我正在创建一个Go TCP服务器(不是http / s),我试图将其配置为使用SSL。我有一个StartCom免费SSL证书,我正尝试使用它来完成此操作。我的服务器代码如下所示:
cert,err:= tls.LoadX509KeyPair(example.pem,example .key) if err!= nil { fmt.Println(Error loading certificate。,err)} trustCert,err:= ioutil.ReadFile (sub.class1.server.ca.pem) if err!= nil { fmt.Println(加载信任证书错误,错误)} validationCert,err:= ioutil.ReadFile(ca.pem) if err!= nil { fmt.Println(Error loading validation。,err)} 证书:= x509.NewCertPool() if!certs.AppendCertsFromPEM(validationCert){ fmt.Println(Error installation validation certificate。)} if! certs.AppendCertsFromPEM(trustCert){ fmt.Println(安装信任证书时出错)} sslConfig:= tls.Config {RootCAs:certs,Certificates:[ ] tls.Certificate {cert}} 服务:=:5555 tcpAddr,error:= net.ResolveTCPAddr(tcp,service) if error!= nil { fmt.Println(Error:Could not resolve address)} else { netListen,错误:= tls.Listen(tcpAddr.Network(),tcpAddr.String(),& sslConfig) if error!= nil { fmt.Println(error) $ else {推迟netListen.Close() 为{ fmt.Println(等待客户端)连接,错误:= netListen。接受()我试过转换证书的顺序,不包括某些证书等但是从 openssl s_client -CApath / etc / ssl / certs / -connect localhost:5555 的输出基本保持不变, verify error:num = 20:无法获得本地发行者证书。有关完整输出,请参见此处。我似乎正在做中间证书的问题,但我不知道是什么。我一直在做这个工作几天,大量的谷歌搜索和搜索,但没有什么似乎很适合我的情况。我已经在Apache和HAProxy中设置了许多证书,但这确实让我难以忍受。 解决方案
RootCAs 字段用于验证服务器证书的客户端。我假设你只想提供验证证书,所以你需要的任何东西都应该加载到 Certificates 切片中。
这是一个简单的例子:
cert,err:= tls.LoadX509KeyPair(example.pem,example.key)如果err!= nil { log.Fatal(Error loading certificate。,err)} tlsCfg:=& tls.Config {Certificates:[] tls.Certificate {cert}} listener,err:= tls.Listen(tcp4 ,127.0.0.1:5555,tlsCfg) if err!= nil { log.Fatal(err)} 推迟listener.Close() for { log.Println(等待客户) conn,err:= listener.Accept() if err!= nil { log。致命(错误)} 去处理(conn)}即使您没有使用HTTPS,也可能会从 http.ListenAndServeTLS 。
I'm creating a Go TCP server (NOT http/s) and I'm trying to configure it to use SSL. I have a StartCom free SSL certificate which I am trying to use to accomplish this. My server code looks like this:
cert, err := tls.LoadX509KeyPair("example.pem", "example.key") if err != nil { fmt.Println("Error loading certificate. ",err) } trustCert, err := ioutil.ReadFile("sub.class1.server.ca.pem") if err != nil { fmt.Println("Error loading trust certificate. ",err) } validationCert, err := ioutil.ReadFile("ca.pem") if err != nil { fmt.Println("Error loading validation certificate. ",err) } certs := x509.NewCertPool() if !certs.AppendCertsFromPEM(validationCert) { fmt.Println("Error installing validation certificate.") } if !certs.AppendCertsFromPEM(trustCert) { fmt.Println("Error installing trust certificate.") } sslConfig := tls.Config{RootCAs: certs,Certificates: []tls.Certificate{cert}} service := ":5555" tcpAddr, error := net.ResolveTCPAddr("tcp", service) if error != nil { fmt.Println("Error: Could not resolve address") } else { netListen, error := tls.Listen(tcpAddr.Network(), tcpAddr.String(), &sslConfig) if error != nil { fmt.Println(error) } else { defer netListen.Close() for { fmt.Println("Waiting for clients") connection, error := netListen.Accept()I've tried switching around the order of the certs, not including some certs, etc. but the output from openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5555 remains essentially the same, verify error:num=20:unable to get local issuer certificate. See here for full output. I seem to be doing something wrong with the intermediate certificates, but I have no idea what. I have been working on this for a few days, lots of googling and SO'ing, but nothing seemed to quite fit my situation. I have set up many certificates in Apache and HAProxy, but this really has me stumped.
解决方案The RootCAs field is for clients verifying server certificates. I assume you only want to present a cert for verification, so anything you need should be loaded into the Certificates slice.
Here is a minimal example:
cert, err := tls.LoadX509KeyPair("example.pem", "example.key") if err != nil { log.Fatal("Error loading certificate. ", err) } tlsCfg := &tls.Config{Certificates: []tls.Certificate{cert}} listener, err := tls.Listen("tcp4", "127.0.0.1:5555", tlsCfg) if err != nil { log.Fatal(err) } defer listener.Close() for { log.Println("Waiting for clients") conn, err := listener.Accept() if err != nil { log.Fatal(err) } go handle(conn) }Even though you're not using HTTPS, it may still be useful to walk through the server setup starting at http.ListenAndServeTLS.
更多推荐
Golang SSL TCP套接字证书配置
发布评论