Hello good day,
I’am here again about TLS communication.
I tried to create test client-server app, communicate over the TLS. the certificate is created using
cfssl.
What I did so far, I created a CA then create the server cert and key, and client cert and key. distribute the cert and key with the CA certificate.
My question is if an attacker able to copy the client certificate and key and the CA certificate, would it be the he can do an MITM attack between the client and the server?
the client and server config on creating the cert is almost identical except on the organization and the organization unit.
here is my server main.go
func main() {
log.SetFlags(log.LstdFlags | log.Lshortfile)
cer, err := tls.LoadX509KeyPair("server.pem", "server-key.pem")
if err != nil {
log.Println(err)
return
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("intermediate.pem")
if err != nil {
log.Println(err)
return
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Println("failed to append ca certificate")
return
}
tlsC := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cer},
ClientCAs: certPool,
}
ln, err := tls.Listen("tcp", ":443", tlsC)
if err != nil {
log.Println(err)
return
}
defer ln.Close()
for {
conn, err := ln.Accept()
if err != nil {
log.Println(err)
return
}
go handleConnection(conn)
}
}
func handleConnection(conn net.Conn) {
defer conn.Close()
r := bufio.NewReader(conn)
for {
msg, err := r.ReadString('\n')
if err != nil {
log.Println(err)
return
}
println(msg)
n, err := conn.Write([]byte("world\n"))
if err != nil {
log.Println(n, err)
return
}
}
}
and this is my main.go for the client
func main() {
log.SetFlags(log.LstdFlags | log.Lshortfile)
cer, err := tls.LoadX509KeyPair("client.pem", "client-key.pem")
if err != nil {
log.Println(err)
return
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("intermediate.pem")
if err != nil {
log.Println(err)
return
}
if ok := certPool.AppendCertsFromPEM(ca); !ok {
log.Println("failed to append ca certificate")
return
}
tlsC := &tls.Config{
ServerName: "localhost",
Certificates: []tls.Certificate{cer},
RootCAs: certPool,
}
con, err := tls.Dial("tcp", "192.168.10.1:443", tlsC)
if err != nil {
log.Println(err)
return
}
log.Println("192.168.10.1:443")
defer con.Close()
n, err := con.Write([]byte("hello\n"))
if err != nil {
log.Println(err)
return
}
buf := make([]byte, 100)
n, err = con.Read(buf)
if err != nil {
log.Println(err)
return
}
println(string(buf[:n]))
}
Thanks.