已发表的技术专栏（订阅即可观看所有专栏）
0 grpc-go、protobuf、multus-cni 技术专栏 总入口

1 grpc-go 源码剖析与实战 文章目录

2 Protobuf介绍与实战 图文专栏 文章目录

3 multus-cni 文章目录(k8s多网络实现方案)

4 grpc、oauth2、openssl、双向认证、单向认证等专栏文章目录

• 客户端要验证服务器端的证书，同样，服务器端也要验证客户端的证书
• 客户端一侧
  • 需要加载根证书，或者给服务器端颁发证书的父证书，用来证明服务器端证书的有效性
  • 客户端也需要加载自己的证书，以及证书密钥，将证书，证书密钥发送给服务器端，以供验证
• 服务器端一侧：
  • 需要加载根证书，或者给客户端颁发证书的父证书，用来验证客户端证书的有效性
  • 服务器端一侧，需要加载自己的证书，证书密钥；将证书，证书密钥发送给客户端以供校验

一次性方式生成根证书

openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/ST=beijing/L=beijing/O=baidu/OU=bigdata/CN=www.golang.com/emailAddress=000000@qq.com"

openssl req -newkey rsa:2048 -nodes -keyout server.key \
    -subj "/C=CN/ST=beijing/L=beijing/O=baidu/OU=bigdata/CN=www.golang-server.com/emailAddress=123456789@qq.com" \
    -reqexts SAN \
    -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.org.golang-server.com,DNS:www.golang-server.cn")) \
    -out server.csr

查看证书签名里，是否有SAN请求信息

openssl req -noout -text -in server.csr

openssl x509 -req -days 365 \
  -in server.csr -out server.crt \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extensions SAN \
  -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:*.org.golang-server.com,DNS:www.golang-server.cn"))

openssl x509 -in server.crt -noout -text 

openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=CN/ST=beijing/L=beijing/O=baidu/OU=bigdata/CN=www.golang-client.com/emailAddress=987654321@qq.com"

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

openssl x509 -noout -text -in client.crt

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net/http"
)

type MyMux struct {
}

func (p *MyMux) ServeHTTP(res http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(res, "this is http server!")
}

func main() {
	pool := x509.NewCertPool()
	caCertPath := "8-WithTransportCredentials/https/two-way-authentication/tls/ca.crt"

	caCrt, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return
	}
	pool.AppendCertsFromPEM(caCrt)

	s := &http.Server{
		Addr:    ":8080",
		Handler: &MyMux{},
		TLSConfig: &tls.Config{
			ClientCAs:  pool,
			ClientAuth: tls.RequireAndVerifyClientCert,
		},
	}

	err = s.ListenAndServeTLS("8-WithTransportCredentials/https/two-way-authentication/tls/server.crt", "8-WithTransportCredentials/https/two-way-authentication/tls/server.key")
	if err != nil {
		fmt.Println("ListenAndServeTLS err:", err)
	}
}

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net/http"
	"testing"
)

var client *http.Client

func init() {
	pool := x509.NewCertPool()
	caCertPath := "*****改成自己的地址******ca.crt"
	caCrt, err := ioutil.ReadFile(caCertPath)
	if err != nil {
		fmt.Println("ReadFile err:", err)
		return
	}
	pool.AppendCertsFromPEM(caCrt)

	clientCrt, err := tls.LoadX509KeyPair("*****改成自己的地址******client.crt", "*****改成自己的地址******client.key")
	if err != nil {
		fmt.Println("Loadx509keypair err:", err)
		return
	}

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:      pool,
			Certificates: []tls.Certificate{clientCrt},
		},
	}

	client = &http.Client{Transport: tr}
}

// 测试单向认证
func TestOneWayAuthentication(t *testing.T) {
	type test struct { // 定义test结构体
		url string
	}
	tests := map[string]test{ // 测试组
		"test1": {url: "https://www.golang-server.cn:8080/svc/hello-openssl"},
		"test2": {url: "https://www.golang-server.com:8080/svc/hello-openssl"},
		"test3": {url: "https://abc.org.golang-server.com:8080/svc/hello-openssl"},
		"test4": {url: "https://www.golang-server.cn:8080/svc/hello-openssl"},
	}

	for name, tc := range tests {
		t.Run(name, func(t *testing.T) { // 使用t.Run()执行子测试
			resp, err := client.Get(tc.url)
			if err != nil {
				fmt.Println("Get error:", err)
				return
			}
			defer resp.Body.Close()

			body, err := ioutil.ReadAll(resp.Body)
			fmt.Println(string(body))
		})
	}
}

在/etc/hosts里设置域名，进行测试

最后，点击 左下角红色的Add

下一篇文章

oauth2认证方式介绍