{"id":208047,"date":"2025-07-08T09:49:38","date_gmt":"2025-07-08T01:49:38","guid":{"rendered":"https:\/\/server.hk\/cnblog\/208047\/"},"modified":"2025-07-08T09:49:38","modified_gmt":"2025-07-08T01:49:38","slug":"%e4%b8%ba%e4%bb%bb%e4%bd%95%e5%ae%a2%e6%88%b7%e7%ab%af%e5%88%9b%e5%bb%bahttps%e6%b5%8b%e8%af%95%e6%9c%8d%e5%8a%a1%e5%99%a8","status":"publish","type":"post","link":"https:\/\/server.hk\/cnblog\/208047\/","title":{"rendered":"\u4e3a\u4efb\u4f55\u5ba2\u6237\u7aef\u521b\u5efaHTTPS\u6d4b\u8bd5\u670d\u52a1\u5668"},"content":{"rendered":"

<\/b> <\/p>\n

\u5f53\u524d\u4f4d\u7f6e\uff1a ><\/span> ><\/span> ><\/span> ><\/span> \u4e3a\u4efb\u4f55\u5ba2\u6237\u7aef\u521b\u5efaHTTPS\u6d4b\u8bd5\u670d\u52a1\u5668<\/span><\/p>\n

\u6765\u6e90\uff1astackoverflow<\/span>
\n2024-04-28 11:15:32<\/span>
\n<\/i>0\u6d4f\u89c8<\/span>
\n<\/i>\u6536\u85cf<\/span> <\/p>\n

\u6709\u5fd7\u8005\uff0c\u4e8b\u7adf\u6210\uff01\u5982\u679c\u4f60\u5728\u5b66\u4e60Golang<\/span>\uff0c\u90a3\u4e48\u672c\u6587\u300a\u4e3a\u4efb\u4f55\u5ba2\u6237\u7aef\u521b\u5efaHTTPS\u6d4b\u8bd5\u670d\u52a1\u5668\u300b<\/span>\uff0c\u5c31\u5f88\u9002\u5408\u4f60\uff01\u6587\u7ae0\u8bb2\u89e3\u7684\u77e5\u8bc6\u70b9\u4e3b\u8981\u5305\u62ec<\/span>\uff0c\u82e5\u662f\u4f60\u5bf9\u672c\u6587\u611f\u5174\u8da3\uff0c\u6216\u8005\u662f\u60f3\u641e\u61c2\u5176\u4e2d\u67d0\u4e2a\u77e5\u8bc6\u70b9\uff0c\u5c31\u8bf7\u4f60\u7ee7\u7eed\u5f80\u4e0b\u770b\u5427~<\/span><\/p>\n

\u95ee\u9898\u5185\u5bb9
\n <\/p>\n

newtlsserver \u521b\u5efa\u7684\u670d\u52a1\u5668\u53ef\u4ee5\u9a8c\u8bc1\u4ece\u5176\u663e\u5f0f\u521b\u5efa\u7684\u5ba2\u6237\u7aef\u7684\u8c03\u7528\uff1a<\/p>\n

ts := httptest.newtlsserver(http.handlerfunc(func(w http.responsewriter, r *http.request) {\n    fmt.fprintln(w, \"hello, client\")\n}))\ndefer ts.close()\n\nclient := ts.client()\nres, err := client.get(ts.url)<\/pre>\n
\u5728 client := ts.client()<\/code> \u884c\u4e2d\u3002<\/p>\n
\u4f46\u662f\uff0c\u6211\u6709\u4e00\u4e2a\u751f\u4ea7\u7a0b\u5e8f\uff0c\u6211\u60f3\u5c06\u5176\u8bbe\u7f6e\u4e3a\u4f7f\u7528 ts.url<\/code> \u4f5c\u4e3a\u5176\u4e3b\u673a\u3002\u6211\u6b63\u5728\u5f97\u5230<\/p>\n
x509: certificate signed by unknown authority<\/pre>\n
\u8c03\u7528\u65f6\u51fa\u9519\u3002<\/p>\n
\u5982\u4f55\u8bbe\u7f6e ts<\/code> \u6765\u50cf\u666e\u901a https \u670d\u52a1\u5668\u4e00\u6837\u5411\u5ba2\u6237\u7aef\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff1f<\/p>\n
 <\/p>\n
\u89e3\u51b3\u65b9\u6848<\/h2>\n
 <\/p>\n
\u4ece go 1.11 \u5f00\u59cb\uff0c\u7531\u4e8e https \u7684\u673a\u5236\uff0c\u8fd9\u6839\u672c\u4e0d\u53ef\u80fd\u5728 _test.go<\/code> \u7a0b\u5e8f\u4e2d\u5b8c\u5168\u5b8c\u6210\u3002<\/p>\n
\u4f46\u662f\uff0c\u60a8\u53ef\u4ee5\u5bf9 server.crt<\/code> \u548c server.key<\/code> \u6587\u4ef6\u8fdb\u884c\u5355\u4e2a\u8bc1\u4e66\u7b7e\u540d\u548c\u751f\u6210\uff0c\u7136\u540e\u5728\u672c\u5730\u76ee\u5f55\u4e2d\u7684 _test.go<\/code> \u7a0b\u5e8f\u4e2d\u65e0\u9650\u671f\u5730\u5f15\u7528\u5b83\u4eec\u3002<\/p>\n
\u4e00\u6b21\u6027\u751f\u6210 .crt<\/code> \u548c .key<\/code><\/h1>\n
\u8fd9\u662f daksh shah \u7684 medium \u6587\u7ae0 \u4e2d\u6307\u5b9a\u6b65\u9aa4\u7684\u7565\u4e3a\u7cbe\u7b80\u7684\u7248\u672c\uff0c\u9002\u7528\u4e8e mac\u3002<\/p>\n
\u5728\u60a8\u60f3\u8981 server.crt<\/code> \u548c server.key<\/code> \u6587\u4ef6\u7684\u76ee\u5f55\u4e2d\uff0c\u521b\u5efa\u4e24\u4e2a\u914d\u7f6e\u6587\u4ef6<\/p>\n
server.csr.cnf<\/code><\/h2>\n
[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\ndistinguished_name = dn\n\n[dn]\nc=us\nst=randomstate\nl=randomcity\no=randomorganization\nou=randomorganizationunit\n\ncn = localhost<\/pre>\n
\u548c<\/p>\n
v3.ext<\/code><\/h2>\n
authoritykeyidentifier=keyid,issuer\nbasicconstraints=ca:false\nkeyusage = digitalsignature, nonrepudiation, keyencipherment, dataencipherment\nsubjectaltname = @alt_names\n\n[alt_names]\ndns.1 = localhost\nip.1 = 127.0.0.1<\/pre>\n
\u7136\u540e\u5728\u8be5\u76ee\u5f55\u4e2d\u8f93\u5165\u4ee5\u4e0b\u547d\u4ee4<\/p>\n
openssl genrsa -des3 -out rootca.key 2048 \n# create a passphrase\n<\/pre>\n
openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1024 -out rootca.pem -config server.csr.cnf\n# enter passphrase\n<\/pre>\n
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf\n<\/pre>\n
openssl x509 -req -in server.csr -ca rootca.pem -cakey rootca.key -cacreateserial -out server.crt -days 500 -sha256 -extfile v3.ext\n# enter passphrase\n<\/pre>\n
\u6700\u540e\uff0c\u901a\u8fc7\u8fd0\u884c <\/p>\n
 \u8ba9\u60a8\u7684\u7cfb\u7edf\u4fe1\u4efb\u60a8\u7528\u4e8e\u7b7e\u7f72\u6587\u4ef6\u7684\u8bc1\u4e66 <\/p>\n
open rootca.pem\n<\/pre>\n
\u8fd9\u5e94\u8be5\u5728 keychain acces \u5e94\u7528\u7a0b\u5e8f\u4e2d\u6253\u5f00\u8bc1\u4e66\uff0c\u53ef\u4ee5\u5728\u201c\u8bc1\u4e66\u201d\u90e8\u5206\u4e2d\u627e\u5230\u8be5\u8bc1\u4e66\uff0c\u5e76\u547d\u540d\u4e3a localhost<\/code>\u3002\u7136\u540e\u59cb\u7ec8\u4fe1\u4efb<\/strong>\u5b83<\/p>\n
    \n
  • \u6309 enter \u952e\u6253\u5f00\u7a97\u53e3<\/li>\n
  • \u6309\u7a7a\u683c\u952e\u5411\u4e0b\u65cb\u8f6c\u4fe1\u4efb<\/em><\/li>\n
  • \u5c06\u201c\u4f7f\u7528\u6b64\u8bc1\u4e66\u65f6\uff1a\u201d\u66f4\u6539\u4e3a\u59cb\u7ec8\u4fe1\u4efb<\/em><\/li>\n
  • \u5173\u95ed\u7a97\u53e3\u5e76\u9a8c\u8bc1\u60a8\u7684\u51b3\u5b9a<\/li>\n<\/ul>\n
    \u6ce8\u610f\uff1a<\/strong>\u6211\u5df2\u7ecf\u4ece\u547d\u4ee4\u884c\u5c1d\u8bd5\u4e86 security add-trusted-cert<\/code> \u7684\u8bb8\u591a\u6392\u5217\uff0c\u5c3d\u7ba1\u5b83\u4f1a\u5c06\u8bc1\u4e66\u6dfb\u52a0\u5230\u94a5\u5319\u4e32\u5e76\u5c06\u5176\u6807\u8bb0\u4e3a\u201c\u59cb\u7ec8\u4fe1\u4efb\u201d\uff0c\u6211\u7684 go \u7a0b\u5e8f\u4e0d\u4f1a\u4fe1\u4efb\u5b83\u3002\u53ea\u6709 gui \u65b9\u6cd5\u624d\u80fd\u4f7f\u7cfb\u7edf\u5904\u4e8e\u6211\u7684 go \u7a0b\u5e8f\u4fe1\u4efb\u8bc1\u4e66\u7684\u72b6\u6001\u3002<\/p>\n
    \u60a8\u4f7f\u7528 https \u5728\u672c\u5730\u8fd0\u884c\u7684\u4efb\u4f55 go \u7a0b\u5e8f\u73b0\u5728\u90fd\u5c06\u4fe1\u4efb\u60a8\u4f7f\u7528 server.crt<\/code> \u548c server.key<\/code> \u8fd0\u884c\u7684\u670d\u52a1\u5668\u3002<\/p>\n
    \u8fd0\u884c\u670d\u52a1\u5668<\/h1>\n
    \u60a8\u53ef\u4ee5\u521b\u5efa\u4f7f\u7528\u8fd9\u4e9b\u51ed\u636e\u7684 *httptest.server<\/code> \u5b9e\u4f8b<\/p>\n
    func newlocalhttpstestserver(handler http.handler) (*httptest.server, error) {\n    ts := httptest.newunstartedserver(handler)\n    cert, err := tls.loadx509keypair(\"server.crt\", \"server.key\")\n    if err != nil {\n        return nil, err\n    }\n    ts.tls = &tls.config{certificates: []tls.certificate{cert}}\n    ts.starttls()\n    return ts, nil\n}\n<\/pre>\n
    \u8fd9\u662f\u4e00\u4e2a\u793a\u4f8b\u7528\u6cd5\uff1a<\/p>\n
    func testlocalhttpsserver(t *testing.t) {\n    ts, err := newlocalhttpstestserver(http.handlerfunc(func(w http.responsewriter, r *http.request) {\n        fmt.fprint(w, \"hello, client\")\n    }))\n    assert.nil(t, err)\n    defer ts.close()\n\n    res, err := http.get(ts.url)\n    assert.nil(t, err)\n\n    greeting, err := ioutil.readall(res.body)\n    res.body.close()\n    assert.nil(t, err)\n\n    assert.equal(t, \"hello, client\", string(greeting))\n}\n<\/pre>\n
    httptest.server<\/code> \u521b\u5efa\u4e00\u4e2a\u81ea\u7b7e\u540d\u8bc1\u4e66\uff0c\u8be5\u8bc1\u4e66\u53ef\u4ee5\u63d0\u4f9b\u7ed9 http.client<\/code> \u4ee5\u4fbf\u80fd\u591f\u6b63\u786e\u9a8c\u8bc1 ssl \u8bc1\u4e66\u3002<\/p>\n
    \u7531\u4e8e\u8bc1\u4e66\u901a\u5e38\u7ed1\u5b9a\u5230\u670d\u52a1\u5668\u7684\u4e3b\u673a\u540d\uff0c\u56e0\u6b64\u8fd9\u53ef\u80fd\u662f\u5728\u6d4b\u8bd5\u4e2d\u4f7f\u7528 ssl \u7684\u66f4\u597d\u65b9\u6cd5\u3002<\/p>\n
    \u793a\u4f8b\u5982\u4e0b\uff1a<\/p>\n
      \n
    1. \u8bbe\u7f6e\u6d4b\u8bd5\u670d\u52a1\u5668\uff1a<\/li>\n<\/ol>\n
          \/\/ create a handler\n    handler := http.handlerfunc(func(w http.responsewriter, r *http.request) {\n        fmt.fprintln(w, \"hello world\")\n    })\n\n    \/\/ create a test server with ssl\n    ts := httptest.newtlsserver(handler)\n<\/pre>\n
      2a\u3002\u5feb\u901f\u7684\u5ba2\u6237\u7aef\uff0c\u4f46\u7075\u6d3b\u6027\u8f83\u5dee\uff1a<\/p>\n
          \/\/ get the client directly from the test server ts\n    cl = ts.client()\n<\/pre>\n
      2b\u3002\u901a\u7528\u5ba2\u6237\u7aef<\/p>\n
          \/\/ create a certpool and add the certificate from ts\n    certpool := x509.newcertpool()\n    certpool.addcert(ts.certificate())\n\n    \/\/ create a tls config with the certpool\n    tlsconf := &tls.config{rootcas: certpool}\n    cl := &http.client{transport: &http.transport{tlsclientconfig: tlsconf}}\n<\/pre>\n
        \n
      1. \u4f7f\u7528\u5ba2\u6237\u7aef\uff1a<\/li>\n<\/ol>\n
            \/\/ use the client normally\n    resp, err := cl.get(ts.url)\n    if err != nil {\n        log.fatal(err)\n    }\n    log.println(resp.statuscode)\n    ...\n<\/pre>\n
        \u5982\u679c\u60a8\u786e\u5b9e\u5fc5\u987b<\/em>\u4f7f\u7528\u81ea\u5df1\u7684\u8bc1\u4e66\uff0c\u60a8\u5e94\u8be5\u80fd\u591f\u521b\u5efa\u4e00\u4e2a\u6d4b\u8bd5\u670d\u52a1\u5668\u800c\u4e0d\u542f\u52a8\u5b83\uff0c\u8bbe\u7f6e tls.config<\/code> \u5e76\u542f\u52a8\u670d\u52a1\u5668…<\/p>\n
        ts := httptest.NewUnstartedServer(h)\nts.TLS = &tls.Config{ \/* custom settings here *\/ }\nts.StartTLS()\n<\/pre>\n
        \u6587\u4e2d\u5173\u4e8e\u7684\u77e5\u8bc6\u4ecb\u7ecd\uff0c\u5e0c\u671b\u5bf9\u4f60\u7684\u5b66\u4e60\u6709\u6240\u5e2e\u52a9\uff01\u82e5\u662f\u53d7\u76ca\u532a\u6d45\uff0c\u90a3\u5c31\u52a8\u52a8\u9f20\u6807\u6536\u85cf\u8fd9\u7bc7\u300a\u4e3a\u4efb\u4f55\u5ba2\u6237\u7aef\u521b\u5efaHTTPS\u6d4b\u8bd5\u670d\u52a1\u5668\u300b\u6587\u7ae0\u5427\uff0c\u4e5f\u53ef\u5173\u6ce8\u516c\u4f17\u53f7\u4e86\u89e3\u76f8\u5173\u6280\u672f\u6587\u7ae0\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
        \u5f53\u524d\u4f4d\u7f6e\uff1a > > ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4925],"tags":[],"class_list":["post-208047","post","type-post","status-publish","format-standard","hentry","category-4925"],"_links":{"self":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/comments?post=208047"}],"version-history":[{"count":0,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/208047\/revisions"}],"wp:attachment":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/media?parent=208047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/categories?post=208047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/tags?post=208047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}