dongqing904999
2019-04-22 05:33
Views: 245
Accepted

How do I create a TLS connection in Go without certificates?

From the source:

// Listen creates a TLS listener accepting connections on the
// given network address using net.Listen.
// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
    if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
        return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
    }
    l, err := net.Listen(network, laddr)
    if err != nil {
        return nil, err
    }
    return NewListener(l, config), nil
}

The problem is that the certificates cannot be nil:

// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.

How can I use a tls connection listening without certificates? What I need is the tls encryption but not the authentication.

I tried making a tls.Config with an empty certificate like this:

&tls.Config{
    Certificates: []tls.Certificate{tls.Certificate{}},
}

But the connections failed with tls: handshake failure. Is this even possible?


2 answers

  • dousu5608 2019-04-22 07:35
    Accepted

    TLS without certificates would require support for cipher suites which don't use certificates.

    Looking at the source code for crypto/tls one can find the supported cipher suites in crypto/tls/cipher_suites.go. One can see there that only cipher suites using either RSA or ECDSA authentication are supported, which means that you need to have a certificate with either RSA or ECC key.

    To have support for TLS without certificates there would need to be cipher suites for PSK, SRP, or similar authentication methods which don't require certificates, or for NULL authentication (anonymous, i.e. no authentication). But these are not supported.

    What I need is the tls encryption but not the authentication.

    In most cases such a requirement is flawed in the first place. TLS without authentication would mean that an active and undetectable man in the middle attack is usually easily possible, which would essentially make all the encryption provided by TLS meaningless. TLS without authentication would only make sense if the client could securely (i.e. resistant against MITM attacks) authenticate the server after the TLS connection was established and before any application payload is transmitted.

  • doufu2396 2019-04-22 06:43

    Set InsecureSkipVerify to true in tls.Config

    &tls.Config{InsecureSkipVerify: true}

    and add that config to Transport

    &http.Transport{TLSClientConfig: tlsConfig}

    https://golang.org/pkg/crypto/tls/#Config

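Both answers point at the same gap: Go's crypto/tls refuses to listen without a certificate, and a client with only InsecureSkipVerify: true drops the authentication that makes the encryption worth anything. The usual way to satisfy both is shown below as an added example (it is not code from either answer or from the Go project): the server mints a self-signed certificate in memory at startup, and the client pins the SHA-256 of that key's SubjectPublicKeyInfo, learned out of band, inside VerifyPeerCertificate. The names ephemeralCert, spkiPin and pinnedClientConfig are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ephemeralCert builds a self-signed certificate in memory at startup: no CA and no
// files on disk, but tls.Listen's "at least one certificate" requirement is satisfied.
func ephemeralCert() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

// spkiPin is the hex SHA-256 of the certificate's SubjectPublicKeyInfo; the operator
// reads it off the server (e.g. printed at start) and hands it to clients out of band.
func spkiPin(der []byte) (string, error) {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(leaf.RawSubjectPublicKeyInfo)), nil
}

// pinnedClientConfig skips chain verification (there is no CA) but still authenticates
// the server by its pinned key, which a bare InsecureSkipVerify: true does not do.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return fmt.Errorf("server sent no certificate")
			}
			got, err := spkiPin(raw[0])
			if err == nil && got != pin {
				err = fmt.Errorf("server public key %s does not match pin", got)
			}
			return err
		}}
}
```

Pass the tls.Config from pinnedClientConfig as TLSClientConfig on the http.Transport exactly as the second answer shows; the only difference is that a server presenting any other key now fails the handshake instead of being accepted.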