英文:
Golang: how to specify certificate in TLS config for http client
问题
我有一个证书文件,位置是:/usr/abc/my.crt,我想在我的TLS配置中使用该证书,这样我的HTTP客户端在与其他服务器通信时可以使用该证书。我的当前代码如下:
mTLSConfig := &tls.Config{
CipherSuites: []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS10,
MaxVersion: tls.VersionTLS10,
}
tr := &http.Transport{
TLSClientConfig: mTLSConfig,
}
c := &http.Client{Transport: tr}
那么如何在我的TLS配置中指定证书呢?我在http://golang.org/pkg/crypto/tls/#Config 上看到了证书设置,有人可以建议如何在那里配置我的证书位置吗?
mTLSConfig.Config{Certificates: []tls.Certificate{'/usr/abc/my.crt'}} <-- 这是错误的,因为我传递的是字符串,对吗?我没有任何其他文件,如.pem或.key等,只有这个my.cert文件。我不知道该怎么做。
之前,我编辑了go源代码http://golang.org/src/pkg/crypto/x509/root_unix.go,并在第12行后添加了/usr/abc/my.crt,它起作用了。但问题是我的证书文件位置可能会改变,所以我已经从root_unix.go中删除了硬编码的行,并尝试在构建TLSConfig时动态传递它。
英文:
I have a cert file, that location is: /usr/abc/my.crt and I want to use that cert for my tls config, so that my http client uses that certificate when communicate with other servers. My current code is as follows:
mTLSConfig := &tls.Config {
CipherSuites: []uint16 {
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
}
}
mTLSConfig.PreferServerCipherSuites = true
mTLSConfig.MinVersion = tls.VersionTLS10
mTLSConfig.MaxVersion = tls.VersionTLS10
tr := &http.Transport{
TLSClientConfig: mTLSConfig,
}
c := &http.Client{Transport: tr}
So how to assign a certificate in my TLS config? I see the certificate settings at http://golang.org/pkg/crypto/tls/#Config can someone suggest how to config my cert location there?
mTLSConfig.Config{Certificates: []tls.Certificate{'/usr/abc/my.crt'}} <-- is wrong because I am passing string.right? I DON'T have ANY other files such as .pem or .key etc, just only this my.cert. I am blank how to do it?
Earlier, I had edited the go source code http://golang.org/src/pkg/crypto/x509/root_unix.go and added /usr/abc/my.crt after line no. 12 and it worked. But the problem is my certificate file location can change, so I have removed the hardcoded line from root_unix.go and trying to pass it dynamically, when building TLSConfig.
答案1
得分: 28
你可以通过在tls.Config中提供一个根CA池来替换系统的CA集合。
certs := x509.NewCertPool()
pemData, err := ioutil.ReadFile(pemPath)
if err != nil {
// 处理错误
}
certs.AppendCertsFromPEM(pemData)
mTLSConfig.RootCAs = certs
如果你仍然想要使用系统的根证书,我认为你需要在initSystemRoots()中重新创建这个功能。我没有看到任何公开的方法来将证书合并到默认的系统根证书中。
英文:
You can replace the system CA set by providing a root CA pool in tls.Config.
certs := x509.NewCertPool()
pemData, err := ioutil.ReadFile(pemPath)
if err != nil {
// do error
}
certs.AppendCertsFromPEM(pemData)
mTLSConfig.RootCAs = certs
If you still want the system's roots however, I think you'll need to recreate the functionality in initSystemRoots(). I don't see any exposed method for merging a cert into the default system roots.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论