Moved to git repository: https://github.com/denji/golang-tls
# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048
# Key considerations for algorithm "ECDSA" ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
package main
import (
// "fmt"
// "io"
"net/http"
"log"
)
func HelloServer(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Content-Type", "text/plain")
w.Write([]byte("This is an example server.\n"))
// fmt.Fprintf(w, "This is an example server.\n")
// io.WriteString(w, "This is an example server.\n")
}
func main() {
http.HandleFunc("/hello", HelloServer)
err := http.ListenAndServeTLS(":443", "server.crt", "server.key", nil)
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
}
Hint: visit, please do not forget to use https begins,otherwise chrome will download a file as follows:
$ curl -sL https://localhost:443 | xxd
0000000: 1503 0100 0202 0a .......
package main
import (
"log"
"crypto/tls"
"net"
"bufio"
)
func main() {
log.SetFlags(log.Lshortfile)
cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
if err != nil {
log.Println(err)
return
}
config := &tls.Config{Certificates: []tls.Certificate{cer}}
ln, err := tls.Listen("tcp", ":443", config)
if err != nil {
log.Println(err)
return
}
defer ln.Close()
for {
conn, err := ln.Accept()
if err != nil {
log.Println(err)
continue
}
go handleConnection(conn)
}
}
func handleConnection(conn net.Conn) {
defer conn.Close()
r := bufio.NewReader(conn)
for {
msg, err := r.ReadString('\n')
if err != nil {
log.Println(err)
return
}
println(msg)
n, err := conn.Write([]byte("world\n"))
if err != nil {
log.Println(n, err)
return
}
}
}
package main
import (
"log"
"crypto/tls"
)
func main() {
log.SetFlags(log.Lshortfile)
conf := &tls.Config{
//InsecureSkipVerify: true,
}
conn, err := tls.Dial("tcp", "127.0.0.1:443", conf)
if err != nil {
log.Println(err)
return
}
defer conn.Close()
n, err := conn.Write([]byte("hello\n"))
if err != nil {
log.Println(n, err)
return
}
buf := make([]byte, 100)
n, err = conn.Read(buf)
if err != nil {
log.Println(n, err)
return
}
println(string(buf[:n]))
}
package main
import (
"crypto/tls"
"log"
"net/http"
)
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
w.Write([]byte("This is an example server.\n"))
})
cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
srv := &http.Server{
Addr: ":443",
Handler: mux,
TLSConfig: cfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}
Generation of self-sign a certificate with a private (.key
) and public key (PEM-encodings .pem
|.crt
) in one command:
# ECDSA recommendation key ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)
openssl req -x509 -nodes -newkey ec:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
# openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
# -pkeyopt ec_paramgen_curve:… / ec:<(openssl ecparam -name …) / -newkey ec:…
ln -sf server.ecdsa.key server.key
ln -sf server.ecdsa.crt server.crt
# RSA recommendation key ≥ 2048-bit
openssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650
ln -sf server.rsa.key server.key
ln -sf server.rsa.crt server.crt
.crt
— Alternate synonymous most common among *nix systems.pem
(pubkey)..csr
— Certficate Signing Requests (synonymous most common among *nix systems)..cer
— Microsoft alternate form of.crt
, you can use MS to convert.crt
to.cer
(DER
encoded.cer
, orbase64[PEM]
encoded.cer
)..pem
= The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a «—– BEGIN …» line. These files may also bear thecer
or thecrt
extension..der
— The DER extension is used for binary DER encoded certificates.
openssl req -new -sha256 -key server.key -out server.csr
openssl x509 -req -sha256 -in server.csr -signkey server.key -out server.crt -days 3650
- Validate the elliptic curve parameters
-check
- List "ECDSA" the supported curves
openssl ecparam -list_curves
- Encoding to explicit "ECDSA"
-param_enc explicit
- Conversion form to compressed "ECDSA"
-conv_form compressed
- "EC" parameters and a private key
-genkey
Distro | Package | Path to CA |
---|---|---|
Fedora, RHEL, CentOS | ca-certificates | /etc/pki/tls/certs/ca-bundle.crt |
Debian, Ubuntu, Gentoo, Arch Linux | ca-certificates | /etc/ssl/certs/ca-certificates.crt |
SUSE, openSUSE | ca-certificates | /etc/ssl/ca-bundle.pem |
FreeBSD | ca_root_nss | /usr/local/share/certs/ca-root-nss.crt |
Cygwin | - | /usr/ssl/certs/ca-bundle.crt |
macOS (MacPorts) | curl-ca-bundle | /opt/local/share/curl/curl-ca-bundle.crt |
Default cURL CA bunde path (without --with-ca-bundle option) | /usr/local/share/curl/curl-ca-bundle.crt | |
Really old RedHat? | /usr/share/ssl/certs/ca-bundle.crt |
Achieving a Perfect SSL Labs Score with Go –blog.bracelab.com
- OpenSSL without prompt –
superuser.com
(Stack Exchange) - TLS server and client —
gist.github.com/spikebike
Echo, a fast and unfancy micro web framework for Go —echo.labstack.com/guide
- https://kjur.github.io/jsrsasign/sample-ecdsa.html
- Creating Self-Signed ECDSA SSL Certificate using OpenSSL –
guyrutenberg.com
- https://www.openssl.org/docs/manmaster/
- https://www.openssl.org/docs/manmaster/man1/ecparam.html
- https://www.openssl.org/docs/manmaster/man1/ec.html
- https://www.openssl.org/docs/manmaster/man1/req.html
- https://digitalelf.net/2016/02/creating-ssl-certificates-in-3-easy-steps/
- HTTPS and Go –
kaihag.com
- The complete guide to Go net/http timeouts –
blog.cloudflare.com
- Certificate fetcher in Go –
gist.github.com
- How to redirect HTTP to HTTPS with a golang webserver –
gist.github.com
- XCA - X Certificate and key management
- Package tcplisten provides customizable TCP
net.Listener
with various performance-related options - https://github.com/bifurcation/mint — minimal TLS 1.3 Implementation in Go
- https://github.com/cloudflare/tls-tris — crypto/tls, now with 100% more 1.3
- https://github.com/Xeoncross/secureserver
- https://github.com/cloudflare/cfssl
- https://github.com/google/certificate-transparency
- https://cipherli.st/
- https://github.com/cmrunton/tls-dashboard — dashboard written in JavaScript & HTML to check the remaining time before a TLS certificate expires.
- https://github.com/tomato42/tlsfuzzer
- https://github.com/mozilla/tls-observatory (https://observatory.mozilla.org/)
- https://dev.ssllabs.com/ssltest/
- https://indieweb.org/HTTPS
- https://github.com/konklone/shaaaaaaaaaaaaa (https://shaaaaaaaaaaaaa.com/)
- https://securityheaders.io/
- https://testssl.sh/
- https://github.com/nabla-c0d3/sslyze
- https://github.com/iSECPartners/sslyze
- https://github.com/mozilla/cipherscan
- https://github.com/ssllabs/ssllabs-scan
- https://github.com/chromium/badssl.com (https://badssl.com)
- https://github.com/datatheorem/TrustKit
- https://github.com/certifi/gocertifi
- …
Instead of skipping insecure certificates which could expose your service to MITM attacks, you can create a client that accepts your self-signed certificate:
Kudos for examples!