package main
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net"
	"net/http"
	"time"
)
// privateKeyPath and certPath locate the single PEM key pair this demo uses
// for every role: the server certificate, the client certificate, and the
// trust anchor each side uses to verify the other.
var privateKeyPath, certPath = "key.pem", "cert.pem"
const (
	// port is the TCP listen address (all interfaces, port 8080) and the
	// suffix appended to "https://localhost" when the client dials in.
	port = ":8080"
)
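// loadCertPool reads the PEM certificate(s) at path into a fresh pool.
// It returns an error when the file cannot be read or contains no
// parseable PEM certificate block.
func loadCertPool(path string) (*x509.CertPool, error) {
	pemBytes, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading certificate %q: %v", path, err)
	}
	pool := x509.NewCertPool()
	if ok := pool.AppendCertsFromPEM(pemBytes); !ok {
		return nil, fmt.Errorf("no PEM certificate found in %q", path)
	}
	return pool, nil
}

// main starts an HTTPS server that requires and verifies a client
// certificate (mutual TLS), then issues one mutually-authenticated GET
// against it and prints the response body. The self-signed cert.pem/key.pem
// pair plays every role: server certificate, client certificate, and the
// trust anchor on both sides. Any setup failure panics; this is a demo.
func main() {
	// Server side: only clients presenting a certificate that chains to
	// cert.pem can complete the handshake (RequireAndVerifyClientCert).
	clientCAs, err := loadCertPool(certPath)
	if err != nil {
		panic(err)
	}
	tlsConfigServer := &tls.Config{
		ClientAuth:               tls.RequireAndVerifyClientCert,
		ClientCAs:                clientCAs,
		PreferServerCipherSuites: true,
		MinVersion:               tls.VersionTLS12,
	}

	mainRouter := http.NewServeMux()
	mainRouter.HandleFunc("/", handler)
	httpServer := &http.Server{
		Addr:      port,
		TLSConfig: tlsConfigServer,
		Handler:   mainRouter,
		// Bound the time a slow or stalled peer can hold a connection.
		ReadTimeout:  10 * time.Second,
		WriteTimeout: 10 * time.Second,
	}

	// Bind the listener synchronously so the client below cannot race the
	// server start-up; only the accept loop runs in the background. This
	// replaces a fixed sleep, which was a timing guess rather than a signal.
	ln, err := net.Listen("tcp", port)
	if err != nil {
		panic(err)
	}
	go func() {
		fmt.Println("Serving https://localhost" + port)
		// ServeTLS loads the server certificate from the given files, exactly
		// as ListenAndServeTLS would, but on the already-bound listener.
		if err := httpServer.ServeTLS(ln, certPath, privateKeyPath); err != nil {
			panic(err)
		}
	}()

	// Client side: present cert.pem as the client certificate and trust
	// only cert.pem as the server's root. Pin the same TLS floor the server
	// enforces so a downgrade cannot be negotiated from this end either.
	fmt.Println("Sending client requests...")
	tlsCert, err := tls.LoadX509KeyPair(certPath, privateKeyPath)
	if err != nil {
		panic(err)
	}
	rootCAs, err := loadCertPool(certPath)
	if err != nil {
		panic(err)
	}
	tlsConfigClient := &tls.Config{
		Certificates: []tls.Certificate{tlsCert},
		RootCAs:      rootCAs,
		MinVersion:   tls.VersionTLS12,
	}
	// Use a dedicated client: mutating http.DefaultClient would leak this
	// transport into every package-level http.Get in the process, and the
	// default client has no timeout at all.
	httpClient := &http.Client{
		Transport: &http.Transport{TLSClientConfig: tlsConfigClient},
		Timeout:   10 * time.Second,
	}
	resp, err := httpClient.Get("https://localhost" + port)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	rb, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	if resp.StatusCode != http.StatusOK {
		panic(fmt.Sprintf("unexpected status %d: %s", resp.StatusCode, rb))
	}
	fmt.Println("response:", string(rb))
}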
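// handler answers GET with a greeting plus the DNS names and e-mail
// addresses from the client's leaf certificate; any other method gets 405.
// The server's TLS configuration already rejects handshakes without a
// verified client certificate, but the handler checks for one itself so it
// cannot dereference a nil req.TLS or an empty PeerCertificates slice if it
// is ever mounted on a plain-HTTP server or behind a looser ClientAuth mode.
func handler(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodGet {
		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
		return
	}
	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	// PeerCertificates[0] is the leaf certificate the client presented.
	leaf := req.TLS.PeerCertificates[0]
	fmt.Fprintln(w, "Hello World!")
	fmt.Fprintf(w, "req.TLS: %+v\n", req.TLS)
	fmt.Fprintf(w, "DNSNames: %#q\n", leaf.DNSNames)
	fmt.Fprintf(w, "EmailAddresses: %#q\n", leaf.EmailAddresses)
}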
/*
Serving https://localhost:8080
Sending client requests...
response: Hello World!
req.TLS: &{Version:771 HandshakeComplete:true DidResume:false CipherSuite:49199 NegotiatedProtocol: NegotiatedProtocolIsMutual:true ServerName:localhost PeerCertificates:[0xc82017e000] VerifiedChains:[[0xc82017e000 0xc8200a4000]] SignedCertificateTimestamps:[] OCSPResponse:[] TLSUnique:[156 55 205 75 79 27 21 192 84 244 36 226]}
DNSNames: [`localhost`]
EmailAddresses: [`test@test.com`]
*/