Hi, I was wondering how Go verifies server certificate authenticity, i.e. if there was a man-in-the-middle attack with a different certificate, would the agent fail on the SSL connection to the go-server? Go version 2.1
Comments
3 comments
*bump*
Go Server uses self-signed certificates. When an agent and the Go server first negotiate their SSL session, the Go server sends its digital certificate (containing the public key) to the agent. The agent adds the Go server to its trust store.
If you want to prevent a rogue server from using an agent, you can make root the owner of the agent's certificate store, and allow only read-only access for the cruise user, so that the Go agent process does not write to the certificate store, thereby ensuring that no new certificates are accepted from the impersonating server.
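One way to check that the lockdown described in the reply above actually holds, as an added example that is not part of the original thread or of Go's own code: it audits the store's owner and mode bits and also the containing directory, since write access to the directory lets the agent user replace a read-only file. The store path is a placeholder passed on the command line; `Meta` and the function names are hypothetical, and ACLs are not evaluated.

```python
import os
import pwd
import stat
import sys
from collections import namedtuple

# Stand-in for os.stat_result, used to build constructed inputs offline.
Meta = namedtuple("Meta", "st_uid st_gid st_mode")

def can_write(meta, uid, gids):
    """Mode-bit check only: may (uid, gids) write here? ACLs are not considered."""
    if uid == 0:
        return True
    if meta.st_uid == uid:
        return bool(meta.st_mode & stat.S_IWUSR)
    if meta.st_gid in gids:
        return bool(meta.st_mode & stat.S_IWGRP)
    return bool(meta.st_mode & stat.S_IWOTH)

def audit(store, parent, uid, gids):
    """Return findings; an empty list means the agent user cannot alter the store."""
    findings = []
    if store.st_uid != 0:
        findings.append("store is not owned by root")
    if can_write(store, uid, gids):
        findings.append("agent user can write to the store")
    # Write access to the directory allows replacing the file (unlink + create),
    # unless the sticky bit is set and the user owns neither file nor directory.
    if can_write(parent, uid, gids):
        sticky = parent.st_mode & stat.S_ISVTX
        if not sticky or uid in (store.st_uid, parent.st_uid):
            findings.append("agent user can replace the store via its directory")
    return findings

def audit_path(path, username):
    """Audit a real file for a real account (Unix only)."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    parent = os.path.dirname(os.path.abspath(path))
    return audit(os.stat(path), os.stat(parent), pw.pw_uid, gids)

if __name__ == "__main__":
    # Usage: audit.py <path-to-agent-certificate-store> cruise
    problems = audit_path(sys.argv[1], sys.argv[2])
    print("\n".join(problems) or "OK: store is read-only for this user")
    sys.exit(1 if problems else 0)
```

Run it after the agent has completed its first connection to the genuine server, so the store already holds the certificate you intend to pin.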