Documentation ¶
Overview ¶
Package tls partially implements TLS 1.2, as specified in RFC 5246.
Index ¶
- Constants
- Variables
- func Listen(network, laddr string, config *Config) (net.Listener, error)
- func NewListener(inner net.Listener, config *Config) net.Listener
- type Certificate
- type Certificates
- type CipherSuite
- type ClientAuthType
- type ClientHello
- type ClientSessionCache
- type ClientSessionState
- type Config
- type Conn
- func (c *Conn) CheckHeartbleed(b []byte) (n int, err error)
- func (c *Conn) ClientCiphers() []CipherSuite
- func (c *Conn) ClientHelloRaw() []byte
- func (c *Conn) Close() error
- func (c *Conn) ConnectionState() ConnectionState
- func (c *Conn) GetHandshakeLog() *ServerHandshake
- func (c *Conn) GetHeartbleedLog() *Heartbleed
- func (c *Conn) Handshake() error
- func (c *Conn) LocalAddr() net.Addr
- func (c *Conn) OCSPResponse() []byte
- func (c *Conn) Read(b []byte) (n int, err error)
- func (c *Conn) RemoteAddr() net.Addr
- func (c *Conn) SetDeadline(t time.Time) error
- func (c *Conn) SetReadDeadline(t time.Time) error
- func (c *Conn) SetWriteDeadline(t time.Time) error
- func (c *Conn) VerifyHostname(host string) error
- func (c *Conn) Write(b []byte) (int, error)
- type ConnectionState
- type CurveID
- type DigitalSignature
- type Finished
- type Heartbleed
- type ServerHandshake
- type ServerHello
- type ServerKeyExchange
- type SignatureAndHash
- type SimpleCertificate
- type TLSVersion
Examples ¶
Constants ¶
const ( TLS_NULL_WITH_NULL_NULL = 0x0000 TLS_RSA_WITH_NULL_MD5 = 0x0001 TLS_RSA_WITH_NULL_SHA = 0x0002 TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003 TLS_RSA_WITH_RC4_128_MD5 = 0x0004 TLS_RSA_WITH_RC4_128_SHA = 0x0005 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006 TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008 TLS_RSA_WITH_DES_CBC_SHA = 0x0009 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011 TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016 TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017 TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018 TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019 TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D TLS_KRB5_WITH_DES_CBC_SHA = 0x001E TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F TLS_KRB5_WITH_RC4_128_SHA = 0x0020 TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021 TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023 TLS_KRB5_WITH_RC4_128_MD5 = 0x0024 TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027 TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B TLS_PSK_WITH_NULL_SHA = 0x002C TLS_DHE_PSK_WITH_NULL_SHA = 0x002D TLS_RSA_PSK_WITH_NULL_SHA = 0x002E TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A TLS_RSA_WITH_NULL_SHA256 = 0x003B TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045 TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060 TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062 TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065 TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080 TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081 TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082 TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088 TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089 TLS_PSK_WITH_RC4_128_SHA = 0x008A TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090 TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091 TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093 TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094 TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095 TLS_RSA_WITH_SEED_CBC_SHA = 0x0096 TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097 TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098 TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099 TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5 TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6 TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7 TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8 TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF TLS_PSK_WITH_NULL_SHA256 = 0x00B0 TLS_PSK_WITH_NULL_SHA384 = 0x00B1 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3 TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4 TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7 TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8 TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4 TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5 TLS_RENEGO_PROTECTION_REQUEST = 0x00FF TLS_FALLBACK_SCSV = 0x5600 TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001 TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005 TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010 TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014 TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015 TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016 TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017 TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018 TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032 TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038 TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039 TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040 TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045 TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046 TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049 TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050 TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053 TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054 TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057 TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058 TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059 TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061 TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062 TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063 TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064 TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069 TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081 TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082 TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083 TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084 TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B TLS_RSA_WITH_AES_128_CCM = 0xC09C TLS_RSA_WITH_AES_256_CCM = 0xC09D TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0 TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1 TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2 TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3 TLS_PSK_WITH_AES_128_CCM = 0xC0A4 TLS_PSK_WITH_AES_256_CCM = 0xC0A5 TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6 TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7 TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8 TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9 TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xCAFE TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15 //SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE //SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF //SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFFE0 //SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFFE1 SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80 SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81 SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82 SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83 SSL_EN_RC2_128_CBC_WITH_MD5 = 0xFF03 OP_PCL_TLS10_AES_128_CBC_SHA512 = 0xFF85 )
A list of the possible cipher suite ids. Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
const ( VersionSSL30 = 0x0300 VersionTLS10 = 0x0301 VersionTLS11 = 0x0302 VersionTLS12 = 0x0303 )
Variables ¶
var ChromeCiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, }
var ChromeNoDHECiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, }
var DHECiphers []uint16 = []uint16{ TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, }
var DHEExportCiphers []uint16 = []uint16{ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, }
var ErrNoMutualCipher error = errors.New("no mutual cipher suite")
var ErrUnimplementedCipher error = errors.New("unimplemented cipher suite")
var ExportCiphers []uint16 = []uint16{ TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, }
var FirefoxCiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, }
var FirefoxNoDHECiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, }
var (
HeartbleedError = errors.New("Error after Heartbleed")
)
var RSA512ExportCiphers []uint16 = []uint16{ TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, }
var RSACiphers = []uint16{ TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, }
RSA Ciphers
var RSAExportCiphers []uint16 = []uint16{ TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, }
var SChannelSuites []uint16 = []uint16{ TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA, }
var SafariCiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, }
var SafariNoDHECiphers []uint16 = []uint16{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, }
Functions ¶
Types ¶
type Certificate ¶
type Certificate struct { Certificate [][]byte PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey // OCSPStaple contains an optional OCSP response which will be served // to clients that request it. OCSPStaple []byte // Leaf is the parsed form of the leaf certificate, which may be // initialized using x509.ParseCertificate to reduce per-handshake // processing for TLS clients doing client authentication. If nil, the // leaf certificate will be parsed as needed. Leaf *x509.Certificate }
A Certificate is a chain of one or more certificates, leaf first.
func LoadX509KeyPair ¶
func LoadX509KeyPair(certFile, keyFile string) (cert Certificate, err error)
LoadX509KeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data.
func X509KeyPair ¶
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error)
X509KeyPair parses a public/private key pair from a pair of PEM encoded data.
type Certificates ¶
type Certificates struct { Certificate SimpleCertificate `json:"certificate,omitempty"` Chain []SimpleCertificate `json:"chain,omitempty"` Validation *x509.Validation `json:"validation,omitempty"` }
Certificates represents a TLS certificates message in a format friendly to the golang JSON library. ValidationError should be non-nil whenever Valid is false.
type CipherSuite ¶
type CipherSuite uint16
func (*CipherSuite) MarshalJSON ¶
func (cs *CipherSuite) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshler interface
func (CipherSuite) String ¶
func (cs CipherSuite) String() string
func (*CipherSuite) UnmarshalJSON ¶
func (cs *CipherSuite) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type ClientAuthType ¶
type ClientAuthType int
ClientAuthType declares the policy the server will follow for TLS Client Authentication.
const ( NoClientCert ClientAuthType = iota RequestClientCert RequireAnyClientCert VerifyClientCertIfGiven RequireAndVerifyClientCert )
type ClientHello ¶
type ClientSessionCache ¶
type ClientSessionCache interface { // Get searches for a ClientSessionState associated with the given key. // On return, ok is true if one was found. Get(sessionKey string) (session *ClientSessionState, ok bool) // Put adds the ClientSessionState to the cache with the given key. Put(sessionKey string, cs *ClientSessionState) }
ClientSessionCache is a cache of ClientSessionState objects that can be used by a client to resume a TLS session with a given server. ClientSessionCache implementations should expect to be called concurrently from different goroutines.
func NewLRUClientSessionCache ¶
func NewLRUClientSessionCache(capacity int) ClientSessionCache
NewLRUClientSessionCache returns a ClientSessionCache with the given capacity that uses an LRU strategy. If capacity is < 1, a default capacity is used instead.
type ClientSessionState ¶
type ClientSessionState struct {
// contains filtered or unexported fields
}
ClientSessionState contains the state needed by clients to resume TLS sessions.
type Config ¶
type Config struct { // Rand provides the source of entropy for nonces and RSA blinding. // If Rand is nil, TLS uses the cryptographic random reader in package // crypto/rand. // The Reader must be safe for use by multiple goroutines. Rand io.Reader // Time returns the current time as the number of seconds since the epoch. // If Time is nil, TLS uses time.Now. Time func() time.Time // Certificates contains one or more certificate chains // to present to the other side of the connection. // Server configurations must include at least one certificate. Certificates []Certificate // NameToCertificate maps from a certificate name to an element of // Certificates. Note that a certificate name can be of the form // '*.example.com' and so doesn't have to be a domain name as such. // See Config.BuildNameToCertificate // The nil value causes the first element of Certificates to be used // for all connections. NameToCertificate map[string]*Certificate // RootCAs defines the set of root certificate authorities // that clients use when verifying server certificates. // If RootCAs is nil, TLS uses the host's root CA set. RootCAs *x509.CertPool // NextProtos is a list of supported, application level protocols. NextProtos []string // ServerName is used to verify the hostname on the returned // certificates unless InsecureSkipVerify is given. It is also included // in the client's handshake to support virtual hosting. ServerName string // ClientAuth determines the server's policy for // TLS Client Authentication. The default is NoClientCert. ClientAuth ClientAuthType // ClientCAs defines the set of root certificate authorities // that servers use if required to verify a client certificate // by the policy in ClientAuth. ClientCAs *x509.CertPool // InsecureSkipVerify controls whether a client verifies the // server's certificate chain and host name. // If InsecureSkipVerify is true, TLS accepts any certificate // presented by the server and any host name in that certificate. // In this mode, TLS is susceptible to man-in-the-middle attacks. // This should be used only for testing. InsecureSkipVerify bool // CipherSuites is a list of supported cipher suites. If CipherSuites // is nil, TLS uses a list of suites supported by the implementation. CipherSuites []uint16 // PreferServerCipherSuites controls whether the server selects the // client's most preferred ciphersuite, or the server's most preferred // ciphersuite. If true then the server's preference, as expressed in // the order of elements in CipherSuites, is used. PreferServerCipherSuites bool // SessionTicketsDisabled may be set to true to disable session ticket // (resumption) support. SessionTicketsDisabled bool // SessionTicketKey is used by TLS servers to provide session // resumption. See RFC 5077. If zero, it will be filled with // random data before the first server handshake. // // If multiple servers are terminating connections for the same host // they should all have the same SessionTicketKey. If the // SessionTicketKey leaks, previously recorded and future TLS // connections using that key are compromised. SessionTicketKey [32]byte // SessionCache is a cache of ClientSessionState entries for TLS session // resumption. ClientSessionCache ClientSessionCache // MinVersion contains the minimum SSL/TLS version that is acceptable. // If zero, then SSLv3 is taken as the minimum. MinVersion uint16 // MaxVersion contains the maximum SSL/TLS version that is acceptable. // If zero, then the maximum version supported by this package is used, // which is currently TLS 1.2. MaxVersion uint16 // CurvePreferences contains the elliptic curves that will be used in // an ECDHE handshake, in preference order. If empty, the default will // be used. CurvePreferences []CurveID ForceSuites bool // Export RSA Key ExportRSAKey *rsa.PrivateKey // HeartbeatEnabled sets whether the heartbeat extension is sent HeartbeatEnabled bool // ClientDSAEnabled sets whether a TLS client will accept server DSA keys // and DSS signatures ClientDSAEnabled bool // Use extended random ExtendedRandom bool // contains filtered or unexported fields }
A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified. A Config may be reused; the tls package will also not modify it.
func (*Config) BuildNameToCertificate ¶
func (c *Config) BuildNameToCertificate()
BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate from the CommonName and SubjectAlternateName fields of each of the leaf certificates.
type Conn ¶
type Conn struct {
// contains filtered or unexported fields
}
A Conn represents a secured connection. It implements the net.Conn interface.
func Client ¶
Client returns a new TLS client side connection using conn as the underlying transport. The config cannot be nil: users must set either ServerName or InsecureSkipVerify in the config.
func Dial ¶
Dial connects to the given network address using net.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Dial interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
Example ¶
package main import ( "github.com/xtalentfeng/zgrab_/ztools/x509" "github.com/xtalentfeng/zgrab_/ztools/ztls" ) func main() { // Connecting with a custom root-certificate set. const rootPEM = ` -----BEGIN CERTIFICATE----- MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/ zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6 yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx -----END CERTIFICATE-----` // First, create the set of root certificates. For this example we only // have one. It's also possible to omit this in order to use the // default root set of the current operating system. roots := x509.NewCertPool() ok := roots.AppendCertsFromPEM([]byte(rootPEM)) if !ok { panic("failed to parse root certificate") } conn, err := ztls.Dial("tcp", "mail.google.com:443", &ztls.Config{ RootCAs: roots, }) if err != nil { panic("failed to connect: " + err.Error()) } conn.Close() }
Output:
func DialWithDialer ¶
DialWithDialer connects to the given network address using dialer.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Any timeout or deadline given in the dialer apply to connection and TLS handshake as a whole.
DialWithDialer interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
func Server ¶
Server returns a new TLS server side connection using conn as the underlying transport. The configuration config must be non-nil and must have at least one certificate.
func (*Conn) ClientCiphers ¶
func (c *Conn) ClientCiphers() []CipherSuite
func (*Conn) ClientHelloRaw ¶
func (*Conn) ConnectionState ¶
func (c *Conn) ConnectionState() ConnectionState
ConnectionState returns basic TLS details about the connection.
func (*Conn) GetHandshakeLog ¶
func (c *Conn) GetHandshakeLog() *ServerHandshake
func (*Conn) GetHeartbleedLog ¶
func (c *Conn) GetHeartbleedLog() *Heartbleed
func (*Conn) Handshake ¶
Handshake runs the client or server handshake protocol if it has not yet been run. Most uses of this package need not call Handshake explicitly: the first Read or Write will call it automatically.
func (*Conn) OCSPResponse ¶
OCSPResponse returns the stapled OCSP response from the TLS server, if any. (Only valid for client connections.)
func (*Conn) Read ¶
Read can be made to time out and return a net.Error with Timeout() == true after a fixed time limit; see SetDeadline and SetReadDeadline.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the remote network address.
func (*Conn) SetDeadline ¶
SetDeadline sets the read and write deadlines associated with the connection. A zero value for t means Read and Write will not time out. After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
func (*Conn) SetReadDeadline ¶
SetReadDeadline sets the read deadline on the underlying connection. A zero value for t means Read will not time out.
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline sets the write deadline on the underlying connection. A zero value for t means Write will not time out. After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
func (*Conn) VerifyHostname ¶
VerifyHostname checks that the peer certificate chain is valid for connecting to host. If so, it returns nil; if not, it returns an error describing the problem.
type ConnectionState ¶
type ConnectionState struct { Version uint16 // TLS version used by the connection (e.g. VersionTLS12) HandshakeComplete bool // TLS handshake is complete DidResume bool // connection resumes a previous TLS connection CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server ServerName string // server name requested by client, if any (server side only) PeerCertificates []*x509.Certificate // certificate chain presented by remote peer VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates }
ConnectionState records basic TLS details about the connection.
type CurveID ¶
type CurveID uint16
CurveID is the type of a TLS identifier for an elliptic curve. See http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
type DigitalSignature ¶
type DigitalSignature struct { Raw []byte `json:"raw"` Type string `json:"type,omitempty"` Valid bool `json:"valid"` SigHashExtension *SignatureAndHash `json:"signature_and_hash_type,omitempty"` Version TLSVersion `json:"tls_version"` }
DigitalSignature represents a signature for a digitally-signed-struct in the TLS record protocol. It is dependent on the version of TLS in use. In TLS 1.2, the first two bytes of the signature specify the signature and hash algorithms. These are contained the TLSSignature.Raw field, but also parsed out into TLSSignature.SigHashExtension. In older versions of TLS, the signature and hash extension is not used, and so TLSSignature.SigHashExtension will be empty. The version string is stored in TLSSignature.TLSVersion.
type Finished ¶
type Finished struct {
VerifyData []byte `json:"verify_data"`
}
Finished represents a TLS Finished message
type Heartbleed ¶
type ServerHandshake ¶
type ServerHandshake struct { ClientHello *ClientHello `json:"client_hello,omitempty"` ServerHello *ServerHello `json:"server_hello,omitempty"` ServerCertificates *Certificates `json:"server_certificates,omitempty"` ServerKeyExchange *ServerKeyExchange `json:"server_key_exchange,omitempty"` ServerFinished *Finished `json:"server_finished,omitempty"` }
ServerHandshake stores all of the messages sent by the server during a standard TLS Handshake. It implements zgrab.EventData interface
type ServerHello ¶
type ServerHello struct { Version TLSVersion `json:"version"` Random []byte `json:"random"` SessionID []byte `json:"session_id"` CipherSuite CipherSuite `json:"cipher_suite"` CompressionMethod uint8 `json:"compression_method"` OcspStapling bool `json:"ocsp_stapling"` TicketSupported bool `json:"ticket"` SecureRenegotiation bool `json:"secure_renegotiation"` HeartbeatSupported bool `json:"heartbeat"` ExtendedRandom []byte `json:"extended_random,omitempty"` }
type ServerKeyExchange ¶
type ServerKeyExchange struct { Raw []byte `json:"-"` RSAParams *keys.RSAPublicKey `json:"rsa_params,omitempty"` DHParams *keys.DHParams `json:"dh_params,omitempty"` ECDHParams *keys.ECDHParams `json:"ecdh_params,omitempty"` Signature *DigitalSignature `json:"signature,omitempty"` SignatureError string `json:"signature_error,omitempty"` }
ServerKeyExchange represents the raw key data sent by the server in TLS key exchange message
type SignatureAndHash ¶
type SignatureAndHash signatureAndHash
SignatureAndHash is a signatureAndHash that implements json.Marshaler and json.Unmarshaler
func (*SignatureAndHash) MarshalJSON ¶
func (sh *SignatureAndHash) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface
func (*SignatureAndHash) UnmarshalJSON ¶
func (sh *SignatureAndHash) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface
type SimpleCertificate ¶
type SimpleCertificate struct { Raw []byte `json:"raw,omitempty"` Parsed *x509.Certificate `json:"parsed,omitempty"` }
SimpleCertificate holds a *x509.Certificate and a []byte for the certificate
type TLSVersion ¶
type TLSVersion uint16
func (*TLSVersion) MarshalJSON ¶
func (v *TLSVersion) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshler interface
func (TLSVersion) String ¶
func (v TLSVersion) String() string
func (*TLSVersion) UnmarshalJSON ¶
func (v *TLSVersion) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the json.Unmarshaler interface