dosin84644 2016-05-03 17:56
168 views

golang tls.Config CipherSuites does not restrict client authentication

My tls.Config is set to not use ECDHE key exchange so I can monitor my traffic in Wireshark without having to get the client's keys.

    package main

    import "crypto/tls"

    // Server config as posted: RSA key exchange only, so captured traffic can be
    // decrypted with the server's RSA private key (this gives up forward secrecy).
    // Wrapped in a function so the snippet compiles; cpair is the server's certificate and key.
    func newServerConfig(cpair tls.Certificate) *tls.Config {
        return &tls.Config{
            Certificates:             []tls.Certificate{cpair},
            MinVersion:               tls.VersionTLS12,
            PreferServerCipherSuites: true,
            ClientAuth:               tls.NoClientCert,
            CipherSuites: []uint16{
                tls.TLS_RSA_WITH_AES_256_CBC_SHA,
                tls.TLS_RSA_WITH_RC4_128_SHA, // RC4 is a broken cipher; listed as in the question
                tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            },
        }
    }

However, when analyzing the traffic in Wireshark, I still see the connection being made with an ECDHE cipher suite:

    62 ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange
    (cipher suite 0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
    and cannot be decrypted using a RSA private key file.

1 answer

  • duanbeng1923 2016-05-03 20:28

    Turns out I forgot about my reverse proxy on Apache.

    Wireshark was looking on port 443 for HTTPS connections, but was filtering out the communication between Apache and my server on the server's port.

    I was able to successfully limit SSLCipherSuites in ssl.conf in Apache's configuration and was able to analyze the traffic.

    I'm assuming Apache was passing on the data to my Go program in the reverse proxy, which caused Apache and Go to negotiate a connection based on tls.Config, which I didn't see because that communication was on a different port on localhost (I was filtering Wireshark based on port 443 on my IP address, not localhost, which is how Apache and Go are communicating).

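As an added example (not code from either post), a Go program that builds the restricted server config, completes a TLS 1.2 handshake in-process, and returns the cipher suite the Go server actually negotiated, which is how to tell Go's own choice apart from whatever a proxy in front of it negotiates. It also pins MaxVersion, because with TLS 1.3 (added to Go after this thread) CipherSuites is ignored and the key exchange is always ephemeral; RSAKexSuites, ServerConfig and NegotiatedSuite are names chosen here, and the self-signed certificate is constructed for the test.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RSAKexSuites: constructed allow-list, RSA key exchange only (decryptable with the server key; no forward secrecy, so lab use only).
var RSAKexSuites = []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA}

// ServerConfig pins MaxVersion as well: TLS 1.3 ignores CipherSuites and always uses an ephemeral
// key exchange, which would silently defeat the restriction.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: RSAKexSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
}

// NegotiatedSuite handshakes in-process against ServerConfig and returns the suite the Go server really chose.
func NegotiatedSuite() (uint16, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway self-signed cert so this runs offline
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srvConn, cliConn := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(srvConn, ServerConfig(cert)).Handshake() }()
	// InsecureSkipVerify only because the cert is self-signed; the client must offer RSA-kex suites too.
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12, CipherSuites: RSAKexSuites})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, <-errc // second value: server-side handshake error, if any
}

func main() {
	suite, err := NegotiatedSuite()
	fmt.Println(tls.CipherSuiteName(suite), err) // a TLS_RSA_* name; an ECDHE name would mean another endpoint negotiated
}
```

Run the same check against the port Apache actually proxies to, not 443, and the suite printed is the one the Go side negotiated.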
