Configure OpenSSL for Linux

When using any Speech SDK version before 1.9.0, OpenSSL is dynamically configured to the host-system version. In later versions of the Speech SDK, OpenSSL (version 1.1.1b) is statically linked into the core library of the Speech SDK.

To ensure connectivity, verify that OpenSSL certificates are installed on your system. Run the command:

openssl version -d

The output on Ubuntu/Debian based systems should be:

OPENSSLDIR: "/usr/lib/ssl"

Check whether there is a certs subdirectory under OPENSSLDIR. In the example above, it would be /usr/lib/ssl/certs.

  • If /usr/lib/ssl/certs exists and contains many individual certificate files (with a .crt or .pem extension), no further action is needed.

  • If OPENSSLDIR is something other than /usr/lib/ssl, and/or there is a single certificate bundle file instead of multiple individual files, you need to set the appropriate SSL environment variable to tell OpenSSL where the certificates can be found.

Examples

  • OPENSSLDIR is /opt/ssl. There is a certs subdirectory with many .crt or .pem files. Set the environment variable SSL_CERT_DIR to point at /opt/ssl/certs before running a program that uses the Speech SDK. For example:
export SSL_CERT_DIR=/opt/ssl/certs
  • OPENSSLDIR is /etc/pki/tls (as on RHEL/CentOS based systems). There is a certs subdirectory with a certificate bundle file, for example ca-bundle.crt. Set the environment variable SSL_CERT_FILE to point at that file before running a program that uses the Speech SDK. For example:
export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
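The decision procedure above (locate OPENSSLDIR, look for a certs subdirectory, then choose SSL_CERT_DIR for individual files or SSL_CERT_FILE for a single bundle) as an added shell example; it is not part of the original page or the Speech SDK, and the function names parse_openssldir and recommend_ssl_env are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: decide which SSL_CERT_*
# variable (if any) to set for the Speech SDK's statically linked OpenSSL,
# applying the rules in the text above. The function names are this
# example's own, not part of the SDK.

# Extract the directory from a line such as:  OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Usage: recommend_ssl_env OPENSSLDIR [DEFAULT_DIR]
# Prints the export line to run, or a status word when nothing is
# needed ("none-needed") or nothing could be decided (non-zero exit).
recommend_ssl_env() {
    dir="$1"; default="${2:-/usr/lib/ssl}"
    certs="$dir/certs"
    if [ ! -d "$certs" ]; then
        echo "no-certs-dir"; return 1
    fi
    # Count .crt/.pem entries; -f follows symlinks, which Debian uses here.
    n=0; last=""
    for f in "$certs"/*.crt "$certs"/*.pem; do
        if [ -f "$f" ]; then n=$((n + 1)); last="$f"; fi
    done
    if [ "$n" -gt 1 ] && [ "$dir" = "$default" ]; then
        echo "none-needed"                   # default dir, individual files
    elif [ "$n" -gt 1 ]; then
        echo "export SSL_CERT_DIR=$certs"    # other dir, individual files
    elif [ "$n" -eq 1 ]; then
        echo "export SSL_CERT_FILE=$last"    # single file: treat as a bundle
    else
        echo "no-cert-files"; return 1
    fi
}

# Stand-alone use: query the local OpenSSL and print the recommendation.
if command -v openssl >/dev/null 2>&1; then
    recommend_ssl_env "$(parse_openssldir "$(openssl version -d)")" || true
fi
```

Run it once on the target host and paste the printed export line into the environment of the process that loads the Speech SDK.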

Certificate Revocation Checks

When connecting to the Speech Service, the Speech SDK verifies that the TLS certificate used by the Speech Service has not been revoked. To perform this check, the Speech SDK needs access to the CRL distribution points of the Certificate Authorities used by Azure. A list of possible CRL download locations can be found in this document. If a certificate has been revoked, or the CRL cannot be downloaded, the Speech SDK aborts the connection and raises the Canceled event.

If the network from which the Speech SDK is used does not permit access to the CRL download locations, the CRL check can either be disabled entirely or set to not fail when the CRL cannot be retrieved. This is configured through the configuration object used to create a Recognizer object.

To continue with the connection when a CRL cannot be retrieved, set the property OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE:

C#:
config.SetProperty("OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE", "true");
C++:
config->SetProperty("OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE", "true");
Java:
config.setProperty("OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE", "true");
Python:
speech_config.set_property_by_name("OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE", "true")
Objective-C:
[config setPropertyTo:@"true" byName:@"OPENSSL_CONTINUE_ON_CRL_DOWNLOAD_FAILURE"];

When set to "true", the SDK still attempts to retrieve the CRL. If the retrieval succeeds, the certificate is checked for revocation; if the retrieval fails, the connection is allowed to continue.

To disable certificate revocation checks completely (a revoked certificate is then no longer rejected), set the property OPENSSL_DISABLE_CRL_CHECK to "true":

C#:
config.SetProperty("OPENSSL_DISABLE_CRL_CHECK", "true");
C++:
config->SetProperty("OPENSSL_DISABLE_CRL_CHECK", "true");
Java:
config.setProperty("OPENSSL_DISABLE_CRL_CHECK", "true");
Python:
speech_config.set_property_by_name("OPENSSL_DISABLE_CRL_CHECK", "true")
Objective-C:
[config setPropertyTo:@"true" byName:@"OPENSSL_DISABLE_CRL_CHECK"];

Note

It is also worth noting that some Linux distributions do not define a TMP or TMPDIR environment variable. This causes the Speech SDK to download the Certificate Revocation List (CRL) on every connection, rather than caching it to disk for reuse until it expires. To improve initial connection performance, create an environment variable named TMPDIR and set it to the path of your chosen temporary directory.

Next steps