CURL и ГОСТ под Windows

[AnrDaemon]

OpenSSL всегда идёт вместе с сырцами. Требование GPL. Так что за отмазу не канает.

 

[Активист]

Судя по тексту исходников 7.43.0 проблема (отказ чтения файла конфигурации openssl.cfg с подключением ГОСТ-алгоритмов) не должна проявляться (lib\vtls\openssl.c), судя по присутствию вызова функции CONF_modules_load_file(NULL, NULL ...

Не, как надо было костыль вставлять в библиотеку openssl пыха, так и надо. Не цепляет он openssl.cfg

root@serv001:/usr/src/smoke# /opt/openssl/bin/openssl s_client -connect zakupki.gov.ru:443
CONNECTED(00000003)
depth=1 unstructuredName = Server CA, emailAddress = [email protected], ST = 77 \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, 1.2.643.3.131.1.1 = #120C303037373130353638373630, 1.2.643.100.1 =
... CN = zakupki.gov.ru
verify return:1
---
Certificate chain
0 s:/1.2.643.3.131.1.1=007710568760/1.2.643.100.3=03874146675/1.2.643.100.1.
...CN=zakupki.gov.ru
   i:/unstructuredName=Server CA/[email protected]/ST=77 \xD0\xB3.
.....
---
Server certificate
-----BEGIN CERTIFICATE-----
...
z0QRkWyE
-----END CERTIFICATE-----
...
No client certificate CA names sent
---
SSL handshake has read 2402 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is GOST2001-GOST89-GOST89
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : GOST2001-GOST89-GOST89
    Session-ID:
    Session-ID-ctx:
    Master-Key: ABAC821619A3637571437D4309CB9507CB220D4D911E3D99CC41F1A4FABAFDC0F44A76A73F81518721087135CB1069D4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1439446257
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Собиралось так:

SRC="/usr/src/openssl/1.0.1-stable"
if [ ! -d $SRC ];
then
git clone https://github.com/openssl/openssl.git -b OpenSSL_1_0_1-stable $SRC
else
cd $SRC
git pull
fi;
cd $SRC
read -p "Press enter to continue or ^C to break?" REPLY
./config --prefix=/opt/openssl no-idea enable-tlsext no-ssl2 no-ssl3 enable-rfc3779 enable-rfc3779
read -p "Press enter to make depend or ^C to stop?" REPLY
make depend
read -p "Press enter to make or ^C to break?" REPLY
make
read -p "Press enter to make install or ^C to break?" REPLY
make install
read -p "Press enter to copy certs or ^C to break?" REPLY
cp -RPL /etc/ssl/certs/* /opt/openssl/ssl/certs
/opt/openssl/bin/c_rehash /opt/openssl/ssl/certs
cat /opt/openssl/ssl/certs/*.pem > /opt/openssl/ssl/certs/ca-certificates.crt

wget 'http://zakupki.gov.ru/wps/wcm/connect/f6c0b180404d418bafd2bf8ba952f72a/%D0%9A%D0%BE%D1%80%D0%BD%D0%B5%D0%B2%D0%BE%D0%B9+%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82+%D0%A3%D0%A3%D0%A6+%D0%A4%D0%9A+%D0%BD%D0%BE%D0%B2%D0%BE%D0%B3%D0%BE+%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%82%D0%B0+%282013%D0%B3%29.zip?MOD=AJPERES&CACHEID=f6c0b180404d418bafd2bf8ba952f72a' -O 1.zip
unzip 1.zip
openssl x509 -in 'root2013.cer' -inform DES -out /opt/openssl/ssl/certs/ROOT_ROSPIL.pem
chmod 644 /opt/openssl/ssl/certs/ROOT_ROSPIL.pem
/opt/openssl/bin/c_rehash /opt/openssl/ssl/certs
cat /opt/openssl/ssl/certs/*.pem > /opt/openssl/ssl/certs/ca-certificates.crt
/opt/openssl/bin/c_rehash /opt/openssl/ssl/certs

При этом CURL собирается отдельно к пыху

# Curl
git clone  https://github.com/bagder/curl
git checkout tags/curl-7_44_0
./buildconf
./configure --prefix=/opt/curl --with-ssl=/opt/openssl --disable-file --without-pic --disable-shared --without-ca-bundle --with-ca-path=/opt/openssl/ssl/certs
make -j10
make install

Пых с свою очередь собирается с этими либами

./configure --prefix="$PREFIX"\
--enable-cgi \
--enable-static \
\
--enable-mbstring \
--enable-soap \
--enable-zip \
--enable-calendar \
--enable-sockets \
--enable-bcmath \
\
--with-zlib\
--with-openssl=/opt/openssl \
--with-curl=/opt/curl \
--with-gettext=shared \
\
--with-gd=shared \
--enable-gd-native-ttf \
--with-freetype-dir=/usr \
\
--with-mcrypt \
--with-mysql \
--with-mysqli \
--with-pdo-mysql \
\
--with-jpeg-dir=/usr \
--with-png-dir=/usr \
--with-config-file-path="$CFG" \
--with-config-file-scan-dir="$CFG/conf.d"

При этом ни curl не тянет

root@serv001:/usr/src/smoke# php ./test.php
* About to connect() to zakupki.gov.ru port 443 (#0)
*   Trying 194.105.148.87... * connected
* Connected to zakupki.gov.ru (194.105.148.87) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned
* Closing connection #0
bool(false)
root@serv001:/usr/src/smoke#

 

[Mishall]

спасибо, Активист, за развернутый ответ

а что выдает # curl --engine list ?
и

print_r(openssl_get_cipher_methods());
print_r(openssl_get_md_methods());

При этом ни curl не тянет

 

[Активист]

спасибо, Активист, за развернутый ответ

а что выдает # curl --engine list ?
и

print_r(openssl_get_cipher_methods());
print_r(openssl_get_md_methods());

root@serv001:/usr/src/smoke# /opt/curl/bin/curl --engine list 
Build-time engines:
  rsax
  dynamic
  4758cca
  aep
  atalla
  cswift
  chil
  nuron
  sureware
  ubsec
  gost
root@serv001:/usr/src/smoke#

root@serv001:/usr/src/smoke# /opt/php-5.5/bin/php -r 'print_r(openssl_get_cipher_methods());';
Array
(
    [0] => AES-128-CBC
    [1] => AES-128-CBC-HMAC-SHA1
    [2] => AES-128-CFB
    [3] => AES-128-CFB1
    [4] => AES-128-CFB8
    [5] => AES-128-CTR
    [6] => AES-128-ECB
    [7] => AES-128-OFB
    [8] => AES-128-XTS
    [9] => AES-192-CBC
    [10] => AES-192-CFB
    [11] => AES-192-CFB1
    [12] => AES-192-CFB8
    [13] => AES-192-CTR
    [14] => AES-192-ECB
    [15] => AES-192-OFB
    [16] => AES-256-CBC
    [17] => AES-256-CBC-HMAC-SHA1
    [18] => AES-256-CFB
    [19] => AES-256-CFB1
    [20] => AES-256-CFB8
    [21] => AES-256-CTR
    [22] => AES-256-ECB
    [23] => AES-256-OFB
    [24] => AES-256-XTS
    [25] => BF-CBC
    [26] => BF-CFB
    [27] => BF-ECB
    [28] => BF-OFB
    [29] => CAMELLIA-128-CBC
    [30] => CAMELLIA-128-CFB
    [31] => CAMELLIA-128-CFB1
    [32] => CAMELLIA-128-CFB8
    [33] => CAMELLIA-128-ECB
    [34] => CAMELLIA-128-OFB
    [35] => CAMELLIA-192-CBC
    [36] => CAMELLIA-192-CFB
    [37] => CAMELLIA-192-CFB1
    [38] => CAMELLIA-192-CFB8
    [39] => CAMELLIA-192-ECB
    [40] => CAMELLIA-192-OFB
    [41] => CAMELLIA-256-CBC
    [42] => CAMELLIA-256-CFB
    [43] => CAMELLIA-256-CFB1
    [44] => CAMELLIA-256-CFB8
    [45] => CAMELLIA-256-ECB
    [46] => CAMELLIA-256-OFB
    [47] => CAST5-CBC
    [48] => CAST5-CFB
    [49] => CAST5-ECB
    [50] => CAST5-OFB
    [51] => DES-CBC
    [52] => DES-CFB
    [53] => DES-CFB1
    [54] => DES-CFB8
    [55] => DES-ECB
    [56] => DES-EDE
    [57] => DES-EDE-CBC
    [58] => DES-EDE-CFB
    [59] => DES-EDE-OFB
    [60] => DES-EDE3
    [61] => DES-EDE3-CBC
    [62] => DES-EDE3-CFB
    [63] => DES-EDE3-CFB1
    [64] => DES-EDE3-CFB8
    [65] => DES-EDE3-OFB
    [66] => DES-OFB
    [67] => DESX-CBC
    [68] => GOST 28147-89
    [69] => RC2-40-CBC
    [70] => RC2-64-CBC
    [71] => RC2-CBC
    [72] => RC2-CFB
    [73] => RC2-ECB
    [74] => RC2-OFB
    [75] => RC4
    [76] => RC4-40
    [77] => RC4-HMAC-MD5
    [78] => SEED-CBC
    [79] => SEED-CFB
    [80] => SEED-ECB
    [81] => SEED-OFB
    [82] => aes-128-cbc
    [83] => aes-128-cbc-hmac-sha1
    [84] => aes-128-cfb
    [85] => aes-128-cfb1
    [86] => aes-128-cfb8
    [87] => aes-128-ctr
    [88] => aes-128-ecb
    [89] => aes-128-gcm
    [90] => aes-128-ofb
    [91] => aes-128-xts
    [92] => aes-192-cbc
    [93] => aes-192-cfb
    [94] => aes-192-cfb1
    [95] => aes-192-cfb8
    [96] => aes-192-ctr
    [97] => aes-192-ecb
    [98] => aes-192-gcm
    [99] => aes-192-ofb
    [100] => aes-256-cbc
    [101] => aes-256-cbc-hmac-sha1
    [102] => aes-256-cfb
    [103] => aes-256-cfb1
    [104] => aes-256-cfb8
    [105] => aes-256-ctr
    [106] => aes-256-ecb
    [107] => aes-256-gcm
    [108] => aes-256-ofb
    [109] => aes-256-xts
    [110] => bf-cbc
    [111] => bf-cfb
    [112] => bf-ecb
    [113] => bf-ofb
    [114] => camellia-128-cbc
    [115] => camellia-128-cfb
    [116] => camellia-128-cfb1
    [117] => camellia-128-cfb8
    [118] => camellia-128-ecb
    [119] => camellia-128-ofb
    [120] => camellia-192-cbc
    [121] => camellia-192-cfb
    [122] => camellia-192-cfb1
    [123] => camellia-192-cfb8
    [124] => camellia-192-ecb
    [125] => camellia-192-ofb
    [126] => camellia-256-cbc
    [127] => camellia-256-cfb
    [128] => camellia-256-cfb1
    [129] => camellia-256-cfb8
    [130] => camellia-256-ecb
    [131] => camellia-256-ofb
    [132] => cast5-cbc
    [133] => cast5-cfb
    [134] => cast5-ecb
    [135] => cast5-ofb
    [136] => des-cbc
    [137] => des-cfb
    [138] => des-cfb1
    [139] => des-cfb8
    [140] => des-ecb
    [141] => des-ede
    [142] => des-ede-cbc
    [143] => des-ede-cfb
    [144] => des-ede-ofb
    [145] => des-ede3
    [146] => des-ede3-cbc
    [147] => des-ede3-cfb
    [148] => des-ede3-cfb1
    [149] => des-ede3-cfb8
    [150] => des-ede3-ofb
    [151] => des-ofb
    [152] => desx-cbc
    [153] => gost89
    [154] => gost89-cnt
    [155] => id-aes128-GCM
    [156] => id-aes192-GCM
    [157] => id-aes256-GCM
    [158] => rc2-40-cbc
    [159] => rc2-64-cbc
    [160] => rc2-cbc
    [161] => rc2-cfb
    [162] => rc2-ecb
    [163] => rc2-ofb
    [164] => rc4
    [165] => rc4-40
    [166] => rc4-hmac-md5
    [167] => seed-cbc
    [168] => seed-cfb
    [169] => seed-ecb
    [170] => seed-ofb
)
root@serv001:/usr/src/smoke#

root@serv001:/usr/src/smoke# /opt/php-5.5/bin/php -r 'print_r(openssl_get_md_methods());'
Array
(
    [0] => DSA
    [1] => DSA-SHA
    [2] => GOST 28147-89 MAC
    [3] => GOST R 34.11-94
    [4] => MD4
    [5] => MD5
    [6] => MDC2
    [7] => RIPEMD160
    [8] => SHA
    [9] => SHA1
    [10] => SHA224
    [11] => SHA256
    [12] => SHA384
    [13] => SHA512
    [14] => dsaEncryption
    [15] => dsaWithSHA
    [16] => ecdsa-with-SHA1
    [17] => gost-mac
    [18] => md4
    [19] => md5
    [20] => md_gost94
    [21] => mdc2
    [22] => ripemd160
    [23] => sha
    [24] => sha1
    [25] => sha224
    [26] => sha256
    [27] => sha384
    [28] => sha512
    [29] => whirlpool
)
root@serv001:/usr/src/smoke#

Поддержка есть, а все равно конфиг не цепляет по умолчанию:

root@serv001:/usr/src/smoke# /opt/php-5.5/bin/php ./php-test-gost.php 
* Rebuilt URL to: https://zakupki.gov.ru/
*   Trying 194.105.148.87...
* Connected to zakupki.gov.ru (194.105.148.87) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /opt/openssl/ssl/certs
* error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned
* Closing connection 0
bool(false)
root@serv001:/usr/src/smoke# cat php-test-gost.php 
<?php

$ch = curl_init("https://zakupki.gov.ru");
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURL_SSLVERSION_TLSv1_2, 1);
var_dump( curl_exec( $ch ) );

root@serv001:/usr/src/smoke#

 

[Mishall]

скомпилировал CURL под Win с учетом следующего порядка:

1. Установка WinOpenSSL,
2. Установка Windows Platform SDK.
3. Компиляция Curl (nmake /f Makefile.vc mode=static WITH_SSL=static WITH_DEVEL=C:\OpenSSL-Win32 VC=11 ENABLE_SSPI=no ENABLE_IDN=no ENABLE_WINSSL=no DEBUG=no MACHINE=x86 GEN_PDB=no ENABLE_IPV6=yes)

сразу после успешной компиляции и запуска curl.exe получаю ошибку библиотеки

The ordinal 3182 could be located in the dynamic link library LIBEAY32.dll

для устранения копирую в папку с curl.exe библиотеку LIBEAY32.dll из C:\OpenSSL-Win32

в результате через curl.exe --version получаю

-release-static-ssl-static-ipv6\bin\curl.exe --version
curl 7.43.0 (i386-pc-win32) libcurl/7.43.0 OpenSSL/1.0.1p
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL

а проверка поддержки ГОСТ - curl.exe --engine list не выдает поддержку gost-движка

curl.exe --engine list
Build-time engines:
<none>

при этом openssl.exe ciphers выводит поддержку гост

после применения патча для файла "build\lib\vtls\openssl.c" и функции int Curl_ossl_init(void), см.соседнюю ветку

curl.exe -V
GOST engine already loaded
curl 7.43.0 (i386-pc-win32) libcurl/7.43.0 OpenSSL/1.0.1p
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM SSL

curl.exe --engine list
GOST engine already loaded
Build-time engines:
<none>

почему GOST не попал в список build-time engines по аналогии с примером Активист?

 

[Активист]

Попробуйте скомпилить libcurl как описывает тут: http://curl.haxx.se/docs/install.html , к сожалению венды нет, проверить не могу.

 

[Mishall]

не удалось-таки добиться поддержки ГОСТ на уровне CURL
реализовал через туннель от stunnel в редакции КриптоПРО

возможно чуть позже вернусь к компиляции CURL
огромное всем спасибо за советы!