Simple Golang HTTPS/TLS Examples
Generate private key (.key)
# Key considerations for algorithm "RSA" β₯ 2048-bit
openssl genrsa -out server.key 2048
Key considerations for algorithm "ECDSA" (X25519 || β₯ secp384r1)
https://safecurves.cr.yp.to/
List ECDSA the supported curves (openssl ecparam -list_curves)
openssl ecparam -genkey -name secp384r1 -out server.key
Generation of self-signed(x509) public key (PEM-encodings .pem|.crt) based on the private (.key)
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
Simple Golang HTTPS/TLS Server
package main
import ( // "fmt" // "io" "net/http" "log" )
func HelloServer(w http.ResponseWriter, req *http.Request) { w.Header().Set("Content-Type", "text/plain") w.Write([]byte("This is an example server.\n")) // fmt.Fprintf(w, "This is an example server.\n") // io.WriteString(w, "This is an example server.\n") }
func main() { http.HandleFunc("/hello", HelloServer) err := http.ListenAndServeTLS(":443", "server.crt", "server.key", nil) if err != nil { log.Fatal("ListenAndServe: ", err) } }
Hint: visit, please do not forget to use https begins, otherwise chrome will download a file as follows:
$ curl -sL https://localhost:443 | xxd
0000000: 1503 0100 0202 0a .......
TLS (transport layer security) β Server
package main
import ( "log" "crypto/tls" "net" "bufio" )
func main() { log.SetFlags(log.Lshortfile)
cer, err := tls.LoadX509KeyPair("server.crt", "server.key") if err != nil { log.Println(err) return }
config := &tls.Config{Certificates: []tls.Certificate{cer}} ln, err := tls.Listen("tcp", ":443", config) if err != nil { log.Println(err) return } defer ln.Close()
for { conn, err := ln.Accept() if err != nil { log.Println(err) continue } go handleConnection(conn) } }
func handleConnection(conn net.Conn) { defer conn.Close() r := bufio.NewReader(conn) for { msg, err := r.ReadString('\n') if err != nil { log.Println(err) return }
println(msg)
n, err := conn.Write([]byte("world\n")) if err != nil { log.Println(n, err) return } } }
TLS (transport layer security) β Client
package main
import ( "log" "crypto/tls" )
func main() { log.SetFlags(log.Lshortfile)
conf := &tls.Config{ //InsecureSkipVerify: true, }
conn, err := tls.Dial("tcp", "127.0.0.1:443", conf) if err != nil { log.Println(err) return } defer conn.Close()
n, err := conn.Write([]byte("hello\n")) if err != nil { log.Println(n, err) return }
buf := make([]byte, 100) n, err = conn.Read(buf) if err != nil { log.Println(n, err) return }
println(string(buf[:n])) }
Perfect SSL Labs Score with Go
package main
import ( "crypto/tls" "log" "net/http" )
func main() { mux := http.NewServeMux() mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) { w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains") w.Write([]byte("This is an example server.\n")) }) cfg := &tls.Config{ MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLSECDHERSAWITHAES256GCM_SHA384, tls.TLSECDHERSAWITHAES256CBC_SHA, tls.TLSRSAWITHAES256GCMSHA384, tls.TLSRSAWITHAES256CBCSHA, }, } srv := &http.Server{ Addr: ":443", Handler: mux, TLSConfig: cfg, TLSNextProto: make(map[string]func(http.Server, tls.Conn, http.Handler), 0), } log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key")) }
Generation of self-sign a certificate with a private (.key) and public key (PEM-encodings .pem|.crt) in one command:
# ECDSA recommendation key β₯ secp384r1
List ECDSA the supported curves (openssl ecparam -list_curves)
openssl req -x509 -nodes -newkey ec:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
-pkeyopt ecparamgencurve:β¦ / ec:<(openssl ecparam -name β¦) / -newkey ec:β¦
ln -sf server.ecdsa.key server.key
ln -sf server.ecdsa.crt server.crt
RSA recommendation key β₯ 2048-bit
openssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650
ln -sf server.rsa.key server.key
ln -sf server.rsa.crt server.crt
.crt β Alternate synonymous most common among nix systems .pem (pubkey). .csr β Certficate Signing Requests (synonymous most common among nix systems).
.cerβ Microsoft alternate form of.crt, you can use MS to convert.crtto.cer(DERencoded.cer, orbase64[PEM]encoded.cer)..pem= The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a Β«ββ BEGIN β¦Β» line. These files may also bear theceror thecrtextension..derβ The DER extension is used for binary DER encoded certificates.
Generating the Certficate Signing Request
openssl req -new -sha256 -key server.key -out server.csr openssl x509 -req -sha256 -in server.csr -signkey server.key -out server.crt -days 3650
ECDSA & RSA β FAQ
- Validate the elliptic curve parameters
-check - List "ECDSA" the supported curves
openssl ecparam -list_curves - Encoding to explicit "ECDSA"
-param_enc explicit - Conversion form to compressed "ECDSA"
-conv_form compressed - "EC" parameters and a private key
-genkey
| Distro | Package | Path to CA | |-------------------------------------------------------------- |----------------- |------------------------------------------ | | Fedora, RHEL, CentOS | ca-certificates | /etc/pki/tls/certs/ca-bundle.crt | | Debian, Ubuntu, Gentoo, Arch Linux | ca-certificates | /etc/ssl/certs/ca-certificates.crt | | SUSE, openSUSE | ca-certificates | /etc/ssl/ca-bundle.pem | | FreeBSD | carootnss | /usr/local/share/certs/ca-root-nss.crt | | Cygwin | - | /usr/ssl/certs/ca-bundle.crt | | macOS (MacPorts) | curl-ca-bundle | /opt/local/share/curl/curl-ca-bundle.crt | | Default cURL CA bunde path (without --with-ca-bundle option) | | /usr/local/share/curl/curl-ca-bundle.crt | | Really old RedHat? | | /usr/share/ssl/certs/ca-bundle.crt |
Reference Link
- https://github.com/smallstep/certificates
- https://github.com/FiloSottile/mkcert
- https://getgophish.com/blog/post/2018-12-02-building-web-servers-in-go/
- Go programming language secure coding practices guide
Achieving a Perfect SSL Labs Score with Go βblog.bracelab.com- Automatic HTTPS With Free SSL Certificates Using Go + Let's Encrypt
- https://golang.org/pkg/crypto/tls/
- OpenSSL without prompt β
superuser.com(Stack Exchange) - TLS server and client β
gist.github.com/spikebike Echo, a fast and unfancy micro web framework for Go βecho.labstack.com/guide- https://kjur.github.io/jsrsasign/sample-ecdsa.html
- Creating Self-Signed ECDSA SSL Certificate using OpenSSL β
guyrutenberg.com - https://www.openssl.org/docs/manmaster/
- https://digitalelf.net/2016/02/creating-ssl-certificates-in-3-easy-steps/
- HTTPS and Go β
kaihag.com - The complete guide to Go net/http timeouts β
blog.cloudflare.com - Certificate fetcher in Go β
gist.github.com - How to redirect HTTP to HTTPS with a golang webserver β
gist.github.com - XCA - X Certificate and key management
- Package tcplisten provides customizable TCP
net.Listenerwith various performance-related options - https://github.com/bifurcation/mint β minimal TLS 1.3 Implementation in Go
- https://github.com/cloudflare/tls-tris β crypto/tls, now with 100% more 1.3
- https://github.com/Xeoncross/secureserver
- https://github.com/cloudflare/cfssl
- https://github.com/google/certificate-transparency
- https://cipherli.st/
- https://github.com/cmrunton/tls-dashboard β dashboard written in JavaScript & HTML to check the remaining time before a TLS certificate expires.
- https://github.com/tomato42/tlsfuzzer
- https://github.com/mozilla/tls-observatory (https://observatory.mozilla.org/)
- https://dev.ssllabs.com/ssltest/
- https://indieweb.org/HTTPS
- https://github.com/konklone/shaaaaaaaaaaaaa (https://shaaaaaaaaaaaaa.com/)
- https://securityheaders.io/
- https://testssl.sh/
- https://github.com/nabla-c0d3/sslyze
- https://github.com/iSECPartners/sslyze
- https://github.com/mozilla/cipherscan
- https://github.com/ssllabs/ssllabs-scan
- https://github.com/chromium/badssl.com (https://badssl.com)
- https://github.com/datatheorem/TrustKit
- https://github.com/certifi/gocertifi
- https://github.com/unrolled/secure
- https://github.com/tidwall/modern-server
- https://github.com/genkiroid/cert
- https://github.com/zmap/zlint
- https://github.com/globalsign/certlint
- https://github.com/google/certificate-transparency-go
- https://github.com/Evolix/chexpire
- https://github.com/mimoo/cryptobible/blob/master/protocols/tls.mediawiki
- https://posener.github.io/http2/
- https://seclists.org/oss-sec/2018/q4/123
- β¦