Golang - 带有自签名证书的TLS [英] Golang - TLS with selfsigned certificate
问题描述
我使用下面的示例代码生成了证书: http://golang.org/src/pkg/crypto/tls/generate_cert.go
我的相关客户端代码如下所示:
//服务器证书是自签名的 - > server_cert == ca_cert
CA_Pool:= x509.NewCertPool()
severCert,err:= ioutil.ReadFile(./ cert.pem)
if err!= nil {
log.Fatal(无法加载服务器证书!)
}
CA_Pool.AppendCertsFromPEM(severCert)
config:= tls.Config {RootCAs:CA_Pool}
$ b conn,err:= tls.Dial(tcp,127.0.0.1:8000,& config)
if err!= nil {
log.Fatalf(客户:拨号:%s,err)
}
那:
cert,err:= tls.LoadX509KeyPair(./ cert.pem ,./key.pem)
config:= tls.Config {Certificates:[] tls.Certificate {cert}}
listener,err:= tls.Listen(tcp,127.0 .0.1:8000,& config)
for {
conn,err:= listener.Accept()
if err!= nil {
log。 printf(server:accept:%s,err)
break
}
log.Printf(server:accepted from%s,conn.RemoteAddr())
去handleConnection (conn)
}
因为服务器证书是自签名的,所以使用相同的证书服务器和客户端CA_Pool,但这似乎不工作,因为我总是得到这个错误:
pre $ 客户端:拨号:x509:由未知权威机构签名的证书
(可能是因为x509:无效签名:父证书
无法签署这种证书,同时试图验证
候选机构证书serial:0)
我的错误是什么?
它终于在x509.CreateCertificate,
中构建的过程中工作,问题在于我没有设置IsCA:true标志,
我只设置了创建自签名证书的x509.KeyUsageCertSign ,但在验证证书链时崩溃。
I'm trying to establish a TLS connection with the use of a self signed server certificate.
I generated the certificate with this example code: http://golang.org/src/pkg/crypto/tls/generate_cert.go
My relevant client code looks like that:
// server cert is self signed -> server_cert == ca_cert
CA_Pool := x509.NewCertPool()
severCert, err := ioutil.ReadFile("./cert.pem")
if err != nil {
log.Fatal("Could not load server certificate!")
}
CA_Pool.AppendCertsFromPEM(severCert)
config := tls.Config{RootCAs: CA_Pool}
conn, err := tls.Dial("tcp", "127.0.0.1:8000", &config)
if err != nil {
log.Fatalf("client: dial: %s", err)
}
And the relevant server code like that:
cert, err := tls.LoadX509KeyPair("./cert.pem", "./key.pem")
config := tls.Config{Certificates: []tls.Certificate{cert}}
listener, err := tls.Listen("tcp", "127.0.0.1:8000", &config)
for {
conn, err := listener.Accept()
if err != nil {
log.Printf("server: accept: %s", err)
break
}
log.Printf("server: accepted from %s", conn.RemoteAddr())
go handleConnection(conn)
}
Because the server certificate is self signed is use the same certificate for the server and the clients CA_Pool however this does not seem to work since i always get this error:
client: dial: x509: certificate signed by unknown authority
(possibly because of "x509: invalid signature: parent certificate
cannot sign this kind of certificate" while trying to verify
candidate authority certificate "serial:0")
What's my mistake?
It finally worked with the go built in x509.CreateCertificate, the problem was that I did not set the IsCA:true flag, I only set the x509.KeyUsageCertSign which made creating the self signed certificate work, but crashed while verifying the cert chain.
这篇关于Golang - 带有自签名证书的TLS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!