Golang TLS 问题
source link: https://www.v2ex.com/t/834111
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
用 Golang 写一个 TLS 隧道,不想验证域名(SNI),双向验证两端证书是否为同个 CA 证书签发,该如何实现。。
试过 VerifyPeerCertificate 但是在本地网络下可以运行,到了远程就报错,不知为何
路过大佬求点拨,以下是两端配置,谢谢。。。
======== Server ========
tlsConfig := tls.Config{} tlsConfig.InsecureSkipVerify = true tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert tlsConfig.Certificates = []tls.Certificate{func() tls.Certificate { CertKey, err := tls.X509KeyPair(ServerCert, ServerKey) if err != nil { panic(err) } return CertKey }()} tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { Roots := x509.NewCertPool() Roots.AppendCertsFromPEM(CA) cert, _ := x509.ParseCertificate(rawCerts[0]) opts := x509.VerifyOptions{ DNSName: "", Roots: Roots, } _, err := cert.Verify(opts) if err != nil { return err } return nil }
===== Client =====
tlsConfig := tls.Config{} tlsConfig.InsecureSkipVerify = true tlsConfig.Certificates = []tls.Certificate{func() tls.Certificate { CertKey, err := tls.X509KeyPair(ClientCert, ClientKey) if err != nil { panic(err) } return CertKey }()} tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { Roots := x509.NewCertPool() Roots.AppendCertsFromPEM(CA) cert, _ := x509.ParseCertificate(rawCerts[0]) opts := x509.VerifyOptions{ DNSName: "", Roots: Roots, } _, err := cert.Verify(opts) if err != nil { return err } return nil }
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK