Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

TLS with selfsigned certificate

Tags:

ssl

go

I'm trying to establish a TLS connection with the use of a self signed server certificate.

I generated the certificate with this example code: http://golang.org/src/pkg/crypto/tls/generate_cert.go

My relevant client code looks like that:

// server cert is self signed -> server_cert == ca_cert CA_Pool := x509.NewCertPool() severCert, err := ioutil.ReadFile("./cert.pem") if err != nil {     log.Fatal("Could not load server certificate!") } CA_Pool.AppendCertsFromPEM(severCert)  config := tls.Config{RootCAs: CA_Pool}  conn, err := tls.Dial("tcp", "127.0.0.1:8000", &config) if err != nil {     log.Fatalf("client: dial: %s", err) } 

And the relevant server code like that:

cert, err := tls.LoadX509KeyPair("./cert.pem", "./key.pem") config := tls.Config{Certificates: []tls.Certificate{cert}} listener, err := tls.Listen("tcp", "127.0.0.1:8000", &config)  for {     conn, err := listener.Accept()     if err != nil {         log.Printf("server: accept: %s", err)         break     }     log.Printf("server: accepted from %s", conn.RemoteAddr())     go handleConnection(conn) } 

Because the server certificate is self signed is use the same certificate for the server and the clients CA_Pool however this does not seem to work since i always get this error:

client: dial: x509: certificate signed by unknown authority  (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify  candidate authority certificate "serial:0") 

What's my mistake?

like image 803
Zap Avatar asked Mar 26 '14 15:03

Zap


People also ask

Can you use a self-signed certificate for TLS?

If you want to secure your website with an SSL/TLS certificate, you can use a free self-signed SSL/TLS certificate.

What is the problem with self-signed certificate?

Compromised self-signed certificates can pose many security challenges, since attackers can spoof the identity of the victim. Unlike CA-issued certificates, self-signed certificates cannot be revoked. The inability to quickly find and revoke private key associated with a self-signed certificate creates serious risk.

What is the point of a self-signed certificate?

By having a self-signed certificate you are effectively on your own, without the backing of a trusted certificate authority and application of the latest cryptographic methods necessary to ensure proper authentication and encryption of data, devices, and applications.

Are self-signed certificates still encrypted?

A self signed certificate will still encrypt the communication between the client (browser) and your server.


2 Answers

It finally worked with the go built in x509.CreateCertificate, the problem was that I did not set the IsCA:true flag, I only set the x509.KeyUsageCertSign which made creating the self signed certificate work, but crashed while verifying the cert chain.

like image 90
Zap Avatar answered Oct 08 '22 00:10

Zap


The problem is that you need a CA certificate in the server-side config, and this CA must have signed the server's certificate.

I have written some Go code that will generate a CA certificate, but it hasn't been reviewed by anyone and is mostly a toy for playing around with client certs. The safest bet is probably to use openssl ca to generate and sign the certificate. The basic steps will be:

  1. Generate a CA Certificate
  2. Generate a Server key
  3. Sign the Server key with the CA certificate
  4. Add the CA Certificate to the client's tls.Config RootCAs
  5. Set up the server's tls.Config with the Server key and signed certificate.
like image 27
Kyle Lemons Avatar answered Oct 08 '22 02:10

Kyle Lemons