Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Baltimore Go June Meeting - Go to the Rescue: Saving DevOps from TLS Turmoil

Baltimore Go June Meeting - Go to the Rescue: Saving DevOps from TLS Turmoil

Find out about a use case that created a need for testing certificate chains, appropriate web server security settings, and the Go code used for testing.

Chris Short

June 05, 2018

More Decks by Chris Short

Other Decks in Technology


  1. Go to the Rescue: Saving DevOps from TLS Turmoil Chris

    Short SJ Technologies Baltimore Go June Meeting
  2. I'm also a Gopher Chris Short in Gopher Form via

    Gopherize.me All Gopher Artwork provided by Ashley McNamara (CC BY-SA 4.0) @ChrisShort devopsish.com
  3. Let's Talk Certificate Chains Three Main Parts: 1. Root certificate

    2. Intermediate certificate(s) 3. Your certificate SSL is dead; TLS is alive and well NOTE: TLS 1.0 is not good Mozilla SSL Configuration Generator @ChrisShort devopsish.com
  4. log The Go log package is pretty self explanatory Needed

    a spectacular failure at the sign of trouble log has three helper functions: print, fatal, and panic @ChrisShort devopsish.com
  5. tls Go's tls package partially implements TLS 1.2, as specified

    in RFC-5246 Package configures usable SSL/TLS versions Identifies preferred cipher suites and elliptic curves used during handshakes This is the package that handles connections securely @ChrisShort devopsish.com
  6. http Go implementation of HTTP http has a function called

    ListenAndServeTLS ListenAndServeTLS provides the desired certificate checking functionality "certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate." @ChrisShort devopsish.com
  7. main: mux, cfg, srv mux, short for multiplexer mux has

    a function that creates an HTTP server with headers and content (Hello World!) cfg brings in all the TLS bits seen in a solid web server config srv puts the pieces together and defines what port to listen on @ChrisShort devopsish.com
  8. Fail Spectacularly I ❤ DevOps and I embrace failure Defines

    path of certificate files to use Logs a fatal error if certificate is not valid Fails Fast @ChrisShort devopsish.com
  9. 50 lines of code!!! I ❤ Go! Static binary is

    a self contained web server Compiles 6MB!!! I ❤ Go! Can be safely deployed to any public server External testing run against it for extra vetting @ChrisShort devopsish.com Conclusion They won't let me talk forever