Configuration problems with TLS in Golang + C#


Question


I am developing a video game and I am quite lost in the subject of secure communication between client and server. If anyone can give me a hand I would really appreciate it.

My project is based on a client (C# - Unity) + server (Go) that communicate through a TCP socket. Now I am adding security with TLS 1.2, and although, following several articles and posts, I have got a solution that apparently works, I think that I am not really getting secure communication, since even if I change the client's digital certificate for a totally different one, unrelated to the keys, everything still works the same, which makes me think that there is something I have not configured correctly.

Regarding the use of RSA keys, I am using the following scheme:

  • Server: Digital certificate generated with the private key (.pem) + private key to create the socket (.pem)

```go
//// Server Go ////

// Load the server's certificate and private key; the error must not be discarded.
cert, err := tls.LoadX509KeyPair(PemCertPath, PrivateKeyPath)
if err != nil {
	log.Fatal(err)
}
// ClientAuth is left at its default (tls.NoClientCert) and no ClientCAs pool is set,
// so this server never requests, let alone verifies, a client certificate.
config := tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
service := ServerAddress + ":" + strconv.Itoa(ServerPort)

socket, err := tls.Listen("tcp", service, &config)
if err != nil {
	log.Fatal(err)
}
```

  • Client: Digital certificate generated with the private key (.pem) to connect to the socket.

```csharp
//// Client C# ////

// X509Certificate2(byte[]) loads the certificate only: cert.HasPrivateKey is false,
// so the client holds no key with which it could prove ownership of this certificate.
byte[] certBytes = Convert.FromBase64String("AS9ggSEPw5yp7+IH5S9ingq+.........."); //Cert .pem
X509Certificate2 cert = new X509Certificate2(certBytes);
X509CertificateCollection certCollection = new X509CertificateCollection(new X509Certificate[] { cert });

tcpClient = new TcpClient(serverAddress, serverPort);
// ValidateCertificate (not shown) is the callback that decides whether the server's certificate is accepted.
sslStreamSerma = new SslStream(tcpClient.GetStream(), false, ValidateCertificate);

// certCollection is only offered as a client certificate if the server asks for one.
sslStreamSerma.AuthenticateAsClient(sermaName, certCollection, SslProtocols.Tls12, false);
```

I am quite confused with this ... I do not understand what is happening here, such that regardless of the digital certificate the client uses, the communication continues to work ... Should I create 2 pairs of keys, one for the client and one for the server? Should the certificate be generated with the public key?

If anyone can help me I would really appreciate it ...

Answer 1

Score: 0


The problem is that your client certificate doesn't have an associated private key, which is required to perform client authentication.

```csharp
byte[] certBytes = Convert.FromBase64String("AS9ggSEPw5yp7+IH5S9ingq+.........."); //Cert .pem
X509Certificate2 cert = new X509Certificate2(certBytes);
```

This part of the code reads only the public part of the certificate, not the private key.
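The symptom in the question follows from the Go server's tls.Config, which sets neither ClientAuth nor ClientCAs, so the server never asks the client for a certificate; and, as the answer says, a client can only present a certificate whose private key it holds. As an added Go example that is neither the asker's nor the answerer's code, the handshake below is run over a loopback listener under both policies: the newCert and runHandshake helpers, the in-memory RSA certificates and the "localhost"/"player" names are my own constructed test material.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert makes an RSA key pair plus a self-signed certificate for cn (constructed test material; the private key is kept).
func newCert(cn string) tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// One key pair per party, which is what the question asks about.
var serverCert, playerCert = newCert("localhost"), newCert("player")
// runHandshake runs one TLS 1.2 handshake over loopback TCP under the given ClientAuth policy and returns the client certificates the server verified.
func runHandshake(clientAuth tls.ClientAuthType, clientCerts []tls.Certificate) ([]*x509.Certificate, error) {
	trusted := x509.NewCertPool() // one trust store shared by both sides, for brevity
	trusted.AddCert(serverCert.Leaf)
	trusted.AddCert(playerCert.Leaf)
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert}, ClientAuth: clientAuth, ClientCAs: trusted}
	cliCfg := &tls.Config{RootCAs: trusted, ServerName: "localhost", Certificates: clientCerts}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side; the outcome is observed on the server
	conn, err := ln.Accept()
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	err = tc.Handshake() // fails with "client didn't provide a certificate" or "failed to verify client certificate"
	return tc.ConnectionState().PeerCertificates, err
}
```

With tls.NoClientCert (the question's configuration) the handshake succeeds with any client certificate or none, and PeerCertificates stays empty; with tls.RequireAndVerifyClientCert it only succeeds when the client presents playerCert, and the server then sees its CommonName.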

Posted by huangapple on 2021-06-23 01:04:32. Original link: https://go.coder-hub.com/68087934.html