SSL. The most complete example of the use

Hello.

I'm trying to understand SSL settings for golang.
I have not found a complete example for SSL, only pieces of code.

Note: We use openssl, as the most common tool for creating certificates.

We create a self-signed root certificate: ca.key and ca.crt.
Then we create a server certificate (server.crt and server.key) and sign it using the root certificate (ca.key and ca.crt).
Then we create a client certificate (client01.crt and client01.key) and sign it using the root certificate (ca.key and ca.crt).

Then we create the server program:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"
)

func handler(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("This is an example server.\n"))
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", handler)

	// Earlier attempt: trusting the client certificate itself instead of the root.
	//	caCertCli, err := ioutil.ReadFile("client01.crt")
	//	if err != nil {
	//		log.Fatal(err)
	//	}
	//	caCertPool := x509.NewCertPool()
	//	caCertPool.AppendCertsFromPEM(caCertCli)

	// Load our own root CA; client certificates must chain to it.
	caCertRoot, err := ioutil.ReadFile("ca.crt")
	if err != nil {
		log.Fatal(err)
	}

	caCertPoolRoot := x509.NewCertPool()
	// AppendCertsFromPEM returns false when no certificate could be parsed from the file.
	if !caCertPoolRoot.AppendCertsFromPEM(caCertRoot) {
		log.Fatal("no certificates found in ca.crt")
	}
	//	caCertPoolRoot.AppendCertsFromPEM(caCertCli)

	cfg := &tls.Config{
		ClientCAs:  caCertPoolRoot,                  // CAs trusted to issue client certificates
		ClientAuth: tls.RequireAndVerifyClientCert, // every client must present a valid certificate
	}

	s := &http.Server{
		Addr:      ":10443",
		Handler:   mux,
		TLSConfig: cfg,
	}

	log.Printf("About to listen on 10443. Go to https://127.0.0.1:10443/")

	// The server's own certificate and key are loaded here.
	err = s.ListenAndServeTLS("server.crt", "server.key")
	log.Fatal(err)
}

I do not install the root certificate into the operating system. I want the client and server software to use the root certificate themselves.

So far I'm using curl to check.
I have not tested the client program in Go, because I do not have a working example with curl.

curl -k --key client01.key --cert client01.crt --cacert ca.crt --url https://127.0.0.1:10443/

Curl output:
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

server program output:
2016/11/04 11:40:48 About to listen on 10443. Go to https://127.0.0.1:10443/
2016/11/04 11:40:53 http: TLS handshake error from 127.0.0.1:4937: tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm MD5-RSA" while trying to verify candidate authority certificate "etc")

I think the problem is that the server cannot see the root certificate.

I have some questions:

  1. How to set up a root certificate in the server program?
  2. How to configure the server to accept only specific clients? For example, to allow connections only from client01 (which has a certificate and private key), but not from other clients (which have a certificate signed by the same root certificate).
  3. A working golang client example (but only after curl works).
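Added example, not code from the original post: a self-contained Go program that exercises all three questions. The server's log line above points at the real blocker: the candidate authority certificate is signed with MD5-RSA, which Go's x509 verifier refuses regardless of how the pool is configured, so the openssl-made CA needs re-issuing with SHA-256 before any ClientCAs setup can succeed. To stay runnable offline, the example mints its own SHA-256/P-256 CA, server and client certificates in memory (the helper newCert, the allow-list error ErrNotAllowed and the functions serverConfig, clientConfig, handshake and Scenarios are all assumptions of this example, not part of the post). serverConfig puts the root in ClientCAs (question 1) and uses VerifyPeerCertificate to admit only listed subjects (question 2); clientConfig is the Go counterpart of the curl command (question 3). Going beyond the post, Scenarios also runs a client whose certificate comes from an unrelated CA to show that the chain check rejects it before the allow list is even consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// ErrNotAllowed: the client chains to our CA, but its subject is not on the allow list.
var ErrNotAllowed = errors.New("client certificate is not on the allow list")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a P-256 certificate for cn in memory (constructed stand-in for the
// openssl-made files). parent == nil gives a self-signed CA, otherwise a leaf signed by parent.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // lets the client verify the server by IP
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig: ClientCAs holds our own root (no OS trust store involved), and
// VerifyPeerCertificate, which Go calls only after that chain check has passed,
// narrows the accepted client subjects to the allow list.
func serverConfig(trusted *x509.CertPool, serverCert tls.Certificate, allow map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trusted,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			if !allow[verifiedChains[0][0].Subject.CommonName] { // [0][0] is the verified client leaf
				return ErrNotAllowed
			}
			return nil
		},
	}
}

// clientConfig mirrors curl --cacert ca.crt --cert client.crt --key client.key (no -k needed).
func clientConfig(trusted *x509.CertPool, clientCert tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: trusted, Certificates: []tls.Certificate{clientCert}}
}

// handshake runs one handshake over loopback and returns the server-side result,
// which is where client-certificate failures surface.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	res := <-serverErr // wait before closing so the server sees the client's whole flight
	if err == nil {
		conn.Close()
	}
	return res
}

// Scenarios: a server allowing only "client01" meets that client, "client02" from
// the same CA, and a "client01" issued by an unrelated CA.
func Scenarios() (allowed, notListed, foreignCA error) {
	ca := newCert("Example Root CA", nil)
	otherCA := newCert("Some Other CA", nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	server := serverConfig(trusted, newCert("127.0.0.1", &ca), map[string]bool{"client01": true})
	allowed = handshake(server, clientConfig(trusted, newCert("client01", &ca)))
	notListed = handshake(server, clientConfig(trusted, newCert("client02", &ca)))
	foreignCA = handshake(server, clientConfig(trusted, newCert("client01", &otherCA)))
	return
}
```

For a real deployment the in-memory newCert calls are replaced by tls.LoadX509KeyPair on the openssl-made files and the pool is filled with AppendCertsFromPEM from ca.crt, exactly as in the server program above; the allow list is the only piece the post's configuration lacked. Matching on the CommonName is enough here because the CA is ours and issues each name once; with a shared or third-party CA, pin the serial number or the certificate's SubjectKeyId instead, since any client of that CA could request the same CN.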
