如何为Go服务器设置TLS密码套件?

huangapple go评论90阅读模式
英文:

How to set TLS cipher for Go server?

问题

你好!你目前正在使用以下的ListenAndServeTLS命令来运行一个安全的WebSocket/文件服务器:

http.ListenAndServeTLS(":443", "site.crt", "site.key", router)

然而,你想要将密码设置为TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,并且设置一个最低的SSL/TLS版本。

你可以如何实现这个呢?

我认为你需要以某种方式使用这个Config结构体,但我不确定具体如何操作。

英文:

I'm currently using the following listen and serve command to run a secure websocket/file server:

http.ListenAndServeTLS(":443", "site.crt","site.key", router)

However, I want to set the cipher to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and also set a min SSL/TLS version.

How can I do this?

I think I need to use this Config structure somehow, but I'm not sure how to do this.

答案1

得分: 9

2015年:你可以在secrpc/tls_server.go中看到一个示例:

tls.Listen("tcp", addr, &tls.Config{
    Certificates: []tls.Certificate{cert},
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    },
    MinVersion:               tls.VersionTLS12,
    PreferServerCipherSuites: true,
})

还可以参考go/issues/11047中使用ListenAndServeTLS的示例:一旦你定义了Config,你就可以定义你的服务器:

server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
server.L

在2021年,还有来自Filippo Valsorda的"自动密码套件排序在crypto/tls中":

> 最近发布的Go 1.17接管了所有Go用户的密码套件偏好排序。
>
> 虽然Config.CipherSuites仍然控制启用的TLS 1.0-1.2密码套件,但它不用于排序,而Config.PreferServerCipherSuites现在被忽略。
>
> 相反,crypto/tls 根据可用的密码套件、本地硬件和推断的远程硬件能力做出所有排序决策。

英文:

2015: You can see an example in secrpc/tls_server.go:

tls.Listen("tcp", addr, &tls.Config{
	Certificates: []tls.Certificate{cert},
	CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	},
	MinVersion:               tls.VersionTLS12,
	PreferServerCipherSuites: true,
})

See also go/issues/11047 for an example using ListenAndServeTLS: once you have defined your Config, you define your server:

server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
server.L

In 2021, you also have "Automatic cipher suite ordering in crypto/tls" from Filippo Valsorda:

> Go 1.17, recently released, takes over cipher suite preference ordering for all Go users.
>
> While Config.CipherSuites still controls which TLS 1.0–1.2 cipher suites are enabled, it is not used for ordering, and Config.PreferServerCipherSuites is now ignored.
>
> Instead, crypto/tls makes all ordering decisions, based on the available cipher suites, the local hardware, and the inferred remote hardware capabilities.

huangapple
  • 本文由 发表于 2015年7月5日 08:08:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/31226131.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定