TLS authentication of the client

Is there a way to use TLS to authenticate a browser?

The software I develop provides a web interface and I want to limit access to trusted clients (browsers) only. By “trusted” I mean those that have a proper “certificate” file installed manually.

In other words, I was wondering if there is a way to generate some special cert+key files (for the http.ListenAndServeTLS function), together with an additional “secret” file to be imported into a client browser’s certificate store,
all to make sure that only the browsers that have imported this “secret” file can access the web interface.

I don’t care about trusting the server - only about trusting the client.

When I first saw your question I was plagued by a slew of thoughts about what is and isn’t appropriate for authentication, and so I dived into why one might do this. I found some good answers as to why you would use it, and here is some help with getting the server to require a certificate: https://stackoverflow.com/questions/24181081/request-client-certificate-for-authentication

For more detailed information on what settings are available with regard to TLS in Go’s standard library, refer to this: https://godoc.org/crypto/tls#Config

Thanks for your question; it gave me the opportunity to learn something I wouldn’t have thought to do.


Thank you - that’s very helpful.

The only remaining question is: how do I create the client certificate?

The main way would be with a command-line utility: https://gist.github.com/mtigas/952344 has a CLI tutorial about generating certs.


Thank you!

FYI, to get it working, I had to add “ca.crt” to “server.TLSConfig.ClientCAs”:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"os"
)

func start_ssl_server() {
	// Refuse to start unless a plausible CA key file is present.
	fi, err := os.Stat("ca.key")
	if err != nil || fi.Size() < 100 {
		println("ca.key not found")
		return
	}

	// try to start SSL server...
	dat, err := os.ReadFile("ca.crt")
	if err != nil {
		println("ca.crt not found")
		// no "ca.crt" file - do not start SSL server
		return
	}

	server := &http.Server{
		Addr: ":4433",
		TLSConfig: &tls.Config{
			// every client must present a certificate that verifies against ClientCAs
			ClientAuth: tls.RequireAndVerifyClientCert,
		},
	}
	// ClientCAs is the pool of CAs that client certificates must chain up to
	server.TLSConfig.ClientCAs = x509.NewCertPool()
	ok := server.TLSConfig.ClientCAs.AppendCertsFromPEM(dat)
	if !ok {
		println("AppendCertsFromPEM error")
		return
	}

	println("Starting SSL server at port 4433...")
	// the CA cert and key are also used as the server's own certificate here
	err = server.ListenAndServeTLS("ca.crt", "ca.key")
	if err != nil {
		println(err.Error())
	}
}

func main() {
	start_ssl_server()
}
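An end-to-end example of the whole setup the thread circles around (generating the CA and the client cert, configuring ClientCAs + RequireAndVerifyClientCert, and checking that a client without the cert is turned away). This is added code, not anything posted in the thread; the names PKI, NewPKI, newCert, ServerConfig and Fetch, the CommonName “trusted browser”, the 24-hour validity and the use of P-256 ECDSA keys are my own choices, and it uses net/http/httptest on a loopback port instead of http.ListenAndServeTLS on :4433 so that it runs stand-alone. Unlike the posted server it mints a separate server certificate instead of reusing the CA key as the TLS server key, so the CA key never has to live on the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// PKI (hypothetical type): a private CA plus a server cert and a client cert it
// signed. The client cert+key is the "secret" a trusted browser would import.
type PKI struct {
	CA, Server, Client          *x509.Certificate
	CAKey, ServerKey, ClientKey *ecdsa.PrivateKey
}

// newCert mints a P-256 key and a cert for it, self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var signer any = parentKey
	if parent == nil { // no parent: self-sign, this is the CA itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds a 24h CA, a server cert for localhost and a clientAuth client cert.
func NewPKI() (*PKI, error) {
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	}
	caTmpl := tmpl(1, "example private CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := tmpl(2, "localhost", x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"localhost"}
	srv, srvKey, err := newCert(srvTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	// EKU clientAuth is what the server's verification checks for on the client cert.
	cli, cliKey, err := newCert(tmpl(3, "trusted browser", x509.ExtKeyUsageClientAuth), ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{ca, srv, cli, caKey, srvKey, cliKey}, nil
}

// ServerConfig is what the last post arrives at: present the server cert and
// require a client cert that chains to the CA placed in ClientCAs.
func (p *PKI) ServerConfig() *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.Server.Raw}, PrivateKey: p.ServerKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// Fetch makes one HTTPS request to a loopback server running ServerConfig and
// returns the client CommonName the handler saw. cert == nil models a browser
// that never imported the client cert; the request then fails with a TLS error.
func (p *PKI) Fetch(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName) // only reached after verification
	}))
	ts.TLS = p.ServerConfig()
	ts.StartTLS()
	defer ts.Close()
	roots := x509.NewCertPool()
	roots.AddCert(p.CA) // the browser side trusts the same CA for the server cert
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(ts.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	p, err := NewPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Fetch(p.Client, p.ClientKey)) // trusted browser <nil>
	fmt.Println(p.Fetch(nil, nil))              // "" plus a TLS error: no client cert was presented
}
```

For a real browser the “secret” file is the client cert together with its private key, normally bundled as PKCS#12 (openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12) and imported into the browser’s personal certificate store; the server only ever needs the CA certificate (no key) in ClientCAs. Note that with TLS 1.3 the client’s handshake completes before the server checks the certificate, so a rejected client sees the alert on its first read rather than on connect.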
