http.ListenAndServeTLS with multiple certificates


Question


How do I ListenAndServeTLS with multiple domains? I see the function accepts a cert and key file, but I believe the key file may only contain a single private key. I have a few private keys, for different certificate chains.

Answer 1

Score: 13

http.ListenAndServeTLS is meant to present a bare minimal configuration. If you want to add other options, you can create an http.Server with a custom tls.Config. You can then either manually map names in tls.Config.NameToCertificate, or call BuildNameToCertificate() to build the map programmatically.

You can still use Server.ListenAndServeTLS however, since it will load the certs in the config as well as a cert passed in via the method's args.

package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

func main() {
	cfg := &tls.Config{}

	// One cert/key file pair per certificate chain: a key file holds one key.
	cert, err := tls.LoadX509KeyPair("cert_one.pem", "key_one.pem")
	if err != nil {
		log.Fatal(err)
	}

	cfg.Certificates = append(cfg.Certificates, cert)
	// keep adding remaining certs to cfg.Certificates

	// Maps SNI names to certificates. Deprecated since Go 1.14, where the
	// library selects from cfg.Certificates by SNI on its own; still compiles.
	cfg.BuildNameToCertificate()

	// Placeholder handler standing in for the answer's undefined myHandler.
	myHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})

	server := http.Server{
		Addr:      "127.0.0.1:443",
		Handler:   myHandler,
		TLSConfig: cfg,
	}

	// Empty file names: serve only the certificates already in cfg.
	log.Fatal(server.ListenAndServeTLS("", ""))
}

Answer 2

Score: 2

I'm no Go user myself but if you want to use multiple certificates on the same TLS listener you must have some way to decide which certificate should be used once a client connects because only a single certificate + chain can be sent inside the TLS handshake.

The main use case for this is Server Name Indication (SNI). With SNI you have multiple certificates and you want to select the appropriate one based on the name the client asked for within the TLS handshake.

Searching for go sni server results in this post from 2013. This post shows that using multiple certificates with ListenAndServeTLS is not possible (or was in 2013) but it also shows how to achieve the necessary functionality.
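
An added example, not code from either answer, that combines both points above: several certificates go into one tls.Config and the one to send is chosen from the SNI name in the ClientHello through a GetCertificate callback, the current replacement for the deprecated NameToCertificate/BuildNameToCertificate path. The selfSigned helper and the host names a.example and b.example are constructed test material; a real server would load PEM pairs with tls.LoadX509KeyPair instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds an in-memory self-signed cert for one host (constructed test material).
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// sniConfig serves the certificate whose DNS names match the client's SNI name and
// falls back to certs[0] when the client sends no SNI (e.g. connected by IP) or an unknown name.
func sniConfig(certs []tls.Certificate) *tls.Config {
	byName := map[string]*tls.Certificate{}
	for i := range certs {
		leaf := certs[i].Leaf // nil before Go 1.23 unless set by the caller
		if leaf == nil {
			leaf, _ = x509.ParseCertificate(certs[i].Certificate[0]) // already validated DER
		}
		for _, name := range leaf.DNSNames {
			byName[strings.ToLower(name)] = &certs[i] // SNI names are case-insensitive
		}
	}
	return &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[strings.ToLower(h.ServerName)]; ok {
				return c, nil
			}
			return &certs[0], nil // default certificate
		},
	}
}
```

Pass the returned config as TLSConfig on an http.Server and call ListenAndServeTLS("", "") as in the first answer; a client that connects by IP address gets certs[0], so put the most widely valid chain first.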

huangapple
  • Posted on 24 August 2015, 13:58:27
  • Please keep this link when reposting: https://go.coder-hub.com/32175300.html