SSL certification golang
So here I am trying to connect a socket to an SSL connection. However, he cannot complete the handshake. At startup
sudo openssl s_client -CApath /etc/ssl/certs/ -connect localhost:8080
He cannot verify the first certificate.
I have very little experience with these SSLs. Can anyone please help?
cert, err := tls.LoadX509KeyPair("positivessl.crt", "key.pem")
Error.CheckError(err)
rootCert, err := ioutil.ReadFile("AddTrustExternalCARoot.crt")
checkError(err)
trustCert, err := ioutil.ReadFile("COMODORSAAddTrustCA.crt")
checkError(err)
validationCert, err := ioutil.ReadFile("COMODORSADomainValidationSecureServerCA.crt")
checkError(err)
certs := x509.NewCertPool()
certs.AppendCertsFromPEM(validationCert)
certs.AppendCertsFromPEM(trustCert)
certs.AppendCertsFromPEM(rootCert)
sslConfig := tls.Config{RootCAs: certs,Certificates: []tls.Certificate{cert}}
sslConfig.Rand = rand.Reader
listener, err := tls.Listen("tcp", service, &sslConfig)
+3
source to share
1 answer
I'm not familiar with myself, but from the documentation at http://golang.org/pkg/crypto/tls/ they are similar to other SSL stacks:
-
rootCert
should not be chained. The root certificate is the actual trusted core used for validation in the certificate chain on the client, and hence the client should already know and trust it. -
RootCA
are trusted certificates that are used to validate a certificate. They are not sent to the peer but are used instead, as trust bindings are verified when the received certificates are received. So this setting is important for the client side to validate the server's certificate, and possibly the server side when the client also sends certificates. - Instead, any certificates that you want to send to a partner must be included in the
Certificates
. That is, not only sheet certificatescert
, but also circuit certificatesvalidationCert
andtrustCert
. You must include them in the correct order so that they create a chain that the client can complete with a trusted root certificate.
+2
source to share