h2, tls

Published 2024-10-12 19:15:53

Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), is a security protocol whose purpose is to provide security and data-integrity guarantees for communication.

Basic process:

  1. The client obtains the certificate's public key.
  2. The two sides negotiate a "session key".
  3. Both sides encrypt data with the "session key".

The handshake includes negotiating the encryption and compression algorithms, and generating the session key.

# Generate a self-signed certificate.

$ openssl genrsa -out key.pem 2048
$ openssl req -new -x509 -key key.pem -out cert.pem -days 1095

package main

import (
	"fmt"
	"log"
	"net/http"
)

func hello(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintln(w, "hello, world!")
}

func main() {
	http.HandleFunc("/", hello)
	log.Fatalln(http.ListenAndServeTLS(":https", "cert.pem", "key.pem", nil))
}

Once the server is started with TLS, the HTTP/2 (h2) protocol is supported by default.

$ curl -v --insecure https://localhost

*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN),  TLS header, Certificate Status (22):
* TLSv1.3 (IN),  TLS handshake, Server hello (2):
* TLSv1.2 (IN),  TLS header, Finished (20):
* TLSv1.2 (IN),  TLS header, Supplemental data (23):
* TLSv1.3 (IN),  TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN),  TLS header, Supplemental data (23):
* TLSv1.3 (IN),  TLS handshake, Certificate (11):
* TLSv1.2 (IN),  TLS header, Supplemental data (23):
* TLSv1.3 (IN),  TLS handshake, CERT verify (15):
* TLSv1.2 (IN),  TLS header, Supplemental data (23):
* TLSv1.3 (IN),  TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul 17 05:24:50 2022 GMT
*  expire date: Jul 16 05:24:50 2025 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self-signed certificate (18).
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5640fd953e80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):

> GET / HTTP/2
> Host: localhost
> user-agent: curl/7.81.0
> accept: */*
> 

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):

< HTTP/2 200 
< content-type: text/plain; charset=utf-8
< content-length: 14
< date: Sun, 17 Jul 2022 05:29:26 GMT
< 
hello, world!

* Connection #0 to host localhost left intact

To connect from a client, certificate verification has to be switched off (the certificate is self-signed).

package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
)

func main() {
	trans := http.DefaultTransport.(*http.Transport).Clone()
	// InsecureSkipVerify disables both chain and hostname verification,
	// so this client accepts whatever certificate the server presents.
	trans.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true }

	client := &http.Client{ Transport: trans }

	res, err := client.Get("https://localhost")
	if err != nil { log.Fatalln(err) }
	defer res.Body.Close()

	d, _ := httputil.DumpResponse(res, true)
	fmt.Println(string(d))
}

/*

HTTP/2.0 200 OK
Content-Length: 14
Content-Type: text/plain; charset=utf-8
Date: Sun, 17 Jul 2022 05:26:10 GMT

hello, world!

*/
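The client above switches verification off entirely with InsecureSkipVerify, so it would equally accept a certificate from an impersonating host. The following added example (not from the original page) instead trusts the self-signed certificate explicitly through RootCAs, so chain and hostname checks stay active, and it shows the default trust store rejecting the same certificate. It assumes the certificate carries a subjectAltName, which Go requires and which the openssl req command above does not add on its own (openssl's -addext option can), so the demo builds a suitable certificate in memory; trustedTransport, selfSignedCert and probe are the example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// trustedTransport trusts only the given PEM certificate(s) via RootCAs; chain and hostname checks stay on.
func trustedTransport(certPEM []byte) (*http.Transport, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(certPEM) { return nil, errors.New("no certificate in PEM data") }
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return t, nil
}

// selfSignedCert builds an in-memory self-signed certificate for 127.0.0.1 (a SAN; Go ignores the CN) plus its PEM.
func selfSignedCert() (tls.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, certPEM, nil
}

// probe serves cert over TLS on a loopback port; nil means a GET through rt passed verification, else the error.
func probe(cert tls.Certificate, rt http.RoundTripper) error {
	hello := func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("hello, world!\n")) }
	srv := httptest.NewUnstartedServer(http.HandlerFunc(hello))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	res, err := (&http.Client{Transport: rt}).Get(srv.URL)
	if err != nil { return err }
	return res.Body.Close()
}
```

With a real cert.pem that carries a SAN, pass the bytes from os.ReadFile("cert.pem") to trustedTransport and point the client at https://localhost as the page does.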

h2c

autocert
