Baltimore Go June Meeting - Go to the Rescue: Saving DevOps from TLS Turmoil

Find out about a use case that created a need for testing certificate chains, appropriate web server security settings, and the Go code used for testing.


Chris Short

June 05, 2018


  1. Go to the Rescue: Saving DevOps from TLS Turmoil. Chris Short, SJ Technologies. Baltimore Go June Meeting.
  2. whoami @ChrisShort

  3. I'm also a Gopher. Chris Short in Gopher Form via All Gopher Artwork provided by Ashley McNamara (CC BY-SA 4.0)
  6. Let's Talk Certificate Chains. Three main parts: (1) root certificate, (2) intermediate certificate(s), (3) your certificate. SSL is dead; TLS is alive and well. NOTE: TLS 1.0 is not good. Mozilla SSL Configuration Generator.
  7. This is the Goal
  8. Are You %&$#?@! Kidding?

  10. So What Does Any Good Engineer Do?
  11. log: The Go log package is pretty self explanatory. Needed a spectacular failure at the sign of trouble. log has three helper functions: print, fatal, and panic.
  12. tls: Go's tls package partially implements TLS 1.2, as specified in RFC 5246. Package configures usable SSL/TLS versions. Identifies preferred cipher suites and elliptic curves used during handshakes. This is the package that handles connections securely.
  13. http: Go implementation of HTTP. http has a function called ListenAndServeTLS. ListenAndServeTLS provides the desired certificate checking functionality. "certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate."
  14. main: mux, cfg, srv. mux, short for multiplexer; mux has a function that creates an HTTP server with headers and content (Hello World!). cfg brings in all the TLS bits seen in a solid web server config. srv puts the pieces together and defines what port to listen on.
  16. Fail Spectacularly. I ❤ DevOps and I embrace failure. Defines path of certificate files to use. Logs a fatal error if certificate is not valid. Fails fast.
  17. It Works
  18. It Really WORKS!
  19. 50 lines of code!!! I ❤ Go! Static binary is a self contained web server. Compiles 6MB!!! I ❤ Go! Can be safely deployed to any public server. External testing run against it for extra vetting. Conclusion: They won't let me talk forever.
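
An added example of the program slides 11 to 16 describe (mux, cfg, srv, fatal on a bad certificate); it was written for this transcript and is not Chris Short's code. `ListenAndServeTLS` itself only checks that the files parse and that the key matches the first certificate, so the hypothetical `checkChain` helper also verifies the leaf, intermediate(s), root ordering of certFile before the listener starts. The file names, port and TLS settings are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"log"
	"net/http"
	"os"
)

// checkChain verifies the first cert in certFile chains to the last one (treated as root) via those between.
func checkChain(certFile string) error {
	data, err := os.ReadFile(certFile)
	if err != nil {
		return err
	}
	var der []byte
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...) // collect every PEM block in file order
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) < 2 {
		return errors.Join(err, errors.New("certFile must hold the leaf followed by its CA chain"))
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[len(certs)-1])
	for _, c := range certs[1 : len(certs)-1] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err // also fails on expired or not-yet-valid certificates
}

// newServer builds mux, cfg and srv; the TLS settings are assumed, not the talk's.
func newServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("Hello World!\n")) })
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256}}
	return &http.Server{Addr: addr, Handler: mux, TLSConfig: cfg}
}

func main() {
	certFile, keyFile := "fullchain.pem", "privkey.pem" // hypothetical paths
	if err := checkChain(certFile); err != nil {
		log.Fatal(err) // fail fast before the port is ever opened
	}
	log.Fatal(newServer(":8443").ListenAndServeTLS(certFile, keyFile))
}
```

`checkChain` expects only certificate blocks in certFile; a private key stored in the same file makes it return a parse error.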