dongqing904999 2019-04-22 05:33
Views: 271
Accepted

How do I create a TLS connection without certificates in golang?

From the source:

// Listen creates a TLS listener accepting connections on the
// given network address using net.Listen.
// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
    if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
        return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
    }
    l, err := net.Listen(network, laddr)
    if err != nil {
        return nil, err
    }
    return NewListener(l, config), nil
}

The problem is that the certificates cannot be nil:

// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.

How can I use a tls connection listening without certificates? What I need is the tls encryption but not the authentication.

I tried making a tls.Config with an empty certificate like this:

&tls.Config{
    Certificates: []tls.Certificate{tls.Certificate{}},
}

But the connections failed with tls: handshake failure. Is this even possible?


2 answers

  • dousu5608 2019-04-22 07:35

    TLS without certificates would require support for cipher suites which don't use certificates.

    Looking at the source code for crypto/tls, one can find the supported cipher suites in crypto/tls/cipher_suites.go. One can see there that only cipher suites using either RSA or ECDSA authentication are supported, which means that you need to have a certificate with either an RSA or an ECC key.

    To have support for TLS without certificates there would need to be cipher suites for PSK, SRP, or similar authentication methods which don't require certificates, or for NULL authentication (anonymous, i.e. no authentication). But these are not supported.

    What I need is the tls encryption but not the authentication.

    In most cases such a requirement is flawed in the first place. TLS without authentication would mean that an active and undetectable man in the middle attack is usually easily possible, which would essentially make all the encryption provided by TLS meaningless. TLS without authentication would only make sense if the client could securely (i.e. resistant against MITM attacks) authenticate the server after the TLS connection was established and before any application payload is transmitted.

    This answer was selected by the asker as the best answer.
