golang SSL certification
Question
So, here I am trying to have a socket listen on an SSL connection. However, it isn't able to make the handshake. Upon running

```sh
sudo openssl s_client -CApath /etc/ssl/certs/ -connect localhost:8080
```

it is unable to verify the first cert.
I have very little experience with SSL. Can anyone help?
```go
import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
)

cert, err := tls.LoadX509KeyPair("positivessl.crt", "key.pem")
checkError(err) // the original called Error.CheckError here; made consistent with the helper used below
rootCert, err := ioutil.ReadFile("AddTrustExternalCARoot.crt")
checkError(err)
trustCert, err := ioutil.ReadFile("COMODORSAAddTrustCA.crt")
checkError(err)
validationCert, err := ioutil.ReadFile("COMODORSADomainValidationSecureServerCA.crt")
checkError(err)
// The root and intermediates are loaded into a verification pool (RootCAs);
// certificates in that pool are used to check a peer's chain and are never sent to the peer.
certs := x509.NewCertPool()
certs.AppendCertsFromPEM(validationCert)
certs.AppendCertsFromPEM(trustCert)
certs.AppendCertsFromPEM(rootCert)
sslConfig := tls.Config{RootCAs: certs, Certificates: []tls.Certificate{cert}}
sslConfig.Rand = rand.Reader
listener, err := tls.Listen("tcp", service, &sslConfig) // service is the listen address, e.g. ":8080"
checkError(err)
```
Answer 1
Score: 2
I'm not familiar with go itself, but from the documentation at http://golang.org/pkg/crypto/tls/ they look similar to other SSL stacks:

- The rootCert should not be included in the chain. The root cert is the actual trust anchor used for verification of the certificate chain at the client, and thus the client must already know it and trust it. RootCAs are the trusted certificates which are used to verify the certificate. These are not sent to the peer but are used instead as the trust anchors when verifying the received certificates. Thus this setting is relevant for the client side to verify the server's certificate, and maybe for the server side when the client sends certificates too.
- Instead, all the certificates you want to send to the peer have to be included in Certificates. That is, not only the leaf certificate cert, but also the chain certificates validationCert and trustCert. You have to include them in the correct order so that they build a chain which the client can then finish with the trusted root certificate.
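The chain ordering the answer describes, as an added example that is not part of the original post: it mints a throwaway root, intermediate and leaf in memory (constructed test data, not the COMODO certificates from the question), builds the tls.Certificate the way the answer says (leaf first, then the intermediate, root left out), and checks the sent chain against a pool holding only the root, which is what openssl s_client -CApath does. The function names issue, buildChain, serverChain and clientVerifies are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a throwaway test certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// buildChain builds an in-memory root -> intermediate -> leaf hierarchy (constructed test data, not real CA certs).
func buildChain() (root, inter, leaf *x509.Certificate, leafKey ed25519.PrivateKey) {
	root, rootKey := issue("Test Root CA", true, 1, nil, nil)
	inter, interKey := issue("Test Intermediate CA", true, 2, root, rootKey)
	leaf, leafKey = issue("localhost", false, 3, inter, interKey)
	return
}
// serverChain is the corrected form of the question's setup: leaf first, then the intermediate(s), in one tls.Certificate for Config.Certificates; the root stays out because the client must already trust it.
func serverChain(leaf, inter *x509.Certificate, key ed25519.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: key, Leaf: leaf}
}
// clientVerifies replays what `openssl s_client -CApath` does: trust only the root and check whether the chain the server sent closes to it. sent.Leaf is the parsed form of sent.Certificate[0].
func clientVerifies(sent tls.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, der := range sent.Certificate[1:] { // every entry after the leaf is an intermediate
		if c, err := x509.ParseCertificate(der); err == nil {
			inters.AddCert(c)
		}
	}
	_, err := sent.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

With the intermediate dropped from serverChain the verification fails exactly as the question's openssl output does, because the client cannot link the leaf to the only root it trusts.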