Netwave

Reputation: 42688

How can I create a TLS connection without certificates in golang?

From the source:

// Listen creates a TLS listener accepting connections on the
// given network address using net.Listen.
// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
    if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
        return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
    }
    l, err := net.Listen(network, laddr)
    if err != nil {
        return nil, err
    }
    return NewListener(l, config), nil
}

The problem is that the certificates cannot be nil:

// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.

How can I use a tls connection listening without certificates? What I need is the tls encryption but not the authentication.

I tried making a tls.Config with an empty certificate like this:

&tls.Config{
    Certificates: []tls.Certificate{tls.Certificate{}},
}

But the connections failed with tls: handshake failure. Is this even possible?

Upvotes: 3

Views: 4316

Answers (2)

Steffen Ullrich

Reputation: 123320

TLS without certificates would require support for cipher suites which don't use certificates.

Looking at the source code for crypto/tls one can find the supported cipher suites in crypto/tls/cipher_suites.go. One can see there that only cipher suites using either RSA or ECDSA authentication are supported, which means that you need to have a certificate with either RSA or ECC key.

To have support for TLS without certificates there need to be cipher suites for PSK, SRP, or similar authentication methods which don't require certificates, or for NULL authentication (anonymous, i.e. no authentication). But these are not supported.

What I need is the tls encryption but not the authentication.

In most cases such a requirement is flawed in the first place. TLS without authentication would mean that an active and undetectable man-in-the-middle attack is usually easily possible, which would essentially make all the encryption provided by TLS meaningless. TLS without authentication would only make sense if the client could securely (i.e. resistant against MITM attacks) authenticate the server after the TLS connection was established and before any application payload is transmitted.

Upvotes: 6

Siddhanta Rath

Reputation: 1036

Set InsecureSkipVerify to true in tls.Config

// client-side setting: the client no longer verifies the server's certificate chain or host name
tlsConfig := &tls.Config{InsecureSkipVerify: true}

and add that config to Transport

&http.Transport{TLSClientConfig: tlsConfig}

https://golang.org/pkg/crypto/tls/#Config

Upvotes: 0
