Baltimore Go June Meeting - Go to the Rescue: Saving DevOps from TLS Turmoil

Find out about a use case that created a need for testing certificate chains, appropriate web server security settings, and the Go code used for testing.


Chris Short

June 05, 2018

Transcript

  1. Go to the Rescue: Saving DevOps from TLS Turmoil. Chris Short, SJ Technologies. Baltimore Go June Meeting
  2. whoami @ChrisShort devopsish.com

  3. I'm also a Gopher. Chris Short in Gopher Form via Gopherize.me. All Gopher Artwork provided by Ashley McNamara (CC BY-SA 4.0)
  4. @ChrisShort devopsish.com

  5. None
  6. Let's Talk Certificate Chains. Three Main Parts: 1. Root certificate; 2. Intermediate certificate(s); 3. Your certificate. SSL is dead; TLS is alive and well. NOTE: TLS 1.0 is not good. Mozilla SSL Configuration Generator
  7. This is the Goal

  8. Are You %&$#?@! Kidding?

  9. @ChrisShort devopsish.com

  10. So What Does Any Good Engineer Do?

  11. log: The Go log package is pretty self-explanatory. Needed a spectacular failure at the sign of trouble. log has three helper functions: print, fatal, and panic.
  12. tls: Go's tls package partially implements TLS 1.2, as specified in RFC 5246. Package configures usable SSL/TLS versions. Identifies preferred cipher suites and elliptic curves used during handshakes. This is the package that handles connections securely.
  13. http: Go implementation of HTTP. http has a function called ListenAndServeTLS. ListenAndServeTLS provides the desired certificate checking functionality. "certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate."
  14. main: mux, cfg, srv. mux, short for multiplexer. mux has a function that creates an HTTP server with headers and content (Hello World!). cfg brings in all the TLS bits seen in a solid web server config. srv puts the pieces together and defines what port to listen on.
  15. https://github.com/chris-short/ssl-tester

  16. Fail Spectacularly: I ❤ DevOps and I embrace failure. Defines path of certificate files to use. Logs a fatal error if certificate is not valid. Fails Fast.
  17. It Works

  18. It Really WORKS!

  19. 50 lines of code!!! I ❤ Go! Static binary is a self-contained web server. Compiles 6MB!!! I ❤ Go! Can be safely deployed to any public server. External testing run against it for extra vetting. Conclusion: They won't let me talk forever
  20. @ChrisShort devopsish.com
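
The approach in slides 11 to 16 (mux, cfg, srv, and a fatal log when the certificate files do not load), written here as an added Go example that is not the ssl-tester code from the talk. It goes one step beyond the slides: `checkChain` also confirms that each certificate in the bundle was signed by the one after it, because loading a key pair only proves that the PEM parses and that the key matches the first certificate. The file names, port 8443, the HSTS header and the curve choices are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
)

// checkChain loads the pair as ListenAndServeTLS does, then checks bundle order (no expiry or trust check).
func checkChain(certFile, keyFile string) error {
	pair, err := tls.LoadX509KeyPair(certFile, keyFile) // PEM parses, key matches leaf
	if err != nil {
		return err
	}
	var prev *x509.Certificate
	for i, der := range pair.Certificate {
		c, err := x509.ParseCertificate(der)
		if err == nil && prev != nil {
			err = prev.CheckSignatureFrom(c) // certificate i must have signed certificate i-1
		}
		if err != nil {
			return fmt.Errorf("bundle certificate %d: %w", i, err)
		}
		prev = c
	}
	return nil
}

func newServer(addr string) *http.Server {
	mux := http.NewServeMux() // mux: routes plus response header and content
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=63072000") // assumed header
		w.Write([]byte("Hello World!\n"))
	})
	cfg := &tls.Config{ // cfg: protocol floor and curve preference (assumed values)
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
	return &http.Server{Addr: addr, Handler: mux, TLSConfig: cfg} // srv: ties it together
}

func main() {
	certFile, keyFile := "bundle.pem", "key.pem" // placeholder paths (assumed)
	if err := checkChain(certFile, keyFile); err != nil {
		log.Fatal(err) // fail fast on a bad bundle
	}
	log.Fatal(newServer(":8443").ListenAndServeTLS(certFile, keyFile))
}
```

A bundle whose intermediates are missing or out of order fails in `checkChain` before the listener starts, with the position of the offending certificate in the error.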