Simple secure connection over an insecure network (all endpoints are fully controlled)

Question

Simple secure connection over an insecure network (all endpoints are fully controlled)

I need to connect the client and server to an untrusted network. I examined the use of TLS (crypto / tls) , but from what I understand, I first need to create a crypto / x509.Certificate creation . But I feel overwhelmed by all the parameters that I need to pass to the x509.CreateCertificate () function - she says that she needs all of the following fields:

SerialNumber, Subject, NotBefore, NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId, DNSNames, PermittedDNSDomainsCritical, PermittedDNSDomains.

I have full control over both endpoints, so I believe that I do not need any restrictions on expiration or invalidity / parameters (I can change the keys on both the client and the server anytime I want), so I, I can probably skip NotBefore and NotAfter (? Or do I need to install them?). What should I use in all other areas and why to avoid any vulnerabilities? Also, can I use the same private / public key pair for authentication in both directions (from client to server and from server to client), or do I need to use 2 pairs?

Or is there something simpler than TLS that I could use? Please note, however, that I need two-way authentication.

EDIT:

, generate_cert.go - .:

github.com/akavel/tunnel

+5

security authentication go encryption network-programming

akavel 02 . '12 20:37

2

, TLS - . , -.

SSL ( , Verisign ..). . , , , , , .

http://www.eclectica.ca/howto/ssl-cert-howto.php/

0

jimt 02 . '12 21:57

Stephen Weinberg · Accepted Answer · 2012-09-02T22:11:37+0000

Owlstead . OpenSSL. Go TLS . , .

x509

. ( , ):

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Go TLS

tls.Config. TLS , , :

cert, err := tls.LoadX509KeyPair(cert, key)
config := &tls.Config{
    Certificates: []Certificates{cert},
    ClientAuth: tls.RequireAnyClientCert, // Must be done on server
    InsecureSkipVerify: true, // Must be done on client
}

TLS. 4443:

listener, err := tls.Listen("tcp", ":4443", config)
for {
    conn, err := listener.Accept()
    acceptConn(conn) // your code
}

:

conn, err := tls.Dial("tcp", serverAddr, config)

, , , . - . , :

c := conn.(*tls.Conn) // convert net.Conn from listener to tls conn
err := c.Handshake() // ensure handshake is completed without error
state := c.ConnectionState()
pubKey, err := x509.MarshalPKIXPublicKey(state.PeerCertificates[0])
bytes.Equal(pubKey, knownKey) // compare to known value

Simple secure connection over an insecure network (all endpoints are fully controlled)

x509

Go TLS

More articles: