dousiyou1058 2015-03-06 12:23
浏览 217
已采纳

Golang SSL TCP套接字证书配置

I'm creating a Go TCP server (NOT http/s) and I'm trying to configure it to use SSL. I have a StartCom free SSL certificate which I am trying to use to accomplish this. My server code looks like this:

    cert, err := tls.LoadX509KeyPair("example.com.pem", "example.com.key")
    if err != nil {
        fmt.Println("Error loading certificate. ",err)
    }
    trustCert, err := ioutil.ReadFile("sub.class1.server.ca.pem")
    if err != nil {
        fmt.Println("Error loading trust certificate. ",err)
    }
    validationCert, err := ioutil.ReadFile("ca.pem")
    if err != nil {
        fmt.Println("Error loading validation certificate. ",err)
    }
    certs := x509.NewCertPool()
    if !certs.AppendCertsFromPEM(validationCert) {
        fmt.Println("Error installing validation certificate.")
    }
    if !certs.AppendCertsFromPEM(trustCert) {
        fmt.Println("Error installing trust certificate.")
    }

    sslConfig := tls.Config{RootCAs: certs,Certificates: []tls.Certificate{cert}}

    service := ":5555"
    tcpAddr, error := net.ResolveTCPAddr("tcp", service)
    if error != nil {
        fmt.Println("Error: Could not resolve address")
    } else {
        netListen, error := tls.Listen(tcpAddr.Network(), tcpAddr.String(), &sslConfig)
        if error != nil {
            fmt.Println(error)
        } else {
            defer netListen.Close()

            for {
                fmt.Println("Waiting for clients")
                connection, error := netListen.Accept()

I've tried switching around the order of the certs, not including some certs, etc. but the output from openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5555 remains essentially the same, verify error:num=20:unable to get local issuer certificate. See here for full output. I seem to be doing something wrong with the intermediate certificates, but I have no idea what. I have been working on this for a few days, lots of googling and SO'ing, but nothing seemed to quite fit my situation. I have set up many certificates in Apache and HAProxy, but this really has me stumped.

  • 写回答

1条回答 默认 最新

  • dongzongzi0379 2015-03-06 22:14
    关注

    The RootCAs field is for clients verifying server certificates. I assume you only want to present a cert for verification, so anything you need should be loaded into the Certificates slice.

    Here is a minimal example:

    cert, err := tls.LoadX509KeyPair("example.com.pem", "example.com.key")
    if err != nil {
        log.Fatal("Error loading certificate. ", err)
    }
    
    tlsCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
    
    listener, err := tls.Listen("tcp4", "127.0.0.1:5555", tlsCfg)
    if err != nil {
        log.Fatal(err)
    }
    defer listener.Close()
    
    for {
        log.Println("Waiting for clients")
        conn, err := listener.Accept()
        if err != nil {
            log.Fatal(err)
        }
        go handle(conn)
    }
    

    Even though you're not using HTTPS, it may still be useful to walk through the server setup starting at http.ListenAndServeTLS.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 目标计数模型训练过程中的问题
  • ¥100 Acess连接SQL 数据库后 不能用中文筛选
  • ¥15 用友U9Cloud的webapi
  • ¥20 电脑拓展屏桌面被莫名遮挡
  • ¥20 ensp,用局域网解决
  • ¥15 Python语言实验
  • ¥15 我每周要在投影仪优酷上自动连续播放112场电影,我每一周遥控操作一次投影仪,并使得电影永远不重复播放,请问怎样操作好呢?有那么多电影看吗?
  • ¥20 电脑重启停留在grub界面,引导出错需修复
  • ¥15 matlab透明图叠加
  • ¥50 基于stm32l4系列 使用blunrg-ms的ble gatt 创建 hid 服务失败