
How to configure SSL authentication

I have certificate.pem that I use to perform client authentication with a remote server. When I access the server, normally Chrome pops up, asks if I want to use that certificate, I say yes, then I'm authenticated. I'm trying to figure out why it's not sending the certificate with the dialer when I call it programmatically:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "fmt"
    "io"
    "io/ioutil"
)

type DialerHelper func() (io.ReadWriter, error)

// DialIt wraps tls.Dial in a DialerHelper closure; the original declared the
// return type as Dialer, which is not defined anywhere, so it is DialerHelper here.
func DialIt(addr string, port uint16, config *tls.Config) (DialerHelper, error) {
    address := fmt.Sprintf("%s:%d", addr, port)
    return DialerHelper(func() (io.ReadWriter, error) {
        return tls.Dial("tcp", address, config)
    }), nil
}

func main() {
    // certificate.pem is only added to the RootCAs pool (which servers to trust);
    // tls.Config.Certificates, the list of certificates to present, is never set.
    caPool := x509.NewCertPool()
    cert, err := ioutil.ReadFile("certificate.pem")
    if err != nil {
        panic(err)
    }
    ok := caPool.AppendCertsFromPEM(cert)
    if !ok {
        panic("no certificates parsed from certificate.pem")
    }

    tlsconfig := &tls.Config{
        InsecureSkipVerify: true,
        RootCAs:            caPool,
    }
    tlsconfig.BuildNameToCertificate()
    DialIt("some.address.com", 443, tlsconfig)
}

I keep getting an error from the server saying there is no client certificate supplied. Am I sending the SSL certificate correctly to the remote server? I'm not an expert with SSL.

Edit: this is the functionality I'm trying to replicate: curl -k --cert /home/me/.ssh/certificate.pem

If the server is using a cert generated from your own Certificate Authority, then the following code will do the trick.

I've never tried Client Cert Authentication in an environment where the server cert is from a public CA, so I'm not sure how you'd achieve that. Perhaps just leaving out setting config.RootCAs.

package main

import (
    "crypto/tls"
    "crypto/x509"
    "errors"
    "io/ioutil"
    "log"
    "net/http"
)

// loadCertificates reads the client key pair (what gets presented to the server)
// and the CA bundle (what the server's certificate is verified against).
func loadCertificates(caFileName, certFileName, keyFileName string) (tls.Certificate, *x509.CertPool, error) {

    myCert, err := tls.LoadX509KeyPair(certFileName, keyFileName)
    if err != nil {
        return tls.Certificate{}, nil, err
    }

    ca, err := ioutil.ReadFile(caFileName)
    if err != nil {
        return tls.Certificate{}, nil, err
    }

    certPool := x509.NewCertPool()
    if !certPool.AppendCertsFromPEM(ca) {
        return tls.Certificate{}, nil, errors.New("Failed appending certs")
    }

    return myCert, certPool, nil

}

// GetClientTlsConfiguration builds a client-side tls.Config that both verifies the
// server against the CA and presents the client certificate. The answer calls it as
// config.GetClientTlsConfiguration, i.e. from a package named config; here it lives
// in the same package as main.
func GetClientTlsConfiguration(caFileName, certFileName, keyFileName string) (*tls.Config, error) {
    config := &tls.Config{}
    myCert, certPool, err := loadCertificates(caFileName, certFileName, keyFileName)
    if err != nil {
        return nil, err
    }
    config.Certificates = make([]tls.Certificate, 1)
    config.Certificates[0] = myCert

    config.RootCAs = certPool
    // ClientCAs is only consulted by a TLS server; it is harmless but unused on a client.
    config.ClientCAs = certPool

    return config, nil

}

func main() {
    tlsConfig, err := GetClientTlsConfiguration("ca.crt", "client.crt", "client.key")

    if err != nil {
        log.Fatalf("Error loading tls config - %v", err)
    }

    client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}

    // The URL is elided in the original answer; "https://server.example/" is a placeholder.
    resp, err := client.Get("https://server.example/")
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()
}
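The following is an added, self-contained example (not code from the question or the answer) that shows the two halves of the problem end to end. On a Go client, tls.Config.RootCAs only decides which server certificates are trusted; tls.Config.Certificates is what gets presented when the server sends a CertificateRequest, which is the field the question's code never sets (it is also what curl --cert supplies). The example constructs a throw-away CA and a client certificate in memory, starts an httptest server with ClientAuth set to RequireAndVerifyClientCert, and connects twice: once with RootCAs only, which fails the way the question describes, and once with Certificates set, which succeeds. The CA name "constructed test CA", the client name "alice", and the use of httptest's built-in localhost server certificate are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// get performs one HTTPS GET with the given client-side TLS config and returns the body.
func get(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo starts a server that requires a client certificate signed by a constructed CA, then
// connects with RootCAs only (the question's setup) and again with Certificates set as well.
func Demo() (noCertErr error, withCertBody string, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, "", err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // the server checks for this
	}
	clientCert, clientKey, err := issue(clientTmpl, caCert, caKey)
	if err != nil {
		return nil, "", err
	}
	// Server side: ClientCAs + RequireAndVerifyClientCert rejects a client that presents nothing.
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS() // httptest supplies its own localhost server certificate
	defer srv.Close()
	// Client side: RootCAs only decides which server certificates to trust ...
	rootCAs := x509.NewCertPool()
	rootCAs.AddCert(srv.Certificate())
	_, noCertErr = get(srv.URL, &tls.Config{RootCAs: rootCAs})
	// ... while Certificates is what the client presents when the server asks for one.
	withCertBody, err = get(srv.URL, &tls.Config{
		RootCAs:      rootCAs,
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}},
	})
	return noCertErr, withCertBody, err
}

func main() {
	noCertErr, body, err := Demo()
	fmt.Printf("without Certificates: %v\nwith Certificates: %q (err=%v)\n", noCertErr, body, err)
}
```

Run it with `go run .`: the first attempt reports a TLS error from the server (no certificate was presented), the second prints "hello alice". Note that the two pools are independent: with a server certificate from a public CA you would leave RootCAs nil so the system roots are used, and still set Certificates; InsecureSkipVerify, as in the question, disables server verification entirely and does nothing to make the client present its own certificate.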
