Testing Certificate Chains in Go

This talk was derived from an opensource.com article I wrote in April 2017, Golang to the rescue: Saving DevOps from TLS turmoil. Presented at GopherCon 2017 as a Lightning Talk. Source for the talk is available on GitHub.

Chris Short

Notes:

Hi! I’m Chris!
I manage DevOps activities at Bankrate (we’re hiring)
I work in the DevOps space
I contribute content a few places
I run a DevOps Newsletter called DevOps’ish if you’re into those please check it out
This talk was derived from an opensource.com article I wrote in April 2017

Chris Short in Gopher Form

I’m many things But Most Importantly, I’m a Gopher

Star Wars Scroll Y'all

This Sound Familiar?

This Sound Familiar? 2 Chainz (we can talk rap music later)

This is the goal
If you are going to bother to encrypt your traffic you better do it right
This is what we’re aiming for; an A+
At this company, we obtained certs from a preferred vendor that our company was cool with
I prefer Let’s Encrypt but some companies aren’t comfortable with that yet for various reasons
The process goes like this…
You generate your CSR and private key
You send the CSR to the vendor
The certificate arrives but usually doesn’t have an intermediate key in chain because… vendors be vendoring

This is the Goal

No big deal
Let’s go to the vendor’s documentation…
And OMG…
The vendor docs are terrible
This is when you learn…
Cryptography is hard but implementing cryptographic best practices might be even harder

: What do we do?; Look at statistical probabilities and start shuffling keys around?; The series of games you have to play with openssl or nginx or some other method aren’t intuitive; Do you know how hard this is to explain to people?

Go Build by Ashley McNamara

We needed a tool that would fail if the certificate chain provided was incorrect
We wanted a lightweight tool that could be publicly accessible
Conducting a third-party analysis of the certificates and configuration was also a requirement
There were no tools that I could find meeting these needs
So I decided to build my own
With Go of course!

The go log package is pretty self-explanatory
Package that enables logging
Needed a spectacular failure at the sign of trouble
log has three helper functions: print, fatal, and panic
Output from the package goes to stderr
Used a fatal error to get the web server to stop and log any issue
Let me just say the Go standard library is amazing!
log is designed beautifully
Using fatal to break the app and log to stderr if something isn’t right is great!

The Gocrypto/tls package partially implements TLS 1.2, as specified in RFC 5246
Package configures usable SSL/TLS versions
Identifies preferred cipher suites and elliptic curves used during handshakes
This is the package that handles connections securely

Gopher Star Wars by Ashley McNamara

Go implementation of HTTP
net/http has a function called ListenAndServeTLS
ListenAndServeTLS provides the desired certificate checking functionality
“If the certificate is signed by a certificate authority, the certFile should be the concatenation of the server’s certificate, any intermediates, and the CA’s certificate.”

Gopher Inclusion by Ashley McNamara

Code creates a mux, short for HTTP request multiplexer
I ❤️ multiplexers (it’s a long story that involves analog signals)
mux has a function that creates an HTTP server with headers and content (Hello World!)
cfg brings in all the TLS bits seen in a solid web server config
srv puts the pieces together and defines what port to listen on

I ❤️ DevOps
I embrace failure
log.Fatal(srv.ListenAndServeTLS("/etc/ssl-tester/tls.crt", "/etc/ssl-tester/tls.key"))
Defines path of certificate files to use
Also logs a fatal error if certificate is not valid
Fails Fast

Nuclear Weapons Test

I love DevOps and I embrace failure
The code allows us to fail quickly if the certificates aren’t in accordance with RFC
Stuff in the standard library JUST WORKS