如何使用Go TLS手动验证客户端证书？

We are building a server in Golang that opens a TCP port over SSL.

We would like to enable mutual-authentication between the client and the server. But also detect when a client attempts to connect to our server without a valid client certificate and return them a error message over SSL - such as "invalid client certificate detected, please contact company ABC for assistance".

Just to be clear: we are adamant about our requirement to return data over SSL to clients that fail to mutually authenticate with the server. We do not want to disconnect them.

The approach we have taken is to use the 'VerifyClientCertIfGiven' configuration setting for TLS.

Whereby, we verify the client certificate if it is given, but we still allow an SSL connection to be established if it isn't.

How can we find out:

Was a client certificate provided?
If so, did it pass the mutual authentication checks performed by TLS?

Below is the code of our server:

package main

import(
  "fmt"
  "io/ioutil"
  "crypto/tls"
  "crypto/x509"
)

func main(){
  // Configure SSL
  cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
  caCert, _ := ioutil.ReadFile("client.crt")
  caCertPool := x509.NewCertPool()
  caCertPool.AppendCertsFromPEM(caCert)
  config := &tls.Config{
    Certificates: []tls.Certificate{cert},
    ClientCAs: caCertPool,
    ClientAuth: tls.VerifyClientCertIfGiven,
  }
  config.BuildNameToCertificate()
  // Listen on port 443
  listener, _ := tls.Listen("tcp", ":443", config)
  defer listener.Close()
  // Accept incoming connection
  conn, _ := listener.Accept()
  defer conn.Close()
  // Print ConnectionState
  tlscon, _ := conn.(*tls.Conn)
  fmt.Println(tlscon.ConnectionState())
}

And below is the code of our client:

package main
import (
  "io/ioutil"
  "crypto/tls"
  "crypto/x509"
)

func main(){
  //Configure SSL
  cert, _ := tls.LoadX509KeyPair("client.crt", "client.key"
  caCert, _ := io.util.ReadFile("server.crt")
  caCertPool := x509.NewCertPool()
  caCertPool.AppendCertsFromPEM(caCert)
  config := &tls.Config{
    Certificates: []tls.Certificate{cert},
    RootCAs:      caCertPool,
  }
  config.BuildNameToCertificate()
  // Connect to server
  conn, _ := tls.Dial("tcp", "127.0.0.1:443", config)
  defer conn.Close()
}

The output:

{0 false false 0  false  [] [] [] [] []}

We've tried implementing conn.ConnectionState().PeerCertificates on the server but in all our attempts, it was an empty byte array.

Thank you in advance. We appreciate your time trying to help us.

Kind Regards,

Julian

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douxian9706 2017-04-25 09:36
关注
I spent the best of my afternoon on this one too.

Once the server accepts the connection you will need to explicitely call tlscon.Handshake() to get the client's certificate, otherwise the tls package will do it automatically after the first i/o. https://golang.org/pkg/crypto/tls/#Conn.Handshake

You can see a example here.

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

如何在Golang中针对CRL验证客户端证书？ ssl
2016-05-05 19:02

回答 1 已采纳 Is it possible to also verify the client certs against a provided CRL? Yes, it is possible, b
如何使Go接受用于TLS客户端身份验证的自签名证书？ ssl
2016-03-30 18:37

回答 1 已采纳 @JohnWeldon's comment led me to the solution, which is that I need to modify the client Certificat
如何在GO中使用CA证书创建TLS客户端？ https ssl
2016-07-26 06:54

回答 1 已采纳 package main import ( "crypto/tls" "crypto/x509" "flag" "io/ioutil" "log"
chefstarter:使用 HTTP 基本身份验证远程启动厨师客户端
2021-06-27 00:31

使用 HTTP 基本身份验证和 TLS 支持远程启动厨师客户端。用 Go 编写。为什么我管理着一个技术运营团队，负责由 Chef 提供的 400 多个 Linux 实例。我们经常发现自己需要调用一个在大量机器上手动运行的厨师...
使用golang相互TLS身份验证信任特定客户端 ssl
2018-01-23 19:41

回答 1 已采纳 There is no mechanism to do this for you, but starting with go 1.8 you can specify your own callba
Golang：如何在HTTP客户端的TLS配置中指定证书 ssl
2014-02-04 20:05

回答 1 已采纳 You can replace the system CA set by providing a root CA pool in tls.Config. certs := x509.NewCer
如何验证我的TLS服务器正在加密流量？ [关闭] https ssl
2018-04-20 01:26

回答 1 已采纳 You can use a sniffer, here are two: Charles Proxy, it has a 30 day free trial period and is easy
使用acme sh(手动验证)生成Let‘s Encrypt 证书
2024-03-25 19:20

阿峰爱学习的博客使用acme.sh(手动DNS验证)生成Let's Encrypt 证书
[golang]是否可以编写没有证书的TLS服务器？ https
2017-02-15 22:17

回答 1 已采纳 No, as @JimB told you, TLS can't work without certificates. The reasoning is simple: TLS is all a
TLS身份验证：每个证书需要包含哪些内容？
2014-10-17 14:24

回答 2 已采纳 You can use a normal server certificate like the ones you use in a web server for the server. Go
在Go gRPC处理程序中从客户端证书获取主题DN
2017-11-09 06:58

回答 1 已采纳 You can use peer.Peer from ctx context.Context for access to the OID registry in x509.Certificate.
tls证书和ssl证书_如何在几分钟内免费使用ssl tls证书保护您的网站
2020-09-19 18:00

weixin_26636643的博客 tls证书和ssl证书什么是SSL或TLS？ (What’s SSL or TLS?) Transport Layer Security (TLS) is a cryptographic protocol which provides authentication and data encryption between machines over a network. In...
golang TLS是否支持IE8？
2012-09-28 15:11

回答 2 已采纳 moved from question as OP didn't made a proper answer This problem can be resolved by this patch,
wireshark tls_使用Wireshark进行调试：TLS
2020-07-12 09:35

cumei1658的博客这就是Wireshark有用的原因：您可以避免手动解码网络上的数据，而让Wireshark为您代劳！ To see how Wireshark displays things, let’s start by looking at packet 1, which in my case is a TCP SYN segment: 要...
2021-05-01-手动生成ca证书搭建fabric网络
2021-09-17 14:39

Soulmate_666的博客 title: 手动生成ca证书搭建fabric网络 date: 2021-05-01 17:16:17 categories: Hyperledger Fabric tags: Hyperledger Fabric fabric-ca 亲测有效【摘要】之前介绍了使用官方脚本自动化启动一个Fabric网络，...
没有解决我的问题, 去提问

悬赏问题

¥60 版本过低apk如何修改可以兼容新的安卓系统
¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
¥50 有数据，怎么建立模型求影响全要素生产率的因素
¥50 有数据，怎么用matlab求全要素生产率
¥15 TI的insta-spin例程
¥15 完成下列问题完成下列问题
¥15 C#算法问题, 不知道怎么处理这个数据的转换
¥15 YoloV5 第三方库的版本对照问题
¥15 请完成下列相关问题！
¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像，如何解决？

如何使用Go TLS手动验证客户端证书？

1条回答 默认 最新

悬赏问题

1条回答默认最新