A simple demo of the TLS protocol on Ubuntu 16.04.3 TLS

Last Update:2018-07-26 Source: Internet

Author: User

Tags openssl openssl x509

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Purpose
Familiar with OpenSSL generate key and certificate pair, familiar with CRYPTO/TLS usage in Go

noun explanation
Pem-privacy Enhanced Mail, open the Look text format, start with "-–begin ...", End with "-–end ..." and the content is BASE64 encoded.
Apache and *nix servers tend to use this encoding format.
View information for PEM format certificates: OpenSSL x509-in certificate.pem-text-noout

der-distinguished Encoding Rules, open look is binary format, unreadable.
Java and Windows servers tend to use this encoding format.
View information for der format certificates: OpenSSL x509-in certificate.der-inform der-text-noout

X509
The/s is a very common certificate format. All certificates are in accordance with ITU-T international standards, so certificates created for one application can be used for any other application that complies with the standard.
X509 certificates generally use three classes of text, KEY,CSR,CRT.
Key is the private key OpenSSL format, usually the RSA algorithm.
A CSR is a certificate request file that is used to request a certificate. When making a CSR file, you must use your private key to sign it, and you can set a key.
The CRT is the certificate of the CA certification, (under Windows, in fact, the CRT), signed by the signer with their own key to sign your credentials.

Here's my real record.

generating keys and certificates with the OpenSSL command line
In fact, we just need to execute the following command to generate the certificate and the private key.
OpenSSL req-new-nodes-x509-out server.crt-keyout server.key-days 3650-subj "/c=de/st=nrw/l=earth/o=random Company/O U=it/cn=www.random.com/emailaddress=tao_627@aliyun.com "

Use the following command to view certificate information in PEM format OpenSSL x509-in server.pem-text-noout

Server and client writing the TLS protocol
Put the code under the project directory under Gopath

Server-side Code TLS_SERVER.GO

Package main

Import (
	"Bufio" "Crypto/tls" "
	Log"
	"NET"
)

func main () {
	log. SetFlags (log. Lshortfile)

	CRT, err: = TLS. Loadx509keypair ("Server.crt", "Server.key")
	if err! = Nil {
		log. PRINTLN (Err)
		return
	}

	config: = &tls. Config{certificates: []tls. CERTIFICATE{CRT}}
	ln, err: = TLS. Listen ("TCP", ": 443", config)
	if err! = Nil {
		log. PRINTLN (Err)
		return
	}

	defer ln. Close ()

	for {
		conn, err: = ln. Accept ()
		if err! = Nil {
			log. PRINTLN (Err)
			continue
		}/
		/per connection Create a co-process
		go handleconnection (conn)
	}
}

// In each process processing receives the data, and sends the data the detail, appears any error, immediately returns the
func handleconnection (conn net. Conn) {
	defer Conn. Close ()

	r: = Bufio. Newreader (conn)
	for {
		msg, err: = r.readstring (' \ n ')
		if err! = Nil {
			log. PRINTLN (Err)
			return
		}

		Println (msg)

		N, err: = conn. Write ([]byte ("==welcome==\n"))
		if err! = Nil {
			log. PRINTLN (n, Err)
			return
		}
	}
}

Client code Tls_client.go

Package main

Import (
	"Crypto/tls"
	"Log"
)

func main () {
	log. SetFlags (log. Lshortfile)

	conf: = &tls. config{
		insecureskipverify:false,
	}

	conn, err: = TLS. Dial ("TCP", "127.0.0.1:443", conf)
	if err! = Nil {
		log. PRINTLN (Err)
		return
	}

	defer conn. Close ()

	n, err: = conn. Write ([]byte ("Hi, my name is tao_627\n"))
	if err! = Nil {
		log. PRINTLN (n, Err)
		return
	}

	buf: = Make ([]byte, +)
	N, err = conn. Read (BUF)
	if err! = Nil {
		log. PRINTLN (n, Err)
		return
	}

	Println (String (buf[:n))
}

compiling
Compile the client and server executable files Tls_client and tls_server one by one
Go Build Tls_client.go
Go Build Tls_server.go

Run
Execute separately in two terminal windows

sudo./tls_server

./tls_client

issues to note
Writing client code here is important to note: Insecureskipverify:true
That is, the client does not validate the server-side certificate in the above code. The client side of the
Go implementation is also the default to verify the digital certificate passed to the server, but it is indicated by the clients that the certificate was issued by an unknown CA.

references
[1].https://studygolang.com/articles/10776

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More