How to set TLS cipher for Go server?
Question
I'm currently using the following listen and serve command to run a secure websocket/file server:
http.ListenAndServeTLS(":443", "site.crt", "site.key", router)
However, I want to set the cipher to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and also set a min SSL/TLS version.
How can I do this?
I think I need to use this Config structure somehow, but I'm not sure how to do this.
Answer 1
Score: 9
2015: You can see an example in secrpc/tls_server.go:
tls.Listen("tcp", addr, &tls.Config{
    Certificates: []tls.Certificate{cert},
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    },
    MinVersion:               tls.VersionTLS12,
    PreferServerCipherSuites: true,
})
See also go/issues/11047 for an example using ListenAndServeTLS: once you have defined your Config, you define your server:
server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
server.L
In 2021, you also have "Automatic cipher suite ordering in crypto/tls" from Filippo Valsorda:
> Go 1.17, recently released, takes over cipher suite preference ordering for all Go users.
>
> While Config.CipherSuites still controls which TLS 1.0–1.2 cipher suites are enabled, it is not used for ordering, and Config.PreferServerCipherSuites is now ignored.
>
> Instead, crypto/tls makes all ordering decisions, based on the available cipher suites, the local hardware, and the inferred remote hardware capabilities.
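An added worked example, written for this page and not code from the question, the answer, secrpc or the linked Go issue: it builds the policy the answer describes (TLS 1.2 floor, a restricted suite list, no PreferServerCipherSuites since Go 1.17 ignores it), attaches it to an http.Server the way go/issues/11047 does, and then checks in-process what the policy actually enforces. It generates its own throwaway self-signed certificate so it runs offline; the names hardenedTLSConfig, newServer, selfSignedCert, clientCfg and handshake are assumptions of this example. Two caveats it makes visible: CipherSuites only restricts TLS 1.0-1.2 suites, so a TLS 1.3 client still negotiates one of Go's fixed TLS 1.3 suites, and with an ECDSA key only the ECDSA suite in the list is usable (an RSA key such as the question's site.key would select the TLS_ECDHE_RSA suite instead).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"time"
)

// hardenedTLSConfig: TLS 1.2 floor and only two AEAD ECDHE suites for TLS 1.2.
// CipherSuites does not touch TLS 1.3 (its suites are fixed by crypto/tls), and
// since Go 1.17 suite ordering is decided by Go, so PreferServerCipherSuites is
// deliberately not set. Which of the two suites is usable depends on the
// certificate key type (ECDSA vs RSA).
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// newServer attaches the policy to net/http. TLSConfig already carries the
// certificate, so ListenAndServeTLS can be called with empty file names.
func newServer(addr string, cfg *tls.Config, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: h, TLSConfig: cfg, ReadHeaderTimeout: 10 * time.Second}
}

// selfSignedCert makes a throwaway ECDSA P-256 cert for "localhost" so the
// example runs offline (constructed test data, not for production use).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// clientCfg trusts the test cert and offers the given version range
// (0 means the crypto/tls default for that bound).
func clientCfg(pool *x509.CertPool, minV, maxV uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: minV, MaxVersion: maxV}
}

// handshake runs one in-process handshake and reports what was negotiated;
// a server-side rejection surfaces as the client's Dial error.
func handshake(serverCfg, cli *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		log.Fatal(err)
	}
	srvCfg := hardenedTLSConfig(cert)
	_, err = handshake(srvCfg, clientCfg(pool, tls.VersionTLS10, tls.VersionTLS11))
	fmt.Println("TLS 1.1-only client rejected:", err != nil)
	st, err := handshake(srvCfg, clientCfg(pool, 0, tls.VersionTLS12))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("TLS 1.2 client got", tls.CipherSuiteName(st.CipherSuite))
	// Production: load site.crt/site.key with tls.LoadX509KeyPair, then
	// log.Fatal(newServer(":443", srvCfg, router).ListenAndServeTLS("", "")).
	_ = newServer(":443", srvCfg, http.NotFoundHandler())
}
```

Run it with go run; the legacy client is refused by MinVersion alone, the TLS 1.2 client lands on the single suite compatible with the ECDSA key, and a default client negotiates TLS 1.3 regardless of CipherSuites. The empty certFile/keyFile arguments to ListenAndServeTLS are valid because TLSConfig.Certificates is already populated.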
Comments