All snippets

SSL and TLS in Go

Learn how to implement SSL and TLS in Go for secure network communications using the crypto/tls package

To secure network communications in Go, the language provides support for SSL (Secure Sockets Layer) and TLS (Transport Layer Security) via the crypto/tls package. This guide shows you how to handle SSL/TLS for secure channels.

Basic TLS Server

Here's a simple example of a TLS server in Go:

package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net"
)

func main() {
	// Load certificate and key files.
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatal(err)
	}

	// Configure TLS with the loaded certificate.
	config := &tls.Config{Certificates: []tls.Certificate{cert}}

	// Create a TLS listener.
	ln, err := tls.Listen("tcp", ":443", config)
	if err != nil {
		log.Fatal(err)
	}
	defer ln.Close()

	fmt.Println("TLS server listening on port 443")
	for {
		conn, err := ln.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		go handleConnection(conn)
	}
}

func handleConnection(conn net.Conn) {
	defer conn.Close()
	fmt.Fprintf(conn, "Welcome to the TLS Server\n")
}

Basic TLS Client

Below is an example of a TLS client that connects to the TLS server:

package main

import (
	"crypto/tls"
	"fmt"
	"log"
)

func main() {
	// Configure client TLS settings.
	conf := &tls.Config{
		InsecureSkipVerify: true, // Note: only for testing; validate certificates in production
	}

	// Connect to the server.
	conn, err := tls.Dial("tcp", "localhost:443", conf)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	fmt.Println("Connected to the server")

	// Read message from server.
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("Server: %s\n", string(buf[:n]))
}

Best Practices

  • Certificate Validation: Always validate certificates in production; avoid InsecureSkipVerify.
  • Certificate Renewal: Regularly renew SSL/TLS certificates to maintain secure communications.
  • Keep Keys Secure: Ensure your key files are stored securely and not accessible to unauthorized users.

Common Pitfalls

  • Misconfigured Certificates: Ensure that the server certificate matches the domain name and is signed by a trusted CA.
  • Hostname Validation: Skipping hostname validation (using InsecureSkipVerify) can expose your client to man-in-the-middle attacks.
  • Improper Error Handling: Always handle errors effectively and log them to diagnose issues.

Performance Tips

  • Session Resumption: Utilize session resumption options (like tickets or session IDs) if supported to reduce handshake overhead.
  • Optimize Certificates: Ensure certificates have an appropriate key length and expiry for optimal security and performance balance.
  • Concurrency: Support concurrent connections to better utilize resources and improve throughput. Use goroutines for handling connections.

By implementing SSL/TLS as illustrated, you ensure secure communications over networks, safeguarding data from potential eavesdropping and tampering.