Two-way SSL


Iacob Nasca

Aug 28, 2013, 1:00:13 PM
to golan...@googlegroups.com
I looked at every function in the http package but could not find any. Is there a way to make a two-way SSL call?
There is an API that requires two-way SSL that I need to integrate with and I cannot for the life of me make it work. All I need to do is post a JSON to some secure endpoint but it seems I have to also encrypt my request with a certificate. The initial certificate they provided me with was a .jks and I managed to extract the private key and the certificate from it (that was a joy ride as well). As a side note here, is there a simple way to just use the .jks and not a suite of applications to convert it back to .pem?
Anyway... back to the issue. The certificate they provided me is also password encrypted. I saw that the encoding/pem package provides a decryption method but the http package client certificate requires you to provide a certificate and a key as filenames and so it fails to apply the certificate/key pair since they are encrypted. How... how?

Kyle Lemons

Aug 28, 2013, 2:40:03 PM
to Iacob Nasca, golang-nuts
All SSL connections are two-way.  I assume you mean a connection in which both the client and server authenticate one another by their certificates.

Don't use ListenAndServeTLS if it's not precisely what you need; it's a pretty straightforward wrapper that you can copy, paste, and edit to suit your needs (including loading more certificates and/or from something other than a file).



Iacob Nasca

Aug 28, 2013, 2:49:28 PM
to golan...@googlegroups.com, Iacob Nasca
I don't use ListenAndServe. I am the client. I use http.Post("https://.....") (well, not directly http.Post; I'm creating an http.Client because I need custom headers too). And my request must be signed by my client certificate as well.

Kyle Lemons

Aug 28, 2013, 3:02:45 PM
to Iacob Nasca, golang-nuts
Oh, right, I knew that...

Create a http://golang.org/pkg/net/http/#Transport with the TLSConfig set up with your client certificate, use that to create a Client, and then call (*Client).Post

Iacob Nasca

Aug 28, 2013, 3:10:39 PM
to golan...@googlegroups.com, Iacob Nasca
I already tried tls.LoadX509KeyPair("cert.pem", "key.pem") to load up the certificate and the key and obtain the tls.Certificate, but the key is password protected. They gave me the certificate and the password. But how do I decrypt it? The tls package doesn't have too many methods. Actually it only has two: LoadX509KeyPair(filename, filename string) and X509KeyPair(data, data []byte).

Martin Schnabel

Aug 28, 2013, 3:14:54 PM
to golan...@googlegroups.com
On 08/28/2013 09:10 PM, Iacob Nasca wrote:
> I already tried tls.LoadX509KeyPair("cert.pem", "key.pem") to load
> up the certificate and the key and obtain the tls.Certificate, but
> the key is password protected. They gave me the certificate and the
> password. But how do I decrypt it? The tls package doesn't have too many
> methods. Actually it only has two: LoadX509KeyPair(filename, filename
> string) and X509KeyPair(data, data []byte).

You can strip the password from the key with openssl. Something like
this should work:

$ openssl rsa -in key.pem -out key.pem.unencrypted

Hope that works for you!

Iacob Nasca

Aug 28, 2013, 3:32:36 PM
to golan...@googlegroups.com
Excellent. Thanks a lot, mb0. I finally get an answer from the API other than 403.
They should add a new method to the tls package to accept a password as well. :)
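The step Martin does with `openssl rsa`, and that Iacob wishes the tls package did for him, can also be done inside the Go program, which avoids ever writing an unencrypted key.pem.unencrypted to disk. The following is an added example, not code from the thread: it uses encoding/pem together with x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock, the standard-library functions for the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" / "DEK-Info" key format (they are marked deprecated because that format is unauthenticated and padding-oracle-prone, but it is exactly the format an `openssl rsa -des3`/`-aes256` key is in). The function names decryptPEMKey, parseKeyDER and encryptKeyForDemo, and the password "s3cret", are mine; the key is generated at run time as constructed input. Caveat: keys in PKCS#8 encrypted form ("BEGIN ENCRYPTED PRIVATE KEY") are not handled by the standard library, so for those the openssl route is still needed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// decryptPEMKey returns an unencrypted PEM encoding of the private key in pemBytes,
// which is the form tls.X509KeyPair accepts. A key protected with the legacy
// OpenSSL "Proc-Type: 4,ENCRYPTED" / "DEK-Info" headers is decrypted with
// password; an already-unencrypted key is passed through unchanged.
func decryptPEMKey(pemBytes, password []byte) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return pem.EncodeToMemory(block), nil
	}
	der, err := x509.DecryptPEMBlock(block, password)
	if err != nil {
		return nil, fmt.Errorf("decrypt %s: %w", block.Type, err)
	}
	// DecryptPEMBlock only checks the CBC padding, so a wrong password slips
	// through roughly once in 256 tries and yields garbage. Parsing catches that.
	if err := parseKeyDER(block.Type, der); err != nil {
		return nil, fmt.Errorf("decrypted %s does not parse (wrong password?): %w", block.Type, err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der}), nil
}

// parseKeyDER validates the decrypted bytes against the key format the PEM label announces.
func parseKeyDER(blockType string, der []byte) error {
	var err error
	switch blockType {
	case "RSA PRIVATE KEY":
		_, err = x509.ParsePKCS1PrivateKey(der)
	case "EC PRIVATE KEY":
		_, err = x509.ParseECPrivateKey(der)
	case "PRIVATE KEY":
		_, err = x509.ParsePKCS8PrivateKey(der)
	default:
		err = fmt.Errorf("unsupported PEM type %q", blockType)
	}
	return err
}

// encryptKeyForDemo produces the kind of file the thread is about: an RSA key in
// legacy OpenSSL encrypted PEM form (AES-256-CBC here). Constructed test input only.
func encryptKeyForDemo(key *rsa.PrivateKey, password []byte) ([]byte, error) {
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), password, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	encrypted, err := encryptKeyForDemo(key, []byte("s3cret"))
	if err != nil {
		panic(err)
	}
	plain, err := decryptPEMKey(encrypted, []byte("s3cret"))
	if err != nil {
		panic(err)
	}
	// plain is what you would hand, together with the certificate PEM, to tls.X509KeyPair.
	fmt.Printf("%.31s\n", plain) // -----BEGIN RSA PRIVATE KEY-----
	_, err = decryptPEMKey(encrypted, []byte("wrong"))
	fmt.Println("wrong password:", err) // non-nil
}
```

Once decryptPEMKey has returned, tls.X509KeyPair(certPEM, plain) gives the tls.Certificate to put in tls.Config.Certificates; the passphrase can come from the environment or a secret store rather than living next to the key file.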

Iacob Nasca

Aug 29, 2013, 3:36:35 AM
to golan...@googlegroups.com
OK, this is for posterity in case anyone ever looks for something like this. A very simple example:

package main

import (
	"compress/gzip"
	"crypto/rand"
	"crypto/tls"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

func main() {
	// key.pem must be unencrypted here (see the openssl rsa step above):
	// the tls package has no API that takes a passphrase.
	cert, err := tls.LoadX509KeyPair("certificate.pem", "key.pem")
	if err != nil {
		log.Fatalf("Failed to load X509 key pair: %s", err)
	}

	ssl := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// Disables verification of the server's certificate, so the client
		// accepts any certificate and the connection can be intercepted.
		// Once the call works, load the API's CA into RootCAs and drop this.
		InsecureSkipVerify: true,
	}
	ssl.Rand = rand.Reader // crypto/rand is already the default; shown explicitly

	client := &http.Client{
		Transport: &http.Transport{
			DialContext:     (&net.Dialer{Timeout: 3 * time.Second}).DialContext,
			TLSClientConfig: ssl,
		},
	}

	requestBody := strings.NewReader("{}")
	req, err := http.NewRequest("POST", "https://www....", requestBody)
	if err != nil {
		log.Fatalf("Failed to build request: %s", err)
	}

	// some custom headers
	req.Header.Add("Content-Type", "application/json")
	req.Header.Add("Accept", "application/json")

	response, err := client.Do(req)
	if err != nil {
		log.Fatalf("Failed to make request: %s", err)
	}
	defer response.Body.Close()

	if response.StatusCode != http.StatusOK {
		log.Fatalf("FAILED: Got status: %s", response.Status)
	}

	// The transport decompresses gzip transparently when it asked for it
	// itself; this branch only fires if the server gzips without being asked.
	if strings.Contains(response.Header.Get("Content-Encoding"), "gzip") {
		gz, err := gzip.NewReader(response.Body)
		if err != nil {
			log.Fatalf("Could not open gzip reader: %s", err)
		}
		defer gz.Close()
		response.Body = gz
	}

	data, err := io.ReadAll(response.Body)
	if err != nil {
		log.Fatalf("Could not read response body: %s", err)
	}
	log.Println(string(data))
}
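Kyle's advice (a Transport whose TLS config carries the client certificate, then Client.Post) is what the example above implements, but with InsecureSkipVerify it only authenticates one direction. The following is an added, self-contained demonstration of actual two-way TLS; it is not code from the thread. It generates a throwaway CA plus a server certificate and a client certificate in memory, starts a server with ClientAuth: tls.RequireAndVerifyClientCert, and shows that a client presenting the certificate gets its JSON POST answered while a client without one is refused during the handshake. The client verifies the server against that CA instead of skipping verification. The names issue, buildPKI, startServer, postJSON, "demo CA" and "api-client", the Ed25519 keys, and the pinning of the server name "localhost" (httptest listens on 127.0.0.1) are my choices for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue makes an Ed25519 key and a one-day certificate for cn, signed by parent
// or, when parent is nil, self-signed as the CA. Demo-only in-memory PKI.
func issue(cn string, serial int64, parent *tls.Certificate, eku ...x509.ExtKeyUsage) (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"}, // only the server cert needs a name; harmless on the others
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	signerCert, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, err
}

// buildPKI returns the CA as a trust pool plus a server leaf and a client leaf, each limited to its own EKU.
func buildPKI() (pool *x509.CertPool, server, client tls.Certificate, err error) {
	ca, err := issue("demo CA", 1, nil)
	if err != nil {
		return
	}
	pool = x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	if server, err = issue("server", 2, &ca, x509.ExtKeyUsageServerAuth); err != nil {
		return
	}
	client, err = issue("api-client", 3, &ca, x509.ExtKeyUsageClientAuth)
	return
}

// startServer requires a client certificate chaining to pool, so by the time the
// handler runs r.TLS.PeerCertificates[0] is an authenticated identity.
func startServer(pool *x509.CertPool, server tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello, %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// postJSON is the call the thread is about: the client verifies the server against pool
// (no InsecureSkipVerify), pins the name its cert carries, and presents clientCert if non-nil.
func postJSON(pool *x509.CertPool, clientCert *tls.Certificate, url, body string) (string, error) {
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Post(url, "application/json", strings.NewReader(body))
	if err != nil {
		return "", err // a missing or untrusted client cert surfaces here as a TLS alert
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	pool, server, client, err := buildPKI()
	if err != nil {
		panic(err)
	}
	srv := startServer(pool, server)
	defer srv.Close()
	fmt.Println(postJSON(pool, &client, srv.URL, "{}")) // hello, api-client <nil>
	fmt.Println(postJSON(pool, nil, srv.URL, "{}"))     // empty body and a non-nil error: handshake refused
}
```

Against a real API the pieces map directly: tls.LoadX509KeyPair (or tls.X509KeyPair on the decrypted PEM) replaces issue for the client certificate, the API's CA certificate goes into RootCAs instead of the demo pool, and ServerName is left empty so the Transport checks the host from the URL.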

john...@gmail.com

Aug 29, 2013, 5:08:35 PM
to golan...@googlegroups.com
On Thursday, August 29, 2013 3:36:35 AM UTC-4, Iacob Nasca wrote:
OK, this is for posterity in case anyone ever looks for something like this. A very simple example:

Thank you so much, I was just looking for some steps on getting this working.  Perfect timing. 