Mutual TLS example


Vasiliy Tolstov

Apr 21, 2019, 8:09:17 AM
to golan...@googlegroups.com
Hi, I'm trying to find a mutual TLS example in Go, but I can't find a simple example that uses crypto/tls. I need a server that, for some HTTP handler, on a user request with a token returns a TLS cert for communication, and a client that uses this cert for communication after it is returned from the request. Ideally with the ability to rotate keys on the client before the previous one expires.
Does anybody know of one?

Aldrin Leal

Apr 21, 2019, 8:23:03 AM
to Vasiliy Tolstov, golang-nuts
I did one a while ago, but I can't share a sample. But you can build one, provided that:

1. Build your server as such (note the ClientAuth - that's where the magic happens):

...
        rootCAs, _ := x509.SystemCertPool()

        if nil == rootCAs {
                rootCAs = x509.NewCertPool()
        }

        cfg := &tls.Config{
                // SSL 3.0 is broken (and Go has since dropped it); TLS 1.2 is the floor.
                MinVersion: tls.VersionTLS12,
                /*
                        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
                        PreferServerCipherSuites: true,
                        CipherSuites: []uint16{
                                tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                                tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
                                tls.TLS_RSA_WITH_AES_256_CBC_SHA,
                        },
                */
                // VerifyClientCertIfGiven makes the client cert optional, so handlers must
                // check len(r.TLS.PeerCertificates) > 0 before trusting the identity;
                // use RequireAndVerifyClientCert to make it mandatory.
                ClientAuth: tls.VerifyClientCertIfGiven,
                // Client certificates are verified against ClientCAs; RootCAs is only
                // consulted when a config is used on the client side to verify a server.
                ClientCAs: rootCAs,
        }

        cert, err := tls.LoadX509KeyPair(*publicCertificate, *privateKey)
        if err != nil {
                log.Fatal(err)
        }

...



        srv := &http.Server{
                Addr:         ":8043",
                Handler:      handlers.RecoveryHandler(handlers.PrintRecoveryStack(true))(r),
                TLSConfig:    cfg,
                TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0), // disables HTTP/2
        }

        log.Fatal(srv.ListenAndServeTLS(*publicCertificate, *privateKey))


2. Look into http.Request, under the TLS.PeerCertificates array.


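An added, self-contained example (not Aldrin's code or anything from the thread) of the two steps above: the server verifies client certs against ClientCAs and the handler reads r.TLS.PeerCertificates, while a client presents its cert; a client with no cert is rejected at the handshake. The CA and certs are constructed in memory, and the names issue, demo, demo-ca, server, alice and the X-Client header are assumptions of this illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue mints an in-memory, one-hour cert for cn (constructed for this demo); parent == nil makes a self-signed CA.
func issue(cn string, ca bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// demo returns the client identity the handler saw for a CA-issued cert, and the error a client with no cert gets.
func demo() (seen string, noCertErr error) {
	ca := issue("demo-ca", true, nil)
	srvCert, cliCert := issue("server", false, &ca), issue("alice", false, &ca)
	pool := x509.NewCertPool() // the trust anchor: ClientCAs on the server, RootCAs on the client
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Client", r.TLS.PeerCertificates[0].Subject.CommonName) // [0] is the verified client leaf
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	get := func(certs ...tls.Certificate) (*http.Response, error) { // ServerName matches the server cert's SAN
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "server", Certificates: certs}}
		return (&http.Client{Transport: tr}).Get(srv.URL)
	}
	if ok, err := get(cliCert); err == nil {
		seen = ok.Header.Get("X-Client")
	}
	_, noCertErr = get() // the server rejects the handshake, so no HTTP request is ever served
	return
}
```

Note that it is ClientCAs, not RootCAs, that the server checks client certificates against; RootCAs only matters on the client side.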

Vasiliy Tolstov

Apr 21, 2019, 5:51:52 PM
to Aldrin Leal, Vasiliy Tolstov, golang-nuts
Thank you, maybe I found a more detailed example:
https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/amp/

Sun, 21 Apr 2019 at 15:22, Aldrin Leal <ald...@leal.eng.br>:
--
Vasiliy Tolstov,
e-mail: v.to...@selfip.ru

Timothy Raymond

Apr 22, 2019, 1:05:56 PM
to golang-nuts
I believe Liz Rice covered this in her GopherCon 2018 talk on TLS connections: https://www.youtube.com/watch?v=kxKLYDLzuHA

Vasiliy Tolstov

Apr 22, 2019, 5:17:14 PM
to Timothy Raymond, golang-nuts
Mon, 22 Apr 2019 at 20:06, Timothy Raymond <xtjra...@gmail.com>:

Thank you, this is very helpful for me.