denji
golang-tls

Simple Golang HTTPS/TLS Examples

Last updated Apr 24, 2026
1.3k
Stars
159
Forks
4
Issues
0
Stars/day
Attention Score
45
Language breakdown
No language data available.
β–Έ Files click to expand
README
Generate private key (.key)
# Key considerations for algorithm "RSA" β‰₯ 2048-bit
openssl genrsa -out server.key 2048

Key considerations for algorithm "ECDSA" (X25519 || β‰₯ secp384r1)

https://safecurves.cr.yp.to/

List ECDSA the supported curves (openssl ecparam -list_curves)

openssl ecparam -genkey -name secp384r1 -out server.key
Generation of self-signed(x509) public key (PEM-encodings .pem|.crt) based on the private (.key)
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

Simple Golang HTTPS/TLS Server

package main

import ( // "fmt" // "io" "net/http" "log" )

func HelloServer(w http.ResponseWriter, req *http.Request) { w.Header().Set("Content-Type", "text/plain") w.Write([]byte("This is an example server.\n")) // fmt.Fprintf(w, "This is an example server.\n") // io.WriteString(w, "This is an example server.\n") }

func main() { http.HandleFunc("/hello", HelloServer) err := http.ListenAndServeTLS(":443", "server.crt", "server.key", nil) if err != nil { log.Fatal("ListenAndServe: ", err) } }

Hint: visit, please do not forget to use https begins, otherwise chrome will download a file as follows:

$ curl -sL https://localhost:443 | xxd
0000000: 1503 0100 0202 0a                        .......

TLS (transport layer security) β€” Server

package main

import ( "log" "crypto/tls" "net" "bufio" )

func main() { log.SetFlags(log.Lshortfile)

cer, err := tls.LoadX509KeyPair("server.crt", "server.key") if err != nil { log.Println(err) return }

config := &tls.Config{Certificates: []tls.Certificate{cer}} ln, err := tls.Listen("tcp", ":443", config) if err != nil { log.Println(err) return } defer ln.Close()

for { conn, err := ln.Accept() if err != nil { log.Println(err) continue } go handleConnection(conn) } }

func handleConnection(conn net.Conn) { defer conn.Close() r := bufio.NewReader(conn) for { msg, err := r.ReadString('\n') if err != nil { log.Println(err) return }

println(msg)

n, err := conn.Write([]byte("world\n")) if err != nil { log.Println(n, err) return } } }

TLS (transport layer security) β€” Client

package main

import ( "log" "crypto/tls" )

func main() { log.SetFlags(log.Lshortfile)

conf := &tls.Config{ //InsecureSkipVerify: true, }

conn, err := tls.Dial("tcp", "127.0.0.1:443", conf) if err != nil { log.Println(err) return } defer conn.Close()

n, err := conn.Write([]byte("hello\n")) if err != nil { log.Println(n, err) return }

buf := make([]byte, 100) n, err = conn.Read(buf) if err != nil { log.Println(n, err) return }

println(string(buf[:n])) }

Perfect SSL Labs Score with Go
package main

import ( "crypto/tls" "log" "net/http" )

func main() { mux := http.NewServeMux() mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) { w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains") w.Write([]byte("This is an example server.\n")) }) cfg := &tls.Config{ MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLSECDHERSAWITHAES256GCM_SHA384, tls.TLSECDHERSAWITHAES256CBC_SHA, tls.TLSRSAWITHAES256GCMSHA384, tls.TLSRSAWITHAES256CBCSHA, }, } srv := &http.Server{ Addr: ":443", Handler: mux, TLSConfig: cfg, TLSNextProto: make(map[string]func(http.Server, tls.Conn, http.Handler), 0), } log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key")) }

Generation of self-sign a certificate with a private (.key) and public key (PEM-encodings .pem|.crt) in one command:

# ECDSA recommendation key β‰₯ secp384r1

List ECDSA the supported curves (openssl ecparam -list_curves)

openssl req -x509 -nodes -newkey ec:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650

openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650

-pkeyopt ecparamgencurve:… / ec:<(openssl ecparam -name …) / -newkey ec:…

ln -sf server.ecdsa.key server.key ln -sf server.ecdsa.crt server.crt

RSA recommendation key β‰₯ 2048-bit

openssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650 ln -sf server.rsa.key server.key ln -sf server.rsa.crt server.crt

.crt β€” Alternate synonymous most common among nix systems .pem (pubkey). .csr β€” Certficate Signing Requests (synonymous most common among nix systems).

  • .cer β€” Microsoft alternate form of .crt, you can use MS to convert .crt to .cer (DER encoded .cer, or base64[PEM] encoded .cer).
  • .pem = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a «—– BEGIN …» line. These files may also bear the cer or the crt extension.
  • .der β€” The DER extension is used for binary DER encoded certificates.

Generating the Certficate Signing Request

openssl req -new -sha256 -key server.key -out server.csr openssl x509 -req -sha256 -in server.csr -signkey server.key -out server.crt -days 3650

ECDSA & RSA β€” FAQ


  • Validate the elliptic curve parameters -check
  • List "ECDSA" the supported curves openssl ecparam -list_curves
  • Encoding to explicit "ECDSA" -param_enc explicit
  • Conversion form to compressed "ECDSA" -conv_form compressed
  • "EC" parameters and a private key -genkey
CA Bundle Path

| Distro | Package | Path to CA | |-------------------------------------------------------------- |----------------- |------------------------------------------ | | Fedora, RHEL, CentOS | ca-certificates | /etc/pki/tls/certs/ca-bundle.crt | | Debian, Ubuntu, Gentoo, Arch Linux | ca-certificates | /etc/ssl/certs/ca-certificates.crt | | SUSE, openSUSE | ca-certificates | /etc/ssl/ca-bundle.pem | | FreeBSD | carootnss | /usr/local/share/certs/ca-root-nss.crt | | Cygwin | - | /usr/ssl/certs/ca-bundle.crt | | macOS (MacPorts) | curl-ca-bundle | /opt/local/share/curl/curl-ca-bundle.crt | | Default cURL CA bunde path (without --with-ca-bundle option) | | /usr/local/share/curl/curl-ca-bundle.crt | | Really old RedHat? | | /usr/share/ssl/certs/ca-bundle.crt |

Reference Link


* https://www.openssl.org/docs/manmaster/man1/ecparam.html * https://www.openssl.org/docs/manmaster/man1/ec.html * https://www.openssl.org/docs/manmaster/man1/req.html
  • https://digitalelf.net/2016/02/creating-ssl-certificates-in-3-easy-steps/
  • HTTPS and Go – kaihag.com
  • The complete guide to Go net/http timeouts – blog.cloudflare.com
  • Certificate fetcher in Go – gist.github.com
  • How to redirect HTTP to HTTPS with a golang webserver – gist.github.com
  • XCA - X Certificate and key management
  • Package tcplisten provides customizable TCP net.Listener with various performance-related options
  • https://github.com/bifurcation/mint β€” minimal TLS 1.3 Implementation in Go
  • https://github.com/cloudflare/tls-tris β€” crypto/tls, now with 100% more 1.3
  • https://github.com/Xeoncross/secureserver
  • https://github.com/cloudflare/cfssl
  • https://github.com/google/certificate-transparency
  • https://cipherli.st/
  • https://github.com/cmrunton/tls-dashboard β€” dashboard written in JavaScript & HTML to check the remaining time before a TLS certificate expires.
  • https://github.com/tomato42/tlsfuzzer
  • https://github.com/mozilla/tls-observatory (https://observatory.mozilla.org/)
  • https://dev.ssllabs.com/ssltest/
  • https://indieweb.org/HTTPS
  • https://github.com/konklone/shaaaaaaaaaaaaa (https://shaaaaaaaaaaaaa.com/)
  • https://securityheaders.io/
  • https://testssl.sh/
  • https://github.com/nabla-c0d3/sslyze
  • https://github.com/iSECPartners/sslyze
  • https://github.com/mozilla/cipherscan
  • https://github.com/ssllabs/ssllabs-scan
  • https://github.com/chromium/badssl.com (https://badssl.com)
  • https://github.com/datatheorem/TrustKit
  • https://github.com/certifi/gocertifi
  • https://github.com/unrolled/secure
  • https://github.com/tidwall/modern-server
  • https://github.com/genkiroid/cert
  • https://github.com/zmap/zlint
  • https://github.com/globalsign/certlint
  • https://github.com/google/certificate-transparency-go
  • https://github.com/Evolix/chexpire
  • https://github.com/mimoo/cryptobible/blob/master/protocols/tls.mediawiki
  • https://posener.github.io/http2/
  • https://seclists.org/oss-sec/2018/q4/123
  • …

πŸ”— More in this category

Β© 2026 GitRepoTrend Β· denji/golang-tls Β· Updated daily from GitHub