View thesis information

Chinese title:

 Research and Implementation of the Guomi (National Cryptographic) SSL Secure Communication Protocol

Name:

 吴永强    

Student ID:

 1203121753    

Confidentiality level:

 Public

Thesis language:

 chi    

Discipline code:

 081203    

Discipline name:

 Computer Application Technology

University:

 Xidian University

School/Department:

 School of Computer Science

Major:

 Computer Application Technology

First supervisor's name:

 苏锐丹    

First supervisor's affiliation:

 Xidian University

Completion date:

 2014-12-13    

Defense date:

 2014-12-13    

Foreign-language title:

 Research and Implementation of SSL Secure Communication Protocol Based on Chinese Cipher    

Chinese keywords:

 OpenSSL ; Guomi SSL ; VPN ; SM2 ; SM3 ; SM4

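Chinese abstract:
Network communication security has been elevated to a matter of national strategy for our country, and whether in the Internet era or the era of big data and cloud computing it has always been a focus of attention. The Secure Sockets Layer (SSL) protocol is currently the most widely used transport-layer secure communication protocol. It safeguards the secure transmission of application data and plays an extremely important role in fields such as e-government and e-commerce. However, SSL using traditional cryptographic algorithms cannot meet the needs of China's commercial cryptography applications. Facing an increasingly severe security situation, the State Cryptography Administration released the Guomi (national cryptographic) commercial SM series of algorithms and also drew up the "Guomi SSL VPN Technical Specification" to guide the development of Guomi SSL VPNs. This thesis implements the Guomi SM series of algorithms on the basis of OpenSSL, and then analyzes and implements the Guomi SSL VPN protocol according to the "Guomi SSL VPN Technical Specification". Specifically, the work covers the following three aspects:
1. Using OpenSSL's Engine cryptographic engine mechanism, the Guomi SM2, SM3 and SM4 algorithms are added as extensions so that the OpenSSL Crypto library supports the Guomi SM series of algorithms. On the basis of these algorithm implementations, the PKI tools bundled with OpenSSL are used to build a lightweight CA for issuing and managing SM2 certificates.
2. By analyzing the standard SSL communication protocol, the version 1.0 Guomi SSL protocol specified in the Guomi SSL VPN specification is added as an extension. The work focuses on the cipher suite negotiation process between the two communicating parties and adds Guomi cipher suites that call the Guomi SM series of algorithms at the lower layer.
3. A typical secure Web application test environment is built on the extended OpenSSL. By configuring the Web server and a local port proxy on the client, the two parties negotiate with the Guomi SSL protocol and use a Guomi cipher suite, and packets are captured to verify the correctness of the Guomi SSL protocol implementation.
The results of this research can provide transport-layer secure communication support for the development of all kinds of security applications, including HTTPS secure Web communication and Guomi SSL VPN. At present only the ECC-SM1-SM3 cipher suite has been implemented. In future work all the suites required by the "Guomi SSL VPN Technical Specification" can be implemented to provide more complete support.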
Foreign-language abstract:
Network communication security has risen to the strategic height of our country and has always been the focus of attention in the age of the Internet. The Secure Socket Layer (SSL) protocol is currently the most widely used transport layer security protocol; it provides protection for the secure transmission of application data and plays an extremely important role in areas such as e-government and e-commerce. However, the SSL protocol using the traditional cryptographic algorithms cannot meet the demand of China's commercial cryptographic applications. Faced with the increasingly grim security situation, the State Encryption Administration issued national commercial cryptographic algorithms (the SM algorithms) and also drafted a guidance called "SSL VPN technical specifications based on Chinese cipher" to direct the development of SSL VPNs using the SM algorithms. This article implements the national commercial cryptographic algorithms based on OpenSSL. The SSL VPN protocol using the national cryptographic algorithms is then implemented following the "SSL VPN technical specifications based on Chinese cipher". Specifically, the work includes the following four aspects:
1. On the basis of the cryptographic engine mechanism of OpenSSL, the national cryptographic algorithms (SM2, SM3, SM4) are extended into the source code of OpenSSL. Thus, the OpenSSL crypto library can support the national commercial cryptographic algorithms, and we could build a lightweight CA using the PKI tools of OpenSSL for issuing and managing certificates with SM2.
2. By analyzing the traditional SSL protocol, the SSL protocol is extended to support the national cryptographic algorithms. The negotiation process of cipher suites between communicating parties is analyzed, and the national cipher suites related to the cryptographic algorithms are added, which invoke the series of SM algorithms at the low layer.
3. A typical web application security testing environment is built on the extended OpenSSL. The SSL protocol with Chinese cipher is used to protect the communication by configuring the Web server and local-port agents in the client. Lastly, we capture the communication traffic to verify the correctness of the newly extended SSL protocol.
The results of this paper may provide transport-layer secure communication support for all types of security applications, including HTTPS Web communications, SMTPS, SSL VPN, etc. Only the ECC-SM1-SM3 cipher suite is implemented currently. All other cipher suites specified in "SSL VPN technical specifications based on Chinese cipher" "National Cryptographic Algorithms SSL VPN technology standard" will be implemented to provide better support.
Chinese Library Classification number:

 11    

Collection number:

 11-28815    

Release date:

 2015-09-13    
