate? [y/n]:y 32. 33. 1 out of 1 certificate requests certified,commit? [y/n]y 34. Write out database with 1 new entries 35. Data Base Updated 36. Certificate: 37. Data: 38. Version: 3 (0x2) 39. Serial Number: 40. 89:11:9f:a6:ca:03:63:ac 41. Signature Algorithm: sha1WithRSAEncryption 42. Issuer: C=cn, ST=cn, O=cn, OU=cn,CN=localhost/emailAddress= 43. Validity 44. Not Before: Aug 7 12:39:41 2010 GMT 45. Not After : Aug 7 12:39:41 2011 GMT 46. Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn,CN=localhost/emailAddress= 47. Subject Public Key Info: 48. Public Key Algorithm: rsaEncryption 49. Public-Key: (1024 bit) 50. Modulus: 51. 00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d: 52. 0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d: 53. 28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b: 54. a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09: 55. 5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42: 56. 28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9: 57. 78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90: 58. 93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14: 59. a1:7e:52:7b:cc:02:5e:e2:45 60. Exponent: 601) 61. X509v3 extensions: 62. X509v3 Basic Constraints: 63. CA:FALSE 64. Netscape Comment: 65. OpenSSL Generated Certificate 66. X509v3 Subject Key Identifier: 67. FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81 68. X509v3 Authority Key Identifier: 69. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76 70. 71. Signature Algorithm: sha1WithRSAEncryption 72. 09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37: 73. 32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff: 74. 
28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de: 75. cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f: 76. 5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d: 77. 70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c: 78. be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e: 79. 59:22 80. -----BEGIN CERTIFICATE----- 81. MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV 82. BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw 83. EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu 84. Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC 85. Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV 86. BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp 87. bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu 88. ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3 89. bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh 90. kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG 91. CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV 92. HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+ 93. zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3 94. MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy 95. IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03 96. Zrqc7Luv7rYE98UuWSI= 97. -----END CERTIFICATE----- 98. 
Signed certificate is in newcert.pem [root@BlackGhost ssl]# ./CA.sh-sign //为服务器***签名Using configuration from/etc/fEnter pass phrase for./demoCA/private/cakey.pem:Check that the request matchesthe signatureSignature okCertificate Details:Serial Number:89:11:9f:a6:ca:03:63:acValidityNot Before: Aug 7 12:39:41 2010 GMTNot After : Aug 7 12:39:41 2011 GMTSubject:countryName = cnstateOrProvinceName = cnlocalityName = cnorganizationName = cnorganizationalUnitName = cncommonName = localhostemailAddress = X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81X509v3 Authority Key Identifier:keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76Certificate is to be certifieduntil Aug 7 12:39:41 2011 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requestscertified, commit? [y/n]yWrite out database with 1 newentriesData Base UpdatedCertificate:Data:Version: 3 (0x2)Serial Number:89:11:9f:a6:ca:03:63:acSignature Algorithm: sha1WithRSAEncryptionIssuer: C=cn, ST=cn, O=cn, OU=cn,CN=localhost/emailAddress=ValidityNot Before: Aug 7 12:39:41 2010 GMTNot After : Aug 7 12:39:41 2011 GMTSubject: C=cn, ST=cn, L=cn, O=cn, OU=cn,CN=localhost/emailAddress=Subject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:a1:7e:52:7b:cc:02:5e:e2:45Exponent: 601)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81X509v3 Authority 
Key Identifier:keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76Signature Algorithm: sha1WithRSAEncryption09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:59:22-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----Signed certificate is innewcert.pemcp newcert.pem server.crt5,产生客户端***生成客户私钥:openssl genrsa -des3 -out client.key 1024生成客户***openssl req -new -key client.key -out client.csr签证:openssl ca -in client.csr -out client.crt转换成pkcs12格式,为客户端***所用openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.pfx这一步根***服务器的***差不多,不同的是签证,最后***的时候,client.pfx的密码要记住,在客户端***的时候要用到的。[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt-inkey client.key -out client.pfxEnter pass phrase for client.key:Enter Export Password:Verifying - Enter Export Password:客户端和服务器端都可以使用服务器端***,所以这一步不做也行。6,集中所以***和私私钥到一起#cp demoCA/cacert.pem cacert.pem同时复制一份***,更名为ca.crt#cp cacert.pem ca.crt7,apache配置vi /usr/local/apache/conf/extra/ssl.conf查看复制打印?1. ssl开启 2. SSLEngine on 3. 4. 指定服务器***位置 5. SSLCertificateFile/usr/local/apache/conf/ssl/server.crt 6. 7. 指定服务器***key位置 8. SSLCertificateKeyFile/usr/local/apache/conf/ssl/server.key 9. 10. ***目录 11. SSLCACertificatePath/usr/local/apache/conf/ssl 12. 13. 根***位置 14. SSLCACertificateFile/usr/local/apache/conf/ssl/cacert.pem 15. 16. 要求客户拥有*** 17. SSLVerifyClient require 18. SSLVerifyDepth 1 19. SSLOptions +StdEnvVars 20. 21. 记录log 22. CustomLog "/usr/local/apache/logs/ssl_request_log" \ 23. 
"%t %h%{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl开启SSLEngine on指定服务器***位置SSLCertificateFile/usr/local/apache/conf/ssl/server.crt指定服务器***key位置SSLCertificateKeyFile/usr/local/apache/conf/ssl/server.key***目录SSLCACertificatePath /usr/local/apache/conf/ssl根***位置SSLCACertificateFile/usr/local/apache/conf/ssl/cacert.pem要求客户拥有***SSLVerifyClient requireSSLVerifyDepth 1SSLOptions +StdEnvVars记录logCustomLog"/usr/local/apache/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x%{SSL_CIPHER}x \"%r\" %b"vi /usr/local/apache/conf/extra/httpd_vhosts.conf查看复制打印?1. listen 443 https 2. NameVirtualHost *:443 3. &VirtualHost _default_:443& 4. 5. DocumentRoot "/home/zhangy/www/metbee/trunk/src/web" 6. ServerName *:443 7. ErrorLog "/home/zhangy/apache/-error.log" 8. CustomLog "/home/zhangy/apache/-access.log" common 9. Include conf/extra/ssl.conf 10. 11. &/VirtualHost& listen 443 httpsNameVirtualHost *:443&VirtualHost _default_:443&DocumentRoot"/home/zhangy/www/metbee/trunk/src/web"ServerName *:443ErrorLog"/home/zhangy/apache/-error.log"CustomLog"/home/zhangy/apache/-access.log" commonInclude conf/extra/ssl.conf&/VirtualHost&vi /usr/local/apache/conf/httpd.conf把Includeconf/extra/httpd-vhosts.conf前面的注释去掉启动 /usr/local/apache/bin/apachectl -D SSL -k startServer *:10000 (RSA)Enter pass phrase:输入的是server的密钥OK: Pass Phrase Dialog successful.8,***客户端***把ca.crt和client.pfx copy到客户端,双击client.pfx就会进入***的***向导,下一步就行了,中间会让你输入密码四,***所遇到的问题1,生成的密码很多,一会让输入密码,会忘得,并且主***的密码和下面的***的密码不能重得,会报错的,所以要搞个文本记下来。2,升级openssl引发的问题httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf:Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8:cannot open shared object file: No such file or directoryhttpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf:Cannot load /usr/local/apache/modules/libphp5.so into server:libcrypto.so.0.9.8: cannot open shared object file: No such file or 
directory用ln-s来建立软链接,就可以了。不过这种方法不是万能的,比如我把libpng从1.2升到1.4,libjpeg从7.0升到8.0结果是系统差点崩掉,用软链接不管用,我把他们弄掉,从网上下的低版本重装。3,***的国家名称,省名要相同不然生成空***,The countryName field needed to be the same in theCA certificate (cn) and the request (sh)4,提示CommonName时,要添写全域名,会提示警告RSA server certificate CommonName (CN) `cn' does NOT match server name!?5,相同的***不能生成二次,名字不一样也不行,也就是说server.cst和client.csr信息不能完相同,不然会报failed to update databaseTXT_DB error number 26,页面浏览时,会看到提示,你的***是不可信的,是因为我配置的不对,还是自己建的***就是不要信的呢?7,当我加了SSLVerifyClient requireSSLVerifyDepth 1 这二个配置时,在windows下面,要你输入***后,就可以看到页面了,但在用firefox就是不行呢?看下面的ssl_request_log日志,192.168.18.3是用windows的IE浏览器[09/Aug/:21 +.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA"GET /robots.txt HTTP/1.1" 208[09/Aug/:21 +.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET/robots.txt HTTP/1.1" 208[09/Aug/:21 +.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET/robots.txt HTTP/1.1" 208[09/Aug/:55 +8.18.3 TLSv1 RC4-MD5 "GET /HTTP/1.1" 1505[09/Aug/:55 +8.18.3 TLSv1 RC4-MD5 "GET /HTTP/1.1" 1505[09/Aug/:55 +8.18.3 TLSv1 RC4-MD5 "GET /HTTP/1.1" 1505加密解密传统加密(对称加密)openssl enc -ciphername(加密算法) -k password(口令) -in file(被加密的算法) -out (输出文件)file解密openssl enc -ciphername -k password-d -in file -out file加密算法有:base64,des,des3,rc2,rc5,aes256例如:/bin/openssl enc -des3 -kboobooke -in pt.txt -out ct.bin //加密/bin/openssl enc -des3 -d -k boobooke -in ct.bin -out pt1.txt //解密非对称加密Generate the private/public keyOpenssl genrsa -out file 1024 例如:Openssl genrsa -out priv.key 1024 //用rsa算法生成私钥(priv.key) Openssl rsa -in file -pubout例如: Openssl rsa -in priv.key -pubout&pub.key //用私钥priv.key生成公钥,并重定向到pub.key这个文件里面Encrypt the file with public keyOpenssl rsautl -in file -outfile -inkey file -pubin -encrypt例如:Openssl rsautl -in test.txt -outtest.bin -inkey pub.key -pubin -encrypt //利用公钥文件(pub.key)对text.txt文件进行加密,生成加密后的文件text.binDecrypt the file the private keyOpenssl rsautl -in file -outfile -inkey file -decrypt例如:Openssl rsautl -in text.bin -outtext1.txt -inkey priv.key -decrypt 
//利用私钥priv.key对公钥加密的text.bin进行加密的文件进行解密,生成解密后的文件是text1.txtUse openssl sign/verify functions(数字签名)Generate the private/public key生成密钥对Openssl genrsa -out file 1024 Openssl rsa -in file -puboutSign the file with the private keyOpenssl rsautl -in file -outfile -inkey file -sign例如:Openssl rsatul -in test.txt -outtest.sig -inkey priv.key -sign //利用私钥对test.txt 进行加密也就是签名Openssl rsautl -in file -outfile -inkey file -pubin -verify例如:Openssl rsautl -in test.sig -outtest2.txt -inkey pub.key -pubin -verify //利用公钥对私钥加密后的文件(test.sig)进行解密或是认证Hash functions(hash函数)……MD5 SHA1作用:主要是验证文件的完整性,没有被别人篡改!Generate the md5 hash resultOpenssl dgst -md5 file 或Md5sum file例如:Openssl dgst -md5 openssl.tar.gz //生成MD5值Md5sum openssl.tar.gzGenerate the sha1 hash resultOpenssl dgst -sha1file 或Sha1sum file例如:Openssl -dgst -sha1openssl.tar.gz //生成sha1值Install apache Configure the environmenttar -zxvf httpd-2.0.63.tar.gzcd httpd-2.0.63./configure -prefix=/usr/local/apache -enable-ssl -with-ssl=/usr/local/opensslmake make installConfigure ssl in apacheopenssl req -new -x509 -days 30 -keyout server.key -outserver.crt -subj '/CN=Test Only Certifiecate'或者Openssl req -new -x509 -days 365 -sha1 -nodes -newkey rsa:1024 keyout server.key -out server.crt -subj ‘/O=Seccure/OU=Seccure Labs/CN=’Cpy the .key and .crt file to the proper directory //一般都是存放在apache的conf 目录下面,具体存放路径是在apache的配置文件中定义的Vi httpd.conf&IfModule mod_ssl.c&Include conf/ssl.conf //ssl 的配置文件被包含在conf/ssl.conf&/IfModule&Vi conf/ssl.confSSLCertificateKeyFile/usr/local/apache/conf/ssl.crt/server.key //server.key存放路径SSLCertificateFile/usr/local/apache/conf/ssl.crt/server.crt //server.crt 存放路径Apache2.2直接启动apache服务就可以启动SSLApache2.0启动ssl:apachectlstartssl //端口号为443端口Vi conf/ssl.conf&Directory /&SSLRequireSSL //此目录只允许使用https协议访问&/Directory&&Directory /usr/local/apache/htdocs/ssldemo& SSLRequireSSL &/Directory&
//ssldemo这个目录必须使用https协议访 问,应为利用ssl安全访问存在着密钥的 加密解密以及传送,所以访问会很慢,所 以一般都是把一些需要中到https协议访 访问的程序放在一个目录中,而其他的站 点依然用http协议访问一、*** Openssl? 下载 openssl 源代码:? wgethttp://www.openssl.org/source/ openssl-0.9.8k.tar.gz? 解压缩:? tar zxvfopenssl-0.9.8k.tar.gz? 设定Openssl ***,( --prefix )参数为欲***之目录,也就是***后的档案会出现在该目录下:? cd openssl-0.9.8k? ./config--prefix=/root/openssl? 编译 Openssl:? make? *** Openssl:? make install? 修改配置文件:? cat ~/openssl/f? 修改其中的配置内容1) dir=/home/blave/openssl/ssl/misc/demoCA # 设定存取凭证的路径, 并将blave 改成您自己2) default_days= 3650 # 设定凭证可使用之天数3) default_bits = 2048 # 设定密钥长度(bits)二、产生 CA 凭证? 我们所产生的 CA 凭证,将放置在 ~/openssl/ssl/misc/demoCA下,以下我们将介绍怎样产生出最上层的 CA 凭证。? 执行CA 凭证产生程式:? cd ~/openssl/ssl/misc? ./CA.sh -newca? 确定CA 凭证及密钥是否产生:? cd~/openssl/ssl/misc/demoCA? ls? cacert.pem certs crlindex.txt newcerts private serial? 可见「cacert.pem」即是CA 之凭证,而「private」目录即是存放CA 私钥之处。? 对 CA ***请求进行签名:u openssl ca -selfsign-in careq.pem -out cacert.pem? 设定CA 凭证之存取权限,仅允许本人能存取,他人必须限制其存取权限:? chmod -R 660~/openssl/ssl/misc/ demoCA三、以 CA 产生次级凭证? 在CA 凭证产生完之后,我们便能够产生使用者或公司所需要之凭证,此次级凭证产生后,使用者便可应用于Email 签章加密或https 等ssl 传输加密。? 产生使用者之密钥档及CSR 档(CertificateSigning Request) :? cd~/openssl/ssl/misc/demoCA? openssl req -nodes-new -keyout test_key.pem /-out test_req.pem -days 3650 -config~/openssl/f? 此处「-keyout 」即为产生Privatekey 之文档名,这里以「test_key.pem」为例,您可自行设定。而「-out 」则产生CSR 档,我们以「test_req.pem」为例。? 产生使用者之凭证:? openssl ca -config~/openssl/f /-policy policy_anything -out test_cert.pem -infilestest_req.pem? 检查凭证是否产生:? cd~/openssl/ssl/misc/demoCA? ls? 当前目录内容:cacert.pemcrl index.txt.attr test_cert.pem test_req.pem private serial.old certs index.txt index.txt.old test_key.pem newcerts serial? 以上可见,test_cert.pem、test_req.pem及test_key.pem分别为刚刚所产生出来的凭证、CSR 及PrivateKey 。四、 Openssl 应用? 以cacert 验证产生出来的使用者cert :? openssl verify -CApath. /-CAfile cacert.pem test_cert.pem? 检查产生的序号:? openssl x509 -noout-serial -in test_cert.pem? 检查发行者资讯:? openssl x509 -noout-issuer -in test_cert.pem? 检查凭证起始及终止日期时间:? 
openssl x509 -noout-in test_cert.pem -dates? 检查个人凭证资讯subject :? openssl x509 -noout-in test_cert.pem -subject? 检查MD5fingerprint 或SHA-1fingerprint :? openssl x509 -noout-in islab_cert.pem -fingerprint -md5/-sha1? 由PEM 转至PKCS12 。MicrosoftOutlook Express 使用PKCS12 格式,因此欲使用MicrosoftOutlook Express 寄出签章信件,只要将产生出来的“*.p12”文档***在Windows 即可使用:? openssl pkcs12 -export-in test_cert.pem -out test_cert.p12 -name "My Certificate" -inkeytest_key.pem? 由PKCS12 转至PEM:? openssl pkcs12 -intest_cert.p12 -out test_key2.pem? 再由PrivateKey 产生凭证:? openssl x509 -intest_key2.pem -text /-out test_cert2.pem? 文档加密: 「test_cert.pem 」为个人凭证,能够公开给大家,因此某人欲加密传送一文档给我,便能够依下列方式加密。编辑一个纯文字档,在此我们预设档名为「document.txt 」,而经加密码之档名为「document.enc 」:? echo "This is atext file." & document.txt? cat document.txt? openssl smime -encrypt-in document.txt /-out document.enc islab_cert.pem? cat document.enc? 文档解密: 倘若我们收到了某人传送的「document.enc」,我们便能使用PrivateKey 来进行解密:? openssl smime -decrypt-in document.enc /-recip test_cert.pem -inkey test_key.pem? 文档签章: 为文档签章可证实文档的来源为本人无误,并且能够验证文档是否被篡改。我们依前例,为一纯文字档「document.txt」签章,签章后文档名为「document.sig」:? openssl smime -sign-inkey test_key.pem /-signer test_cert.pem -in document.txt -out document.sig? 文档签章验证: 当某人收到这份文档时,可利用我们的凭证(test_cert.pem) 连同CA 凭证(cacert.pem) 来验证文档:? openssl smime -verify-in document.sig /-signer islab_cert.pem -out document.txt -CAfile cacert.pem? 因此我们能够知道,验证方必须事先取得 CA 凭证( cacert.pem ) 方可验证文档。? 
文档加密并签章:我们已知怎样加解密连同签章验证的方法了,因此要将文档加密并签章实非难事。我们必须先将文档进行签章再加密,而收方则以相反步骤进行解密再验证即可。

Linux下OpenSSL的安装全过程

1、下载地址:http://www.openssl.org/source/ 下一个新版本的OpenSSL,我下的版本是:openssl-1.0.0e.tar.gz
2、在下载的GZ目录中,用命令执行:tar -xzf openssl-openssl-1.0.0e.tar.gz
3、进入解压的目录:openssl-1.0.0e
   [.......]# cd openssl-1.0.0e
4、[.....openssl-1.0.0e]# ./config --prefix=/usr/local/openssl
5、[...../openssl-1.0.0e]# ./config -t
6、[...../openssl-1.0.0e]# make depend
7、[...../openssl-1.0.0e]# cd /usr/local
8、[/usr/local]# ln -s openssl ssl
9、在/etc/ld.so.conf文件的最后面,添加如下内容:
   /usr/local/openssl/lib
10、[...]# ldconfig
11、添加OPENSSL的环境变量:在etc/的profile的最后一行,添加:
   export OPENSSL=/usr/local/openssl/bin
   export PATH=$OPENSSL:$PATH:$HOME/bin
12、退出命令界面,再重新登录。
13、以上OPENSSL就安装完毕,下面进行一些检查。
14、依次如下执行:
   [root@localhost /]# cd /usr/local
   [root@localhost local]# ldd /usr/local/openssl/bin/openssl
   会出现类似如下信息:
   linux-vdso.so.1 => (0x00007fff3bc73000)
   libdl.so.2 => /lib64/libdl.so.2 (0x0d7000)
   libc.so.6 => /lib64/libc.so.6 (0x0000)
   /lib64/ld-linux-x86-64.so.2 (0x0db000)
15、查看路径
   [...]# which openssl
   /usr/local/openssl/bin/openssl
16、查看版本
   [...]# openssl version
   OpenSSL 1.0.0e 6 Sep 2011