
     1  // Copyright 2014 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls_test
     6  
     7  import (
     8  	"crypto/tls"
     9  	"crypto/x509"
    10  	"log"
    11  	"net/http"
    12  	"net/http/httptest"
    13  	"os"
    14  )
    15  
// zeroSource is an io.Reader that returns an unlimited number of zero bytes.
//
// It exists only so the examples in this file can hand a deterministic
// (and therefore completely insecure) Rand to tls.Config and produce
// reproducible output; it must never be used outside an example.
type zeroSource struct{}

// Read overwrites every byte of b with zero and reports that all of b was
// filled. It never returns an error, so it also never signals EOF.
func (zeroSource) Read(b []byte) (n int, err error) {
	for i := 0; i < len(b); i++ {
		b[i] = 0
	}
	n = len(b)
	return n, nil
}
    26  
// ExampleDial opens a TLS connection while trusting exactly one root
// certificate, the PEM block embedded below, rather than the operating
// system's root store. A server whose chain does not terminate in that root
// fails verification and Dial returns an error.
func ExampleDial() {
	// Connecting with a custom root-certificate set.

	const rootPEM = `
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----`

	// First, create the set of root certificates. For this example we only
	// have one. It's also possible to omit this in order to use the
	// default root set of the current operating system.
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(rootPEM)) {
		panic("failed to parse root certificate")
	}

	// Setting RootCAs replaces the system trust store for this connection:
	// only chains anchored in the pool above are accepted. ServerName is not
	// set explicitly, so the host part of the dial address is used for
	// hostname verification.
	cfg := &tls.Config{RootCAs: roots}
	conn, err := tls.Dial("tcp", "mail.google.com:443", cfg)
	if err != nil {
		panic("failed to connect: " + err.Error())
	}
	conn.Close()
}
    73  
// ExampleConfig_keyLogWriter_TLS12 shows how KeyLogWriter exports the
// per-session secret of a TLS 1.2 handshake so that a packet capture of the
// connection can be decrypted afterwards. The server is pinned to TLS 1.2
// through MaxVersion, and both peers use a zero-filled Rand so the single
// CLIENT_RANDOM line printed below is reproducible.
func ExampleConfig_keyLogWriter_TLS12() {
	// Debugging TLS applications by decrypting a network traffic capture.

	// WARNING: Use of KeyLogWriter compromises security and should only be
	// used for debugging.

	// A handler that does nothing is enough: only the handshake matters here.
	// The server uses an insecure, all-zero random source so the output is
	// reproducible.
	noop := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	server := httptest.NewUnstartedServer(noop)
	server.TLS = &tls.Config{
		Rand:       zeroSource{}, // for example only; don't do this.
		MaxVersion: tls.VersionTLS12,
	}
	server.StartTLS()
	defer server.Close()

	// Typically the log would go to an open file:
	// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	// Anyone able to read that file can decrypt every session logged to it,
	// hence the restrictive mode.
	keyLog := os.Stdout

	clientCfg := &tls.Config{
		KeyLogWriter: keyLog,

		Rand:               zeroSource{}, // for reproducible output; don't do this.
		InsecureSkipVerify: true,         // test server certificate is not trusted.
	}
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: clientCfg},
	}

	resp, err := client.Get(server.URL)
	if err != nil {
		log.Fatalf("Failed to get URL: %v", err)
	}
	resp.Body.Close()

	// The resulting file can be used with Wireshark to decrypt the TLS
	// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
	// preferences.

	// Output:
	// CLIENT_RANDOM 0000000000000000000000000000000000000000000000000000000000000000 baca0df460a688e44ce018b025183cc2353ae01f89755ef766eedd3ecc302888ee3b3a22962e45f48c20df15a98c0e80
}
   117  
// ExampleConfig_keyLogWriter_TLS13 exports the handshake and traffic secrets
// of a TLS 1.3 connection through KeyLogWriter. No MaxVersion is set on the
// server, so the peers negotiate TLS 1.3 (the four labels in the expected
// output are the 1.3 secret names); the zero-filled Rand on both sides keeps
// the printed values reproducible.
func ExampleConfig_keyLogWriter_TLS13() {
	// Debugging TLS applications by decrypting a network traffic capture.

	// WARNING: Use of KeyLogWriter compromises security and should only be
	// used for debugging.

	// Dummy test HTTP server for the example with insecure random so output is
	// reproducible.
	server := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
	server.TLS = &tls.Config{
		Rand: zeroSource{}, // for example only; don't do this.
	}
	server.StartTLS()
	defer server.Close()

	// Typically the log would go to an open file:
	// w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	// Whoever can read that file can decrypt every session logged to it.
	secrets := os.Stdout

	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			KeyLogWriter: secrets,

			Rand:               zeroSource{}, // for reproducible output; don't do this.
			InsecureSkipVerify: true,         // test server certificate is not trusted.
		},
	}
	client := &http.Client{Transport: transport}

	resp, err := client.Get(server.URL)
	if err != nil {
		log.Fatalf("Failed to get URL: %v", err)
	}
	resp.Body.Close()

	// The resulting file can be used with Wireshark to decrypt the TLS
	// connection by setting (Pre)-Master-Secret log filename in SSL Protocol
	// preferences.

	// Output:
	// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b946c84f46f53bd410368a1fd7d53873e74bedd53b4b1a4b125be40c8b0510a1
	// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b6c44e95e34cb2616ff2e9a1163577aa1aa5cb3af8df16d0fdbbbaf15f415c8e
	// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 cbecc42509a124ae517f6c9aaae1961d755ab4268548b40b0c7840a9643240e8
	// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 8f6dd1476706ea8147d829347937694496a7d62d6d01de0a1b4820140d01cad0
}
   162  }