fasthttp tls client


Yashar Vasegh

Oct 9, 2020, 11:31:29 AM
to golang-nuts
Hello,

I need to implement client TLS under fasthttp. When I set the client TLSConfig it does not even make a request and status code 200 is returned; could someone help me with it?

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"

	"github.com/valyala/fasthttp"
)

func req(method string, url string, data []byte) (int, []byte) {
	cert, err := tls.LoadX509KeyPair("a.txt", "a.key")
	if err != nil {
		log.Fatal(err)
	}

	// Load CA cert
	caCert, err := ioutil.ReadFile("a.csr")
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	// Setup HTTPS client
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
	}

	req := fasthttp.AcquireRequest()
	req.SetRequestURI(url)
	req.Header.SetMethod(method)
	req.SetBody(data)
	resp := fasthttp.AcquireResponse()

	client := &fasthttp.Client{
		TLSConfig: tlsConfig,
	}
	// The error returned by Do is ignored: if the request never completes,
	// resp is left untouched and resp.StatusCode() reports its default of 200.
	client.Do(req, resp)
	statusCode := resp.StatusCode()
	body := resp.Body()
	return statusCode, body
}

func main() {
	a, b := req("GET", "https://google.com", nil)

	fmt.Print(string(b))
	fmt.Println(a)
}

Brian Candler

Oct 9, 2020, 12:40:16 PM
to golang-nuts
I suspect you may have misunderstood what a "CA Certificate" is.  It's not the Certificate Signing Request (CSR) that you created for your own public key.  It's the public key of the certificate authority which signed the server's certificate (i.e. google.com).

However, since google.com is signed by one of the standard public CAs, you don't need to specify a CA certificate at all, and it will use your system's default set of root CAs.

The following variation of your code works for me.  I removed the client cert/key as well, since google doesn't require you to present a client cert.

package main

import (
	"crypto/tls"
	"fmt"
	//"crypto/x509"
	//"io/ioutil"

	"github.com/valyala/fasthttp"
)

func req(method string, url string, data []byte) (int, []byte) {
	// Setup HTTPS client
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{},
	}

	req := fasthttp.AcquireRequest()
	req.SetRequestURI(url)
	req.Header.SetMethod(method)
	req.SetBody(data)
	resp := fasthttp.AcquireResponse()

	client := &fasthttp.Client{
		TLSConfig: tlsConfig,
	}
	// The error returned by Do is not checked here.
	client.Do(req, resp)
	statusCode := resp.StatusCode()
	body := resp.Body()
	return statusCode, body
}

func main() {
	a, b := req("GET", "https://google.com", nil)

	fmt.Print(string(b))
	fmt.Println(a)
}

The result:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
301

(and if you change https://google.com to https://www.google.com then you get the search page)

Yashar Vasegh

Oct 9, 2020, 3:00:57 PM
to golang-nuts
Thank you for your response.

This is for "Client TLS", not "Server TLS", and the target URL is not google.com; it is another server which supports "Client TLS". And even when I make the change you suggest (changing https://google.com to https://www.google.com to get the search page), I get no result.

Does anybody have an idea why it returns 200 even without making a request?

Yashar Vasegh

Oct 9, 2020, 3:15:06 PM
to golang-nuts
Yes, it works, thank you. I still do not understand why the root CA causes a problem here, but I was expecting that for "Client side TLS AUTH" I need to add a CA.

On Friday, October 9, 2020 at 12:40:16 PM UTC-4 b.ca...@pobox.com wrote:

Brian Candler

Oct 9, 2020, 4:16:27 PM
to golang-nuts
On Friday, 9 October 2020 20:15:06 UTC+1, Yashar Vasegh wrote:
Yes, it works, thank you. I still do not understand why the root CA causes a problem here, but I was expecting that for "Client side TLS AUTH" I need to add a CA.

No: it's symmetrical.

* A server has a *server private key* and a *server certificate*.  The other side (the client) uses the *CA public key* of the CA which signed the server certificate, to verify it.

* A client has a *client private key* and a *client certificate*.  The other side (the server) uses the *CA public key* of the CA which signed the client certificate, to verify it.

Therefore, the only CA key that the client needs is the one which signed the server certificate.  If the server certificate was signed by a well-known root CA (i.e. one which is already in the client's default set of trusted root CAs) then no CA configuration is required at all on the client side.
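The symmetry described above, carried through end to end as an added example (this is not code from the thread or from fasthttp): a constructed in-memory CA signs one server leaf and one client leaf; the server is configured with its own certificate plus the CA that signed client certificates (ClientCAs), and the client with its own certificate plus the CA that signed the server certificate (RootCAs). The same block also reproduces the mistake from the first post, handing a CSR in as the trust store: AppendCertsFromPEM merely returns false for that input, so the example wraps it in a check that fails loudly instead of continuing with an empty pool. The names pki, issue, newPKI, poolFromPEM, mutualTLS and must, the subjects "demo-ca" and "client-1", and the loopback handshake over standard-library crypto/tls are all this example's own assumptions; the client *tls.Config it builds is the same type that fasthttp.Client.TLSConfig accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the constructed PKI setup short
	if err != nil {
		panic(err)
	}
	return v
}

type pki struct { // constructed, in-memory CA with one server leaf and one client leaf
	caPEM, clientCSR       []byte          // the CA certificate; a CSR for the client key (NOT a CA cert)
	serverCert, clientCert tls.Certificate // leaf certificate plus private key for each side
}

// issue signs a leaf certificate for a fresh P-256 key with the CA template and key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, use x509.ExtKeyUsage, serial int64) (tls.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{use},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, key
}

func newPKI() *pki {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	srv, _ := issue(ca, caKey, "localhost", x509.ExtKeyUsageServerAuth, 2)
	cli, cliKey := issue(ca, caKey, "client-1", x509.ExtKeyUsageClientAuth, 3)
	csr := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "client-1"}}, cliKey))
	return &pki{
		caPEM:      pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		clientCSR:  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr}),
		serverCert: srv, clientCert: cli,
	}
}

// poolFromPEM fails loudly when the PEM holds no CERTIFICATE block (for example a CSR): AppendCertsFromPEM only reports false, never an error.
func poolFromPEM(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no CERTIFICATE block in PEM (is this a CSR?)")
	}
	return pool, nil
}

// mutualTLS runs one handshake over loopback TCP: the server verifies the client cert
// against the real CA, the client verifies the server cert against trust and presents
// clientCerts. The client then reads one record so the server's verdict on its cert is seen.
func mutualTLS(p *pki, trust []byte, clientCerts []tls.Certificate) error {
	rootCAs, err := poolFromPEM(trust)
	if err != nil {
		return err
	}
	clientCAs := must(poolFromPEM(p.caPEM))
	serverCfg := &tls.Config{Certificates: []tls.Certificate{p.serverCert}, ClientCAs: clientCAs, ClientAuth: tls.RequireAndVerifyClientCert}
	clientCfg := &tls.Config{Certificates: clientCerts, RootCAs: rootCAs, ServerName: "localhost"} // same type as fasthttp.Client.TLSConfig
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	go func() { // server side: Write runs the handshake and fails if the client cert is rejected
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // fails here if the server cert does not chain to trust
	if err == nil {
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, err = conn.Read(make([]byte, 2)) // in TLS 1.3 the server's rejection of the client cert arrives here
	}
	return err
}

func main() {
	p := newPKI()
	fmt.Println("CA trusted, client cert sent:", mutualTLS(p, p.caPEM, []tls.Certificate{p.clientCert}))
	fmt.Println("CSR used as trust anchor:", mutualTLS(p, p.clientCSR, []tls.Certificate{p.clientCert}))
	fmt.Println("no client cert sent:", mutualTLS(p, p.caPEM, nil))
}
```

Run it with go run: the first line prints <nil> for a successful mutual handshake, the second shows the CSR being rejected before any connection is opened, and the third shows the server refusing a client that presents no certificate. The read after tls.Dial is deliberate: in TLS 1.3 the client's handshake completes once it has sent its Finished message, before the server has verified the client certificate, so a client that only checks the Dial error can believe it authenticated when the server actually rejected it; the first Read surfaces the server's alert. The must helper is only there to keep the constructed setup short; production code returns those errors.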