问题
I can implement HTTP using "win sockets" easily , but I've been struggling to implement HTTPS using "SChannel" which is pretty much poorly documented "at least for me". How can I establish a secure connection for HTTPS communication and is there any security or performance considerations I should be aware of?
回答1:
SChannel integrated quite well with Windows and allows you to perform authentication without asking the user's credentials. Schannel works on a lower level than HTTP. It allows you to open secure tcp connections (ssl socket). You need to implement you own HTTP stack to send HTTPS requests or find a library. To get used to Schannel the best place to start is to understand Microsoft's samples which is a client-server example:
Client
Server
They are pretty simple examples but enough to understand the basics.
Curl has been using Schannel for a while and you can find some very useful code for your exercise https://github.com/curl/curl/blob/master/lib/vtls/schannel.c.
Security is a big topic and that's the purpose of Schannel. You will inherit the security risks of the operating system. Microsoft usually patches security issues quickly. If you are targeting Windows only, it is a good choice because of the deep integration to the Windows ecosystem. For example, you don't have to deploy your own ssl certificates like you do with openssl, Schannel will read the system certs automatically. You can also implement NTLM and Kerberos authentication easily without having to ask for credentials, Schannel will get a credentials handle from the user running your software. In general, it is pretty good library and as far as I know there is no performance penalty compared to other SSL libraries. It well tested and deployed to millions of machines around the world.
来源:https://stackoverflow.com/questions/34114163/schannel-ssl-implementation