Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
4.1k views
in Technique[技术] by (71.8m points)

go - https on macos using openssl CA certificate as trusted

Inspired from this github I am trying to make a https connection to a macos big sur(11.1)

I keep getting:

"Safari Can't Open the Page "mydomain.com" because Safari can't establish a secure connection to the server "mydomain.com"

Note you need openssl from brew

1.Create rootKey

openssl ecparam -name prime256v1 -genkey -noout -out rootCA.key

2.Create root certificate

/usr/local/opt/openssl/bin/openssl req -x509 -nodes -days 825 
    -key rootCA.key 
    -subj "/C=US/ST=CA/O=MyDomain, Inc./CN=mydomain.com" 
    -addext "extendedKeyUsage = serverAuth" 
    -out rootCA.crt

3.Create domain certificate

openssl ecparam -name prime256v1 -genkey -noout -out mydomain.com.key

4.Create Certificate Request

/usr/local/opt/openssl/bin/openssl req 
-key mydomain.com.key 
-subj "/C=US/ST=CA/O=Mydomain, Inc./CN=mydomain.com" 
-addext "subjectAltName = IP:<x.x.x.x>,DNS:mydomain.com" 
-out mydomain.com.csr

5.Generate certificate using CA Root certificate

openssl x509 -req -in mydoamin.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 825 -sha256

6.Add Certificate Authority to Keychain - on the machine connecting via Safari(just use the same machine)

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.crt

Sample go code - remember if you have firewall turned on, you need to give permission to incomming connection in settings/Security & Privacy "Firewall Options..." allow :

package main

import (
    "crypto/tls"
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
    "time"
)

func main() {
    server := &http.Server{
        Addr:         ":443",
        ReadTimeout:  5 * time.Second,
        WriteTimeout: 10 * time.Second,
        TLSConfig:    tlsConfig(),
    }

    //// Having this does not change anything but just showing.
    //// go get -u golang.org/x/net/http2
    //if err := http2.ConfigureServer(server, nil); err != nil {
    //  log.Fatal(err)
    //}

    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte(fmt.Sprintf("Protocol: %s", r.Proto)))
    })

    if err := server.ListenAndServeTLS("", ""); err != nil {
        log.Fatal(err)
    }
}

func tlsConfig() *tls.Config {
    crt, err := ioutil.ReadFile("mydomain.com.crt")
    if err != nil {
        log.Fatal(err)
    }

    key, err := ioutil.ReadFile("mydomain.com.key")
    if err != nil {
        log.Fatal(err)
    }

    cert, err := tls.X509KeyPair(crt, key)
    if err != nil {
        log.Fatal(err)
    }

    return &tls.Config{
        Certificates: []tls.Certificate{cert},
        ServerName:   "mydomain.com",
    }
}

Go code writes:

tls: client using inappropriate protocol fallback

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...