Closed shekharHPE closed 5 years ago
It looks like you are dialing the server using "localhost:7777". What SANs do you have on your server certificate? If your server isn't for "localhost" (e.g. contains a DNS SAN for "localhost"), the client is going to reject the server during the handshake.
No it is for localhost. The same certificates work for the code in https://github.com/jcbsmpsn/golang-https-example, so it should work for the openssl package as well - which it's not! Any help is appreciated :)
In order for me to make any more sense of this I need to know:
1) the contents of the server certificate (output from `openssl x509 -text` is fine)
2) what the TLSClientConfig looks like in the code that works.
In the "http.go" in the spacemonkey git repo, it says the http.Client integration is not supported. Is this the reason why it is not working?
Answers for your questions:
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:8a:38:0c:37:1b:1b:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=
        Validity
            Not Before: Apr  8 18:37:59 2019 GMT
            Not After : Apr  5 18:37:59 2029 GMT
        Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:a1:10:a7:13:45:3d:67:52:8f:af:32:29:a9:
                    9f:d8:76:72:f4:01:ab:5b:f2:d9:60:ca:e1:a7:6b:
                    b7:b3:6b:1c:e4:e4:e9:c6:ed:a6:f6:fb:65:b2:b7:
                    31:6c:fb:80:9b:d9:b3:40:c3:f6:82:00:b0:84:0d:
                    ba:da:b0:f5:62:3a:e3:b3:18:2c:33:6f:3a:95:66:
                    a6:0c:e3:b1:eb:01:97:36:29:16:be:16:0c:58:98:
                    ea:44:f8:48:25:08:5d:a7:d5:c9:16:d4:b0:c0:4d:
                    c9:44:13:98:aa:20:09:09:9f:0d:11:3e:c5:b1:27:
                    b2:2e:c7:f7:38:aa:f3:b5:4c:dd:c1:fa:a8:92:6b:
                    0f:25:0d:2a:aa:1e:b9:4d:57:3f:28:4d:ae:bb:0e:
                    b0:84:4c:89:04:8c:02:4d:2b:16:23:e5:81:73:08:
                    a9:4b:1e:81:08:a8:6e:8d:b1:28:cc:35:0d:0c:be:
                    31:fa:54:13:02:7b:74:28:6a:c1:c3:9d:99:94:c6:
                    6f:32:57:6f:13:12:f7:32:01:59:23:63:44:11:a8:
                    1c:68:a2:43:78:b3:07:b4:ed:3d:c9:55:4c:ba:12:
                    ac:08:15:98:75:34:8a:93:84:01:97:33:7a:fd:ce:
                    ce:5b:9e:29:17:0e:34:15:bd:aa:42:7c:a7:c1:c6:
                    c8:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F
            X509v3 Authority Key Identifier:
                keyid:C8:85:6D:F5:1C:42:59:0F:78:26:42:30:F5:6E:14:55:01:21:17:0F
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
```

TLSClientConfig from the code that works:
```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	caCert, err := ioutil.ReadFile("server.crt") // server cert is trusted as the only root
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)
	cert, err := tls.LoadX509KeyPair("client.crt", "client.key") // client cert for mutual TLS
	if err != nil {
		log.Fatal(err)
	}
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:      caCertPool,
				Certificates: []tls.Certificate{cert},
			},
		},
	}
	resp, err := client.Get("https://localhost:8443")
	if err != nil {
		log.Println(err)
		return
	}
	defer resp.Body.Close()
}
```
Server Code:

```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net"
	"os"

	"github.com/spacemonkeygo/openssl"
)

// handleRequest was not included in the original issue; this minimal echo
// handler is only here so the file compiles.
func handleRequest(conn net.Conn) {
	defer conn.Close()
	buf := make([]byte, 1024)
	n, err := conn.Read(buf)
	if err != nil {
		fmt.Println("Error reading:", err.Error())
		return
	}
	conn.Write(buf[:n])
}

func main() {
	caCert, err := ioutil.ReadFile("./client.crt")
	if err != nil {
		log.Fatal(err)
	}
	ctx, err := openssl.NewCtxFromFiles("./server.crt", "./server.key")
	if err != nil {
		log.Fatal(err)
	}
	// Trust the client certificate; the original ignored this call's error.
	certStore := ctx.GetCertificateStore()
	if err := certStore.LoadCertificatesFromPEM(caCert); err != nil {
		log.Fatal(err)
	}
	l, err := openssl.Listen("tcp", ":7777", ctx)
	if err != nil {
		fmt.Println("Error listening:", err.Error())
		os.Exit(1)
	}
	// Close the listener when the application closes.
	defer l.Close()
	for {
		// Listen for an incoming connection.
		conn, err := l.Accept()
		if err != nil {
			fmt.Println("Error accepting: ", err.Error())
			os.Exit(1)
		}
		// Handle connections in a new goroutine.
		go handleRequest(conn)
	}
}
```
Client Code:
```go
package main

import (
	"fmt"
	"io/ioutil"
	"log"

	"github.com/spacemonkeygo/openssl"
)

func main() {
	caCert, err := ioutil.ReadFile("./server.crt")
	if err != nil {
		log.Fatal(err)
	}
	ctx, err := openssl.NewCtxFromFiles("./client.crt", "./client.key")
	if err != nil {
		log.Fatal(err)
	}
	// Trust the server certificate; the original ignored this call's error.
	certStore := ctx.GetCertificateStore()
	if err := certStore.LoadCertificatesFromPEM(caCert); err != nil {
		log.Fatal(err)
	}
	// Flags 0 keeps hostname verification enabled, so the server certificate
	// must be valid for "localhost".
	conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)
	if err != nil {
		log.Fatal(err) // the original printed the error and then used a nil conn
	}
	defer conn.Close()
	// Send a message to server.
	if _, err := conn.Write([]byte("Shekhar.")); err != nil {
		log.Fatal(err)
	}
	// Make a buffer to hold incoming data.
	buf := make([]byte, 1024)
	// Read the incoming connection into the buffer.
	recLen, err := conn.Read(buf)
	if err != nil {
		fmt.Println("Error reading:", err.Error())
		return
	}
	fmt.Println(recLen)
	fmt.Println("Received from Server:", string(buf[:recLen]))
}
```
From the client I get "Host validation error". Not sure what I am doing wrong.