{"id":13432546,"url":"https://github.com/denji/golang-tls","last_synced_at":"2025-09-24T21:30:55.582Z","repository":{"id":43174235,"uuid":"85368976","full_name":"denji/golang-tls","owner":"denji","description":"Simple Golang HTTPS/TLS Examples","archived":false,"fork":false,"pushed_at":"2020-11-20T20:01:23.000Z","size":30,"stargazers_count":1318,"open_issues_count":4,"forks_count":155,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-09-17T09:10:07.060Z","etag":null,"topics":["awesome","go","golang","http2","httpclient","https","https-server","libressl","openssl","secure","security","security-audit","security-hardening","security-scanner","security-tools","tools"],"latest_commit_sha":null,"homepage":"https://git.io/vSvsI","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/denji.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-18T02:01:08.000Z","updated_at":"2025-09-15T15:09:07.000Z","dependencies_parsed_at":"2022-07-18T08:13:05.724Z","dependency_job_id":null,"html_url":"https://github.com/denji/golang-tls","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/denji/golang-tls","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denji%2Fgolang-tls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denji%2Fgolang-tls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denji%2Fgolang-tls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denji%2Fgolang-tls/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/denji","download_url":"https://codeload.github.com/denji/golang-tls/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denji%2Fgolang-tls/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276662418,"owners_count":25682029,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-23T02:00:09.130Z","response_time":73,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","go","golang","http2","httpclient","https","https-server","libressl","openssl","secure","security","security-audit","security-hardening","security-scanner","security-tools","tools"],"created_at":"2024-07-31T02:01:13.203Z","updated_at":"2025-09-24T21:30:55.542Z","avatar_url":"https://github.com/denji.png","language":null,"funding_links":[],"categories":["Others","Articles, Guides \u0026 Talks","Repositories"],"sub_categories":[],"readme":"##### Generate a private key (`.key`)\n\n```sh\n# RSA: a modulus of at least 2048 bits\nopenssl genrsa -out server.key 2048\n\n# ECDSA: secp384r1 or stronger (curve background: https://safecurves.cr.yp.to/).\n# Note that X25519 is a key-agreement (ECDH) curve, not an ECDSA signing curve,\n# and openssl ecparam cannot generate keys on it.\n# List the curves this OpenSSL build supports: openssl ecparam -list_curves\nopenssl ecparam -genkey -name secp384r1 -out server.key\n```\n\n##### Generate a self-signed X.509 certificate (PEM-encoded, `.pem`|`.crt`) from the private key 
(`.key`)\n\n```sh\n# Prompts for the subject fields; add -subj \"/CN=localhost\" to skip the prompts.\nopenssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650\n# Go 1.15+ ignores the CN for host-name checks, so give the certificate SANs (OpenSSL 1.1.1+):\n# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 -addext \"subjectAltName=DNS:localhost,IP:127.0.0.1\"\n```\n\n---\n\n#### Simple Golang HTTPS/TLS Server\n\n```go\npackage main\n\nimport (\n    // \"fmt\"\n    // \"io\"\n    \"net/http\"\n    \"log\"\n)\n\nfunc HelloServer(w http.ResponseWriter, req *http.Request) {\n    w.Header().Set(\"Content-Type\", \"text/plain\")\n    w.Write([]byte(\"This is an example server.\\n\"))\n    // fmt.Fprintf(w, \"This is an example server.\\n\")\n    // io.WriteString(w, \"This is an example server.\\n\")\n}\n\nfunc main() {\n    http.HandleFunc(\"/hello\", HelloServer)\n    // server.crt / server.key are the files produced by the openssl steps above;\n    // a nil handler means http.DefaultServeMux.\n    err := http.ListenAndServeTLS(\":443\", \"server.crt\", \"server.key\", nil)\n    if err != nil {\n        log.Fatal(\"ListenAndServeTLS: \", err)\n    }\n}\n```\n\nHint: when you visit the server, use the https:// scheme. A plain-HTTP request to the TLS port is answered with raw TLS bytes rather than a page, which Chrome then offers as a file download. With curl the bytes are visible: older Go releases reply with a fatal TLS alert record (`15` = alert, `03 01` = record version, `00 02` = length, `02` = fatal, `0a` = unexpected_message), while current net/http answers `400 Bad Request` with the text \"Client sent an HTTP request to an HTTPS server\":\n\n```bash\n$ curl -s http://localhost:443 | xxd\n0000000: 1503 0100 0202 0a                        .......\n```\n\n#### TLS (transport layer security) — `Server`\n\n```go\npackage main\n\nimport (\n    \"log\"\n    \"crypto/tls\"\n    \"net\"\n    \"bufio\"\n)\n\nfunc main() {\n    log.SetFlags(log.Lshortfile)\n\n    cer, err := tls.LoadX509KeyPair(\"server.crt\", \"server.key\")\n    if err != nil {\n        log.Println(err)\n        return\n    }\n\n    config := \u0026tls.Config{Certificates: []tls.Certificate{cer}}\n    ln, err := tls.Listen(\"tcp\", \":443\", config)\n    if err != nil {\n        log.Println(err)\n        return\n    }\n    defer ln.Close()\n\n    for {\n        conn, err := ln.Accept()\n        if err != nil {\n            log.Println(err)\n            continue\n        }\n        go handleConnection(conn)\n    }\n}\n\nfunc handleConnection(conn net.Conn) {\n    defer conn.Close()\n    r := bufio.NewReader(conn)\n    for {\n        // The TLS handshake runs lazily on the first Read; a failed handshake\n        // shows up here as an error.\n        msg, err := r.ReadString('\\n')\n        if err != nil {\n            log.Println(err)\n            return\n        }\n\n        println(msg)\n\n        n, err := conn.Write([]byte(\"world\\n\"))\n        if err != nil {\n            log.Println(n, err)\n            return\n        }\n    }\n}\n```\n\n#### TLS (transport layer security) — `Client`\n\n```go\npackage main\n\nimport (\n    \"log\"\n    \"crypto/tls\"\n)\n\nfunc main() {\n    log.SetFlags(log.Lshortfile)\n\n    conf := \u0026tls.Config{\n        // InsecureSkipVerify: true turns off chain and host-name verification, so any\n        // certificate, including an attacker's, is accepted. For a self-signed server\n        // certificate, put that certificate in RootCAs (x509.NewCertPool + AddCert) instead.\n        //InsecureSkipVerify: true,\n    }\n\n    // ServerName is taken from the address and checked against the certificate's SANs,\n    // so the server certificate needs 127.0.0.1 as an IP SAN for this dial to verify.\n    conn, err := tls.Dial(\"tcp\", \"127.0.0.1:443\", conf)\n    if err != nil {\n        log.Println(err)\n        return\n    }\n    defer conn.Close()\n\n    n, err := conn.Write([]byte(\"hello\\n\"))\n    if err != nil {\n        log.Println(n, err)\n        return\n    }\n\n    buf := make([]byte, 100)\n    n, err = conn.Read(buf)\n    if err != nil {\n        log.Println(n, err)\n        return\n    }\n\n    println(string(buf[:n]))\n}\n```\n\n##### [Perfect SSL Labs Score with Go](https://blog.bracelab.com/achieving-perfect-ssl-labs-score-with-go)\n\n```go\npackage main\n\nimport (\n    \"crypto/tls\"\n    \"log\"\n    \"net/http\"\n)\n\nfunc main() {\n    mux := http.NewServeMux()\n    mux.HandleFunc(\"/\", func(w http.ResponseWriter, req *http.Request) {\n        w.Header().Add(\"Strict-Transport-Security\", \"max-age=63072000; includeSubDomains\")\n        w.Write([]byte(\"This is an example server.\\n\"))\n    })\n    cfg := \u0026tls.Config{\n        MinVersion:               tls.VersionTLS12,\n        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},\n        // Deprecated and ignored since Go 1.17: the server always applies its own order.\n        PreferServerCipherSuites: true,\n        // Only the first suite combines forward secrecy (ECDHE) with an AEAD (GCM).\n        // The TLS_RSA_* suites use static RSA key exchange, so a leaked server key\n        // decrypts recorded traffic, and the _CBC_ suites are not AEADs; keep them\n        // only for legacy clients. TLS 1.3 suites are not configurable here.\n        CipherSuites: []uint16{\n            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\n            tls.TLS_RSA_WITH_AES_256_GCM_SHA384,\n            tls.TLS_RSA_WITH_AES_256_CBC_SHA,\n        },\n    }\n    srv := \u0026http.Server{\n        Addr:         \":443\",\n        Handler:      mux,\n        TLSConfig:    cfg,\n        // A non-nil empty map disables HTTP/2 (the h2 ALPN protocol is never offered).\n        TLSNextProto: make(map[string]func(*http.Server, 
*tls.Conn, http.Handler), 0),\n    }\n    // tls.crt / tls.key are the names used in the linked article; the openssl steps on\n    // this page write server.crt / server.key.\n    log.Fatal(srv.ListenAndServeTLS(\"tls.crt\", \"tls.key\"))\n}\n```\n\n#### Generate a self-signed certificate together with its private key (`.key`) and PEM-encoded certificate (`.pem`|`.crt`) in one command:\n\n```sh\n# ECDSA: secp384r1 or stronger (list curves with: openssl ecparam -list_curves).\n# -nodes leaves the private key unencrypted (OpenSSL 3 also spells it -noenc).\n# -newkey ec expects a parameter file after the colon, so name the curve via -pkeyopt:\nopenssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.ecdsa.key -out server.ecdsa.crt -days 3650\n# Equivalent, feeding the parameters as a file: -newkey ec:\u003c(openssl ecparam -name secp384r1)\nln -sf server.ecdsa.key server.key\nln -sf server.ecdsa.crt server.crt\n\n# RSA: at least 2048 bits\nopenssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650\nln -sf server.rsa.key server.key\nln -sf server.rsa.crt server.crt\n```\n\n* `.crt` — the usual *nix name for a PEM-encoded certificate (synonymous with `.pem`); it holds the public key inside the signed X.509 structure, not a bare key.\n* `.csr` — Certificate Signing Request (likewise the most common name on *nix systems).\n* `.cer` — Microsoft's alternate name for `.crt`; Windows tools can export it as either a DER (binary) or a Base64 (PEM) encoded `.cer`.\n* `.pem` — ASCII (Base64) armored data prefixed with a «—– BEGIN …» line, used for several kinds of X.509v3 files; the same content may also carry the `.cer` or `.crt` extension.\n* `.der` — a binary, DER-encoded certificate.\n\n#### Generating the Certificate Signing Request\n\n    # CSR for server.key, to be submitted to a CA\n    openssl req -new -sha256 -key server.key -out server.csr\n    # or self-sign that CSR with the same key, which yields a self-signed server.crt\n    openssl x509 -req -sha256 -in server.csr -signkey server.key -out server.crt -days 3650\n\nECDSA \u0026 RSA — FAQ\n---\n* Validate the elliptic curve parameters: `-check`\n* List the supported \"ECDSA\" curves: `openssl ecparam -list_curves`\n* Encode the \"ECDSA\" parameters explicitly: `-param_enc explicit`\n* Convert to the compressed point form: `-conv_form compressed`\n* Generate \"EC\" parameters and a private key: `-genkey`\n\nCA Bundle Path\n---\n\n| Distro                                                       \t| Package         \t| Path to CA                               \t|\n|--------------------------------------------------------------\t|-----------------\t|------------------------------------------\t|\n| Fedora, RHEL, CentOS                                         \t| ca-certificates \t| /etc/pki/tls/certs/ca-bundle.crt         \t|\n| Debian, Ubuntu, Gentoo, Arch Linux                           \t| ca-certificates \t| /etc/ssl/certs/ca-certificates.crt       \t|\n| SUSE, openSUSE                                               \t| ca-certificates \t| /etc/ssl/ca-bundle.pem                   \t|\n| FreeBSD                                                      \t| ca_root_nss     \t| /usr/local/share/certs/ca-root-nss.crt   \t|\n| Cygwin                                                       \t| -               \t| /usr/ssl/certs/ca-bundle.crt             \t|\n| macOS (MacPorts)                                             \t| curl-ca-bundle  \t| /opt/local/share/curl/curl-ca-bundle.crt \t|\n| Default cURL CA bundle path (without --with-ca-bundle option)\t|                 \t| /usr/local/share/curl/curl-ca-bundle.crt \t|\n| Really old RedHat?                                           
\t|                 \t| /usr/share/ssl/certs/ca-bundle.crt       \t|\n\nReference Link\n---\n* https://github.com/smallstep/certificates\n* https://github.com/FiloSottile/mkcert\n* https://getgophish.com/blog/post/2018-12-02-building-web-servers-in-go/\n* [Go programming language secure coding practices guide](https://github.com/Checkmarx/Go-SCP)\n* ~~[Achieving a Perfect SSL Labs Score with Go – `blog.bracelab.com`](https://web.archive.org/web/20160520182043/https://blog.bracelab.com/achieving-perfect-ssl-labs-score-with-go)~~\n* [Automatic HTTPS With Free SSL Certificates Using Go + Let's Encrypt](https://www.captaincodeman.com/2017/05/07/automatic-https-with-free-ssl-certificates-using-go-lets-encrypt)\n* https://golang.org/pkg/crypto/tls/\n* [OpenSSL without prompt – `superuser.com` (Stack Exchange)](http://superuser.com/a/226229/205366)\n* [TLS server and client — `gist.github.com/spikebike`](https://gist.github.com/spikebike/2232102)\n* ~~[Echo, a fast and unfancy micro web framework for Go — `echo.labstack.com/guide`](https://web.archive.org/web/20150925030955/http://echo.labstack.com/guide)~~\n* https://kjur.github.io/jsrsasign/sample-ecdsa.html\n* [Creating Self-Signed ECDSA SSL Certificate using OpenSSL – `guyrutenberg.com`](https://www.guyrutenberg.com/2013/12/28/creating-self-signed-ecdsa-ssl-certificate-using-openssl/)\n* https://www.openssl.org/docs/manmaster/\n * https://www.openssl.org/docs/manmaster/man1/ecparam.html\n * https://www.openssl.org/docs/manmaster/man1/ec.html\n * https://www.openssl.org/docs/manmaster/man1/req.html\n* https://digitalelf.net/2016/02/creating-ssl-certificates-in-3-easy-steps/\n* [HTTPS and Go – `kaihag.com`](http://www.kaihag.com/https-and-go/)\n* [The complete guide to Go net/http timeouts – `blog.cloudflare.com`](https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/)\n* [Certificate fetcher in Go – `gist.github.com`](https://gist.github.com/jtwaleson/1fdd77260bcb48377b6b)\n* [How to redirect HTTP 
to HTTPS with a golang webserver – `gist.github.com`](https://gist.github.com/d-schmidt/587ceec34ce1334a5e60)\n* __[XCA - X Certificate and key management](https://sourceforge.net/projects/xca/)__\n* Package [tcplisten](https://github.com/valyala/tcplisten) provides customizable TCP `net.Listener` with various performance-related options \n* https://github.com/bifurcation/mint — minimal TLS 1.3 Implementation in Go\n* https://github.com/cloudflare/tls-tris — crypto/tls, now with 100% more 1.3\n* https://github.com/Xeoncross/secureserver\n* https://github.com/cloudflare/cfssl\n* https://github.com/google/certificate-transparency\n* https://cipherli.st/\n* https://github.com/cmrunton/tls-dashboard — dashboard written in JavaScript \u0026 HTML to check the remaining time before a TLS certificate expires.\n* https://github.com/tomato42/tlsfuzzer\n* https://github.com/mozilla/tls-observatory (https://observatory.mozilla.org/)\n* https://dev.ssllabs.com/ssltest/\n* https://indieweb.org/HTTPS\n* https://github.com/konklone/shaaaaaaaaaaaaa (https://shaaaaaaaaaaaaa.com/)\n* https://securityheaders.io/\n* https://testssl.sh/\n* https://github.com/nabla-c0d3/sslyze\n* https://github.com/iSECPartners/sslyze\n* https://github.com/mozilla/cipherscan\n* https://github.com/ssllabs/ssllabs-scan\n* https://github.com/chromium/badssl.com (https://badssl.com)\n* https://github.com/datatheorem/TrustKit\n* https://github.com/certifi/gocertifi\n* https://github.com/unrolled/secure\n* https://github.com/tidwall/modern-server\n* https://github.com/genkiroid/cert\n* https://github.com/zmap/zlint\n* https://github.com/globalsign/certlint\n* https://github.com/google/certificate-transparency-go\n* https://github.com/Evolix/chexpire\n* https://github.com/mimoo/cryptobible/blob/master/protocols/tls.mediawiki\n* https://posener.github.io/http2/\n* https://seclists.org/oss-sec/2018/q4/123\n* 
…\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenji%2Fgolang-tls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdenji%2Fgolang-tls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenji%2Fgolang-tls/lists"}
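Added example, not code from denji/golang-tls: the README's openssl key/certificate steps and its TLS `Server` and `Client` sections carried out end to end in one Go program, with the client trusting the self-signed certificate through `RootCAs` instead of the commented-out `InsecureSkipVerify`. The `hello`/`world` line exchange and the localhost / 127.0.0.1 names follow the README; the function names `selfSignedCert`, `serveEcho` and `dialHello`, the loopback port and the 24-hour validity are choices made for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"time"
)

// selfSignedCert generates an ECDSA P-384 key and a self-signed certificate for
// localhost / 127.0.0.1 in-process; Leaf is set so a client can pin exactly it.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // fixed serial: test-only certificate
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"}, // clients check the SANs, not the CN
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveEcho listens on a loopback port with cert and answers a "hello\n" line
// with "world\n", the README's line protocol. It returns the address to dial.
func serveEcho(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	go func() { // one connection at a time keeps the example short
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// The handshake runs on the first Read; a client that rejects the cert ends up as an error here.
			if msg, err := bufio.NewReader(c).ReadString('\n'); err == nil && msg == "hello\n" {
				c.Write([]byte("world\n"))
			}
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// dialHello connects, sends "hello\n" and returns the reply. pin == nil keeps the
// system roots, which never contain a self-signed cert, so the handshake fails;
// otherwise only that certificate is trusted (the safe alternative to
// InsecureSkipVerify). tls.Dial takes ServerName from addr and checks the SANs.
func dialHello(addr string, pin *x509.Certificate) (string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if pin != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(pin)
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte("hello\n")); err != nil {
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		log.Fatal(err)
	}
	addr, err := serveEcho(cert)
	if err != nil {
		log.Fatal(err)
	}
	_, err = dialHello(addr, nil)
	log.Println("system roots:", err) // x509: certificate signed by unknown authority
	reply, err := dialHello(addr, cert.Leaf)
	log.Printf("pinned root: %q %v", reply, err) // "world\n" <nil>
}
```

The first dial fails because the self-signed certificate is not in the system trust store, which is exactly what `InsecureSkipVerify: true` would have hidden; the second succeeds because the client trusts that one certificate and `tls.Dial` still checks the address against its SANs, so a different certificate on the same port would be rejected.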
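Added example, not the project's own code: the version, curve and cipher-suite choices from the README's "Perfect SSL Labs Score with Go" section rebuilt for a current Go release, plus a static audit of a `tls.Config` that flags the settings a reviewer would object to. `modernCipherSuites`, `hardenedConfig` and `auditConfig` are names chosen here, and the `legacy` config in `main` reproduces the README's suite list so the audit has something to report.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// modernCipherSuites builds the TLS 1.2 allow-list from what the running Go
// release still rates secure (tls.CipherSuites excludes the insecure set):
// ECDHE key exchange for forward secrecy plus an AEAD (GCM or ChaCha20-Poly1305).
// TLS 1.3 suites are not configurable through Config.CipherSuites, so they are skipped.
func modernCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		tls12 := false
		for _, v := range cs.SupportedVersions {
			tls12 = tls12 || v == tls.VersionTLS12
		}
		aead := strings.Contains(cs.Name, "_GCM_") || strings.Contains(cs.Name, "CHACHA20")
		if tls12 && aead && strings.Contains(cs.Name, "ECDHE") {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// hardenedConfig is the server-side tls.Config the README's hardening section
// amounts to on a current Go release. PreferServerCipherSuites is left out:
// Go has ignored it since 1.17 and always applies its own preference order.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
		CipherSuites:     modernCipherSuites(),
	}
}

// auditConfig lists the settings in cfg a reviewer would flag. It inspects the
// struct only, no handshake, so it needs no certificate to run.
func auditConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion == 0 {
		findings = append(findings, "MinVersion unset: relies on the Go default, which was TLS 1.0 in older releases")
	} else if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion below TLS 1.2")
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: neither the chain nor the host name is checked")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case strings.HasPrefix(name, "TLS_RSA_"):
			findings = append(findings, name+": static RSA key exchange, no forward secrecy")
		case strings.Contains(name, "_CBC_"):
			findings = append(findings, name+": CBC mode, not an AEAD")
		case strings.Contains(name, "RC4") || strings.Contains(name, "3DES"):
			findings = append(findings, name+": broken or 64-bit-block cipher")
		}
	}
	return findings
}

func main() {
	// The suite list from the README's SSL Labs example, reproduced here to audit.
	legacy := &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
	}
	for _, f := range auditConfig(legacy) {
		fmt.Println("legacy:", f) // three findings: one CBC suite, two static-RSA suites
	}
	fmt.Println("hardened findings:", len(auditConfig(hardenedConfig()))) // 0
	for _, id := range hardenedConfig().CipherSuites {
		fmt.Println("allow:", tls.CipherSuiteName(id))
	}
}
```

Deriving the allow-list from `tls.CipherSuites()` rather than hard-coding IDs means a suite Go later demotes to `tls.InsecureCipherSuites()` drops out on the next build instead of staying in the config by inertia.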