Trying to migrate working Java code that uses HTTPS client certificate authentication to Golang, but getting a TLS handshake error
go version go1.12.9 linux/amd64
Client certificate details
openssl pkcs12 -info -in p12file.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted dat..
Certificate bag
Bag Attributes
friendlyName: test
localKeyID:..
subject=CN = *....com
issuer=C = US, O = DigiCert Inc...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidS...
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
....
Working Java code
url = new URL(https_url);
HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream()));
// getting 405 status - so it's working
Able to establish an HTTPS connection with these arguments: -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=./p12file.p12 -Djavax.net.ssl.keyStorePassword=password
Golang problem (error handling removed)
package main

import (
	"crypto/tls"
	"encoding/pem"
	"io/ioutil"
	"log"
	"net/http"
	"golang.org/x/crypto/pkcs12"
)

func main() {
	fb, err := ioutil.ReadFile(p12file) // p12file, password, url set elsewhere; error checks omitted
	b, err := pkcs12.ToPEM(fb, password)
	cert, err := tls.X509KeyPair(pem.EncodeToMemory(b[0]), pem.EncodeToMemory(b[2]))
	// b[0] and b[1] are CERTIFICATE, b[2] is PRIVATE KEY; with b[1] and b[2] getting 'private key does not match public key'
	// also tried
	// openssl pkcs12 -in ./p12file.p12 -clcerts -nokeys -out certfile.crt
	// openssl pkcs12 -in ./p12file.p12 -nocerts -nodes -out keyfile.key
	// cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	tlsConfig := &tls.Config{
		Certificates:       []tls.Certificate{cert},
		InsecureSkipVerify: true,
	}
	tlsConfig.BuildNameToCertificate()
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	client := &http.Client{Transport: transport}
	resp, err := client.Get(url)
	if err != nil {
		log.Fatal(err)
	}
}
Getting "remote error: tls: handshake failure"
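An added example, not code from the question: the Java keystore presents the whole chain found in the .p12 (the leaf plus the DigiCert/RapidSSL issuer bag), while the Go snippet above hands tls.X509KeyPair only b[0], so one thing to rule out is a server that rejects a client chain with no intermediate. CertificateFromPEMBlocks is a hypothetical helper that concatenates every CERTIFICATE block pkcs12.ToPEM returned before pairing the key; SampleBlocks is a constructed stand-in for the real file so the example runs offline with only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CertificateFromPEMBlocks builds a tls.Certificate from the block list pkcs12.ToPEM
// returns: every CERTIFICATE block is kept, in order, so the issuer is sent with the
// leaf; X509KeyPair then checks the key against the first certificate only.
func CertificateFromPEMBlocks(blocks []*pem.Block) (tls.Certificate, error) {
	var certPEM, keyPEM []byte
	for _, b := range blocks {
		switch b.Type {
		case "CERTIFICATE":
			certPEM = append(certPEM, pem.EncodeToMemory(b)...)
		case "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY":
			keyPEM = pem.EncodeToMemory(b)
		}
	}
	return tls.X509KeyPair(certPEM, keyPEM) // errors if a side is empty or the key does not match
}

// SampleBlocks is constructed input shaped like the asker's file after pkcs12.ToPEM:
// [leaf CERTIFICATE, issuer CERTIFICATE, PRIVATE KEY]. Throwaway keys, not real data.
func SampleBlocks() []*pem.Block {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test issuer"},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "test"}, NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	return []*pem.Block{{Type: "CERTIFICATE", Bytes: leafDER}, {Type: "CERTIFICATE", Bytes: caDER}, {Type: "PRIVATE KEY", Bytes: keyDER}}
}

func main() {
	if _, err := CertificateFromPEMBlocks(SampleBlocks()); err != nil {
		panic(err)
	}
}
```

Once the handshake succeeds, drop InsecureSkipVerify: true and set RootCAs so the server certificate is actually verified.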