Golang: how to specify certificate in TLS config f

2019-03-25 15:55发布

I have a cert file, that location is: /usr/abc/my.crt and I want to use that cert for my tls config, so that my http client uses that certificate when communicate with other servers. My current code is as follows:

mTLSConfig := &tls.Config {
    CipherSuites: []uint16 {
        tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    }
}

mTLSConfig.PreferServerCipherSuites = true
mTLSConfig.MinVersion = tls.VersionTLS10
mTLSConfig.MaxVersion = tls.VersionTLS10

tr := &http.Transport{
    TLSClientConfig: mTLSConfig,
}

c := &http.Client{Transport: tr}

So how to assign a certificate in my TLS config? I see the certificate settings at http://golang.org/pkg/crypto/tls/#Config can someone suggest how to config my cert location there?

mTLSConfig.Config{Certificates: []tls.Certificate{'/usr/abc/my.crt'}} <-- is wrong because I am passing string.right? I DON'T have ANY other files such as .pem or .key etc, just only this my.cert. I am blank how to do it?

Earlier, I had edited the go source code http://golang.org/src/pkg/crypto/x509/root_unix.go and added /usr/abc/my.crt after line no. 12 and it worked. But the problem is my certificate file location can change, so I have removed the hardcoded line from root_unix.go and trying to pass it dynamically, when building TLSConfig.

1条回答
霸刀☆藐视天下
2楼-- · 2019-03-25 16:35

You can replace the system CA set by providing a root CA pool in tls.Config.

certs := x509.NewCertPool()

pemData, err := ioutil.ReadFile(pemPath)
if err != nil {
    // do error
}
certs.AppendCertsFromPEM(pemData)
mTLSConfig.RootCAs = certs

If you still want the system's roots however, I think you'll need to recreate the functionality in initSystemRoots(). I don't see any exposed method for merging a cert into the default system roots.

查看更多
登录 后发表回答