Articles in this section

See more

Go and SSL verification

Avatar
Brett Cave
Updated
Follow 

Hi, I was wondering how Go verifies server certificate authenticity. i.e. if there was a man in the middle attack with a different certificate, would the agent fail on the SSL connection to the go-server? Go version 2.1

Related articles

Comments

3 comments

Sort by Date Votes
  • Avatar
    Brett Cave

    *bump*

    0
    Comment actions Permalink
  • Avatar
    Sara Paul

    Go Server uses self-signed certificates. When an agent and the Go server first negotiate their SSL session, the Go server sends its digital certificate (containing the public key) to the agent. The agent adds Go server to its trust store.


     

    Go server then creates a x.509 certificate for the agent which the agent stores it in its key store. All further SSL communication from the agent happens using this certificate. This certificate is also used to authenticate the agent.

     

    Now, lets assume that there is a man in middle attack with a different certificate. When the agent communicates with the malicious server, the first request will fail to complete because the certificate would not be present in the trust store. The agent then deletes the old certificate from the trust store and starts communicating with the new server. The last step is done so as to ensure easy configuration and administration of Go deployments as typical Go deployments are in an internal network or behind a firewall.
    0
    Comment actions Permalink
  • Avatar
    Sara Paul

    If you want to prevent a rogue server from using an agent, you can make root the owner of the agent's certificate store, and allow only read only access for the cruise user, so that the Go agent process does not write to the certificate store. Thereby ensuring that no new certificates are accepted from the impersonating server.  

    0
    Comment actions Permalink

Please sign in to leave a comment.