Golang tls

Generate private key (.key)

shCopy
# Key considerations for algorithm "RSA" ≥ 2048-bit
openssl genrsa -out server.key 2048

# Key considerations for algorithm "ECDSA" (X25519 || ≥ secp384r1)
# https://safecurves.cr.yp.to/
# List ECDSA the supported curves (openssl ecparam -list_curves)
openssl ecparam -genkey -name secp384r1 -out server.key

Generation of self-signed(x509) public key (PEM-encodings .pem|.crt) based on the private (.key)

shCopy
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650

---

Simple Golang HTTPS/TLS Server

goCopy
package main

import (
    // "fmt"
    // "io"
    "net/http"
    "log"
)

func HelloServer(w http.ResponseWriter, req *http.Request) {
    w.Header().Set("Content-Type", "text/plain")
    w.Write([]byte("This is an example server.\n"))
    // fmt.Fprintf(w, "This is an example server.\n")
    // io.WriteString(w, "This is an example server.\n")
}

func main() {
    http.HandleFunc("/hello", HelloServer)
    err := http.ListenAndServeTLS(":443", "server.crt", "server.key", nil)
    if err != nil {
        log.Fatal("ListenAndServe: ", err)
    }
}

Hint: visit, please do not forget to use https begins, otherwise chrome will download a file as follows:

bashCopy
$ curl -sL https://localhost:443 | xxd
0000000: 1503 0100 0202 0a                        .......

TLS (transport layer security) — Server

goCopy
package main

import (
    "log"
    "crypto/tls"
    "net"
    "bufio"
)

func main() {
    log.SetFlags(log.Lshortfile)

    cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
    if err != nil {
        log.Println(err)
        return
    }

    config := &tls.Config{Certificates: []tls.Certificate{cer}}
    ln, err := tls.Listen("tcp", ":443", config) 
    if err != nil {
        log.Println(err)
        return
    }
    defer ln.Close()

    for {
        conn, err := ln.Accept()
        if err != nil {
            log.Println(err)
            continue
        }
        go handleConnection(conn)
    }
}

func handleConnection(conn net.Conn) {
    defer conn.Close()
    r := bufio.NewReader(conn)
    for {
        msg, err := r.ReadString('\n')
        if err != nil {
            log.Println(err)
            return
        }

        println(msg)

        n, err := conn.Write([]byte("world\n"))
        if err != nil {
            log.Println(n, err)
            return
        }
    }
}

TLS (transport layer security) — Client

goCopy
package main

import (
    "log"
    "crypto/tls"
)

func main() {
    log.SetFlags(log.Lshortfile)

    conf := &tls.Config{
         //InsecureSkipVerify: true,
    }

    conn, err := tls.Dial("tcp", "127.0.0.1:443", conf)
    if err != nil {
        log.Println(err)
        return
    }
    defer conn.Close()

    n, err := conn.Write([]byte("hello\n"))
    if err != nil {
        log.Println(n, err)
        return
    }

    buf := make([]byte, 100)
    n, err = conn.Read(buf)
    if err != nil {
        log.Println(n, err)
        return
    }

    println(string(buf[:n]))
}

Perfect SSL Labs Score with Go

goCopy
package main

import (
    "crypto/tls"
    "log"
    "net/http"
)

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
        w.Write([]byte("This is an example server.\n"))
    })
    cfg := &tls.Config{
        MinVersion:               tls.VersionTLS12,
        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
        PreferServerCipherSuites: true,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
        },
    }
    srv := &http.Server{
        Addr:         ":443",
        Handler:      mux,
        TLSConfig:    cfg,
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
    }
    log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}

Generation of self-sign a certificate with a private (.key) and public key (PEM-encodings .pem|.crt) in one command:

shCopy
# ECDSA recommendation key ≥ secp384r1
# List ECDSA the supported curves (openssl ecparam -list_curves)
openssl req -x509 -nodes -newkey ec:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
# openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650
# -pkeyopt ec_paramgen_curve:… / ec:<(openssl ecparam -name …) / -newkey ec:…
ln -sf server.ecdsa.key server.key
ln -sf server.ecdsa.crt server.crt

# RSA recommendation key ≥ 2048-bit
openssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650
ln -sf server.rsa.key server.key
ln -sf server.rsa.crt server.crt

• .crt — Alternate synonymous most common among *nix systems .pem (pubkey).
• .csr — Certficate Signing Requests (synonymous most common among *nix systems).
• .cer — Microsoft alternate form of .crt, you can use MS to convert .crt to .cer (DER encoded .cer, or base64[PEM] encoded .cer).
• .pem = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a «—– BEGIN …» line. These files may also bear the cer or the crt extension.
• .der — The DER extension is used for binary DER encoded certificates.

Generating the Certficate Signing Request

openssl req -new -sha256 -key server.key -out server.csr
openssl x509 -req -sha256 -in server.csr -signkey server.key -out server.crt -days 3650

ECDSA & RSA — FAQ

• Validate the elliptic curve parameters -check
• List "ECDSA" the supported curves openssl ecparam -list_curves
• Encoding to explicit "ECDSA" -param_enc explicit
• Conversion form to compressed "ECDSA" -conv_form compressed
• "EC" parameters and a private key -genkey

CA Bundle Path

Distro	Package	Path to CA
Fedora, RHEL, CentOS	ca-certificates	/etc/pki/tls/certs/ca-bundle.crt
Debian, Ubuntu, Gentoo, Arch Linux	ca-certificates	/etc/ssl/certs/ca-certificates.crt
SUSE, openSUSE	ca-certificates	/etc/ssl/ca-bundle.pem
FreeBSD	ca_root_nss	/usr/local/share/certs/ca-root-nss.crt
Cygwin	-	/usr/ssl/certs/ca-bundle.crt
macOS (MacPorts)	curl-ca-bundle	/opt/local/share/curl/curl-ca-bundle.crt
Default cURL CA bunde path (without --with-ca-bundle option)		/usr/local/share/curl/curl-ca-bundle.crt
Really old RedHat?		/usr/share/ssl/certs/ca-bundle.crt

Reference Link

• https://github.com/smallstep/certificates
• https://github.com/FiloSottile/mkcert
• https://getgophish.com/blog/post/2018-12-02-building-web-servers-in-go/
• Go programming language secure coding practices guide
• Achieving a Perfect SSL Labs Score with Go – blog.bracelab.com
• Automatic HTTPS With Free SSL Certificates Using Go + Let's Encrypt
• https://golang.org/pkg/crypto/tls/
• OpenSSL without prompt – superuser.com (Stack Exchange)
• TLS server and client — gist.github.com/spikebike
• Echo, a fast and unfancy micro web framework for Go — echo.labstack.com/guide
• https://kjur.github.io/jsrsasign/sample-ecdsa.html
• Creating Self-Signed ECDSA SSL Certificate using OpenSSL – guyrutenberg.com
• https://www.openssl.org/docs/manmaster/
• https://www.openssl.org/docs/manmaster/man1/ecparam.html
• https://www.openssl.org/docs/manmaster/man1/ec.html
• https://www.openssl.org/docs/manmaster/man1/req.html
• https://digitalelf.net/2016/02/creating-ssl-certificates-in-3-easy-steps/
• HTTPS and Go – kaihag.com
• The complete guide to Go net/http timeouts – blog.cloudflare.com
• Certificate fetcher in Go – gist.github.com
• How to redirect HTTP to HTTPS with a golang webserver – gist.github.com
• XCA - X Certificate and key management
• Package tcplisten provides customizable TCP net.Listener with various performance-related options
• https://github.com/bifurcation/mint — minimal TLS 1.3 Implementation in Go
• https://github.com/cloudflare/tls-tris — crypto/tls, now with 100% more 1.3
• https://github.com/Xeoncross/secureserver
• https://github.com/cloudflare/cfssl
• https://github.com/google/certificate-transparency
• https://cipherli.st/
• https://github.com/cmrunton/tls-dashboard — dashboard written in JavaScript & HTML to check the remaining time before a TLS certificate expires.
• https://github.com/tomato42/tlsfuzzer
• https://github.com/mozilla/tls-observatory (https://observatory.mozilla.org/)
• https://dev.ssllabs.com/ssltest/
• https://indieweb.org/HTTPS
• https://github.com/konklone/shaaaaaaaaaaaaa (https://shaaaaaaaaaaaaa.com/)
• https://securityheaders.io/
• https://testssl.sh/
• https://github.com/nabla-c0d3/sslyze
• https://github.com/iSECPartners/sslyze
• https://github.com/mozilla/cipherscan
• https://github.com/ssllabs/ssllabs-scan
• https://github.com/chromium/badssl.com (https://badssl.com)
• https://github.com/datatheorem/TrustKit
• https://github.com/certifi/gocertifi
• https://github.com/unrolled/secure
• https://github.com/tidwall/modern-server
• https://github.com/genkiroid/cert
• https://github.com/zmap/zlint
• https://github.com/globalsign/certlint
• https://github.com/google/certificate-transparency-go
• https://github.com/Evolix/chexpire
• https://github.com/mimoo/cryptobible/blob/master/protocols/tls.mediawiki
• https://posener.github.io/http2/
• https://seclists.org/oss-sec/2018/q4/123
• …