Slide 1

Go to the Rescue: Saving DevOps from TLS Turmoil
Chris Short, SJ Technologies
Baltimore Go June Meeting

Slide 2

whoami: @ChrisShort, devopsish.com

Slide 3

I'm also a Gopher
Chris Short in Gopher form, via Gopherize.me
All Gopher artwork provided by Ashley McNamara (CC BY-SA 4.0)

Slide 6

Let's Talk Certificate Chains
Three main parts:
1. Root certificate
2. Intermediate certificate(s)
3. Your certificate
SSL is dead; TLS is alive and well
NOTE: TLS 1.0 is not good
Mozilla SSL Configuration Generator

Slide 7

This is the Goal

Slide 8

Are You %&$#?@! Kidding?

Slide 10

So What Does Any Good Engineer Do?

Slide 11

log
The Go log package is pretty self-explanatory
Needed a spectacular failure at the first sign of trouble
log has three families of helper functions: Print, Fatal, and Panic

Slide 12

tls
Go's tls package partially implements TLS 1.2, as specified in RFC 5246
The package configures which SSL/TLS versions are usable
It identifies the preferred cipher suites and elliptic curves used during handshakes
This is the package that handles connections securely

Slide 13

http
The Go implementation of HTTP
http has a function called ListenAndServeTLS
ListenAndServeTLS provides the desired certificate-checking functionality:
"certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate."

Slide 14

main: mux, cfg, srv
mux, short for multiplexer: mux has a function that creates an HTTP server with headers and content (Hello World!)
cfg brings in all the TLS bits seen in a solid web server config
srv puts the pieces together and defines which port to listen on

Slide 15

https://github.com/chris-short/ssl-tester

Slide 16

Fail Spectacularly
I ❤ DevOps and I embrace failure
Defines the path of the certificate files to use
Logs a fatal error if the certificate is not valid
Fails fast
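The shape slides 11 through 16 describe (log, tls, http, then mux/cfg/srv, failing fast on a bad chain), written out as an added example. This is not the ssl-tester code from the talk; the file names cert.pem and key.pem, the port 8443, and the exact cipher suite list are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
)

// newTLSConfig: TLS 1.2 is the floor (1.0/1.1 refused), modern curves, AEAD suites only.
func newTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// loadAndVerify loads certFile (server cert first, then intermediates, PEM-concatenated)
// and keyFile, then checks the leaf chains via those intermediates to a trusted root.
func loadAndVerify(certFile, keyFile string) (tls.Certificate, error) {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return cert, fmt.Errorf("load key pair: %w", err)
	}
	leaf, _ := x509.ParseCertificate(cert.Certificate[0]) // already parsed OK by LoadX509KeyPair
	inter := x509.NewCertPool()
	for _, der := range cert.Certificate[1:] { // every later PEM block is an intermediate
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{Intermediates: inter}) // Roots nil: system store
	return cert, err
}

func main() {
	cert, err := loadAndVerify("cert.pem", "key.pem") // assumed paths
	if err != nil {
		log.Fatalf("certificate check failed, refusing to start: %v", err) // fail fast
	}
	hello := func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "Hello World!") }
	srv := &http.Server{Addr: ":8443", Handler: http.HandlerFunc(hello), TLSConfig: newTLSConfig(cert)}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: the cert is already in TLSConfig
}
```

A missing, expired, or unchained certificate never reaches ListenAndServeTLS: the process exits at startup with the reason in the log.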

Slide 17

It Works

Slide 18

It Really WORKS!

Slide 19

50 lines of code!!! I ❤ Go!
The static binary is a self-contained web server
Compiles to 6MB!!! I ❤ Go!
Can be safely deployed to any public server
External testing run against it for extra vetting

Conclusion
They won't let me talk forever
