问题

我正在创建一个Go TCP服务器（非http/s），并尝试配置它使用SSL。我有一个StartCom免费的SSL证书，我正在尝试使用它来实现这个目标。我的服务器代码如下所示：

cert, err := tls.LoadX509KeyPair("example.com.pem", "example.com.key")
if err != nil {
    fmt.Println("Error loading certificate. ",err)
}
trustCert, err := ioutil.ReadFile("sub.class1.server.ca.pem")
if err != nil {
    fmt.Println("Error loading trust certificate. ",err)
}
validationCert, err := ioutil.ReadFile("ca.pem")
if err != nil {
    fmt.Println("Error loading validation certificate. ",err)
}
certs := x509.NewCertPool()
if !certs.AppendCertsFromPEM(validationCert) {
    fmt.Println("Error installing validation certificate.")
}
if !certs.AppendCertsFromPEM(trustCert) {
    fmt.Println("Error installing trust certificate.")
}

sslConfig := tls.Config{RootCAs: certs,Certificates: []tls.Certificate{cert}}

service := ":5555"
tcpAddr, error := net.ResolveTCPAddr("tcp", service)
if error != nil {
    fmt.Println("Error: Could not resolve address")
} else {
    netListen, error := tls.Listen(tcpAddr.Network(), tcpAddr.String(), &sslConfig)
    if error != nil {
        fmt.Println(error)
    } else {
        defer netListen.Close()

        for {
            fmt.Println("Waiting for clients")
            connection, error := netListen.Accept()

我尝试过调整证书的顺序，不包括某些证书等等，但是openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5555的输出基本上保持不变，即verify error:num=20:unable to get local issuer certificate。完整的输出请参见这里。我似乎在处理中间证书方面做错了什么，但我不知道具体是什么问题。我已经花了几天的时间在这个问题上，进行了大量的搜索和查找，但似乎没有找到适合我情况的解决方案。我在Apache和HAProxy中设置了许多证书，但这个问题真的让我困惑。

英文:

I'm creating a Go TCP server (NOT http/s) and I'm trying to configure it to use SSL. I have a StartCom free SSL certificate which I am trying to use to accomplish this. My server code looks like this:

    cert, err := tls.LoadX509KeyPair(&quot;example.com.pem&quot;, &quot;example.com.key&quot;)
	if err != nil {
		fmt.Println(&quot;Error loading certificate. &quot;,err)
	}
	trustCert, err := ioutil.ReadFile(&quot;sub.class1.server.ca.pem&quot;)
	if err != nil {
		fmt.Println(&quot;Error loading trust certificate. &quot;,err)
	}
	validationCert, err := ioutil.ReadFile(&quot;ca.pem&quot;)
	if err != nil {
		fmt.Println(&quot;Error loading validation certificate. &quot;,err)
	}
	certs := x509.NewCertPool()
	if !certs.AppendCertsFromPEM(validationCert) {
		fmt.Println(&quot;Error installing validation certificate.&quot;)
	}
	if !certs.AppendCertsFromPEM(trustCert) {
		fmt.Println(&quot;Error installing trust certificate.&quot;)
	}

	sslConfig := tls.Config{RootCAs: certs,Certificates: []tls.Certificate{cert}}

	service := &quot;:5555&quot;
	tcpAddr, error := net.ResolveTCPAddr(&quot;tcp&quot;, service)
	if error != nil {
		fmt.Println(&quot;Error: Could not resolve address&quot;)
	} else {
		netListen, error := tls.Listen(tcpAddr.Network(), tcpAddr.String(), &amp;sslConfig)
		if error != nil {
			fmt.Println(error)
		} else {
			defer netListen.Close()

			for {
				fmt.Println(&quot;Waiting for clients&quot;)
				connection, error := netListen.Accept()

I've tried switching around the order of the certs, not including some certs, etc. but the output from openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5555 remains essentially the same, verify error:num=20:unable to get local issuer certificate. See <a href="http://pastebin.com/hALjVZb3">here</a> for full output. I seem to be doing something wrong with the intermediate certificates, but I have no idea what. I have been working on this for a few days, lots of googling and SO'ing, but nothing seemed to quite fit my situation. I have set up many certificates in Apache and HAProxy, but this really has me stumped.

答案1

得分: 8

RootCAs字段用于客户端验证服务器证书。我假设你只想提供一个用于验证的证书，所以你需要加载到Certificates切片中的任何内容。

以下是一个最简化的示例：

cert, err := tls.LoadX509KeyPair("example.com.pem", "example.com.key")
if err != nil {
    log.Fatal("加载证书出错：", err)
}

tlsCfg := &tls.Config{Certificates: []tls.Certificate{cert}}

listener, err := tls.Listen("tcp4", "127.0.0.1:5555", tlsCfg)
if err != nil {
    log.Fatal(err)
}
defer listener.Close()

for {
    log.Println("等待客户端连接")
    conn, err := listener.Accept()
    if err != nil {
        log.Fatal(err)
    }
    go handle(conn)
}

即使你没有使用HTTPS，从http.ListenAndServeTLS开始逐步设置服务器仍然可能有用。

英文:

The RootCAs field is for clients verifying server certificates. I assume you only want to present a cert for verification, so anything you need should be loaded into the Certificates slice.

Here is a minimal example:

cert, err := tls.LoadX509KeyPair(&quot;example.com.pem&quot;, &quot;example.com.key&quot;)
if err != nil {
	log.Fatal(&quot;Error loading certificate. &quot;, err)
}

tlsCfg := &amp;tls.Config{Certificates: []tls.Certificate{cert}}

listener, err := tls.Listen(&quot;tcp4&quot;, &quot;127.0.0.1:5555&quot;, tlsCfg)
if err != nil {
	log.Fatal(err)
}
defer listener.Close()

for {
	log.Println(&quot;Waiting for clients&quot;)
	conn, err := listener.Accept()
	if err != nil {
		log.Fatal(err)
	}
	go handle(conn)
}

Even though you're not using HTTPS, it may still be useful to walk through the server setup starting at http.ListenAndServeTLS.

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

Golang SSL TCP套接字证书配置

问题

答案1

golang中的map接口 – panic: 将值分配给空map的条目

使用Golang发送电子邮件并附加多个文件。

为什么我不能在期望 *interface{} 的地方使用指向特定类型的指针？

golang sync.WaitGroup永远不会完成

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论