Documentation ¶
Overview ¶
Package tls partially implements TLS 1.2, as specified in RFC 5246.
Index ¶
- Constants
- Variables
- func Listen(network, laddr string, config *Config) (net.Listener, error)
- func NewListener(inner net.Listener, config *Config) net.Listener
- type ALPNExtension
- type CacheKeyGenerator
- type Certificate
- type Certificates
- type CipherSuite
- type ClientAuthType
- type ClientExtension
- type ClientFingerprintConfiguration
- type ClientHello
- type ClientHelloInfo
- type ClientKeyExchange
- type ClientSessionCache
- type ClientSessionState
- type CompressionMethod
- type Config
- type ConfigJSON
- type Conn
- func (c *Conn) CheckHeartbleed(b []byte) (n int, err error)
- func (c *Conn) ClientCiphers() []CipherSuite
- func (c *Conn) ClientHelloRaw() []byte
- func (c *Conn) Close() error
- func (c *Conn) Config() *Config
- func (c *Conn) ConnectionState() ConnectionState
- func (c *Conn) GetHandshakeLog() *ServerHandshake
- func (c *Conn) GetHeartbleedLog() *Heartbleed
- func (c *Conn) Handshake() error
- func (c *Conn) InCipher() (cipher interface{})
- func (c *Conn) InSeq() []byte
- func (c *Conn) LocalAddr() net.Addr
- func (c *Conn) OCSPResponse() []byte
- func (c *Conn) OutCipher() (cipher interface{})
- func (c *Conn) OutSeq() []byte
- func (c *Conn) Read(b []byte) (n int, err error)
- func (c *Conn) RemoteAddr() net.Addr
- func (c *Conn) SetDeadline(t time.Time) error
- func (c *Conn) SetReadDeadline(t time.Time) error
- func (c *Conn) SetWriteDeadline(t time.Time) error
- func (c *Conn) VerifyHostname(host string) error
- func (c *Conn) Write(b []byte) (int, error)
- type ConnectionState
- type CurveID
- type DigitalSignature
- type ExtendedMasterSecretExtension
- type FakeAddr
- type FakeConn
- func (fConn FakeConn) Close() error
- func (fConn FakeConn) LocalAddr() net.Addr
- func (fConn FakeConn) Read(b []byte) (int, error)
- func (fConn FakeConn) RemoteAddr() net.Addr
- func (fConn FakeConn) SetDeadline(t time.Time) error
- func (fConn FakeConn) SetReadDeadline(t time.Time) error
- func (fConn FakeConn) SetWriteDeadline(t time.Time) error
- func (fConn FakeConn) Write(b []byte) (int, error)
- type Finished
- type HeartbeatExtension
- type Heartbleed
- type KeyMaterial
- type MasterSecret
- type NextProtocolNegotiationExtension
- type NullExtension
- type ParsedAndRawSCT
- type PointFormat
- type PointFormatExtension
- type PreMasterSecret
- type SCTExtension
- type SNIExtension
- type SecureRenegotiationExtension
- type ServerHandshake
- type ServerHello
- type ServerKeyExchange
- type SessionTicket
- type SessionTicketExtension
- type SigAndHash
- type SignatureAlgorithmExtension
- type SignatureAndHash
- type SignatureScheme
- type SimpleCertificate
- type StatusRequestExtension
- type SupportedCurvesExtension
- type TLSVersion
Examples ¶
Constants ¶
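// Cipher suite identifiers as 16-bit wire values.
//
// The list includes NULL, anonymous, export-grade, RC4, DES and 3DES suites
// next to modern AEAD ones. A name appearing here only gives the suite an
// identifier; it says nothing about whether the suite is safe to negotiate.
// Build allow-lists explicitly rather than deriving them from this block.
//
// One declaration per line: in the collapsed rendering the first "//" comment
// swallowed every constant that followed it, including the closing paren.
const (
	TLS_NULL_WITH_NULL_NULL = 0x0000
	TLS_RSA_WITH_NULL_MD5 = 0x0001
	TLS_RSA_WITH_NULL_SHA = 0x0002
	TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
	TLS_RSA_WITH_RC4_128_MD5 = 0x0004
	TLS_RSA_WITH_RC4_128_SHA = 0x0005
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006
	TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
	TLS_RSA_WITH_DES_CBC_SHA = 0x0009
	TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B
	TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C
	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D
	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E
	TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F
	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010
	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011
	TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012
	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014
	TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017
	TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018
	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019
	TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A
	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B
	SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C
	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D
	TLS_KRB5_WITH_DES_CBC_SHA = 0x001E
	TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F
	TLS_KRB5_WITH_RC4_128_SHA = 0x0020
	TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021
	TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022
	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023
	TLS_KRB5_WITH_RC4_128_MD5 = 0x0024
	TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027
	TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A
	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B
	TLS_PSK_WITH_NULL_SHA = 0x002C
	TLS_DHE_PSK_WITH_NULL_SHA = 0x002D
	TLS_RSA_PSK_WITH_NULL_SHA = 0x002E
	TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
	TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030
	TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
	TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
	TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
	TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036
	TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
	TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
	TLS_RSA_WITH_NULL_SHA256 = 0x003B
	TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
	TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E
	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040
	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041
	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042
	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043
	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044
	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045
	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046
	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060
	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061
	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062
	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063
	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064
	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065
	TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068
	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C
	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D
	TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080
	TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081
	TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082
	TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083
	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084
	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085
	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086
	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087
	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088
	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089
	TLS_PSK_WITH_RC4_128_SHA = 0x008A
	TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B
	TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C
	TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D
	TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E
	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F
	TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090
	TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091
	TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092
	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093
	TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094
	TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095
	TLS_RSA_WITH_SEED_CBC_SHA = 0x0096
	TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097
	TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098
	TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099
	TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A
	TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B
	TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
	TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F
	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0
	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1
	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2
	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3
	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4
	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5
	TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6
	TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7
	TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8
	TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9
	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA
	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB
	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC
	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD
	TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE
	TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF
	TLS_PSK_WITH_NULL_SHA256 = 0x00B0
	TLS_PSK_WITH_NULL_SHA384 = 0x00B1
	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2
	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3
	TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4
	TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5
	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6
	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7
	TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8
	TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9
	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA
	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB
	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC
	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD
	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE
	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF
	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0
	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1
	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2
	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3
	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4
	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5
	// The next two are signalling values, not negotiable cipher suites:
	// renegotiation indication (RFC 5746) and downgrade protection (RFC 7507).
	TLS_RENEGO_PROTECTION_REQUEST = 0x00FF
	TLS_FALLBACK_SCSV = 0x5600
	TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001
	TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002
	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005
	TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A
	TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B
	TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C
	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F
	TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010
	TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014
	TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015
	TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016
	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017
	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018
	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019
	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A
	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B
	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C
	TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E
	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F
	TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020
	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021
	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D
	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031
	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032
	TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033
	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034
	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035
	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036
	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037
	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038
	TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039
	TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A
	TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B
	TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C
	TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D
	TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E
	TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F
	TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040
	TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041
	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042
	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043
	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044
	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045
	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046
	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047
	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048
	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049
	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A
	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B
	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C
	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D
	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E
	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F
	TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050
	TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051
	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052
	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053
	TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054
	TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055
	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056
	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057
	TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058
	TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059
	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A
	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B
	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C
	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D
	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E
	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F
	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060
	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061
	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062
	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063
	TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064
	TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065
	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066
	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067
	TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068
	TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069
	TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A
	TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B
	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C
	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D
	TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E
	TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F
	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070
	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071
	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072
	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073
	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074
	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075
	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076
	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077
	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078
	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079
	TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A
	TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B
	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C
	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D
	TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E
	TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F
	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080
	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081
	TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082
	TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083
	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084
	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085
	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086
	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087
	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088
	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089
	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A
	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B
	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C
	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D
	TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E
	TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F
	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090
	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091
	TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092
	TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093
	TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094
	TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095
	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096
	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097
	TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098
	TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099
	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A
	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B
	TLS_RSA_WITH_AES_128_CCM = 0xC09C
	TLS_RSA_WITH_AES_256_CCM = 0xC09D
	TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E
	TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F
	TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0
	TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1
	TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2
	TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3
	TLS_PSK_WITH_AES_128_CCM = 0xC0A4
	TLS_PSK_WITH_AES_256_CCM = 0xC0A5
	TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6
	TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7
	TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8
	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9
	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA
	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB
	TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC
	TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD
	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE
	TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF
	// NOTE(review): 0xCAFE breaks the 0xC0xx run around it; presumably a
	// pre-standard or experimental id — confirm against the IANA registry.
	TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xCAFE
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9
	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAA

	// Old ids for Chacha20 ciphers
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC13
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC14
	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC15

	//SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE
	//SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF
	//SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFFE0
	//SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFFE1

	// NOTE(review): the 0xFFxx values below do not continue any numbering
	// above; presumably vendor-specific or legacy SSL ids — confirm the source.
	SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80
	SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81
	SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82
	SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83
	SSL_EN_RC2_128_CBC_WITH_MD5 = 0xFF03
	OP_PCL_TLS10_AES_128_CBC_SHA512 = 0xFF85
)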
A list of the possible cipher suite ids. Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
// Protocol version numbers as 16-bit values.
//
// Only versions up to TLS 1.2 are listed. SSL 3.0 is prohibited by RFC 7568
// and TLS 1.0/1.1 are deprecated by RFC 8996, so the three lower values are
// for identifying or measuring legacy peers rather than for new deployments.
const (
	VersionSSL30 = 0x0300
	VersionTLS10 = 0x0301
	VersionTLS11 = 0x0302
	VersionTLS12 = 0x0303
)
Variables ¶
// ChromeCiphers is an ordered cipher suite list named after Chrome.
// NOTE(review): presumably it mirrors the offer of a particular Chrome
// release; the release is not stated here — confirm before relying on it as
// a fingerprint.
//
// The list contains RC4, 3DES and static-RSA key-exchange suites, so it is a
// compatibility/measurement profile, not a hardened default.
var ChromeCiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_MD5,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
// ChromeNoDHECiphers is the ChromeCiphers ordering without the TLS_DHE_*
// suites; ECDHE and static-RSA suites remain, including RC4 and 3DES ones.
// NOTE(review): TLS_RSA_WITH_AES_256_GCM_SHA384 is in ChromeCiphers but not
// here, although it is not a DHE suite — confirm that omission is intended.
var ChromeNoDHECiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_MD5,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
// DHECiphers lists suites whose names start with TLS_DHE_ (DSS- and
// RSA-authenticated). It includes single-DES, 3DES and RC4 suites, so it
// selects by key-exchange family only and is not a strength filter.
var DHECiphers []uint16 = []uint16{
	TLS_DHE_DSS_WITH_DES_CBC_SHA,
	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
	TLS_DHE_RSA_WITH_DES_CBC_SHA,
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
	TLS_DHE_DSS_WITH_RC4_128_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}
WARN: DSS: Certificate not supported/implemented
// DHEExportCiphers lists export-grade Diffie-Hellman suites: two DHE suites
// and two anonymous-DH suites, all with 40-bit ciphers per their names.
// A peer that accepts any of these is negotiating deliberately weakened
// cryptography; the list is suited to detecting that, not to normal use.
var DHEExportCiphers []uint16 = []uint16{
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
}
// ECDHECiphers lists TLS_ECDHE_* suites with RSA or ECDSA authentication.
// AEAD suites come first, but RC4 and 3DES suites are also present, so the
// list selects by key-exchange family only.
var ECDHECiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
}
// ErrCertsOnly is a sentinel error whose message says the handshake was
// abandoned because of the CertsOnly option. A connection that ends with this
// error did not complete the handshake, so callers should treat it as an
// expected early stop and must not use the connection for application data.
var ErrCertsOnly = errors.New("handshake abandoned per CertsOnly option")
Error type raised by doFullHandshake() when the CertsOnly option is in use
// Sentinel errors for cipher suite selection.
var (
	// ErrNoMutualCipher carries the message "no mutual cipher suite".
	ErrNoMutualCipher = errors.New("no mutual cipher suite")

	// ErrUnimplementedCipher carries the message "unimplemented cipher suite".
	ErrUnimplementedCipher = errors.New("unimplemented cipher suite")
)
// ExportCiphers lists every EXPORT and EXPORT1024 suite declared in this
// package (40- and 56-bit ciphers per their names), across RSA, DH, DHE,
// anonymous-DH and KRB5 key exchange.
// These suites are intentionally weak; the list is suited to checking whether
// a peer still accepts them and should never be part of a production offer.
var ExportCiphers []uint16 = []uint16{
	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
	TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
	TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
}
WARN: Anonymous, non-ephemeral DH key exchange: not supported/implemented.
WARN: DSS: certificate not supported/implemented.
WARN: KRB5: supported?
// FirefoxCiphers is an ordered cipher suite list named after Firefox.
// NOTE(review): presumably it mirrors the offer of a particular Firefox
// release; the release is not stated here — confirm before relying on it as
// a fingerprint.
//
// Apart from two AES-GCM suites the list is CBC-mode, and it ends with a 3DES
// suite; treat it as a compatibility/measurement profile.
var FirefoxCiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
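// FirefoxNoDHECiphers is the FirefoxCiphers ordering with the finite-field
// DHE key-exchange suites left out; ECDHE and static-RSA suites remain.
//
// The two TLS_DHE_RSA_* entries that used to be listed here made this list
// identical to FirefoxCiphers, contradicting its name and the pattern
// followed by ChromeNoDHECiphers. A caller that picked this list to keep DHE
// out of the offer was still offering it.
var FirefoxNoDHECiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}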
// HeartbleedError is a sentinel error with the message "Error after Heartbleed".
// NOTE(review): presumably returned when an error follows the Heartbleed
// check (see Conn.CheckHeartbleed) — confirm against the caller. The name and
// capitalised message differ from the ErrXxx sentinels in this package; both
// are kept as they are because callers may match on them.
var HeartbleedError = errors.New("Error after Heartbleed")
// PortableCiphers is a broad, ordered cipher suite list.
//
// Besides AEAD suites it contains RC4, single-DES, 3DES and several
// EXPORT (40-bit) suites, so offering it maximises the chance of finding a
// common suite at the cost of allowing very weak ones. Use it for reachability
// and measurement, not where confidentiality of the session matters.
var PortableCiphers []uint16 = []uint16{
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_RC4_128_MD5,
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_DHE_RSA_WITH_DES_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
}
// RSA512ExportCiphers lists the three TLS_RSA_EXPORT_* suites with 40-bit
// ciphers (the EXPORT1024 variants are not included).
// NOTE(review): the "512" in the name presumably refers to the RSA key size
// used by these export suites — confirm.
var RSA512ExportCiphers []uint16 = []uint16{
	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
}
// RSACiphers lists five static-RSA key-exchange suites (TLS_RSA_WITH_*).
// None of them provides forward secrecy, and the list includes RC4 and 3DES.
var RSACiphers = []uint16{
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
}
RSA Ciphers
// RSAExportCiphers lists the RSA key-exchange export suites: the three
// 40-bit EXPORT suites followed by the four EXPORT1024 (56-bit) suites.
// All are deliberately weakened; use the list only to detect peers that
// still accept them.
var RSAExportCiphers []uint16 = []uint16{
	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
}
// SChannelSuites is a two-entry list of static-RSA suites, one AES-GCM and
// one RC4.
// NOTE(review): the name suggests a Windows SChannel profile; what it is
// meant to reproduce is not stated here — confirm.
var SChannelSuites []uint16 = []uint16{
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_RC4_128_SHA,
}
// SafariCiphers is an ordered cipher suite list named after Safari.
// NOTE(review): presumably it mirrors the offer of a particular Safari
// release; the release is not stated here — confirm before relying on it as
// a fingerprint.
//
// The list has no AEAD suites and ends with four RC4 suites; treat it as a
// compatibility/measurement profile.
var SafariCiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_MD5,
}
// SafariNoDHECiphers is a Safari-named list with no TLS_DHE_* suites.
// Compared with SafariCiphers, the five DHE_RSA entries are absent and ten
// static TLS_ECDH_* suites (ECDSA- and RSA-authenticated) are present.
// Static ECDH and static RSA give no forward secrecy; RC4 and 3DES suites are
// also included.
var SafariNoDHECiphers []uint16 = []uint16{
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_MD5,
}
Functions ¶
Types ¶
type ALPNExtension ¶
// ALPNExtension holds the protocol names for an ALPN client extension.
// Its methods (CheckImplemented, Marshal, WriteToConfig) match the
// ClientExtension interface; their bodies are not shown here.
type ALPNExtension struct {
	// Protocols is the list of application protocol names.
	Protocols []string
}
func (*ALPNExtension) CheckImplemented ¶
func (e *ALPNExtension) CheckImplemented() error
func (*ALPNExtension) Marshal ¶
func (e *ALPNExtension) Marshal() []byte
func (*ALPNExtension) WriteToConfig ¶
func (e *ALPNExtension) WriteToConfig(c *Config) error
type CacheKeyGenerator ¶
type Certificate ¶
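// Certificate holds a certificate chain together with its private key, an
// optional OCSP staple and an optional pre-parsed leaf.
//
// One field per line: in the collapsed rendering the first "//" comment
// swallowed PrivateKey, OCSPStaple, Leaf and the closing brace. The field
// comments are attached to the fields they describe.
type Certificate struct {
	// Certificate is the raw certificate chain.
	Certificate [][]byte `json:"certificate_chain,omitempty"`

	// PrivateKey supported types: *rsa.PrivateKey, *ecdsa.PrivateKey.
	// Don't expose the private key by default (can be marshalled manually):
	// the `json:"-"` tag keeps it out of JSON output, so any manual
	// marshalling must not end up in logs or scan results.
	PrivateKey crypto.PrivateKey `json:"-"`

	// OCSPStaple contains an optional OCSP response which will be served
	// to clients that request it.
	OCSPStaple []byte `json:"ocsp_staple,omitempty"`

	// Leaf is the parsed form of the leaf certificate, which may be
	// initialized using x509.ParseCertificate to reduce per-handshake
	// processing for TLS clients doing client authentication. If nil, the
	// leaf certificate will be parsed as needed.
	Leaf *x509.Certificate `json:"leaf,omitempty"`
}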
A Certificate is a chain of one or more certificates, leaf first.
func LoadX509KeyPair ¶
func LoadX509KeyPair(certFile, keyFile string) (cert Certificate, err error)
LoadX509KeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data.
func X509KeyPair ¶
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error)
X509KeyPair parses a public/private key pair from a pair of PEM encoded data.
type Certificates ¶
// Certificates is a JSON-friendly view of a certificate message: the leaf,
// the rest of the chain, and an optional validation result.
// NOTE(review): the package documentation for this type mentions
// ValidationError and Valid, which are not fields of this struct; validation
// output is carried in Validation — confirm and update that sentence.
type Certificates struct {
	// Certificate is the first (leaf) certificate of the message.
	Certificate SimpleCertificate `json:"certificate,omitempty"`
	// Chain holds the remaining certificates.
	Chain []SimpleCertificate `json:"chain,omitempty"`
	// Validation is omitted from JSON when nil.
	Validation *x509.Validation `json:"validation,omitempty"`
}
Certificates represents a TLS certificates message in a format friendly to the golang JSON library. ValidationError should be non-nil whenever Valid is false.
type CipherSuite ¶
// CipherSuite is a cipher suite identifier stored as a 16-bit value.
type CipherSuite uint16
func (CipherSuite) Bytes ¶
func (cs CipherSuite) Bytes() []byte
func (*CipherSuite) MarshalJSON ¶
func (cs *CipherSuite) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface
func (CipherSuite) String ¶
func (cs CipherSuite) String() string
func (*CipherSuite) UnmarshalJSON ¶
func (cs *CipherSuite) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type ClientAuthType ¶
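// ClientAuthType declares the policy the server will follow for
// TLS Client Authentication.
//
// NOTE(review): going by the names, only VerifyClientCertIfGiven and
// RequireAndVerifyClientCert verify a presented certificate; confirm against
// the handshake code before relying on the other values for authentication.
type ClientAuthType int

// One constant per line: in the collapsed rendering the leading "//" comment
// swallowed all five declarations and the closing paren.
const (
	// Values have no meaning (were previously 'iota').
	// Values added in order to allow dereference to name for JSON.
	NoClientCert ClientAuthType = 0
	RequestClientCert ClientAuthType = 1
	RequireAnyClientCert ClientAuthType = 2
	VerifyClientCertIfGiven ClientAuthType = 3
	RequireAndVerifyClientCert ClientAuthType = 4
)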
func (*ClientAuthType) MarshalJSON ¶
func (authType *ClientAuthType) MarshalJSON() ([]byte, error)
func (*ClientAuthType) String ¶
func (authType *ClientAuthType) String() string
func (*ClientAuthType) UnmarshalJSON ¶
func (authType *ClientAuthType) UnmarshalJSON(b []byte) error
type ClientExtension ¶
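// ClientExtension is implemented by every extension that can be placed in a
// fingerprinted ClientHello.
//
// One method per line: in the collapsed rendering the first "//" comment
// swallowed all three methods and the closing brace.
type ClientExtension interface {
	// Produce the bytes on the wire for this extension, type and length included
	Marshal() []byte

	// Function will return an error if zTLS does not implement the necessary features for this extension
	CheckImplemented() error

	// Modifies the config to reflect the state of the extension
	WriteToConfig(*Config) error
}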
type ClientFingerprintConfiguration ¶
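// ClientFingerprintConfiguration describes a ClientHello field by field so
// that the hello sent on the wire matches a chosen fingerprint.
//
// One field per line: in the collapsed rendering the first "//" comment
// swallowed every field and the closing brace.
//
// The cipher suites, compression methods and extensions are sent as given,
// so a configuration copied from a legacy client will offer whatever weak
// options that client offered.
type ClientFingerprintConfiguration struct {
	// Version in the handshake header
	HandshakeVersion uint16

	// if len == 32, it will specify the client random.
	// Otherwise, the field will be random
	// except the top 4 bytes if InsertTimestamp is true
	ClientRandom []byte
	InsertTimestamp bool

	// if RandomSessionID > 0, will overwrite SessionID w/ that many
	// random bytes when a session resumption occurs
	RandomSessionID int
	SessionID []byte

	// These fields will appear exactly in order in the ClientHello
	CipherSuites []uint16
	CompressionMethods []uint8
	Extensions []ClientExtension

	// Optional, both must be non-nil, or neither.
	// Custom Session cache implementations allowed
	SessionCache ClientSessionCache
	CacheKey CacheKeyGenerator
}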
func (*ClientFingerprintConfiguration) CheckImplementedExtensions ¶
func (c *ClientFingerprintConfiguration) CheckImplementedExtensions() error
func (*ClientFingerprintConfiguration) WriteToConfig ¶
func (c *ClientFingerprintConfiguration) WriteToConfig(config *Config) error
type ClientHello ¶
type ClientHello struct { Version TLSVersion `json:"version"` Random []byte `json:"random"` SessionID []byte `json:"session_id,omitempty"` CipherSuites []CipherSuite `json:"cipher_suites"` CompressionMethods []CompressionMethod `json:"compression_methods"` OcspStapling bool `json:"ocsp_stapling"` TicketSupported bool `json:"ticket"` SecureRenegotiation bool `json:"secure_renegotiation"` HeartbeatSupported bool `json:"heartbeat"` ExtendedRandom []byte `json:"extended_random,omitempty"` ExtendedMasterSecret bool `json:"extended_master_secret"` NextProtoNeg bool `json:"next_protocol_negotiation"` ServerName string `json:"server_name,omitempty"` Scts bool `json:"scts"` SupportedCurves []CurveID `json:"supported_curves,omitempty"` SupportedPoints []PointFormat `json:"supported_point_formats,omitempty"` SessionTicket *SessionTicket `json:"session_ticket,omitempty"` SignatureAndHashes []SignatureAndHash `json:"signature_and_hashes,omitempty"` SctEnabled bool `json:"sct_enabled"` AlpnProtocols []string `json:"alpn_protocols,omitempty"` UnknownExtensions [][]byte `json:"unknown_extensions,omitempty"` }
type ClientHelloInfo ¶
// ClientHelloInfo carries values taken from a received ClientHello. Every
// field other than Conn and HandshakeLog is described below as coming from
// the client, so it is peer-controlled input.
type ClientHelloInfo struct {
	// CipherSuites lists the CipherSuites supported by the client (e.g.
	// TLS_RSA_WITH_RC4_128_SHA).
	CipherSuites []uint16

	// ServerName indicates the name of the server requested by the client
	// in order to support virtual hosting. ServerName is only set if the
	// client is using SNI (see
	// http://tools.ietf.org/html/rfc4366#section-3.1).
	// The value is chosen by the client and is not authenticated.
	ServerName string

	// SupportedCurves lists the elliptic curves supported by the client.
	// SupportedCurves is set only if the Supported Elliptic Curves
	// Extension is being used (see
	// http://tools.ietf.org/html/rfc4492#section-5.1.1).
	SupportedCurves []CurveID

	// SupportedPoints lists the point formats supported by the client.
	// SupportedPoints is set only if the Supported Point Formats Extension
	// is being used (see
	// http://tools.ietf.org/html/rfc4492#section-5.1.2).
	SupportedPoints []uint8

	// SignatureSchemes lists the signature and hash schemes that the client
	// is willing to verify. SignatureSchemes is set only if the Signature
	// Algorithms Extension is being used (see
	// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1).
	SignatureSchemes []SignatureScheme

	// SupportedProtos lists the application protocols supported by the client.
	// SupportedProtos is set only if the Application-Layer Protocol
	// Negotiation Extension is being used (see
	// https://tools.ietf.org/html/rfc7301#section-3.1).
	//
	// Servers can select a protocol by setting Config.NextProtos in a
	// GetConfigForClient return value.
	SupportedProtos []string

	// SupportedVersions lists the TLS versions supported by the client.
	// For TLS versions less than 1.3, this is extrapolated from the max
	// version advertised by the client, so values other than the greatest
	// might be rejected if used.
	SupportedVersions []uint16

	// Conn is the underlying net.Conn for the connection. Do not read
	// from, or write to, this connection; that will cause the TLS
	// connection to fail.
	Conn net.Conn

	// HandshakeLog points to the entire TLS handshake structure so that
	// higher-level packages can retrieve it without hijacking the
	// connection.
	HandshakeLog *ServerHandshake
}
ClientHelloInfo contains information from a ClientHello message in order to guide certificate selection in the GetCertificate callback.
func (*ClientHelloInfo) MarshalJSON ¶
func (info *ClientHelloInfo) MarshalJSON() ([]byte, error)
func (*ClientHelloInfo) UnmarshalJSON ¶
func (info *ClientHelloInfo) UnmarshalJSON(b []byte) error
type ClientKeyExchange ¶
// ClientKeyExchange holds the client's key exchange message: the raw bytes
// plus one optional parsed form per key exchange family.
type ClientKeyExchange struct {
	// Raw is excluded from JSON output by its "-" tag.
	Raw []byte `json:"-"`

	// NOTE(review): the jsonKeys types are defined outside this page. Check
	// whether any of them carries client-side secret values before treating
	// serialized output as non-sensitive.
	RSAParams  *jsonKeys.RSAClientParams `json:"rsa_params,omitempty"`
	DHParams   *jsonKeys.DHParams        `json:"dh_params,omitempty"`
	ECDHParams *jsonKeys.ECDHParams      `json:"ecdh_params,omitempty"`
}
ClientKeyExchange represents the raw key data sent by the client in the TLS key exchange message.
type ClientSessionCache ¶
// ClientSessionCache stores ClientSessionState values under string keys.
type ClientSessionCache interface {
	// Get searches for a ClientSessionState associated with the given key.
	// On return, ok is true if one was found.
	Get(sessionKey string) (session *ClientSessionState, ok bool)

	// Put adds the ClientSessionState to the cache with the given key.
	Put(sessionKey string, cs *ClientSessionState)
}
ClientSessionCache is a cache of ClientSessionState objects that can be used by a client to resume a TLS session with a given server. ClientSessionCache implementations should expect to be called concurrently from different goroutines.
func NewLRUClientSessionCache ¶
func NewLRUClientSessionCache(capacity int) ClientSessionCache
NewLRUClientSessionCache returns a ClientSessionCache with the given capacity that uses an LRU strategy. If capacity is < 1, a default capacity is used instead.
type ClientSessionState ¶
type ClientSessionState struct {
// contains filtered or unexported fields
}
ClientSessionState contains the state needed by clients to resume TLS sessions.
func (*ClientSessionState) MakeLog ¶
func (m *ClientSessionState) MakeLog() *SessionTicket
type CompressionMethod ¶
type CompressionMethod uint8
func (*CompressionMethod) MarshalJSON ¶
func (cm *CompressionMethod) MarshalJSON() ([]byte, error)
func (CompressionMethod) String ¶
func (cm CompressionMethod) String() string
func (*CompressionMethod) UnmarshalJSON ¶
func (cm *CompressionMethod) UnmarshalJSON(b []byte) error
type Config ¶
// Config holds the settings for a TLS client or server. Several fields
// exist to reproduce non-default or legacy handshake behaviour; the comments
// below point out the ones whose zero value or use weakens a connection.
type Config struct {
	// Rand provides the source of entropy for nonces and RSA blinding.
	// If Rand is nil, TLS uses the cryptographic random reader in package
	// crypto/rand.
	// The Reader must be safe for use by multiple goroutines.
	Rand io.Reader

	// Time returns the current time as the number of seconds since the epoch.
	// If Time is nil, TLS uses time.Now.
	Time func() time.Time

	// Certificates contains one or more certificate chains
	// to present to the other side of the connection.
	// Server configurations must include at least one certificate.
	Certificates []Certificate

	// NameToCertificate maps from a certificate name to an element of
	// Certificates. Note that a certificate name can be of the form
	// '*.example.com' and so doesn't have to be a domain name as such.
	// See Config.BuildNameToCertificate
	// The nil value causes the first element of Certificates to be used
	// for all connections.
	NameToCertificate map[string]*Certificate

	// RootCAs defines the set of root certificate authorities
	// that clients use when verifying server certificates.
	// If RootCAs is nil, TLS uses the host's root CA set.
	RootCAs *x509.CertPool

	// NextProtos is a list of supported, application level protocols.
	NextProtos []string

	// ServerName is used to verify the hostname on the returned
	// certificates unless InsecureSkipVerify is given. It is also included
	// in the client's handshake to support virtual hosting.
	ServerName string

	// ClientAuth determines the server's policy for
	// TLS Client Authentication. The default is NoClientCert.
	ClientAuth ClientAuthType

	// ClientCAs defines the set of root certificate authorities
	// that servers use if required to verify a client certificate
	// by the policy in ClientAuth.
	ClientCAs *x509.CertPool

	// InsecureSkipVerify controls whether a client verifies the
	// server's certificate chain and host name.
	// If InsecureSkipVerify is true, TLS accepts any certificate
	// presented by the server and any host name in that certificate.
	// In this mode, TLS is susceptible to man-in-the-middle attacks.
	// This should be used only for testing.
	InsecureSkipVerify bool

	// CipherSuites is a list of supported cipher suites. If CipherSuites
	// is nil, TLS uses a list of suites supported by the implementation.
	CipherSuites []uint16

	// PreferServerCipherSuites controls whether the server selects the
	// client's most preferred ciphersuite, or the server's most preferred
	// ciphersuite. If true then the server's preference, as expressed in
	// the order of elements in CipherSuites, is used.
	PreferServerCipherSuites bool

	// SessionTicketsDisabled may be set to true to disable session ticket
	// (resumption) support.
	SessionTicketsDisabled bool

	// SessionTicketKey is used by TLS servers to provide session
	// resumption. See RFC 5077. If zero, it will be filled with
	// random data before the first server handshake.
	//
	// If multiple servers are terminating connections for the same host
	// they should all have the same SessionTicketKey. If the
	// SessionTicketKey leaks, previously recorded and future TLS
	// connections using that key are compromised.
	SessionTicketKey [32]byte

	// ClientSessionCache is a cache of ClientSessionState entries for TLS
	// session resumption.
	ClientSessionCache ClientSessionCache

	// MinVersion contains the minimum SSL/TLS version that is acceptable.
	// If zero, then SSLv3 is taken as the minimum.
	//
	// NOTE(review): the zero value therefore permits SSLv3, which RFC 7568
	// prohibits. Callers that are not deliberately measuring legacy
	// endpoints should set MinVersion explicitly.
	MinVersion uint16

	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
	// If zero, then the maximum version supported by this package is used,
	// which is currently TLS 1.2.
	MaxVersion uint16

	// CurvePreferences contains the elliptic curves that will be used in
	// an ECDHE handshake, in preference order. If empty, the default will
	// be used.
	CurvePreferences []CurveID

	// If enabled, empty CurvePreferences indicates that there are no curves
	// supported for ECDHE key exchanges
	ExplicitCurvePreferences bool

	// If enabled, specifies the signature and hash algorithms to be accepted by
	// a server, or sent by a client
	SignatureAndHashes []SigAndHash

	// Add all ciphers in CipherSuites to Client Hello even if unimplemented
	// Client-side Only
	ForceSuites bool

	// ExportRSAKey is the RSA key used for export (original comment:
	// "Export RSA Key"). It is an *rsa.PrivateKey, i.e. private key
	// material. ConfigJSON declares a field of the same name tagged
	// export_rsa_key, so check what Config.MarshalJSON emits before logging
	// or storing a serialized Config.
	ExportRSAKey *rsa.PrivateKey

	// HeartbeatEnabled sets whether the heartbeat extension is sent
	HeartbeatEnabled bool

	// ClientDSAEnabled sets whether a TLS client will accept server DSA keys
	// and DSS signatures
	ClientDSAEnabled bool

	// Use extended random
	ExtendedRandom bool

	// Force Client Hello to send TLS Session Ticket extension
	ForceSessionTicketExt bool

	// Enable use of the Extended Master Secret extension
	ExtendedMasterSecret bool

	// NOTE(review): undocumented in the original; presumably controls whether
	// the Signed Certificate Timestamp extension is sent. Confirm.
	SignedCertificateTimestampExt bool

	// Explicitly set Client random
	ClientRandom []byte

	// Explicitly set ClientHello with raw data
	ExternalClientHello []byte

	// If non-null specifies the contents of the client-hello
	// WARNING: Setting this may invalidate other fields in the Config object
	ClientFingerprintConfiguration *ClientFingerprintConfiguration

	// GetConfigForClient, if not nil, is called after a ClientHello is
	// received from a client. It may return a non-nil Config in order to
	// change the Config that will be used to handle this connection. If
	// the returned Config is nil, the original Config will be used. The
	// Config returned by this callback may not be subsequently modified.
	//
	// If GetConfigForClient is nil, the Config passed to Server() will be
	// used for all connections.
	//
	// Uniquely for the fields in the returned Config, session ticket keys
	// will be duplicated from the original Config if not set.
	// Specifically, if SetSessionTicketKeys was called on the original
	// config but not on the returned config then the ticket keys from the
	// original config will be copied into the new config before use.
	// Otherwise, if SessionTicketKey was set in the original config but
	// not in the returned config then it will be copied into the returned
	// config before use. If neither of those cases applies then the key
	// material from the returned config will be used for session tickets.
	GetConfigForClient func(*ClientHelloInfo) (*Config, error)

	// CertsOnly is used to cause a client to close the TLS connection
	// as soon as the server's certificates have been received
	CertsOnly bool

	// DontBufferHandshakes causes Handshake() to act like older versions of
	// the go crypto library, where each TLS packet is sent in a separate
	// Write.
	DontBufferHandshakes bool
	// contains filtered or unexported fields
}
A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified. A Config may be reused; the tls package will also not modify it.
func (*Config) BuildNameToCertificate ¶
func (c *Config) BuildNameToCertificate()
BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate from the CommonName and SubjectAlternateName fields of each of the leaf certificates.
func (*Config) Clone ¶
Clone returns a shallow clone of c. It is safe to clone a Config that is being used concurrently by a TLS client or server.
func (*Config) MarshalJSON ¶
func (*Config) SetSessionTicketKeys ¶
SetSessionTicketKeys updates the session ticket keys for a server. The first key will be used when creating new tickets, while all keys can be used for decrypting tickets. It is safe to call this function while the server is running in order to rotate the session ticket keys. The function will panic if keys is empty.
func (*Config) UnmarshalJSON ¶
type ConfigJSON ¶
// ConfigJSON repeats the exported Config settings with JSON tags. It is
// presumably the intermediate form used by Config.MarshalJSON and
// Config.UnmarshalJSON (TODO confirm; neither body is visible here).
//
// SessionTicketKey and ExportRSAKey are secret key material and both carry
// tags that include them in output (session_ticket_key, export_rsa_key), so
// a serialized value of this type should be stored and logged as a secret.
type ConfigJSON struct {
	Certificates []Certificate  `json:"certificates,omitempty"`
	RootCAs      *x509.CertPool `json:"root_cas,omitempty"`
	NextProtos   []string       `json:"next_protocols,omitempty"`
	ServerName   string         `json:"server_name,omitempty"`
	ClientAuth   ClientAuthType `json:"client_auth_type"`
	ClientCAs    *x509.CertPool `json:"client_cas,omitempty"`
	// Serialized as "skip_verify"; a config loaded from JSON with this set
	// to true disables the certificate checks described on
	// Config.InsecureSkipVerify.
	InsecureSkipVerify       bool          `json:"skip_verify"`
	CipherSuites             []CipherSuite `json:"cipher_suites,omitempty"`
	PreferServerCipherSuites bool          `json:"prefer_server_cipher_suites"`
	SessionTicketsDisabled   bool          `json:"session_tickets_disabled"`
	// Secret: see Config.SessionTicketKey for the impact of a leak.
	SessionTicketKey         []byte             `json:"session_ticket_key,omitempty"`
	ClientSessionCache       ClientSessionCache `json:"client_session_cache,omitempty"`
	MinVersion               TLSVersion         `json:"min_tls_version,omitempty"`
	MaxVersion               TLSVersion         `json:"max_tls_version,omitempty"`
	CurvePreferences         []CurveID          `json:"curve_preferences,omitempty"`
	ExplicitCurvePreferences bool               `json:"explicit_curve_preferences"`
	ForceSuites              bool               `json:"force_cipher_suites"`
	// Secret: an RSA private key.
	ExportRSAKey                   *rsa.PrivateKey                 `json:"export_rsa_key,omitempty"`
	HeartbeatEnabled               bool                            `json:"heartbeat_enabled"`
	ClientDSAEnabled               bool                            `json:"client_dsa_enabled"`
	ExtendedRandom                 bool                            `json:"extended_random_enabled"`
	ForceSessionTicketExt          bool                            `json:"session_ticket_ext_enabled"`
	ExtendedMasterSecret           bool                            `json:"extended_master_secret_enabled"`
	SignedCertificateTimestampExt  bool                            `json:"sct_ext_enabled"`
	ClientRandom                   []byte                          `json:"client_random,omitempty"`
	ExternalClientHello            []byte                          `json:"external_client_hello,omitempty"`
	ClientFingerprintConfiguration *ClientFingerprintConfiguration `json:"client_fingerprint_config,omitempty"`
	DontBufferHandshakes           bool                            `json:"dont_buffer_handshakes"`
}
type Conn ¶
type Conn struct {
// contains filtered or unexported fields
}
A Conn represents a secured connection. It implements the net.Conn interface.
func Client ¶
Client returns a new TLS client side connection using conn as the underlying transport. The config cannot be nil: users must set either ServerName or InsecureSkipVerify in the config.
func Dial ¶
Dial connects to the given network address using net.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Dial interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
Example ¶
package main import ( "github.com/haempel/zcrypto/tls" "github.com/haempel/zcrypto/x509" ) func main() { // Connecting with a custom root-certificate set. const rootPEM = ` -----BEGIN CERTIFICATE----- MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/ zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6 yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx -----END CERTIFICATE-----` // First, create the set of root certificates. For this example we only // have one. It's also possible to omit this in order to use the // default root set of the current operating system. 
roots := x509.NewCertPool() ok := roots.AppendCertsFromPEM([]byte(rootPEM)) if !ok { panic("failed to parse root certificate") } conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{ RootCAs: roots, }) if err != nil { panic("failed to connect: " + err.Error()) } conn.Close() }
Output:
func DialWithDialer ¶
DialWithDialer connects to the given network address using dialer.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Any timeout or deadline given in the dialer applies to the connection and TLS handshake as a whole.
DialWithDialer interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
func Server ¶
Server returns a new TLS server side connection using conn as the underlying transport. The configuration config must be non-nil and must have at least one certificate.
func (*Conn) ClientCiphers ¶
func (c *Conn) ClientCiphers() []CipherSuite
func (*Conn) ClientHelloRaw ¶
func (*Conn) ConnectionState ¶
func (c *Conn) ConnectionState() ConnectionState
ConnectionState returns basic TLS details about the connection.
func (*Conn) GetHandshakeLog ¶
func (c *Conn) GetHandshakeLog() *ServerHandshake
func (*Conn) GetHeartbleedLog ¶
func (c *Conn) GetHeartbleedLog() *Heartbleed
func (*Conn) Handshake ¶
Handshake runs the client or server handshake protocol if it has not yet been run. Most uses of this package need not call Handshake explicitly: the first Read or Write will call it automatically.
func (*Conn) OCSPResponse ¶
OCSPResponse returns the stapled OCSP response from the TLS server, if any. (Only valid for client connections.)
func (*Conn) Read ¶
Read can be made to time out and return a net.Error with Timeout() == true after a fixed time limit; see SetDeadline and SetReadDeadline.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the remote network address.
func (*Conn) SetDeadline ¶
SetDeadline sets the read and write deadlines associated with the connection. A zero value for t means Read and Write will not time out. After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
func (*Conn) SetReadDeadline ¶
SetReadDeadline sets the read deadline on the underlying connection. A zero value for t means Read will not time out.
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline sets the write deadline on the underlying connection. A zero value for t means Write will not time out. After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
func (*Conn) VerifyHostname ¶
VerifyHostname checks that the peer certificate chain is valid for connecting to host. If so, it returns nil; if not, it returns an error describing the problem.
type ConnectionState ¶
// ConnectionState is a snapshot of the negotiated parameters of a connection.
type ConnectionState struct {
	Version                    uint16 // TLS version used by the connection (e.g. VersionTLS12)
	HandshakeComplete          bool   // TLS handshake is complete
	DidResume                  bool   // connection resumes a previous TLS connection
	CipherSuite                uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
	NegotiatedProtocol         string // negotiated next protocol (from Config.NextProtos)
	NegotiatedProtocolIsMutual bool   // negotiated protocol was advertised by server
	ServerName                 string // server name requested by client, if any (server side only)

	// PeerCertificates is the chain as the remote peer presented it; its
	// presence alone does not show that the chain was verified.
	PeerCertificates []*x509.Certificate // certificate chain presented by remote peer

	// NOTE(review): in crypto/tls this is empty when verification was not
	// performed (for example with InsecureSkipVerify); confirm this package
	// behaves the same before using it as the trust signal.
	VerifiedChains []x509.CertificateChain // verified chains built from PeerCertificates
}
ConnectionState records basic TLS details about the connection.
type CurveID ¶
type CurveID uint16
CurveID is the type of a TLS identifier for an elliptic curve. See http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
func (*CurveID) MarshalJSON ¶
func (*CurveID) UnmarshalJSON ¶
type DigitalSignature ¶
type DigitalSignature struct { Raw []byte `json:"raw"` Type string `json:"type,omitempty"` Valid bool `json:"valid"` SigHashExtension *SignatureAndHash `json:"signature_and_hash_type,omitempty"` Version TLSVersion `json:"tls_version"` }
DigitalSignature represents a signature for a digitally-signed-struct in the TLS record protocol. It is dependent on the version of TLS in use. In TLS 1.2, the first two bytes of the signature specify the signature and hash algorithms. These are contained in the TLSSignature.Raw field, but also parsed out into TLSSignature.SigHashExtension. In older versions of TLS, the signature and hash extension is not used, and so TLSSignature.SigHashExtension will be empty. The version string is stored in TLSSignature.TLSVersion.
type ExtendedMasterSecretExtension ¶
type ExtendedMasterSecretExtension struct { }
func (*ExtendedMasterSecretExtension) CheckImplemented ¶
func (e *ExtendedMasterSecretExtension) CheckImplemented() error
func (*ExtendedMasterSecretExtension) Marshal ¶
func (e *ExtendedMasterSecretExtension) Marshal() []byte
func (*ExtendedMasterSecretExtension) WriteToConfig ¶
func (e *ExtendedMasterSecretExtension) WriteToConfig(c *Config) error
type FakeConn ¶
type FakeConn struct {
// contains filtered or unexported fields
}
FakeConn and FakeAddr exist to allow unmarshaling of tls objects that contain net.Conn objects. With the exception of recovering the net.Addr strings contained in the JSON, any attempt to use these objects will result in a runtime panic().
func (FakeConn) RemoteAddr ¶
type Finished ¶
type Finished struct {
VerifyData []byte `json:"verify_data"`
}
Finished represents a TLS Finished message
type HeartbeatExtension ¶
type HeartbeatExtension struct {
Mode byte
}
func (*HeartbeatExtension) CheckImplemented ¶
func (e *HeartbeatExtension) CheckImplemented() error
func (*HeartbeatExtension) Marshal ¶
func (e *HeartbeatExtension) Marshal() []byte
func (*HeartbeatExtension) WriteToConfig ¶
func (e *HeartbeatExtension) WriteToConfig(c *Config) error
type Heartbleed ¶
type KeyMaterial ¶
// KeyMaterial holds the master secret and pre-master secret of a handshake.
// Both fields are tagged for JSON output. In TLS 1.2 (RFC 5246) the session
// keys are derived from the master secret, so any log or file that contains
// a serialized KeyMaterial is enough to decrypt the recorded session and
// should be protected accordingly.
type KeyMaterial struct {
	MasterSecret    *MasterSecret    `json:"master_secret,omitempty"`
	PreMasterSecret *PreMasterSecret `json:"pre_master_secret,omitempty"`
}
KeyMaterial explicitly represents the cryptographic values negotiated by the client and server.
type MasterSecret ¶
type NextProtocolNegotiationExtension ¶
type NextProtocolNegotiationExtension struct {
Protocols []string
}
func (*NextProtocolNegotiationExtension) CheckImplemented ¶
func (e *NextProtocolNegotiationExtension) CheckImplemented() error
func (*NextProtocolNegotiationExtension) Marshal ¶
func (e *NextProtocolNegotiationExtension) Marshal() []byte
func (*NextProtocolNegotiationExtension) WriteToConfig ¶
func (e *NextProtocolNegotiationExtension) WriteToConfig(c *Config) error
type NullExtension ¶
type NullExtension struct { }
func (*NullExtension) CheckImplemented ¶
func (e *NullExtension) CheckImplemented() error
func (*NullExtension) Marshal ¶
func (e *NullExtension) Marshal() []byte
func (*NullExtension) WriteToConfig ¶
func (e *NullExtension) WriteToConfig(c *Config) error
type ParsedAndRawSCT ¶
type ParsedAndRawSCT struct { Raw []byte `json:"raw,omitempty"` Parsed *ct.SignedCertificateTimestamp `json:"parsed,omitempty"` }
type PointFormat ¶
type PointFormat uint8
func (*PointFormat) MarshalJSON ¶
func (pFormat *PointFormat) MarshalJSON() ([]byte, error)
func (PointFormat) String ¶
func (pFormat PointFormat) String() string
func (*PointFormat) UnmarshalJSON ¶
func (pFormat *PointFormat) UnmarshalJSON(b []byte) error
type PointFormatExtension ¶
type PointFormatExtension struct {
Formats []uint8
}
func (*PointFormatExtension) CheckImplemented ¶
func (e *PointFormatExtension) CheckImplemented() error
func (*PointFormatExtension) Marshal ¶
func (e *PointFormatExtension) Marshal() []byte
func (*PointFormatExtension) WriteToConfig ¶
func (e *PointFormatExtension) WriteToConfig(c *Config) error
type PreMasterSecret ¶
type SCTExtension ¶
type SCTExtension struct { }
func (*SCTExtension) CheckImplemented ¶
func (e *SCTExtension) CheckImplemented() error
func (*SCTExtension) Marshal ¶
func (e *SCTExtension) Marshal() []byte
func (*SCTExtension) WriteToConfig ¶
func (e *SCTExtension) WriteToConfig(c *Config) error
type SNIExtension ¶
func (*SNIExtension) CheckImplemented ¶
func (e *SNIExtension) CheckImplemented() error
func (*SNIExtension) Marshal ¶
func (e *SNIExtension) Marshal() []byte
func (*SNIExtension) WriteToConfig ¶
func (e *SNIExtension) WriteToConfig(c *Config) error
type SecureRenegotiationExtension ¶
type SecureRenegotiationExtension struct { }
func (*SecureRenegotiationExtension) CheckImplemented ¶
func (e *SecureRenegotiationExtension) CheckImplemented() error
func (*SecureRenegotiationExtension) Marshal ¶
func (e *SecureRenegotiationExtension) Marshal() []byte
func (*SecureRenegotiationExtension) WriteToConfig ¶
func (e *SecureRenegotiationExtension) WriteToConfig(c *Config) error
type ServerHandshake ¶
// ServerHandshake is the JSON-serializable log of one handshake. Its fields
// cover messages from both sides (ClientHello, ClientKeyExchange and
// ClientFinished as well as the server's messages) plus the negotiated
// KeyMaterial.
type ServerHandshake struct {
	// The zgrab:"debug" tag is interpreted outside this package; its effect
	// is not visible here.
	ClientHello        *ClientHello       `json:"client_hello,omitempty" zgrab:"debug"`
	ServerHello        *ServerHello       `json:"server_hello,omitempty"`
	ServerCertificates *Certificates      `json:"server_certificates,omitempty"`
	ServerKeyExchange  *ServerKeyExchange `json:"server_key_exchange,omitempty"`
	ClientKeyExchange  *ClientKeyExchange `json:"client_key_exchange,omitempty"`
	ClientFinished     *Finished          `json:"client_finished,omitempty"`
	SessionTicket      *SessionTicket     `json:"session_ticket,omitempty"`
	ServerFinished     *Finished          `json:"server_finished,omitempty"`

	// KeyMaterial carries the master and pre-master secrets and is emitted
	// under "key_material" whenever it is non-nil. A handshake log with this
	// field populated allows the session to be decrypted, so it should be
	// handled as secret data.
	KeyMaterial *KeyMaterial `json:"key_material,omitempty"`
}
ServerHandshake stores all of the messages sent by the server during a standard TLS Handshake. It implements zgrab.EventData interface
type ServerHello ¶
// ServerHello is the JSON-serializable record of a ServerHello message.
type ServerHello struct {
	Version     TLSVersion  `json:"version"`
	Random      []byte      `json:"random"`
	SessionID   []byte      `json:"session_id"`
	CipherSuite CipherSuite `json:"cipher_suite"`
	// TODO FIXME: Why is this a raw uint8, not a CompressionMethod?
	CompressionMethod           uint8             `json:"compression_method"`
	OcspStapling                bool              `json:"ocsp_stapling"`
	TicketSupported             bool              `json:"ticket"`
	SecureRenegotiation         bool              `json:"secure_renegotiation"`
	HeartbeatSupported          bool              `json:"heartbeat"`
	ExtendedRandom              []byte            `json:"extended_random,omitempty"`
	ExtendedMasterSecret        bool              `json:"extended_master_secret"`
	SignedCertificateTimestamps []ParsedAndRawSCT `json:"scts,omitempty"`
	AlpnProtocol                string            `json:"alpn_protocol,omitempty"`
}
type ServerKeyExchange ¶
type ServerKeyExchange struct { Raw []byte `json:"-"` RSAParams *jsonKeys.RSAPublicKey `json:"rsa_params,omitempty"` DHParams *jsonKeys.DHParams `json:"dh_params,omitempty"` ECDHParams *jsonKeys.ECDHParams `json:"ecdh_params,omitempty"` Digest []byte `json:"digest,omitempty"` Signature *DigitalSignature `json:"signature,omitempty"` SignatureError string `json:"signature_error,omitempty"` }
ServerKeyExchange represents the raw key data sent by the server in TLS key exchange message
type SessionTicket ¶
type SessionTicket struct { Value []uint8 `json:"value,omitempty"` Length int `json:"length,omitempty"` LifetimeHint uint32 `json:"lifetime_hint,omitempty"` }
SessionTicket represents the new session ticket sent by the server to the client
type SessionTicketExtension ¶
func (*SessionTicketExtension) CheckImplemented ¶
func (e *SessionTicketExtension) CheckImplemented() error
func (*SessionTicketExtension) Marshal ¶
func (e *SessionTicketExtension) Marshal() []byte
func (*SessionTicketExtension) WriteToConfig ¶
func (e *SessionTicketExtension) WriteToConfig(c *Config) error
type SigAndHash ¶
type SigAndHash struct {
Signature, Hash uint8
}
SigAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See RFC 5246, section A.4.1.
type SignatureAlgorithmExtension ¶
type SignatureAlgorithmExtension struct {
SignatureAndHashes []uint16
}
func (*SignatureAlgorithmExtension) CheckImplemented ¶
func (e *SignatureAlgorithmExtension) CheckImplemented() error
func (*SignatureAlgorithmExtension) Marshal ¶
func (e *SignatureAlgorithmExtension) Marshal() []byte
func (*SignatureAlgorithmExtension) WriteToConfig ¶
func (e *SignatureAlgorithmExtension) WriteToConfig(c *Config) error
type SignatureAndHash ¶
type SignatureAndHash SigAndHash
SignatureAndHash is a SigAndHash that implements json.Marshaler and json.Unmarshaler
func (*SignatureAndHash) MarshalJSON ¶
func (sh *SignatureAndHash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface
func (*SignatureAndHash) UnmarshalJSON ¶
func (sh *SignatureAndHash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type SignatureScheme ¶
type SignatureScheme uint16
SignatureScheme identifies a signature algorithm supported by TLS. See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3.
// SignatureScheme code points. In the 0x02xx-0x06xx values the high byte is
// the TLS 1.2 hash identifier and the low byte the signature identifier; the
// 0x08xx values are the RSA-PSS and EdDSA schemes.
const (
	// PKCS1WithSHA1 uses SHA-1; RFC 9155 deprecates SHA-1 signature hashes
	// in TLS 1.2, so prefer the other schemes unless a legacy peer is being
	// measured.
	PKCS1WithSHA1   SignatureScheme = 0x0201
	PKCS1WithSHA256 SignatureScheme = 0x0401
	PKCS1WithSHA384 SignatureScheme = 0x0501
	PKCS1WithSHA512 SignatureScheme = 0x0601

	PSSWithSHA256 SignatureScheme = 0x0804
	PSSWithSHA384 SignatureScheme = 0x0805
	PSSWithSHA512 SignatureScheme = 0x0806

	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603

	EdDSAWithEd25519 SignatureScheme = 0x0807
	EdDSAWithEd448   SignatureScheme = 0x0808
)
func (*SignatureScheme) Bytes ¶
func (sigScheme *SignatureScheme) Bytes() []byte
func (*SignatureScheme) MarshalJSON ¶
func (sigScheme *SignatureScheme) MarshalJSON() ([]byte, error)
func (*SignatureScheme) String ¶
func (sigScheme *SignatureScheme) String() string
func (*SignatureScheme) UnmarshalJSON ¶
func (sigScheme *SignatureScheme) UnmarshalJSON(b []byte) error
type SimpleCertificate ¶
type SimpleCertificate struct { Raw []byte `json:"raw,omitempty"` Parsed *x509.Certificate `json:"parsed,omitempty"` }
SimpleCertificate holds a *x509.Certificate and a []byte for the certificate
type StatusRequestExtension ¶
type StatusRequestExtension struct { }
func (*StatusRequestExtension) CheckImplemented ¶
func (e *StatusRequestExtension) CheckImplemented() error
func (*StatusRequestExtension) Marshal ¶
func (e *StatusRequestExtension) Marshal() []byte
func (*StatusRequestExtension) WriteToConfig ¶
func (e *StatusRequestExtension) WriteToConfig(c *Config) error
type SupportedCurvesExtension ¶
type SupportedCurvesExtension struct {
Curves []CurveID
}
func (*SupportedCurvesExtension) CheckImplemented ¶
func (e *SupportedCurvesExtension) CheckImplemented() error
func (*SupportedCurvesExtension) Marshal ¶
func (e *SupportedCurvesExtension) Marshal() []byte
func (*SupportedCurvesExtension) WriteToConfig ¶
func (e *SupportedCurvesExtension) WriteToConfig(c *Config) error
type TLSVersion ¶
type TLSVersion uint16
func (TLSVersion) Bytes ¶
func (v TLSVersion) Bytes() []byte
func (*TLSVersion) MarshalJSON ¶
func (v *TLSVersion) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface
func (TLSVersion) String ¶
func (v TLSVersion) String() string
func (*TLSVersion) UnmarshalJSON ¶
func (v *TLSVersion) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface