crypto/tls


TLS 1.3 and 1.2 client and server. Sits under net/http for HTTPS, but you can use it directly over any net.Conn.

Server — ListenAndServeTLS

Minimal HTTPS

// handler is any func(http.ResponseWriter, *http.Request); ListenAndServeTLS only returns on error, so wrap it in log.Fatal
http.HandleFunc("/", handler)
log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", nil))

Explicit TLS config — set MinVersion

Go's default TLS config is already strong, but setting MinVersion to tls.VersionTLS12 explicitly is a good defensive default, since it stops the server from negotiating older protocol versions regardless of what the compiled-in defaults allow.

srv := &http.Server{
    Addr: ":443",
    TLSConfig: &tls.Config{
        MinVersion: tls.VersionTLS12, // refuse TLS 1.0 and 1.1 handshakes
    },
}
log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem")) // only returns on error

Client — use a pool of CAs

Talking to a server with a custom CA

caCert, err := os.ReadFile("ca.pem")
if err != nil { log.Fatal(err) }
pool := x509.NewCertPool()
// AppendCertsFromPEM reports false if no certificate was parsed; an empty pool would reject every server
if !pool.AppendCertsFromPEM(caCert) { log.Fatal("no certificates found in ca.pem") }

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{RootCAs: pool},
    },
}

Load a cert and key

cert, err := tls.LoadX509KeyPair("cert.pem", "key.pem")
if err != nil { log.Fatal(err) }
cfg := &tls.Config{Certificates: []tls.Certificate{cert}}

Low-level — TLS over any net.Conn

Dial a raw TLS endpoint

// tls.Dial performs the handshake, including certificate verification against the system roots;
// ServerName selects the SNI value and the name the certificate is checked against
conn, err := tls.Dial("tcp", "example.com:443", &tls.Config{ServerName: "example.com"})
if err != nil { log.Fatal(err) }
defer conn.Close()
if _, err := conn.Write([]byte("GET / HTTP/1.0\r\n\r\n")); err != nil { log.Fatal(err) }
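The three pieces above (a server with MinVersion set, a client with its own RootCAs pool, and tls.Dial over a plain TCP connection) can be exercised together in one process. The following is an added example, not code from the page or from the Go project: the names selfSignedCert, handshake, Demo and Outcome are assumptions, and the certificate is constructed in memory so the program runs offline, standing in for the cert.pem/key.pem and ca.pem files the page's snippets load. It runs the same MinVersion-1.2 server against three clients: one that trusts the server certificate (handshake succeeds, TLS 1.3 is negotiated), one with an empty RootCAs pool (verification fails), and one that only offers TLS 1.0/1.1 (rejected by the version floor).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert makes a throwaway certificate for "localhost", constructed in-process so the
// example runs offline; a real server loads cert.pem/key.pem with tls.LoadX509KeyPair instead.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake serves one connection with srvCfg on a loopback listener, dials it with cliCfg,
// and returns the negotiated TLS version or the client-side handshake error.
func handshake(srvCfg, cliCfg *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		// Accept returns before the handshake; drive it so the client gets a reply or an alert.
		_ = c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// Outcome records three handshakes against the same MinVersion-1.2 server.
type Outcome struct {
	TrustedVersion uint16 // version negotiated by a client whose RootCAs contain the server cert
	UntrustedErr   error  // error seen by a client with an empty RootCAs pool
	OldClientErr   error  // error seen by a client that only offers TLS 1.0/1.1
}

// Demo builds the server config from the page (MinVersion plus Certificates) and runs the clients.
func Demo() (Outcome, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
	pool := x509.NewCertPool() // in-memory stand-in for pool.AppendCertsFromPEM(caCert)
	pool.AddCert(leaf)
	var out Outcome
	out.TrustedVersion, err = handshake(srvCfg, &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return Outcome{}, fmt.Errorf("trusted client: %w", err)
	}
	_, out.UntrustedErr = handshake(srvCfg, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost"})
	_, out.OldClientErr = handshake(srvCfg, &tls.Config{RootCAs: pool, ServerName: "localhost",
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11})
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted client: TLS 0x%04x\n", out.TrustedVersion)
	fmt.Printf("empty pool: %v\nold client: %v\n", out.UntrustedErr, out.OldClientErr)
}
```

The second and third clients fail for different reasons, and the error text shows which layer refused: an empty pool produces an x509 "unknown authority" verification error on the client, while the TLS 1.1-only client gets a protocol-version alert from the server because of MinVersion. That distinction is worth keeping in mind when reading TLS failures in logs.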