A Go programmer's guide to secure connections

676c8aec28ade455c442e648abfa1db5?s=47 Liz Rice
August 30, 2018

A Go programmer's guide to secure connections

If you've ever been confused by certificates, keys and CAs I hope this talk will help! Presented at GopherCon 2018 and live-blogged here: https://t.co/yb81lQGSEi
The demo code is here: github.com/lizrice/secure-connections

676c8aec28ade455c442e648abfa1db5?s=128

Liz Rice

August 30, 2018
Tweet

Transcript

  1. 1.

    Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice A Go programmer’s guide to Secure Connections Liz Rice
  2. 4.

    4 @lizrice A guide to TLS connections ▪ As a

    Go programmer, how do I secure my connections? ▪ What do these error messages mean? ▪ What the hell are all these .crt, .key, .csr and .pem files?
  3. 5.

    5 @lizrice Hello, I’m Liz Hi! I’m your bank Great!

    Here’s $500 Establishing identity is critical
  4. 6.

    6 @lizrice Hello, I’m Liz Hi! I’m your bank Great!

    Here’s $500 Encrypted traffic prevents interception
  5. 8.

    8 @lizrice HTTP(S) runs over TCP ▪ Create TCP connection

    ▪ TLS - encrypt TCP connection ▪ Skip if regular HTTP ▪ Send HTTP packets on connection “hi” “hi” blah blah blah
  6. 10.

    10 @lizrice HELLO <server name> HELLO <Server certificate> SYN ACK

    Verify certificate, then call VerifyPeerCertificate GetCertificate (or Certificate) HELLO DONE Generate Pre-Master Secret Generate session key from Pre-Master Secret Change cipher <session key> Symmetric encryption with session key FINISHED FINISHED Symmetric encryption with session key <Pre-Master Secret> (encrypted with server key) blah blah blah Generate session key from Pre-Master Secret <Client certificate> Verify certificate, then call VerifyPeerCertificate GetClientCertificate (or Certificate) Establishing TCP TLS Handshake
  7. 12.

    12 @lizrice Public / private key encryption ▪ Public key

    can be freely distributed and is used to encrypt ▪ Private key must be kept private and is used to decrypt “hello” “hello” <encrypted>
  8. 13.

    13 @lizrice Public / private key signatures ▪ Private key

    must be kept private and is used to sign message ▪ Public key is used to verify signature “hello” + = signature “hello” + signature “hello” + signature
  9. 14.

    14 @lizrice Sharing a public key Need a trusted authority

    in common “Certificate Authority” Hi, I’m Liz. Here’s my public key. Why should I believe you?
  10. 15.

    15 @lizrice This is to certify that liz-server has public

    key abcdef X.509 certificate ▪ Subject name ▪ Subject’s public key ▪ Issuer (CA) name ▪ Validity Certificate signed by issuer (CA) CA
  11. 16.

    16 @lizrice Subject Name ▪ Your certs should use Subject

    alternative names (SAN) ▪ Common Name deprecated in 2000 ▪ Can ignore in Go 1.11 with GODEBUG setting
  12. 18.

    18 @lizrice Trusted Certificate Authorities ▪ Like Let’s Encrypt ▪

    Known in system certificate pools ▪ Create a Certificate Signing Request ▪ openssl req -key private-key -new -out csr ▪ For public-facing domains ▪ Not for internal components in a distributed system
  13. 19.

    19 @lizrice CLI tools ▪ openssl ▪ See contents of

    certificate: openssl x509 -text ▪ Doesn’t easily support SANs (Subject Alternative Names) ▪ cfssl ▪ Comprehensive toolkit ▪ mkcert ▪ Local development ▪ Installs CA into your system & browsers ▪ minica ▪ Easy generation of key & certs
  14. 22.
  15. 23.

    23 @lizrice To establish your identity You will need: ▪

    A private key ▪ A certificate for your identity The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.
  16. 24.

    24 @lizrice Setting up a secure connection Server: ▪ ListenAndServeTLS(cert,

    key) ▪ or TLSConfig.Certificates ▪ or TLSConfig.GetCertificate Client: ▪ tls.Dial ▪ or make HTTP request to “https” ▪ May need to add CA cert to TLSConfig.RootCAs ▪ TLSConfig.InsecureSkipVerify ▪ Don’t check server’s certificate
  17. 25.

    25 @lizrice Mutually authenticated TLS Server ▪ TLSConfig.ClientAuth: tls.RequireAndVerifyClientCert ▪

    May need to add CA cert in TLSConfig.ClientCAs Client ▪ TLSConfig.Certificates ▪ or TLSConfig.GetClientCertificate
  18. 26.

    26 @lizrice File extensions Inconsistently used ▪ Information type :

    .crt for certificate, .key for private key... ▪ Or file format: .pem PEM files are base64-encoded and tell you what they contain ▪ openssl can tell you about the contents
  19. 27.

    27 @lizrice Common error messages ▪ Connection refused ▪ Check

    you’re connecting to the right port ▪ Certificate signed by unknown authority ▪ Received a certificate, but it’s not trusted ▪ Examine CA in certificate to see if it should be known to receiver ▪ Remote error ▪ It’s the other end that’s complaining
  20. 28.

    Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice github.com/lizrice/secure-connections
  21. 29.
  22. 30.

    30 @lizrice openssl.org Welcome to OpenSSL! OpenSSL is a robust,

    commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
  23. 31.

    31 @lizrice OpenSSL for keys & certificates ▪ openssl genrsa

    # generate private key ▪ openssl req # CSRs ▪ openssl req -new # generate CSR ▪ openssl req -x509 # generate X.509 certificate ▪ openssl x509 # read X.509 certs ▪ openssl x509 -req # generate signed cert from CSR