Documentation ¶
Overview ¶
Package openssl is a light wrapper around OpenSSL for Go.
It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:
Performance ¶
OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol.
On my lappytop, I get the following benchmarking speeds:
BenchmarkSHA1Large_openssl 1000 2611282 ns/op 401.56 MB/s BenchmarkSHA1Large_stdlib 500 3963983 ns/op 264.53 MB/s BenchmarkSHA1Small_openssl 1000000 3476 ns/op 0.29 MB/s BenchmarkSHA1Small_stdlib 5000000 550 ns/op 1.82 MB/s BenchmarkSHA256Large_openssl 200 8085314 ns/op 129.69 MB/s BenchmarkSHA256Large_stdlib 100 18948189 ns/op 55.34 MB/s BenchmarkSHA256Small_openssl 1000000 4262 ns/op 0.23 MB/s BenchmarkSHA256Small_stdlib 1000000 1444 ns/op 0.69 MB/s BenchmarkOpenSSLThroughput 100000 21634 ns/op 47.33 MB/s BenchmarkStdlibThroughput 50000 58974 ns/op 17.36 MB/s
Interoperability ¶
Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices.
Greater flexibility and configuration ¶
OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help but, but sometimes you can't help it.
Security ¶
Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.
Usage ¶
Starting an HTTP server that uses OpenSSL is very easy. It's as simple as:
log.Fatal(openssl.ListenAndServeTLS( ":8443", "my_server.crt", "my_server.key", myHandler))
Getting a net.Listener that uses OpenSSL is also easy:
ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key") if err != nil { log.Fatal(err) } l, err := openssl.Listen("tcp", ":7777", ctx)
Making a client connection is straightforward too:
ctx, err := NewCtx() if err != nil { log.Fatal(err) } err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "") if err != nil { log.Fatal(err) } conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)
Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.
Index ¶
- Constants
- Variables
- func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)
- func ListenAndServeTLS(addr string, cert_file string, key_file string, handler http.Handler) error
- func NewListener(inner net.Listener, ctx *Ctx) net.Listener
- func Nid2ShortName(nid int) (string, error)
- func SHA1(data []byte) (result [20]byte, err error)
- func SHA256(data []byte) (result [32]byte, err error)
- func ServerListenAndServeTLS(srv *http.Server, cert_file, key_file string) error
- type Certificate
- func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
- func (c *Certificate) CheckHost(host string, flags CheckFlags) error
- func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
- func (c *Certificate) GetSerialNumberHex() (serial string)
- func (c *Certificate) MarshalPEM() (pem_block []byte, err error)
- func (c *Certificate) PublicKey() (PublicKey, error)
- func (c *Certificate) VerifyHostname(host string) error
- func (c *Certificate) X509NamePrintEx() (out []byte, err error)
- type CertificateStore
- type CertificateStoreCtx
- type CertificateStoreLookup
- type CheckFlags
- type Cipher
- type CipherCtx
- type Conn
- func (c *Conn) Close() error
- func (c *Conn) ConnectionState() (rv ConnectionState)
- func (c *Conn) GetVerifyResults() error
- func (c *Conn) Handshake() error
- func (c *Conn) LocalAddr() net.Addr
- func (c *Conn) PeerCertificate() (*Certificate, error)
- func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
- func (c *Conn) Read(b []byte) (n int, err error)
- func (c *Conn) RemoteAddr() net.Addr
- func (c *Conn) SetDeadline(t time.Time) error
- func (c *Conn) SetReadDeadline(t time.Time) error
- func (c *Conn) SetWriteDeadline(t time.Time) error
- func (c *Conn) UnderlyingConn() net.Conn
- func (c *Conn) VerifyHostname(host string) error
- func (c *Conn) Write(b []byte) (written int, err error)
- type ConnectionState
- type Ctx
- func (c *Ctx) AddChainCertificate(cert *Certificate) error
- func (c *Ctx) CheckPrivateKey() error
- func (c *Ctx) GetCertificateStore() *CertificateStore
- func (c *Ctx) GetMode() Modes
- func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error
- func (c *Ctx) SetCipherList(list string) error
- func (c *Ctx) SetClientCAList(caList *StackOfX509Name)
- func (c *Ctx) SetMode(modes Modes) Modes
- func (c *Ctx) SetOptions(options Options) Options
- func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
- func (c *Ctx) SetSessionId(session_id []byte) error
- func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
- func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)
- func (c *Ctx) SetVerifyDepth(depth int)
- func (c *Ctx) SetVerifyMode(options VerifyOptions)
- func (c *Ctx) UseCertificate(cert *Certificate) error
- func (c *Ctx) UseCertificateChainFile(cert_file string) error
- func (c *Ctx) UsePrivateKey(key PrivateKey) error
- func (c *Ctx) UsePrivateKeyFile(key_file string, file_type Filetypes) error
- func (c *Ctx) UsePrivateKeyFileWithPassword(key_file string, file_type Filetypes, password string) error
- func (c *Ctx) VerifyMode() VerifyOptions
- type DecryptionCipherCtx
- type DialFlags
- type EllipticCurve
- type EncryptionCipherCtx
- type Engine
- type Filetypes
- type Method
- type Modes
- type Options
- type PrivateKey
- type PublicKey
- type SHA1Hash
- type SHA256Hash
- type SSLVersion
- type SessionCacheModes
- type StackOfX509Name
- type VerifyCallback
- type VerifyOptions
- type X509LookupMethod
- type X509VerificationFlag
Constants ¶
const (
GCM_TAG_MAXLEN = 16
)
const (
SSLRecordSize = 16 * 1024
)
Variables ¶
var (
ValidationError = errors.New("Host validation error")
)
Functions ¶
func Listen ¶
Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.
func ListenAndServeTLS ¶
ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.
func NewListener ¶
NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.
func Nid2ShortName ¶
Types ¶
type Certificate ¶
type Certificate struct {
// contains filtered or unexported fields
}
func LoadCertificateFromPEM ¶
func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error)
LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.
func (*Certificate) CheckEmail ¶
func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckHost ¶
func (c *Certificate) CheckHost(host string, flags CheckFlags) error
CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckIP ¶
func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) GetSerialNumberHex ¶
func (c *Certificate) GetSerialNumberHex() (serial string)
GetSerialNumberHex returns the certificate's serial number in hex format
func (*Certificate) MarshalPEM ¶
func (c *Certificate) MarshalPEM() (pem_block []byte, err error)
MarshalPEM converts the X509 certificate to PEM-encoded format
func (*Certificate) PublicKey ¶
func (c *Certificate) PublicKey() (PublicKey, error)
PublicKey returns the public key embedded in the X509 certificate.
func (*Certificate) VerifyHostname ¶
func (c *Certificate) VerifyHostname(host string) error
VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) X509NamePrintEx ¶
func (c *Certificate) X509NamePrintEx() (out []byte, err error)
type CertificateStore ¶
type CertificateStore struct {
// contains filtered or unexported fields
}
func (*CertificateStore) AddCertificate ¶
func (s *CertificateStore) AddCertificate(cert *Certificate) error
AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.
func (*CertificateStore) AddLookup ¶
func (s *CertificateStore) AddLookup(method X509LookupMethod) (*CertificateStoreLookup, error)
AddLookup creates a CertificateStoreLookup of type X509LookupMethod in the CertificateStore
func (*CertificateStore) SetFlags ¶
func (s *CertificateStore) SetFlags(flags X509VerificationFlag) error
type CertificateStoreCtx ¶
type CertificateStoreCtx struct {
// contains filtered or unexported fields
}
func (*CertificateStoreCtx) Depth ¶
func (self *CertificateStoreCtx) Depth() int
func (*CertificateStoreCtx) Err ¶
func (self *CertificateStoreCtx) Err() error
func (*CertificateStoreCtx) GetCurrentCert ¶
func (self *CertificateStoreCtx) GetCurrentCert() *Certificate
the certicate returned is only valid for the lifetime of the underlying X509_STORE_CTX
type CertificateStoreLookup ¶
type CertificateStoreLookup struct {
// contains filtered or unexported fields
}
func (*CertificateStoreLookup) LoadCRLFile ¶
func (l *CertificateStoreLookup) LoadCRLFile(crl_file string) error
LoadCRLFile adds a file to a CertificateStoreLookup in the CertificateStore I suspect that the CertificateStoreLookup needs to have been created with X509LookupFile as the lookup method
type CheckFlags ¶
type CheckFlags int
const ( AlwaysCheckSubject CheckFlags = C.X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT NoWildcards CheckFlags = C.X509_CHECK_FLAG_NO_WILDCARDS )
type Cipher ¶
type Cipher struct {
// contains filtered or unexported fields
}
func GetCipherByName ¶
func GetCipherByNid ¶
type Conn ¶
type Conn struct {
// contains filtered or unexported fields
}
func Client ¶
Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.
IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.
Client also does not set up SNI for you like Dial does.
Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func Dial ¶
Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func Server ¶
Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.
func (*Conn) Close ¶
Close shuts down the SSL connection and closes the underlying wrapped connection.
func (*Conn) ConnectionState ¶
func (c *Conn) ConnectionState() (rv ConnectionState)
func (*Conn) GetVerifyResults ¶
GetVerifyResult gets result of peer certificate verification SSL_get_verify_result() returns the result of the verification of the X509 certificate presented by the peer, if any. See https://www.openssl.org/docs/ssl/SSL_get_verify_result.html
func (*Conn) Handshake ¶
Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.
func (*Conn) PeerCertificate ¶
func (c *Conn) PeerCertificate() (*Certificate, error)
PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.
func (*Conn) PeerCertificateChain ¶
func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.
func (*Conn) Read ¶
Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the underlying connection's remote address
func (*Conn) SetDeadline ¶
SetDeadline calls SetDeadline on the underlying connection.
func (*Conn) SetReadDeadline ¶
SetReadDeadline calls SetReadDeadline on the underlying connection.
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline calls SetWriteDeadline on the underlying connection.
func (*Conn) UnderlyingConn ¶
func (*Conn) VerifyHostname ¶
VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.
type ConnectionState ¶
type ConnectionState struct { Certificate *Certificate CertificateError error CertificateChain []*Certificate CertificateChainError error }
type Ctx ¶
type Ctx struct {
// contains filtered or unexported fields
}
func NewCtxFromFiles ¶
NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.
func NewCtxWithVersion ¶
func NewCtxWithVersion(version SSLVersion) (*Ctx, error)
NewCtxWithVersion creates an SSL context that is specific to the provided SSL version. See http://www.openssl.org/docs/ssl/SSL_CTX_new.html for more.
func (*Ctx) AddChainCertificate ¶
func (c *Ctx) AddChainCertificate(cert *Certificate) error
AddChainCertificate adds a certificate to the chain presented in the handshake.
func (*Ctx) CheckPrivateKey ¶
CheckPrivateKey verifies that the private key agrees with the corresponding public key in the certificate
func (*Ctx) GetCertificateStore ¶
func (c *Ctx) GetCertificateStore() *CertificateStore
GetCertificateStore returns the context's certificate store that will be used for peer validation.
func (*Ctx) GetMode ¶
GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) LoadVerifyLocations ¶
LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.
func (*Ctx) SetCipherList ¶
SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.
func (*Ctx) SetClientCAList ¶
func (c *Ctx) SetClientCAList(caList *StackOfX509Name)
SetClientCAList sets the list of CAs sent to the client when requesting a client certificate for Ctx. See https://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html
func (*Ctx) SetMode ¶
SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) SetOptions ¶
SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*Ctx) SetSessionCacheMode ¶
func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
func (*Ctx) SetSessionId ¶
func (*Ctx) SetVerify ¶
func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyCallback ¶
func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)
func (*Ctx) SetVerifyDepth ¶
SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyMode ¶
func (c *Ctx) SetVerifyMode(options VerifyOptions)
func (*Ctx) UseCertificate ¶
func (c *Ctx) UseCertificate(cert *Certificate) error
UseCertificate configures the context to present the given certificate to peers.
func (*Ctx) UseCertificateChainFile ¶
UseCertificateChainFromFile loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. See https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
func (*Ctx) UsePrivateKey ¶
func (c *Ctx) UsePrivateKey(key PrivateKey) error
UsePrivateKey configures the context to use the given private key for SSL handshakes.
func (*Ctx) UsePrivateKeyFile ¶
UsePrivateKeyFile adds the first private key found in file to the *Ctx, c. The formatting type of the certificate must be specified from the known types FiletypePEM, and FiletypeASN1
func (*Ctx) UsePrivateKeyFileWithPassword ¶
func (*Ctx) VerifyMode ¶
func (c *Ctx) VerifyMode() VerifyOptions
type DecryptionCipherCtx ¶
type DecryptionCipherCtx interface { CipherCtx // pass in ciphertext, get back plaintext. can be called // multiple times as needed DecryptUpdate(input []byte) ([]byte, error) // call after all ciphertext has been passed in; may return // additional plaintext if needed to finish off a block DecryptFinal() ([]byte, error) }
func NewDecryptionCipherCtx ¶
func NewDecryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) ( DecryptionCipherCtx, error)
type EllipticCurve ¶
type EllipticCurve int
EllipticCurve repesents the ASN.1 OID of an elliptic curve. see https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves.
const ( // P-256: X9.62/SECG curve over a 256 bit prime field Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1 // P-384: NIST/SECG curve over a 384 bit prime field Secp384r1 EllipticCurve = C.NID_secp384r1 )
type EncryptionCipherCtx ¶
type EncryptionCipherCtx interface { CipherCtx // pass in plaintext, get back ciphertext. can be called // multiple times as needed EncryptUpdate(input []byte) ([]byte, error) // call after all plaintext has been passed in; may return // additional ciphertext if needed to finish off a block // or extra padding information EncryptFinal() ([]byte, error) }
func NewEncryptionCipherCtx ¶
func NewEncryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) ( EncryptionCipherCtx, error)
type Filetypes ¶
type Filetypes int
const ( FiletypePEM Filetypes = C.SSL_FILETYPE_PEM FiletypeASN1 Filetypes = C.SSL_FILETYPE_ASN1 )
type Modes ¶
type Modes int
const ( // ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS AutoRetry Modes = C.SSL_MODE_AUTO_RETRY )
type Options ¶
type Options int
const ( // NoCompression is only valid if you are using OpenSSL 1.0.1 or newer NoCompression Options = C.SSL_OP_NO_COMPRESSION NoSSLv2 Options = C.SSL_OP_NO_SSLv2 NoSSLv3 Options = C.SSL_OP_NO_SSLv3 NoTLSv1 Options = C.SSL_OP_NO_TLSv1 CipherServerPreference Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION OpAll Options = C.SSL_OP_ALL )
type PrivateKey ¶
type PrivateKey interface { PublicKey // Signs the data using PKCS1.15 SignPKCS1v15(Method, []byte) ([]byte, error) // MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1 // format MarshalPKCS1PrivateKeyPEM() (pem_block []byte, err error) // MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1 // format MarshalPKCS1PrivateKeyDER() (der_block []byte, err error) }
func LoadPrivateKeyFromPEM ¶
func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)
LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.
type PublicKey ¶
type PublicKey interface { // Verifies the data signature using PKCS1.15 VerifyPKCS1v15(method Method, data, sig []byte) error // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX // format MarshalPKIXPublicKeyPEM() (pem_block []byte, err error) // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX // format MarshalPKIXPublicKeyDER() (der_block []byte, err error) // contains filtered or unexported methods }
func LoadPublicKeyFromDER ¶
LoadPublicKeyFromDER loads a public key from a DER-encoded block.
func LoadPublicKeyFromPEM ¶
LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.
type SHA1Hash ¶
type SHA1Hash struct {
// contains filtered or unexported fields
}
func NewSHA1Hash ¶
func NewSHA1HashWithEngine ¶
type SHA256Hash ¶
type SHA256Hash struct {
// contains filtered or unexported fields
}
func NewSHA256Hash ¶
func NewSHA256Hash() (*SHA256Hash, error)
func NewSHA256HashWithEngine ¶
func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error)
func (*SHA256Hash) Close ¶
func (s *SHA256Hash) Close()
func (*SHA256Hash) Reset ¶
func (s *SHA256Hash) Reset() error
func (*SHA256Hash) Sum ¶
func (s *SHA256Hash) Sum() (result [32]byte, err error)
type SSLVersion ¶
type SSLVersion int
const ( SSLv3 SSLVersion = 0x02 TLSv1 SSLVersion = 0x03 TLSv1_1 SSLVersion = 0x04 TLSv1_2 SSLVersion = 0x05 AnyVersion SSLVersion = 0x06 )
type SessionCacheModes ¶
type SessionCacheModes int
const ( SessionCacheOff SessionCacheModes = C.SSL_SESS_CACHE_OFF SessionCacheClient SessionCacheModes = C.SSL_SESS_CACHE_CLIENT SessionCacheServer SessionCacheModes = C.SSL_SESS_CACHE_SERVER SessionCacheBoth SessionCacheModes = C.SSL_SESS_CACHE_BOTH NoAutoClear SessionCacheModes = C.SSL_SESS_CACHE_NO_AUTO_CLEAR NoInternalLookup SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP NoInternalStore SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_STORE NoInternal SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL )
type StackOfX509Name ¶
type StackOfX509Name struct {
// contains filtered or unexported fields
}
func LoadClientCAFile ¶
func LoadClientCAFile(ca_file string) (*StackOfX509Name, error)
LoadClientCAFile reads certificates from file and returns a StackOfX509Name with the subject names found. See https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html
type VerifyCallback ¶
type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool
type VerifyOptions ¶
type VerifyOptions int
const ( VerifyNone VerifyOptions = C.SSL_VERIFY_NONE VerifyPeer VerifyOptions = C.SSL_VERIFY_PEER VerifyFailIfNoPeerCert VerifyOptions = C.SSL_VERIFY_FAIL_IF_NO_PEER_CERT VerifyClientOnce VerifyOptions = C.SSL_VERIFY_CLIENT_ONCE )
type X509LookupMethod ¶
type X509LookupMethod *C.X509_LOOKUP_METHOD
an X509LookupMethod is required to build a a CertificateStoreLookup in a CertificateStore. The X509LookupMethod indicates the type or functionality of the CertificateStoreLookup
func X509LookupFile ¶
func X509LookupFile() X509LookupMethod
CertificateStoreLookups with X509LookupFile methods look for certs in a file
func X509LookupHashDir ¶
func X509LookupHashDir() X509LookupMethod
CertificateStoreLookups with X509LookupHashDir methods look for certs in a directory
type X509VerificationFlag ¶
type X509VerificationFlag int
const ( CBIssuerCheck X509VerificationFlag = C.X509_V_FLAG_CB_ISSUER_CHECK UseCheckTime X509VerificationFlag = C.X509_V_FLAG_USE_CHECK_TIME CRLCheck X509VerificationFlag = C.X509_V_FLAG_CRL_CHECK CRLCheckAll X509VerificationFlag = C.X509_V_FLAG_CRL_CHECK_ALL IgnoreCritical X509VerificationFlag = C.X509_V_FLAG_IGNORE_CRITICAL X509Strict X509VerificationFlag = C.X509_V_FLAG_X509_STRICT AllowProxyCerts X509VerificationFlag = C.X509_V_FLAG_ALLOW_PROXY_CERTS PolicyCheck X509VerificationFlag = C.X509_V_FLAG_POLICY_CHECK ExplicitPolicy X509VerificationFlag = C.X509_V_FLAG_EXPLICIT_POLICY InhibitAny X509VerificationFlag = C.X509_V_FLAG_INHIBIT_ANY InhibitMap X509VerificationFlag = C.X509_V_FLAG_INHIBIT_MAP NotifyPolicy X509VerificationFlag = C.X509_V_FLAG_NOTIFY_POLICY // ExtendedCRLSupport X509VerificationFlag = C.X509_V_FLAG_EXTENDED_CRL_SUPPORT // UseDeltas X509VerificationFlag = C.X509_V_FLAG_USE_DELTAS // CheckSsSignature X509VerificationFlag = C.X509_V_FLAG_CHECK_SS_SIGNATURE // TrustedFirst X509VerificationFlag = C.X509_V_FLAG_TRUSTED_FIRST PolicyMask X509VerificationFlag = C.X509_V_FLAG_POLICY_MASK )
See https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html