Golang:如何在HTTP客户端的TLS配置中指定证书。

huangapple go评论94阅读模式
英文:

Golang: how to specify certificate in TLS config for http client

问题

我有一个证书文件,位置是:/usr/abc/my.crt,我想在我的TLS配置中使用该证书,这样我的HTTP客户端在与其他服务器通信时可以使用该证书。我的当前代码如下:

mTLSConfig := &tls.Config{
    CipherSuites: []uint16{
        tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    },
    PreferServerCipherSuites: true,
    MinVersion:               tls.VersionTLS10,
    MaxVersion:               tls.VersionTLS10,
}

tr := &http.Transport{
    TLSClientConfig: mTLSConfig,
}

c := &http.Client{Transport: tr}

那么如何在我的TLS配置中指定证书呢?我在http://golang.org/pkg/crypto/tls/#Config 上看到了证书设置,有人可以建议如何在那里配置我的证书位置吗?

mTLSConfig.Config{Certificates: []tls.Certificate{'/usr/abc/my.crt'}} <-- 这是错误的,因为我传递的是字符串,对吗?我没有任何其他文件,如.pem或.key等,只有这个my.cert文件。我不知道该怎么做。

之前,我编辑了go源代码http://golang.org/src/pkg/crypto/x509/root_unix.go,并在第12行后添加了/usr/abc/my.crt,它起作用了。但问题是我的证书文件位置可能会改变,所以我已经从root_unix.go中删除了硬编码的行,并尝试在构建TLSConfig时动态传递它。

英文:

I have a cert file, that location is: /usr/abc/my.crt and I want to use that cert for my tls config, so that my http client uses that certificate when communicate with other servers. My current code is as follows:

mTLSConfig := &amp;tls.Config {
    CipherSuites: []uint16 {
        tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    }
}

mTLSConfig.PreferServerCipherSuites = true
mTLSConfig.MinVersion = tls.VersionTLS10
mTLSConfig.MaxVersion = tls.VersionTLS10

tr := &amp;http.Transport{
    TLSClientConfig: mTLSConfig,
}

c := &amp;http.Client{Transport: tr}

So how to assign a certificate in my TLS config? I see the certificate settings at http://golang.org/pkg/crypto/tls/#Config can someone suggest how to config my cert location there?

mTLSConfig.Config{Certificates: []tls.Certificate{&#39;/usr/abc/my.crt&#39;}} <-- is wrong because I am passing string.right? I DON'T have ANY other files such as .pem or .key etc, just only this my.cert. I am blank how to do it?

Earlier, I had edited the go source code http://golang.org/src/pkg/crypto/x509/root_unix.go and added /usr/abc/my.crt after line no. 12 and it worked. But the problem is my certificate file location can change, so I have removed the hardcoded line from root_unix.go and trying to pass it dynamically, when building TLSConfig.

答案1

得分: 28

你可以通过在tls.Config中提供一个根CA池来替换系统的CA集合。

certs := x509.NewCertPool()

pemData, err := ioutil.ReadFile(pemPath)
if err != nil {
    // 处理错误
}
certs.AppendCertsFromPEM(pemData)
mTLSConfig.RootCAs = certs

如果你仍然想要使用系统的根证书,我认为你需要在initSystemRoots()中重新创建这个功能。我没有看到任何公开的方法来将证书合并到默认的系统根证书中。

英文:

You can replace the system CA set by providing a root CA pool in tls.Config.

certs := x509.NewCertPool()

pemData, err := ioutil.ReadFile(pemPath)
if err != nil {
    // do error
}
certs.AppendCertsFromPEM(pemData)
mTLSConfig.RootCAs = certs

If you still want the system's roots however, I think you'll need to recreate the functionality in initSystemRoots(). I don't see any exposed method for merging a cert into the default system roots.

huangapple
  • 本文由 发表于 2014年2月5日 04:05:35
  • 转载请务必保留本文链接:https://go.coder-hub.com/21562269.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定