2025-01-31 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
Many newcomers are unclear about how to serve HTTPS from Go. To help with that, this article walks through it in detail: first a server with a self-signed certificate and a client that skips verification, then a private CA and a client that actually verifies the server certificate.
Go language
Go is a programming language introduced by Google that keeps code simple without giving up application performance. It is designed with multiprocessor systems in mind: programs compiled with Go can approach the speed of C or C++ code, while the language is memory-safe and has concurrency (goroutines) built in.
HTTPS
HTTPS is HTTP carried over an SSL/TLS connection: the TLS layer sits between HTTP and TCP. The security of HTTPS rests entirely on TLS, so the encryption details are those of TLS.
SSL and its successor TLS (Transport Layer Security) are protocols that provide confidentiality and data integrity for network communications. They encrypt the connection just above the transport layer (TCP) and below the application protocol; what they do not do on their own is tell the client who it is talking to. That is the job of the server certificate, which is what the rest of this article is about.
The client can treat the server certificate in one of two ways:
One: no verification of the server certificate
1. Simple HTTPS web server
Server.go:
package main

import (
	"fmt"
	"net/http"
)

/*
As long as a handler is registered, the web server can be built: net/http's
DefaultServeMux implements ServeHTTP and dispatches to the handler.
*/
func handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "Hi, This is an example of https service in golang!")
}

func main() {
	http.HandleFunc("/", handler) // register the route and its handler
	// server.crt: server certificate, contains the server public key; server.key: server private key
	err := http.ListenAndServeTLS("192.168.20.162:8001", "server.crt", "server.key", nil)
	if err != nil {
		fmt.Println(err)
	}
	/*
		Generate the private key:
		openssl genrsa -out server.key 2048
		Generate the (self-signed) certificate:
		openssl req -new -x509 -key server.key -out server.crt -days 365
	*/
}
Client.go:
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
)

func main() {
	/*
		When the client talks to the server it also verifies the certificate the server returns.
		The server certificate is self-signed, so that verification fails and the client cannot talk to the server.
		Certificate verification is skipped by setting on the client
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}
		InsecureSkipVerify true: skip certificate verification. The connection is still encrypted,
		but the client no longer knows who it is talking to, so this belongs in tests only.
	*/
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}
	resp, err := client.Get("https://192.168.20.162:8001") // the port server.go listens on
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}
1-1. Execute go run server.go
1-2. The browser accesses https://192.168.20.162:8001 and shows a certificate warning:
1-3. Click "add exception" to continue.
The reason is:
When the browser validates the certificate returned by the server against its built-in CAs, it finds that the certificate is self-signed, so no CA it trusts vouches for it. The browser treats the certificate as untrusted and refuses to continue on its own.
1-4. Execute go run client.go: the client reaches the server normally (because the client skips certificate verification).
Second, verify the server certificate
1. Browsers ship with a set of trusted CA certificates (for example Symantec, GlobalSign, GDCA).
2. A CA certificate contains the CA's public key together with information about the certificate itself: which CA (certificate authority) issued it, the issuer's signature, and so on.
3. The client verifies the certificate sent by the server with the CA certificate: it checks whether the signature on the server certificate was produced by that CA.
3-1. How the client checks the CA's signature on the server certificate:
1. The client hashes the signed part of the server certificate (the tbsCertificate) with the hash algorithm named in the certificate's signatureAlgorithm field.
2. The client uses the public key from the CA certificate to verify the signature value in the server certificate against that hash (with RSA, applying the CA public key to the signature recovers the hash the CA signed, which must equal the computed one).
If they match, the server certificate was issued by this CA; otherwise it was not.
The signature is only part of the check. The client also requires that the certificate is within its validity period, that the issuing certificate is allowed to sign certificates (a CA), and that the host name in the request URL appears in the server certificate. Go 1.15 and later match the host name only against the Subject Alternative Name (SAN) extension, not the CN.
4. The code is as follows
First, prepare the server private key and server certificate, and the CA certificate the client will trust.
4-1. Use the openssl command to generate the private keys and certificates
1. Generate the CA private key
openssl genrsa -out ca.key 2048
2. Generate the CA certificate
openssl req -x509 -new -nodes -key ca.key -subj "/CN=ca_host" -days 5000 -out ca.crt
"CN=ca_host": the name of the CA itself. When only the client verifies the server (no client certificates), any value can be entered here.
3. Generate the server private key
openssl genrsa -out server.key 2048
4. Generate the server certificate signing request (CSR)
openssl req -new -key server.key -subj "/CN=gc_host" -out server.csr
CN=gc_host: must be the real host name under which the server will be reached.
Every client machine has to map that host name to the server's IP in its own /etc/hosts,
because the client compares the host name in the request URL with the name in the server certificate. Go 1.15 and later look only at the SAN extension, not the CN, so the extension file in step 5 adds the host name as a SAN.
A CSR is not a certificate: it becomes one when the CA signs it with its private key.
5. Generate the server certificate, adding the host name as a Subject Alternative Name
printf "subjectAltName=DNS:gc_host" > san.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile san.ext -out server.crt -days 5000
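The check described in section two, carried out in Go as an added example (not code from the original article): a CA and a server certificate are generated in memory instead of with openssl, and the client-side verification that tls.Config{RootCAs: pool} triggers is run against them. The same check reproduces the two failures this article meets: the "untrusted issuer" error a client reports for section one's self-signed certificate, and the Go 1.15+ rejection of a certificate that carries the host name only in the CN, which is what a CSR created with just -subj "/CN=gc_host" produces. Only the names ca_host and gc_host are taken from the article; the function names, key types and validity periods are assumptions of this example.

```go
package main

// Added example, not code from the original article: an in-memory stand-in for the
// ca.crt / server.crt files built with openssl above, plus the check a Go client makes
// on the server certificate. Only the names ca_host and gc_host come from the article.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewCA generates a self-signed CA certificate and its private key (ca.crt / ca.key).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca_host"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true, // may sign other certificates
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert plays the "openssl x509 -req" step: a server certificate for host, signed by
// the CA (server.crt in DER). With withSAN false the host appears only in the CN, which is what
// a CSR made with just -subj "/CN=gc_host" yields and what Go 1.15+ no longer accepts.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, withSAN bool) ([]byte, error) {
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tpl.DNSNames = []string{host} // the SAN entry Go matches the URL host against
	}
	return x509.CreateCertificate(rand.Reader, tpl, ca, &srvKey.PublicKey, caKey)
}

// CheckServerCert performs the check that tls.Config{RootCAs: pool} makes the client do
// (chain to a trusted CA, validity period, server-auth usage, URL host present in the SAN)
// and names the outcome the way a Go client reports it. A nil trusted CA means an empty pool,
// which is how a client sees a self-signed certificate or one from a CA it does not know.
func CheckServerCert(leafDER []byte, trusted *x509.Certificate, host string) string {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err.Error()
	}
	pool := x509.NewCertPool()
	if trusted != nil {
		pool.AddCert(trusted)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA): // issuer not in RootCAs (InsecureSkipVerify: true hides this)
		return "unknown-authority"
	case errors.As(err, &badHost): // SAN does not cover the URL host, or only a CN is set
		return "hostname-mismatch"
	}
	return err.Error()
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	good, _ := IssueServerCert(ca, caKey, "gc_host", true)
	cnOnly, _ := IssueServerCert(ca, caKey, "gc_host", false)
	// prints: ok unknown-authority hostname-mismatch hostname-mismatch
	fmt.Println(CheckServerCert(good, ca, "gc_host"), CheckServerCert(good, nil, "gc_host"),
		CheckServerCert(good, ca, "other_host"), CheckServerCert(cnOnly, ca, "gc_host"))
}
```

The four results map directly onto the article: the first is what the section-two client gets once ca.crt is in its pool and the URL host matches the SAN; the second is the error the browser (and a Go client without InsecureSkipVerify) raises in section one; the third is what happens when a client uses the IP address or another name in the URL instead of gc_host; the fourth is why the CSR's CN alone is not enough on a current Go version.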
Server.go:
package main

import (
	"fmt"
	"net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "Hi, This is an example of https service in golang!")
}

func main() {
	http.HandleFunc("/", handler)
	// server.crt is the certificate issued by the CA above; server.key is its private key
	err := http.ListenAndServeTLS("192.168.20.162:8003", "server.crt", "server.key", nil)
	if err != nil {
		fmt.Println(err)
	}
}
Client.go:
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"os"
)

/*
If the client wants to verify the server's certificate, it must load the CA certificate before sending the request.
*/
func main() {
	pool := x509.NewCertPool()
	caCertPath := "ca.crt"
	caCrt, err := os.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return
	}
	if !pool.AppendCertsFromPEM(caCrt) { // client adds the CA certificate to its trust pool
		fmt.Println("no certificate found in", caCertPath)
		return
	}
	tr := &http.Transport{
		TLSClientConfig:    &tls.Config{RootCAs: pool}, // only certificates issued by this CA are accepted
		DisableCompression: true,
	}
	client := &http.Client{Transport: tr}
	// The host name in the URL must match the server certificate; gc_host resolves through /etc/hosts
	resp, err := client.Get("https://gc_host:8003/")
	if err != nil {
		fmt.Println("Get error:", err)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("ReadAll error:", err)
		return
	}
	fmt.Println(string(body))
}