dongqing904999 2019-04-22 05:33
271 views
Accepted answer

How do I create a TLS connection without certificates in Go?

From the source:

// Listen creates a TLS listener accepting connections on the
// given network address using net.Listen.
// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
    if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
        return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
    }
    l, err := net.Listen(network, laddr)
    if err != nil {
        return nil, err
    }
    return NewListener(l, config), nil
}

The problem is that the certificates cannot be nil:

// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.

How can I use a tls connection listening without certificates? What I need is the tls encryption but not the authentication.

I tried making a tls.Config with an empty certificate like this:

&tls.Config{
    Certificates: []tls.Certificate{tls.Certificate{}},
}

But the connections failed with tls: handshake failure. Is this even possible?


2 answers

  • dousu5608 2019-04-22 07:35

    TLS without certificates would require support for cipher suites which don't use certificates.

    Looking at the source code for crypto/tls one can find the supported cipher suites in crypto/tls/cipher_suites.go. One can see there that only cipher suites using either RSA or ECDSA authentication are supported, which means that you need to have a certificate with either RSA or ECC key.

    To have support for TLS without certificates there would need to be cipher suites for PSK, SRP, or similar authentication methods which don't require certificates, or for NULL authentication (anonymous, i.e. no authentication). But these are not supported.

    What I need is the tls encryption but not the authentication.

    In most cases such a requirement is flawed in the first place. TLS without authentication would mean that an active and undetectable man-in-the-middle attack is usually easily possible, which would essentially make all the encryption provided by TLS meaningless. TLS without authentication would only make sense if the client could securely (i.e. resistant against MITM attacks) authenticate the server after the TLS connection was established and before any application payload is transmitted.

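Since crypto/tls has no certificate-free cipher suites, the practical way to satisfy the condition in the answer above (the client must still authenticate the server by some MITM-resistant means) is an ephemeral self-signed certificate on the server plus a pin on the client. This is an added example, not code from the question, the answer or the Go project; the function names, the 24-hour validity and the choice to pin the SHA-256 of the whole leaf certificate are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// ephemeralServerCert: a throw-away ECDSA key and self-signed cert made at startup (no CA).
func ephemeralServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// certPin: SHA-256 of the leaf DER; the server publishes it out of band, replacing a CA chain.
func certPin(der []byte) [32]byte { return sha256.Sum256(der) }

// pinnedClientConfig disables chain validation (there is no CA) but rejects any server
// whose certificate differs from the pin, so an active MITM still fails the handshake.
func pinnedClientConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain check replaced by the pin below, not dropped
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			if certPin(rawCerts[0]) != pin {
				return errors.New("server certificate does not match pin")
			}
			return nil
		},
	}
}
```

The server passes the certificate from ephemeralServerCert into tls.Listen's Config, which satisfies the "at least one certificate" check that the question hits; the client then dials with pinnedClientConfig, so the encryption is not anonymous even though no CA is involved.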
