golang SSL authentication

So, here I am trying to have a socket listen on an SSL connection. However, it isn't able to make the handshake. Upon running

 sudo openssl s_client -CApath /etc/ssl/certs/ -connect localhost:8080

It is unable to verify the first cert.

I have very little experience with SSL. Can anyone help?

  package main
  import (
    "crypto/rand"
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "log"
  )
  // checkError stops the program on the first failed load so a bad path is not silently ignored.
  func checkError(err error) {
    if err != nil {
      log.Fatal(err)
    }
  }
  func main() {
    service := ":8080" // address the listener binds to (the port probed with openssl s_client above)
    cert, err := tls.LoadX509KeyPair("positivessl.crt", "key.pem")
    checkError(err)

    rootCert, err := ioutil.ReadFile("AddTrustExternalCARoot.crt")
    checkError(err)
    trustCert, err := ioutil.ReadFile("COMODORSAAddTrustCA.crt")
    checkError(err)
    validationCert, err := ioutil.ReadFile("COMODORSADomainValidationSecureServerCA.crt")
    checkError(err)

    certs := x509.NewCertPool()
    certs.AppendCertsFromPEM(validationCert)
    certs.AppendCertsFromPEM(trustCert)
    certs.AppendCertsFromPEM(rootCert)

    sslConfig := tls.Config{RootCAs: certs, Certificates: []tls.Certificate{cert}}
    sslConfig.Rand = rand.Reader

    listener, err := tls.Listen("tcp", service, &sslConfig)
    checkError(err)
    defer listener.Close()
  }

I'm not familiar with go itself, but from the documentation at http://golang.org/pkg/crypto/tls/ they look similar to other SSL stacks:

  • The rootCert should not be included in the chain. The root cert is the actual trust anchor used for verification of the certificate chain at the client, and thus the client must already know it and trust it.
  • RootCAs are the trusted certificates which are used to verify the certificate. These are not sent to the peer but are used instead as the trust anchors when verifying the received certificates. Thus this setting is relevant for the client side to verify the server's certificate, and maybe for the server side when the client sends certificates too.
  • Instead, all the certificates you want to send to the peer have to be included in Certificates. That is, not only the leaf certificate cert, but also the chain certificates validationCert and trustCert. You have to include them in the correct order so that they build a chain which the client can then finish with the trusted root certificate.
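As an added example (not code from the question or the answer), the following Go program puts those points into practice: it mints a constructed root, intermediate and leaf at runtime, then runs an in-memory TLS handshake twice, once with the server's Certificates holding leaf plus intermediate and once with the leaf alone, against a client whose RootCAs hold only the root. The certificate names and the localhost SAN are constructed; TLS 1.2 is pinned because net.Pipe is synchronous and TLS 1.3's post-handshake session tickets would stall it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// issue mints a short-lived test certificate for cn signed by parent (nil parent: self-signed root).
func issue(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca { // only the CAs are allowed to sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// handshake runs one in-memory TLS handshake: the server presents chain (its Certificates), the
// client trusts only roots (its RootCAs). It returns the client's verification error, nil on success.
func handshake(chain tls.Certificate, roots *x509.CertPool) error {
	cp, sp := net.Pipe()
	defer cp.Close()
	defer sp.Close()
	go tls.Server(sp, &tls.Config{Certificates: []tls.Certificate{chain}, MaxVersion: tls.VersionTLS12}).Handshake() // 1.2: no post-handshake writes
	return tls.Client(cp, &tls.Config{RootCAs: roots, ServerName: "localhost"}).Handshake()
}
func main() {
	root, rootKey := issue("Test Root", true, nil, nil)
	inter, interKey := issue("Test Intermediate", true, root, rootKey)
	leaf, leafKey := issue("localhost", false, inter, interKey)
	roots := x509.NewCertPool() // the client's trust anchor: the root only, never sent by the server
	roots.AddCert(root)
	// Correct: leaf first, then the intermediate, so the client can complete the chain to its root.
	fmt.Println("leaf+intermediate:", handshake(tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: leafKey}, roots))
	// Wrong: the leaf alone, as the question's server does; the client cannot reach a trust anchor.
	fmt.Println("leaf only:", handshake(tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, roots))
}
```

Putting the intermediates into the server's RootCAs, as the question does, changes nothing for the client: only what is in Certificates travels over the wire.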