Golang CA certificates and HTTPS requests


When a client sends an HTTPS request to a TLS server, it verifies the server's certificate during the handshake. To do so, the client must have the root CA certificate that anchors the server's chain. Most operating systems (Linux, macOS, Windows) install a set of trusted root CAs automatically, so depending on the HTTP client you use, a browser or curl for example, you may not need to supply a root CA manually. Go's http client loads the system root CAs by default, so you do not need to provide anything for it either.

// /go/src/crypto/x509/root.go

var (
    once           sync.Once
    systemRoots    *CertPool
    systemRootsErr error
)

func systemRootsPool() *CertPool {
    once.Do(initSystemRoots)
    return systemRoots
}

func initSystemRoots() {
    systemRoots, systemRootsErr = loadSystemRoots()
    if systemRootsErr != nil {
        systemRoots = nil
    }
}


In crypto/x509/root.go, systemRoots is initialized exactly once, by the loadSystemRoots() function.

// go/src/crypto/x509/root_unix.go

func loadSystemRoots() (*CertPool, error) {
    roots := NewCertPool()

    files := certFiles
    if f := os.Getenv(certFileEnv); f != "" {
        files = []string{f}
    }

    //... omitted

}

loadSystemRoots() starts from the built-in certFiles list, but if the environment variable named by certFileEnv (SSL_CERT_FILE) is set, that single file replaces the list. certFiles is the list of candidate root CA bundle paths defined in crypto/x509/root_linux.go.

// go/src/crypto/x509/root_linux.go

package x509
 
// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
}


An example of an HTTPS request. No root CA is configured explicitly; the client relies on the system roots loaded above.

package main

import (
    "fmt"
    "io/ioutil"
    "net/http"
    "os"
)

func main() {
    client := http.Client{}
    resp, err := client.Get("https://yiznix.com")
    if err != nil {
        // A failed handshake (for example an unknown CA) surfaces here;
        // exit instead of dereferencing a nil resp below.
        fmt.Println(err)
        os.Exit(1)
    }
    defer resp.Body.Close()

    data, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        fmt.Printf("ERR: %v\n", err)
        os.Exit(1)
    }

    fmt.Println(string(data))
}
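The client above trusts whatever the system bundle contains. As an added example that is not part of the original post, the code below gives the client its own trust store instead, via x509.CertPool and tls.Config.RootCAs; PoolFromPEM, NewPinnedClient and SelfSignedCAPEM are names chosen here, and the self-signed CA is constructed in memory as test data where a real bundle file would normally be read.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"time"
)

// PoolFromPEM builds a trust store holding only the CAs in bundle, in place of
// the system roots that the default client picks up through systemRootsPool().
func PoolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no CA certificate found in PEM bundle")
	}
	return pool, nil
}

// NewPinnedClient returns a client whose handshake verifies servers against pool only.
func NewPinnedClient(pool *x509.CertPool) *http.Client {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 10 * time.Second}
}

// SelfSignedCAPEM generates a throwaway CA in memory. It is constructed test
// data standing in for a real bundle such as /etc/ssl/certs/ca-certificates.crt.
func SelfSignedCAPEM() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

A server whose chain does not end in the supplied bundle fails the handshake with an unknown-authority error, which is the same check the default client performs against the system roots.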

Comments:

  Anonymous user  May 30, 2019

test4


  Anonymous user  May 30, 2019

test 5


  Anonymous user  May 30, 2019

test6


  Anonymous user  May 30, 2019

test7


  Anonymous user  May 30, 2019

test 8


  changer  May 30, 2019

test


  Anonymous user  May 30, 2019

test 9

