Golang crypto/tls.Client and ConnectionState functions example

22nd June 2015

package crypto/tls

Client returns a new TLS client side connection using conn as the underlying transport. The config cannot be nil: users must set either ServerName or InsecureSkipVerify in the config.

ConnectionState returns basic TLS details about the connection.

Golang crypto/tls.Client and ConnectionState functions usage example

 package main

 import (
 "fmt"
 "crypto/tls"
 "crypto/x509"
 )

 func main() {
 // Connecting with a custom root-certificate set.

 const rootPEM = `
 -----BEGIN CERTIFICATE-----
 MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
 YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
 EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
 bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
 VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
 h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
 ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
 EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
 DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
 K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
 KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
 ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
 BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
 /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
 zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
 HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
 WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
 yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
 -----END CERTIFICATE-----`

 // First, create the set of root certificates. For this example we only
 // have one. It's also possible to omit this in order to use the
 // default root set of the current operating system.
 roots := x509.NewCertPool()
 ok := roots.AppendCertsFromPEM([]byte(rootPEM))
 if !ok {
 panic("failed to parse root certificate")
 }

 conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{
 RootCAs: roots,ServerName: "mail.google.com", InsecureSkipVerify: true,
 })
 if err != nil {
 panic("failed to connect: " + err.Error())
 }


 // populate tls.Config with dummy data
 tlsConn := tls.Client(conn, &tls.Config{
 RootCAs: roots,ServerName : "mail.google.com", InsecureSkipVerify: true,
 })

 // skip Handshake ... not with google mail server
 connstate := tlsConn.ConnectionState()

 fmt.Printf("Version : %x\n", connstate.Version)
 fmt.Printf("HandshakeComplete : %v\n", connstate.HandshakeComplete)
 fmt.Printf("DidResume : %v\n", connstate.DidResume)
 fmt.Printf("CipherSuite : %x\n", connstate.CipherSuite)
 fmt.Printf("NegotiatedProtocol : %x\n", connstate.NegotiatedProtocol)
 fmt.Printf("NegotiatedProtocolIsMutual : %v\n", connstate.NegotiatedProtocolIsMutual)
 fmt.Printf("ServerName : %s\n", connstate.ServerName)

 for i := range connstate.PeerCertificates {
 peercert := &connstate.PeerCertificates[i]
 fmt.Printf("PeerCertificate %d : %d\n", i, peercert)
 }


 for r := range connstate.VerifiedChains {
 vchains := &connstate.VerifiedChains[r]
 fmt.Printf("Verified Chains %d : %d\n", r, vchains)
 }

 tlsConn.Close()
 conn.Close()
 }

Example output :