TLS

Encryption/decryption schemes are of limited use if you have to do all the heavy lifting yourself. The most popular mechanism on the internet to give support for encrypted message passing is currently TLS (Transport Layer Security) which was formerly SSL (Secure Sockets Layer).

In TLS, a client and a server negotiate identity using X.509 certificates. Once this is complete, a secret key is invented between them, and all encryption/decryption is done using this key. The negotiation is relatively slow, but once complete a faster private key mechanism is used.

A server is

  1. /* TLSEchoServer
  2.  */
  3. package main
  5. import (
  6.     "crypto/rand"
  7.     "crypto/tls"
  8.     "fmt"
  9.     "net"
  10.     "os"
  11.     "time"
  12. )
  14. func main() {
  16.     cert, err := tls.LoadX509KeyPair("jan.newmarch.name.pem", "private.pem")
  17.     checkError(err)
  18.     config := tls.Config{Certificates: []tls.Certificate{cert}}
  20.     now := time.Now()
  21.     config.Time = func() time.Time { return now }
  22.     config.Rand = rand.Reader
  24.     service := "0.0.0.0:1200"
  26.     listener, err := tls.Listen("tcp", service, &config)
  27.     checkError(err)
  28.     fmt.Println("Listening")
  29.     for {
  30.         conn, err := listener.Accept()
  31.         if err != nil {
  32.             fmt.Println(err.Error())
  33.             continue
  34.         }
  35.         fmt.Println("Accepted")
  36.         go handleClient(conn)
  37.     }
  38. }
  40. func handleClient(conn net.Conn) {
  41.     defer conn.Close()
  43.     var buf [512]byte
  44.     for {
  45.         fmt.Println("Trying to read")
  46.         n, err := conn.Read(buf[0:])
  47.         if err != nil {
  48.             fmt.Println(err)
  49.         }
  50.         _, err2 := conn.Write(buf[0:n])
  51.         if err2 != nil {
  52.             return
  53.         }
  54.     }
  55. }
  57. func checkError(err error) {
  58.     if err != nil {
  59.         fmt.Println("Fatal error ", err.Error())
  60.         os.Exit(1)
  61.     }
  62. }

The server works with the following client:

  1. /* TLSEchoClient
  2.  */
  3. package main
  5. import (
  6.     "fmt"
  7.     "os"
  8.     "crypto/tls"
  9. )
  11. func main() {
  12.     if len(os.Args) != 2 {
  13.         fmt.Println("Usage: ", os.Args[0], "host:port")
  14.         os.Exit(1)
  15.     }
  16.     service := os.Args[1]
  18.     conn, err := tls.Dial("tcp", service, nil)
  19.     checkError(err)
  21.     for n := 0; n < 10; n++ {
  22.         fmt.Println("Writing...")
  23.         conn.Write([]byte("Hello " + string(n+48)))
  25.         var buf [512]byte
  26.         n, err := conn.Read(buf[0:])
  27.         checkError(err)
  29.         fmt.Println(string(buf[0:n]))
  30.     }
  31.     os.Exit(0)
  32. }
  34. func checkError(err error) {
  35.     if err != nil {
  36.         fmt.Println("Fatal error ", err.Error())
  37.         os.Exit(1)
  38.     }
  39. }

Conclusion

Security is a huge area in itself, and in this chapter we have barely touched on it. However, the major concepts have been covered. What has not been stressed is how much security needs to be built into the design phase: security as an afterthought is nearly always a failure.