Where can I place the SSLCertificateChainFile in http.ListenAndServeTLS? Any BEAST prevention setup recommendations?

[uticdmar...@gmail.com]

I recently tested comodo ssl analyzer and beast against my apache setup,
It seems that I have taken the necessary steps to prevent it for apache.

Now I would like to achieve the same thing with a golang server setup.

I did generate my adequatech.ca key with java keytool, then did a cert request and submitted it to comodo instant ssl.
It takes some finagling to convert the java key into an apache key.  The recipe is here:
http://pnkumaresh.wordpress.com/2010/11/12/exporting-tomcat-ssl-keys-to-apache-httpd/
That gives me:  adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key

Comodo, after lots of time and paperwork validation, finally sends me back a zip file adequatech_ca.zip which contains the following 3 files:
COMODOHigh-AssuranceSecureServerCA.crt
AddTrustExternalCARoot.crt 
adequatech_ca.crt

I needed to generate a adequatech.ca-certbundle with the following command:
cat comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt comodoSigned/AddTrustExternalCARoot.crt > adequatech.ca-certbundle

In apache's /etc/apache/sites-enabled/adequatech.caPort443, I have:
SSLCertificateKeyFile...got it.adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key
SSLCertificateFile...got it.adequatech_ca.crt
SSLCertificateChainFile...got it... adequatech.ca-certbundle

I tested the apache setup against following comodo/beast tests:
https://sslanalyzer.comodoca.com/?url=adequatech.ca
https://www.ssllabs.com/ssltest/analyze.html?d=adequatech.ca

NOW in golang http server, here is what I have:
if err = http.ListenAndServeTLS(":5555",
"adequatech_ca.crt", //SSLCertificateFile
"adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key", //SSLCertificateKeyFile
 router)

Where can I place the SSLCertificateChainFile(adequatech.ca-certbundle)?

Does anybody have any recent beast prevention setup recommendations for golang http?

Thanks

[Karl J. Smith]

http://golang.org/pkg/net/http/#ListenAndServeTLS

The cert file is the cert and the intermediates all concatenated together in one file.

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[uticdmar...@gmail.com]

As recommended by COMODO, SSLCertificateChainFile has a particular order for apache.

cat comodoSigned/COMODOHigh-

AssuranceSecureServerCA.crt comodoSigned/AddTrustExternalCARoot.crt > adequatech.ca-certbundle

golang's doc's for ListenAndServeTLS say: "the certFile should be the concatenation of the server's certificate followed by the CA's certificate", but there could be a number of CA's certificates, in my case there are only two, but for COMODO, it was clear their order in the bundle file is important.

So for golang's certFile, which is more appropriate to do?

cat comodoSigned/adequatech_ca.crt \
comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt \
comodoSigned/AddTrustExternalCARoot.crt \
> golangCertFile

or

cat comodoSigned/adequatech_ca.crt \
comodoSigned/AddTrustExternalCARoot.crt \
comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt \
> golangCertFile

?

I'll try them both, but thank you for taking the time.  Cheers.

[uticdmar...@gmail.com]

They both seem to work, but I couldn't test the BEAST vulnerability because that tool only allows to test on port 443.
The SSL Validator seemed to show firefox and internet explorer trusting the website:5555 with the CA certs in any order.

[Karl J. Smith]

I try to put them order to follow the chain, cert at the top, intermediate, next intermediate, etc.

You can do "openssl x509 -text -noout -in blah.crt | less" and look at the Issuer and Subjects to help you figure them out.

Once it's live, you can do "openssl s_client -showcerts -connect www.example.com:443" to see the chain in order according to an ssl client.

But it seems that the order doesn't matter, as you tested it. :)

[agl]

On Tuesday, July 30, 2013 5:40:18 PM UTC-4, uticdmar...@gmail.com wrote:

They both seem to work, but I couldn't test the BEAST vulnerability because that tool only allows to test on port 443.
The SSL Validator seemed to show firefox and internet explorer trusting the website:5555 with the CA certs in any order.

Many clients will reorder the certificates for you, but you shouldn't depend on it. The order in the file should be the leaf certificate followed by any intermediates. (Don't include the root.) 

You can set PreferServerCipherSuites and configure the list of server ciphersuites in the tls.Config: http://golang.org/pkg/crypto/tls/#Config. Prioritising RC4 will `fix' BEAST in the eyes of scanners.

Cheers

AGL

[uticdmar...@gmail.com]

Here is the before and after code:

    //cat comodoSigned/adequatech_ca.crt comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt comodoSigned/AddTrustExternalCARoot.crt > golangCertFile1
    // if err = http.ListenAndServeTLS(":5555", "/home/loongson/webServerKeysV2/golangCertFile1", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key", router); err != nil {
    //     panic(err)
    // }

    //cat comodoSigned/adequatech_ca.crt comodoSigned/AddTrustExternalCARoot.crt comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt > golangCertFile2
    // if err = http.ListenAndServeTLS(":5555", "/home/loongson/webServerKeysV2/golangCertFile2", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key", router); err != nil {
    //     panic(err)
    // }

    myTLSConfig := &tls.Config{
        CipherSuites: []uint16{
            tls.TLS_RSA_WITH_RC4_128_SHA,
            tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},}
    myTLSConfig.PreferServerCipherSuites = true
    const myWebServerListenAddress = "0.0.0.0:5555"
    myTLSWebServer := &http.Server{Addr: myWebServerListenAddress, TLSConfig: myTLSConfig, Handler: router}
    if err = myTLSWebServer.ListenAndServeTLS("/home/loongson/webServerKeysV2/golangCertFile2", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key"); err != nil {
        panic(err)

    }

>>>(Don't include the root.)

Did you mean not to include "comodoSigned/AddTrustExternalCARoot.crt" as part of the CertFile?
For example: 
cat comodoSigned/adequatech_ca.crt comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt > golangCertFile3

Thanks again for taking a look at this.

Cheers

[greivi...@gmail.com]

Did you manage to make this work?

If true.  Can you please write the steps to make it happen?  I never install a SSL certificate before and my production server is written in GO so this information would really help me.

Thank you very much in advance.

[David Marceau]

Thank you for taking the time to read my emails on golang. I'm happy to
see it is useful for someone.
https://github.com/omac777/t1

cacert.org provides free certificates but to make it work without
annoying popups in web browsers is a bit of work most users don't want
to have to go through. For testing your stuff yourself, this is a good
approach to go. Recipes for making it happen are there.

The non-free approach which eventually you will have to resort to for
anything truly serious will be to buy an ssl cert from somewhere like
which sslstore.com provides other ssl certificates that won't require
any user intervention in their web browser because they come
pre-installed in all web browsers. They also have recipes for creating
the ssl certs along with how to integrate them in your apache/tomcat web
server which is similar enough to golang certificate setup.

[David Marceau]

Hello Greivin,

I don't know martini source, but you need to find the ssl/tls framework
within that api. The api key you referred to has nothing to do with
ssl/tls.

Please read about keytool, openssl and ExportPriv.java.
https://github.com/omac777/t1/blob/master/README
-change the line to use your with your public cert and private key.
http.ListenAndServeTLS(":5555",
"/home/youruser/yourpubliccert.crt===golangCertFile",
"/home/youruser/yourprivatekey.key"

Whatever web server you use needs to make use of .key, .crt, .jks files.

cd comodoSigned/
mv ../adequatech_ca.zip .
unzip adequatech_ca.zip
cd ..
cd comodoSigned/
cp adequatech_ca.crt adequatech.ca.comodoinstantssl.crt
mv adequatech.ca.comodoinstantssl.crt ..
cd ..
keytool -import -alias adequatech.ca -file
adequatech.ca.comodoinstantssl.crt -keystore
adequatech_ca_comodoinstantssl_keystore.jks
keytool -export -alias adequatech.ca -keystore
adequatech_ca_comodoinstantssl_keystore.jks -file
adequatech.ca-comodoinstantssl-exported-publickey-der.crt
openssl x509 -noout -text -in
adequatech.ca-comodoinstantssl-exported-publickey-der.crt -inform der
openssl x509 -out
adequatech.ca-comodoinstantssl-exported-publickey-pem.crt -outform pem
-in adequatech.ca-comodoinstantssl-exported-publickey-der.crt -inform der
java ExportPriv adequatech_ca_comodoinstantssl_keystore.jks
http://adequatech.ca PASSWORDPASSWORDPASSWORD >
adequatech.ca-comodoinstantssl-exported-privatekey-pkcs8.key
openssl pkcs8 -inform PEM -nocrypt -in
adequatech.ca-comodoinstantssl-exported-privatekey-pkcs8.key -out
adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key
openssl pkcs12 -export -out adequatech.ca-exported-client.p12 -inkey
adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key -in
adequatech.ca-comodoinstantssl-exported-publickey-pem.crt

keytool -list -keystore adequatech_ca_comodoinstantssl_keystore.jks
keytool -delete -alias adequatech.ca -keystore
adequatech_ca_comodoinstantssl_keystore.jks
keytool -list -keystore adequatech_ca_comodoinstantssl_keystore.jks

#follow this recipe to install the comodo certs in the right order.
# 1. Import Root Certificate
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file
comodoSigned/AddTrustExternalCARoot.crt -keystore
adequatech_ca_comodoinstantssl_keystore.jks
# 2. Import Intermediate(s)
keytool -import -trustcacerts -alias COMODOHigh-AssuranceSecureServerCA
-file comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt -keystore
adequatech_ca_comodoinstantssl_keystore.jks
# 3. Import Entity/Domain certificate
keytool -import -trustcacerts -alias adequatech.ca -file
comodoSigned/adequatech_ca.crt -keystore
adequatech_ca_comodoinstantssl_keystore.jks

# order might need to be switched
#cat comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt
comodoSigned/AddTrustExternalCARoot.crt > adequatech.ca-certbundle

cat comodoSigned/adequatech_ca.crt
comodoSigned/COMODOHigh-AssuranceSecureServerCA.crt
comodoSigned/AddTrustExternalCARoot.crt > golangCertFile

I wish you well.

Cheers,
David Marceau
http://adequatech.ca




On 12/14/2013 10:31 PM, Greivin López wrote:
> Hi David,
>
> Thank you for your quick response.
>
> Actually I already bought my certificate from SSL.com. The sent these
> files to me:
>
> * AddTrustExternalCARoot.crt - Root CA Certificate
> * SSLcomAddTrustSSLCA.crt - Intermediate CA Certificate
> * Your Certificate (X.509) - mydomain_com
>
> Those are three .crt files but I don't know how to make then work with
> the *ListenAndServeTLS
> *function*.*
>
> I use martini <http://martini.codegangsta.io/> as my web framework. So my
> code goes something like:
>
>
> m := martini.Classic()
>
> // Validate an API key: Authorization
> m.Use(func(res http.ResponseWriter, req *http.Request) {
> if req.Header.Get("X-API-KEY") != API_KEY {
> serviceResponse(res, http.StatusUnauthorized, "You are not authorized to
> access this resource.")
> }
> })
>
> // Owners
> m.Post("/owners", createOwner)
> m.Any("/owners", NotAllowed)
>
>
>
>
>
> On Sat, Dec 14, 2013 at 9:16 PM, David Marceau
> <uticdmar...@gmail.com>wrote:

[Alex Skinner]

Why use/suggest keytool or jks? As the name implies, those are meant for java. Just convert to pem and dump them in a file if using almost anything other than jvm, including Go.
Also, startcom/startssl offers a free certificate which is great for personal use/testing as browsers trust its root.

Thanks,
Alex

[Greivin López]

Hi people.

I guess my question is how I must combine these files the CA sent to me:

* AddTrustExternalCARoot.crt - Root CA Certificate
* SSLcomAddTrustSSLCA.crt - Intermediate CA Certificate
* Your Certificate (X.509) - mydomain_com

In order to create the single certificate file GO expected as parameter for http.ListenAndServeTLS

And as a matter of fact I'm not testing this, I'm trying to make it run on my production site with real certificate files (but the product is under development yet so nothing will broke anyway).

Again, thank you very much for any help you can provide.

--
You received this message because you are subscribed to a topic in the Google Groups "golang-nuts" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/golang-nuts/TnwfKyotEIY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to golang-nuts...@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.

--
Atentamente: Greivin López P.

[Alex Skinner]

You just need to put your certificate in a file first, call in cert.pem.  If the certificate issued is DER format, you can convert using "openssl x509 -in myfile.crt -inform DER -out cert.pem".  If it's already PEM format, you can just copy it "cp mycetificate.crt cert.pem".

Then, if SSLcomAddTrustSSLCA.crt is DER, do the same for it, but give it a different out name(ex.  intermediate.pem).   Then just do something like "cat intermediate.pem >> cert.pem"  to combine the two.  This file, cert.pem, is the one to use are the parameter - containing both certificate and intermediate in one file.

Please let me know if you need more.

Thanks,

Alex

[greivi...@gmail.com]

Great!  Thank you very much Alex.

I'll try your suggestion and let you know how it works

Regards,

Greivin.

[greivi...@gmail.com]

This works great!

Thanks to all of you for your help.