Package tls
import "crypto/tls"
Package tls partially implements the TLS 1.1 protocol, as specified in RFC 4346.
Package files
alert.go cipher_suites.go common.go conn.go handshake_client.go handshake_messages.go handshake_server.go key_agreement.go prf.go tls.go
Constants
A list of the possible cipher suite IDs, taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
const (
	TLS_RSA_WITH_RC4_128_SHA           uint16 = 0x0005
	TLS_RSA_WITH_AES_128_CBC_SHA       uint16 = 0x002f
	TLS_ECDHE_RSA_WITH_RC4_128_SHA     uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
)
type Certificate
A Certificate is a chain of one or more certificates, leaf first.
type Certificate struct {
	Certificate [][]byte
	PrivateKey  *rsa.PrivateKey
	// OCSPStaple contains an optional OCSP response which will be served
	// to clients that request it.
	OCSPStaple []byte
}
func LoadX509KeyPair
func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.Error)
LoadX509KeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data.
func X509KeyPair
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err os.Error)
X509KeyPair parses a public/private key pair from a pair of PEM encoded data.
type Config
A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.
type Config struct {
	// Rand provides the source of entropy for nonces and RSA blinding.
	// If Rand is nil, TLS uses the cryptographic random reader in package
	// crypto/rand.
	Rand io.Reader
	// Time returns the current time as the number of seconds since the epoch.
	// If Time is nil, TLS uses the system time.Seconds.
	Time func() int64
	// Certificates contains one or more certificate chains
	// to present to the other side of the connection.
	// Server configurations must include at least one certificate.
	Certificates []Certificate
	// RootCAs defines the set of root certificate authorities
	// that clients use when verifying server certificates.
	// If RootCAs is nil, TLS uses the host's root CA set.
	RootCAs *x509.CertPool
	// NextProtos is a list of supported application-level protocols.
	NextProtos []string
	// ServerName is included in the client's handshake to support virtual
	// hosting.
	ServerName string
	// AuthenticateClient controls whether a server will request a certificate
	// from the client. It does not require that the client send a
	// certificate nor does it require that the certificate sent be
	// anything more than self-signed.
	AuthenticateClient bool
	// CipherSuites is a list of supported cipher suites. If CipherSuites
	// is nil, TLS uses a list of suites supported by the implementation.
	CipherSuites []uint16
}
type Conn
A Conn represents a secured connection. It implements the net.Conn interface.
type Conn struct {
	// contains filtered or unexported fields
}
func Client
func Client(conn net.Conn, config *Config) *Conn
Client returns a new TLS client side connection using conn as the underlying transport. Client interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
func Dial
func Dial(network, addr string, config *Config) (*Conn, os.Error)
Dial connects to the given network address using net.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Dial interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.
func Server
func Server(conn net.Conn, config *Config) *Conn
Server returns a new TLS server side connection using conn as the underlying transport. The configuration config must be non-nil and must have at least one certificate.
func (*Conn) Close
func (c *Conn) Close() os.Error
Close closes the connection.
func (*Conn) ConnectionState
func (c *Conn) ConnectionState() ConnectionState
ConnectionState returns basic TLS details about the connection.
func (*Conn) Handshake
func (c *Conn) Handshake() os.Error
Handshake runs the client or server handshake protocol if it has not yet been run. Most uses of this package need not call Handshake explicitly: the first Read or Write will call it automatically.
func (*Conn) LocalAddr
func (c *Conn) LocalAddr() net.Addr
LocalAddr returns the local network address.
func (*Conn) OCSPResponse
func (c *Conn) OCSPResponse() []byte
OCSPResponse returns the stapled OCSP response from the TLS server, if any. (Only valid for client connections.)
func (*Conn) Read
func (c *Conn) Read(b []byte) (n int, err os.Error)
Read can be made to time out and return err == os.EAGAIN after a fixed time limit; see SetTimeout and SetReadTimeout.
func (*Conn) RemoteAddr
func (c *Conn) RemoteAddr() net.Addr
RemoteAddr returns the remote network address.
func (*Conn) SetReadTimeout
func (c *Conn) SetReadTimeout(nsec int64) os.Error
SetReadTimeout sets the time (in nanoseconds) that Read will wait for data before returning os.EAGAIN. Setting nsec == 0 (the default) disables the deadline.
func (*Conn) SetTimeout
func (c *Conn) SetTimeout(nsec int64) os.Error
SetTimeout sets the read deadline associated with the connection. There is no write deadline.
func (*Conn) SetWriteTimeout
func (c *Conn) SetWriteTimeout(nsec int64) os.Error
SetWriteTimeout exists to satisfy the net.Conn interface but is not implemented by TLS. It always returns an error.
func (*Conn) VerifyHostname
func (c *Conn) VerifyHostname(host string) os.Error
VerifyHostname checks that the peer certificate chain is valid for connecting to host. If so, it returns nil; if not, it returns an os.Error describing the problem.
func (*Conn) Write
func (c *Conn) Write(b []byte) (n int, err os.Error)
Write writes data to the connection.
type ConnectionState
ConnectionState records basic TLS details about the connection.
type ConnectionState struct {
	HandshakeComplete          bool
	CipherSuite                uint16
	NegotiatedProtocol         string
	NegotiatedProtocolIsMutual bool
	// the certificate chain that was presented by the other side
	PeerCertificates []*x509.Certificate
	// the verified certificate chains built from PeerCertificates.
	VerifiedChains [][]*x509.Certificate
}
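As an added example (not part of the package documentation, and written against the current crypto/tls API, which returns error rather than os.Error and negotiates the protocol version itself), the following wires the pieces above together: a Certificate built in memory, a server Config with Certificates and NextProtos, a client Config with RootCAs and ServerName, Server and Client wrapping the two ends of an in-memory net.Pipe, and finally ConnectionState and VerifyHostname on the client side. The names selfSigned and handshake, the host "demo.example", the protocol "demo/1" and the mismatching name "other.example" are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// selfSigned builds an in-memory self-signed certificate for host (constructed test
// material; LoadX509KeyPair would instead read PEM files). Chain is DER, leaf first.
func selfSigned(host string) (tls.Certificate, *x509.CertPool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client's RootCAs: trust only this certificate
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// handshake wraps the two ends of an in-memory pipe with Server and Client, runs the
// handshake and returns the client's ConnectionState plus the VerifyHostname result
// for a name the certificate does not cover (expected to be an error).
func handshake(host string) (st tls.ConnectionState, otherNameErr, err error) {
	cert, pool := selfSigned(host)
	cp, sp := net.Pipe()
	defer cp.Close() // close the raw pipe ends: a close_notify alert would block on a pipe
	go func() {
		defer sp.Close()
		srv := tls.Server(sp, &tls.Config{Certificates: []tls.Certificate{cert},
			NextProtos: []string{"demo/1"}, SessionTicketsDisabled: true}) // no ticket write to block the pipe
		srv.Handshake() // runs concurrently with the client's handshake below
	}()
	cli := tls.Client(cp, &tls.Config{RootCAs: pool, ServerName: host, NextProtos: []string{"demo/1"}})
	if err = cli.Handshake(); err != nil {
		return
	}
	return cli.ConnectionState(), cli.VerifyHostname("other.example"), nil
}
```

Because the client Config sets RootCAs and ServerName, the handshake itself already fails if the chain does not verify for host; the explicit VerifyHostname call shows the same check rejecting a name the certificate does not list.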
type Listener
A Listener implements a network listener (net.Listener) for TLS connections.
type Listener struct {
	// contains filtered or unexported fields
}
func Listen
func Listen(network, laddr string, config *Config) (*Listener, os.Error)
Listen creates a TLS listener accepting connections on the given network address using net.Listen. The configuration config must be non-nil and must have at least one certificate.
func NewListener
func NewListener(listener net.Listener, config *Config) (l *Listener)
NewListener creates a Listener which accepts connections from an inner Listener and wraps each connection with Server. The configuration config must be non-nil and must have at least one certificate.
func (*Listener) Accept
func (l *Listener) Accept() (c net.Conn, err os.Error)
Accept waits for and returns the next incoming TLS connection. The returned connection c is a *tls.Conn.
func (*Listener) Addr
func (l *Listener) Addr() net.Addr
Addr returns the listener's network address.
func (*Listener) Close
func (l *Listener) Close() os.Error
Close closes the listener.