如何在Go HTTPS服务器中获取客户端证书

I'm trying to understand how to get client's certificates in Go web server. Here is a server code:

package main

import (
    "log"
    "net/http"
    "net/http/httputil"
)

func defaultHandler(w http.ResponseWriter, r *http.Request) {
    dump, err := httputil.DumpRequest(r, true)
    log.Println("HTTP request", r, string(dump), err)
    log.Println("HTTP TLS", r.TLS, string(r.TLS.TLSUnique))
    certs := r.TLS.PeerCertificates
    log.Println("HTTP CERTS", certs)
    w.WriteHeader(http.StatusMethodNotAllowed)
    w.Write([]byte("Hello"))
}

func main() {
    http.HandleFunc("/", defaultHandler)
    http.ListenAndServeTLS(":8080", "server.crt", "server.key", nil)
}

and here is client code

package main

import (
    "crypto/tls"
    "io/ioutil"
    "log"
    "net/http"
    "os"
)

func HttpClient() (client *http.Client) {
    uckey := os.Getenv("X509_USER_KEY")
    ucert := os.Getenv("X509_USER_CERT")
    x509cert, err := tls.LoadX509KeyPair(ucert, uckey)
    if err != nil {
        panic(err.Error())
    }
    certs := []tls.Certificate{x509cert}
    if len(certs) == 0 {
       client = &http.Client{}
       return
    }
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{Certificates: certs,
        InsecureSkipVerify: true},
    }
    client = &http.Client{Transport: tr}
    return
}

func main() {
    rurl := "https://localhost:8080"
    client := HttpClient()
    req, err := http.NewRequest("GET", rurl, nil)
    if err != nil {
       log.Println("Unable to make GET request", err)
       os.Exit(1)
    }
    req.Header.Add("Accept", "*/*")
    resp, err := client.Do(req)
    if err != nil {
        log.Println(err)
        os.Exit(1)
    }
    defer resp.Body.Close()
    data, err := ioutil.ReadAll(resp.Body)
    log.Println(string(data))
}

If I run both server and a client I see the following on a server side:

2017/02/08 15:46:49 HTTP request &{GET / HTTP/1.1 1 1 map[User-Agent:[Go-http-client/1.1] Accept:[*/*] Accept-Encoding:[gzip]] {} 0 [] false localhost:8080 map[] map[] <nil> map[] 127.0.0.1:58941 / 0xc4204ef080 <nil> <nil> 0xc420014d40} GET / HTTP/1.1
Host: localhost:8080
Accept: */*
Accept-Encoding: gzip
User-Agent: Go-http-client/1.1

 <nil>
2017/02/08 15:46:49 HTTP TLS &{771 true false 49195  true localhost [] [] []   [] [203 144 196 105 155 216 89 105 83 90 93 4]} ːiSZ]
2017/02/08 15:46:49 HTTP CERTS []

As you can see the client's certificates are empty.

While if I invoke curl call to a server providing my certificates, then I can see server certificates:

curl -L -k --key mykey.key --cert mycert.pem -vvv https://localhost:8080
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
    CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=NY; L=Town; O=Bla-Bla
*  start date: Feb  8 14:12:06 2017 GMT
*  expire date: Feb  6 14:12:06 2027 GMT
*  issuer: C=US; ST=NY; L=Ithaca; O=Cornell
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.52.1
> Accept: */*

As you can see SSL negotiation is in place and curl client successfully reports server certificate. What I need is to access client's certificate on a server side to do proper authentication. But so far I can't see any client's certificate.

Any help is really welcome. Thanks, Valentin.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doulandai0641 2017-02-08 21:19
关注
The client shouldn't send a certificate unless requested. Set ClientAuth in the tls.Config to an appropriate tls.ClientAuthType.

For example, to only request that a client send a certificate, you can use:

server := &http.Server{ Addr: ":8080", TLSConfig: &tls.Config{ ClientAuth: tls.RequestClientCert, }, } server.ListenAndServeTLS("server.crt", "server.key")
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

如何在Go HTTPS服务器中获取客户端证书 https ssl
2017-02-08 21:02

回答 1 已采纳 The client shouldn't send a certificate unless requested. Set ClientAuth in the tls.Config to an a
在Go gRPC处理程序中从客户端证书获取主题DN
2017-11-09 06:58

回答 1 已采纳 You can use peer.Peer from ctx context.Context for access to the OID registry in x509.Certificate.
如何在Go中从http客户端获取x509证书
2019-02-28 17:01

回答 1 已采纳 The response has a TLS *tls.ConnectionState field, which in turn has: type ConnectionState struct
服务器如何获取客户端证书,如何在Go HTTPS服务器中获取客户端证书
2021-07-30 01:20

向往真善美吧的博客这里是一个服务器代码：如何在Go HTTPS服务器中获取客户端证书package mainimport ("log""net/http""net/http/httputil")func defaultHandler(w http.ResponseWriter, r *http.Request) {dump, err := httputil.Du.....
如何在Golang中针对CRL验证客户端证书？ ssl
2016-05-05 19:02

回答 1 已采纳 Is it possible to also verify the client certs against a provided CRL? Yes, it is possible, b
在Go中从服务器获取EOF作为客户端
2015-04-28 19:17

回答 2 已采纳 [JimB just beat me to an answer but here goes anyway.] The root issue is that you did body = body
Golang HTTPS / TLS POST客户端/服务器 https
2016-10-16 17:04

回答 1 已采纳 You didn't share the error message, but I assume the client.Post call wasn't allowing a string as
服务器客户端证书,客户端如何验证HTTPS服务端证书信息
2021-07-29 00:31

weixin_29200485的博客通过一个例子说明客户端如何验证HTTPS服务端的证书信息。类型浏览器如何验证WEB服务器的证书信息。生成服务器端证书，以及CA证书# generate ca certificate$ openssl genrsa -out ca-key.pem 2048$ openssl req -new...
gRPC：如何使用Go服务器在Java客户端中获取多个返回值 java
2017-05-22 12:08

回答 2 已采纳 In Go, the error returned by your Login method will get converted into the wire format status code
如何在Golang的UDP服务器上获取客户端ip地址？ udp
2014-06-15 16:59

回答 1 已采纳 In connected mode, you can use the LocalAddr() and RemoteAddr() methods of the connection object.
Golang：如何在HTTP客户端的TLS配置中指定证书 ssl
2014-02-04 20:05

回答 1 已采纳 You can replace the system CA set by providing a root CA pool in tls.Config. certs := x509.NewCer
Golang_15: Go语言网络编程：HTTP/HTTPS Client 客户端
2023-05-26 20:30

谢TS的博客 Go 语言内置的 net/http 包提供了简洁而又完善的 HTTP 客户端 和服务端的实现，并且 客户端 和服务端均支持 HTTP/2.0。
比较go中的客户端证书
2019-09-01 09:50

回答 2 已采纳 A certificate is more than its public key. The entire x509.Certificate object represents the certi
Golang_16: Go语言网络编程：HTTP/HTTPS Server 服务端
2023-05-26 20:45

谢TS的博客 Go 语言内置的 net/http 包除了支持 HTTP 客户端，还支持 HTTP 和 HTTPS 服务端（并且支持 HTTP/2.0 版本的服务端）。
基于GO语言实现的X.509证书
2022-07-06 11:26

biyezuopinvip的博客在密码学中，X.509是公钥证书的格式标准，在许多互联网协议中得到应用。X.509对公钥证书的格式，撤销证书列表（CRLs），证书验证路径算法等进行了规定...提交的程序中使用 Go 语言编写读取 X.509的程序，调用了 Go 语言
没有解决我的问题, 去提问

悬赏问题

¥15 如何在scanpy上做差异基因和通路富集？
¥20 关于#硬件工程#的问题，请各位专家解答！
¥15 关于#matlab#的问题：期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707，使系统具有较小的超调量
¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
¥30 截图中的mathematics程序转换成matlab
¥15 动力学代码报错，维度不匹配
¥15 Power query添加列问题
¥50 Kubernetes&Fission&Eleasticsearch
¥15 報錯：Person is not mapped，如何解決？
¥15 c++头文件不能识别CDialog

如何在Go HTTPS服务器中获取客户端证书

1条回答 默认 最新

悬赏问题

1条回答默认最新