Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Go programmer's guide to secure connections

676c8aec28ade455c442e648abfa1db5?s=47 Liz Rice
August 30, 2018

A Go programmer's guide to secure connections

If you've ever been confused by certificates, keys and CAs I hope this talk will help! Presented at GopherCon 2018 and live-blogged here: https://t.co/yb81lQGSEi
The demo code is here: github.com/lizrice/secure-connections


Liz Rice

August 30, 2018


  1. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice A Go programmer’s guide to Secure Connections Liz Rice
  2. 2 @lizrice

  3. 3 @lizrice

  4. 4 @lizrice A guide to TLS connections ▪ As a

    Go programmer, how do I secure my connections? ▪ What do these error messages mean? ▪ What the hell are all these .crt, .key, .csr and .pem files?
  5. 5 @lizrice Hello, I’m Liz Hi! I’m your bank Great!

    Here’s $500 Establishing identity is critical
  6. 6 @lizrice Hello, I’m Liz Hi! I’m your bank Great!

    Here’s $500 Encrypted traffic prevents interception
  7. 7 @lizrice

  8. 8 @lizrice HTTP(S) runs over TCP ▪ Create TCP connection

    ▪ TLS - encrypt TCP connection ▪ Skip if regular HTTP ▪ Send HTTP packets on connection “hi” “hi” blah blah blah
  9. 9 @lizrice TCP connection “Connection refused” = wrong

    port (nearly always)
  10. 10 @lizrice HELLO <server name> HELLO <Server certificate> SYN ACK

    Verify certificate, then call VerifyPeerCertificate GetCertificate (or Certificate) HELLO DONE Generate Pre-Master Secret Generate session key from Pre-Master Secret Change cipher <session key> Symmetric encryption with session key FINISHED FINISHED Symmetric encryption with session key <Pre-Master Secret> (encrypted with server key) blah blah blah Generate session key from Pre-Master Secret <Client certificate> Verify certificate, then call VerifyPeerCertificate GetClientCertificate (or Certificate) Establishing TCP TLS Handshake
  11. Keys and certificates

  12. 12 @lizrice Public / private key encryption ▪ Public key

    can be freely distributed and is used to encrypt ▪ Private key must be kept private and is used to decrypt “hello” “hello” <encrypted>
  13. 13 @lizrice Public / private key signatures ▪ Private key

    must be kept private and is used to sign message ▪ Public key is used to verify signature “hello” + = signature “hello” + signature “hello” + signature
  14. 14 @lizrice Sharing a public key Need a trusted authority

    in common “Certificate Authority” Hi, I’m Liz. Here’s my public key. Why should I believe you?
  15. 15 @lizrice This is to certify that liz-server has public

    key abcdef X.509 certificate ▪ Subject name ▪ Subject’s public key ▪ Issuer (CA) name ▪ Validity Certificate signed by issuer (CA) CA
  16. 16 @lizrice Subject Name ▪ Your certs should use Subject

    alternative names (SAN) ▪ Common Name deprecated in 2000 ▪ Can ignore in Go 1.11 with GODEBUG setting
  17. Creating keys & certificates

  18. 18 @lizrice Trusted Certificate Authorities ▪ Like Let’s Encrypt ▪

    Known in system certificate pools ▪ Create a Certificate Signing Request ▪ openssl req -key private-key -new -out csr ▪ For public-facing domains ▪ Not for internal components in a distributed system
  19. 19 @lizrice CLI tools ▪ openssl ▪ See contents of

    certificate: openssl x509 -text ▪ Doesn’t easily support SANs (Subject Alternative Names) ▪ cfssl ▪ Comprehensive toolkit ▪ mkcert ▪ Local development ▪ Installs CA into your system & browsers ▪ minica ▪ Easy generation of key & certs
  20. 20 @lizrice

  21. Mutually-authenticated TLS (mTLS)

  22. Takeaways

  23. 23 @lizrice To establish your identity You will need: ▪

    A private key ▪ A certificate for your identity The other end needs to trust the Certificate Authority that signed your certificate. This may require appending the CA’s certificate.
  24. 24 @lizrice Setting up a secure connection Server: ▪ ListenAndServeTLS(cert,

    key) ▪ or TLSConfig.Certificates ▪ or TLSConfig.GetCertificate Client: ▪ tls.Dial ▪ or make HTTP request to “https” ▪ May need to add CA cert to TLSConfig.RootCAs ▪ TLSConfig.InsecureSkipVerify ▪ Don’t check server’s certificate
  25. 25 @lizrice Mutually authenticated TLS Server ▪ TLSConfig.ClientAuth: tls.RequireAndVerifyClientCert ▪

    May need to add CA cert in TLSConfig.ClientCAs Client ▪ TLSConfig.Certificates ▪ or TLSConfig.GetClientCertificate
  26. 26 @lizrice File extensions Inconsistently used ▪ Information type :

    .crt for certificate, .key for private key... ▪ Or file format: .pem PEM files are base64-encoded and tell you what they contain ▪ openssl can tell you about the contents
  27. 27 @lizrice Common error messages ▪ Connection refused ▪ Check

    you’re connecting to the right port ▪ Certificate signed by unknown authority ▪ Received a certificate, but it’s not trusted ▪ Examine CA in certificate to see if it should be known to receiver ▪ Remote error ▪ It’s the other end that’s complaining
  28. Copyright @ 2018 Aqua Security Software Ltd. All Rights Reserved.

    @lizrice github.com/lizrice/secure-connections
  29. openssl

  30. 30 @lizrice openssl.org Welcome to OpenSSL! OpenSSL is a robust,

    commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
  31. 31 @lizrice OpenSSL for keys & certificates ▪ openssl genrsa

    # generate private key ▪ openssl req # CSRs ▪ openssl req -new # generate CSR ▪ openssl req -x509 # generate X.509 certificate ▪ openssl x509 # read X.509 certs ▪ openssl x509 -req # generate signed cert from CSR