      1 // Copyright 2014 The Go Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style
      3 // license that can be found in the LICENSE file.
      4 
      5 package tls_test
      6 
      7 import (
      8 	"crypto/tls"
      9 	"crypto/x509"
     10 	"log"
     11 	"net/http"
     12 	"net/http/httptest"
     13 	"os"
     14 )
     15 
// zeroSource is an io.Reader that returns an unlimited number of zero bytes.
// It exists only so the TLS handshakes in these examples are reproducible;
// a constant stream is never an acceptable entropy source outside a test.
type zeroSource struct{}

// Read overwrites every byte of b with zero. It always reports len(b) bytes
// read and never returns an error, so a caller draining it never sees io.EOF.
func (zeroSource) Read(b []byte) (n int, err error) {
	for i := 0; i < len(b); i++ {
		b[i] = 0
	}
	return len(b), nil
}
     26 
// ExampleDial opens a TLS connection that trusts only an explicitly supplied
// root certificate rather than the operating system's default trust store.
func ExampleDial() {
	// Connecting with a custom root-certificate set.

	const rootPEM = `
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----`

	// Build the set of trusted roots. Here it holds a single certificate;
	// leaving RootCAs unset would instead fall back to the operating
	// system's default root set.
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(rootPEM)) {
		panic("failed to parse root certificate")
	}

	// Only a server chain that verifies up to one of these roots is
	// accepted; any other certificate makes the handshake fail.
	cfg := &tls.Config{RootCAs: roots}
	conn, err := tls.Dial("tcp", "mail.google.com:443", cfg)
	if err != nil {
		panic("failed to connect: " + err.Error())
	}
	conn.Close()
}
     73 
// ExampleConfig_keyLogWriter records the TLS session secrets of a client
// connection so that a packet capture of that connection can be decrypted
// afterwards.
func ExampleConfig_keyLogWriter() {
	// Debugging TLS applications by decrypting a network traffic capture.

	// WARNING: Use of KeyLogWriter compromises security and should only be
	// used for debugging.

	// Dummy test HTTP server for the example with insecure random so output is
	// reproducible.
	noopHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	srv := httptest.NewUnstartedServer(noopHandler)
	srv.TLS = &tls.Config{
		Rand: zeroSource{}, // for example only; don't do this.
	}
	srv.StartTLS()
	defer srv.Close()

	// Typically the log would go to an open file. Whoever can read that file
	// can decrypt the captured traffic, so create it owner-readable only:
	// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	keyLog := os.Stdout

	// InsecureSkipVerify turns off certificate verification entirely. It is
	// tolerable here only because the peer is the local httptest server
	// started above, whose certificate is not trusted by any root.
	clientCfg := &tls.Config{
		KeyLogWriter: keyLog,

		Rand:               zeroSource{}, // for reproducible output; don't do this.
		InsecureSkipVerify: true,         // test server certificate is not trusted.
	}
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: clientCfg},
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		log.Fatalf("Failed to get URL: %v", err)
	}
	resp.Body.Close()

	// The resulting file can be used with Wireshark to decrypt the TLS
	// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
	// preferences.

	// Output:
	// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
}
    115 }
    116