spacemonkeygo / openssl

OpenSSL bindings for Go
http://godoc.org/github.com/spacemonkeygo/openssl
Apache License 2.0

Certificate store issue in client : Host validation error #118

Closed shekharHPE closed 5 years ago

shekharHPE commented 5 years ago

Server Code:

package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net"
	"os"

	"github.com/spacemonkeygo/openssl"
)

// handleRequest echoes whatever the client sends back to it. The original post
// referenced handleRequest without showing its body; this echo body is assumed.
func handleRequest(conn net.Conn) {
	defer conn.Close()
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if err != nil {
		fmt.Println("Error reading:", err.Error())
		return
	}
	conn.Write(buf[:n])
}

func main() {
	// The client certificate doubles as the CA the server trusts for client auth.
	caCert, err := ioutil.ReadFile("./client.crt")
	if err != nil {
		log.Fatal(err)
	}
	ctx, err := openssl.NewCtxFromFiles("./server.crt", "./server.key")
	if err != nil {
		log.Fatal(err)
	}
	certStore := ctx.GetCertificateStore()
	if err := certStore.LoadCertificatesFromPEM(caCert); err != nil {
		log.Fatal(err)
	}
	l, err := openssl.Listen("tcp", ":7777", ctx)
	if err != nil {
		fmt.Println("Error listening:", err.Error())
		os.Exit(1)
	}
	// Close the listener when the application closes.
	defer l.Close()
	for {
		// Listen for an incoming connection.
		conn, err := l.Accept()
		if err != nil {
			fmt.Println("Error accepting: ", err.Error())
			os.Exit(1)
		}
		// Handle connections in a new goroutine.
		go handleRequest(conn)
	}
}

Client Code:

package main

import (
	"fmt"
	"io/ioutil"
	"log"

	"github.com/spacemonkeygo/openssl"
)

func main() {
	// The server certificate is self-signed, so it is loaded as the trusted CA.
	caCert, err := ioutil.ReadFile("./server.crt")
	if err != nil {
		log.Fatal(err)
	}
	ctx, err := openssl.NewCtxFromFiles("./client.crt", "./client.key")
	if err != nil {
		log.Fatal(err)
	}
	certStore := ctx.GetCertificateStore()
	if err := certStore.LoadCertificatesFromPEM(caCert); err != nil {
		log.Fatal(err)
	}
	fmt.Println("here1:")
	// Flags 0 keeps the default hostname check against "localhost".
	conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)
	fmt.Println("here2:")
	if err != nil {
		// Dial failed, so conn is nil and must not be used.
		log.Fatal(err)
	}
	defer conn.Close()
	// Send a message to server.
	if _, err := conn.Write([]byte("Shekhar.")); err != nil {
		log.Fatal(err)
	}
	// Make a buffer to hold incoming data.
	buf := make([]byte, 1024)
	// Read the incoming connection into the buffer.
	recLen, err := conn.Read(buf)
	if err != nil {
		fmt.Println("Error reading:", err.Error())
		return
	}
	fmt.Println(recLen)
	fmt.Println("Received from Server:", string(buf[:recLen]))
}

From the client I get "Host validation error". Not sure what I am doing wrong.

azdagron commented 5 years ago

It looks like you are dialing the server using "localhost:7777". What SANs do you have on your server certificate? If your server isn't for "localhost" (e.g. contains a DNS SAN for "localhost"), the client is going to reject the server during the handshake.

shekharHPE commented 5 years ago

No, it is for localhost. The same certificates work for the code in https://github.com/jcbsmpsn/golang-https-example So it should work for the openssl package as well - which it's not! Any help is appreciated :)

azdagron commented 5 years ago

In order for me to make any more sense of this I need to know:

  1. the contents of the server certificate (output from openssl x509 -text is fine)
  2. what the TLSClientConfig looks like in the code that works.

shekharHPE commented 5 years ago

In the "http.go" in the spacemonkey git repo, it says the http.Client integration is not supported. Is this the reason why it is not working?

Answers for your questions:

  1. Certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c0:8a:38:0c:37:1b:1b:60
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=
            Validity
                Not Before: Apr  8 18:37:59 2019 GMT
                Not After : Apr  5 18:37:59 2029 GMT
            Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a9:a1:10:a7:13:45:3d:67:52:8f:af:32:29:a9:
                        9f:d8:76:72:f4:01:ab:5b:f2:d9:60:ca:e1:a7:6b:
                        b7:b3:6b:1c:e4:e4:e9:c6:ed:a6:f6:fb:65:b2:b7:
                        31:6c:fb:80:9b:d9:b3:40:c3:f6:82:00:b0:84:0d:
                        ba:da:b0:f5:62:3a:e3:b3:18:2c:33:6f:3a:95:66:
                        a6:0c:e3:b1:eb:01:97:36:29:16:be:16:0c:58:98:
                        ea:44:f8:48:25:08:5d:a7:d5:c9:16:d4:b0:c0:4d:
                        c9:44:13:98:aa:20:09:09:9f:0d:11:3e:c5:b1:27:
                        b2:2e:c7:f7:38:aa:f3:b5:4c:dd:c1:fa:a8:92:6b:
                        0f:25:0d:2a:aa:1e:b9:4d:57:3f:28:4d:ae:bb:0e:
                        b0:84:4c:89:04:8c:02:4d:2b:16:23:e5:81:73:08:
                        a9:4b:1e:81:08:a8:6e:8d:b1:28:cc:35:0d:0c:be:
                        31:fa:54:13:02:7b:74:28:6a:c1:c3:9d:99:94:c6:
                        6f:32:57:6f:13:12:f7:32:01:59:23:63:44:11:a8:
                        1c:68:a2:43:78:b3:07:b4:ed:3d:c9:55:4c:ba:12:
                        ac:08:15:98:75:34:8a:93:84:01:97:33:7a:fd:ce:
                        ce:5b:9e:29:17:0e:34:15:bd:aa:42:7c:a7:c1:c6:
                        c8:8f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F
                X509v3 Authority Key Identifier:
                    keyid:C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption


  2. Client Config and code:

caCert, err := ioutil.ReadFile("server.crt")
if err != nil {
    log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
if err != nil {
    log.Fatal(err)
}

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            RootCAs:      caCertPool,
            Certificates: []tls.Certificate{cert},
        },
    },
}

resp, err := client.Get("https://localhost:8443")
if err != nil {
    log.Println(err)
    return
}