前面的实现完全是在网络上裸奔的,通过抓包工具很容易看到传输的内容是什么,接下来我们利用现成的TLS来实现一个更为安全的服务.
生成服务器端的私钥
openssl genrsa -out server.key 2048
生成服务器端证书
openssl req -new -x509 -key server.key -out server.pem -days 3650
服务端代码如下
package main /* * tls服务端 */ import ( "bufio" "crypto/tls" "encoding/json" "fmt" "math/rand" "net" "strings" "sync" "time" ) //保存连接 var connList sync.Map //消息结构{"from":"aaa","to":"bbb","body":"aaa","cmd":"sendMsg"} type UserMsg struct { From string `json:"from"` To string `json:"to"` Body string `json:"body"` Cmd string `json:"cmd"` } //随机字符串 func randName() string { var letterRunes = []rune("123456789") rand.Seed(time.Now().UnixNano()) b := make([]rune, 6) for i := range b { b[i] = letterRunes[rand.Intn(len(letterRunes))] } return string(b) } func DealConn(conn net.Conn) { // 处理完关闭连接 defer conn.Close() fmt.Println("new conn\n") conn.Write([]byte("hello\n")) //安全认证+读取超时 conn.SetReadDeadline(time.Now().Add(20 * time.Second)) reader := bufio.NewReader(conn) str, err := reader.ReadString('\n') if err == nil { str = strings.TrimSpace(str) var strStruct UserMsg err := json.Unmarshal([]byte(str), &strStruct) if err != nil { fmt.Printf("msg json error, err:%v\n", err) return } else { if strStruct.Cmd == "auth" { if strStruct.Body != "123456" { fmt.Println("not auth") return } } else { fmt.Println("not auth") return } } } else { return } name := randName() connList.Store(name, conn) conn.Write([]byte("you is : " + name + "\r\n")) // 针对当前连接做发送和接受操作 for { conn.SetReadDeadline(time.Now().Add(3600 * time.Second)) reader := bufio.NewReader(conn) // 读取字符串, 直到碰到回车返回 str, err := reader.ReadString('\n') // 数据读取正确 if err == nil { // 去掉字符串尾部的回车 str = strings.TrimSpace(str) var strStruct UserMsg err := json.Unmarshal([]byte(str), &strStruct) if err != nil { fmt.Printf("msg json error, err:%v\n", err) } else { to := strStruct.To cmd := strStruct.Cmd if cmd == "sendMsg" { toUser, ok := connList.Load(to) if !ok { fmt.Println("to user is not\n") } else { toUserConn, ok := toUser.(net.Conn) if !ok { fmt.Println("to user type wrong\n") } else { toUserConn.Write([]byte(strStruct.From + " say : " + strStruct.Body + "\r\n")) } } } else { fmt.Println("unkonw msg") } } } else { //删除保存的连接 connList.Delete(name) fmt.Println("conn close\n") break } } } func main() { cert, err := tls.LoadX509KeyPair("server.pem", "server.key") if err != nil { fmt.Println(err) return } config := &tls.Config{Certificates: []tls.Certificate{cert}} // 建立tcp 服务 listen, err := tls.Listen("tcp", "0.0.0.0:1215", config) if err != nil { fmt.Printf("listen failed, err:%v\n", err) return } for { // 等待客户端建立连接 fmt.Printf("accept conn ...... \n") conn, err := listen.Accept() if err != nil { fmt.Printf("accept failed, err:%v\n", err) continue } // 启动一个单独的 goroutine 去处理连接 go DealConn(conn) } }
生成客户端的私钥
openssl genrsa -out client.key 2048
生成客户端的证书
openssl req -new -x509 -key client.key -out client.pem -days 3650
客户端的代码如下:
package main import ( "crypto/tls" "log" "time" ) func main() { conf := &tls.Config{ InsecureSkipVerify: true, } conn, err := tls.Dial("tcp", "127.0.0.1:1215", conf) if err != nil { log.Println(err) return } defer conn.Close() conn.Write([]byte("{\"from\":\"aaa\",\"to\":\"678292\",\"body\":\"123456\",\"cmd\":\"auth\"}\n")) conn.Write([]byte("{\"from\":\"aaa\",\"to\":\"678292\",\"body\":\"123456\",\"cmd\":\"sendMsg\"}\n")) buf := make([]byte, 100) n, err := conn.Read(buf) if err != nil { log.Println(n, err) return } println(string(buf[:n])) time.Sleep(time.Second * 10) }
通过使用tls我们就快速实现了一个更为安全的socket服务.
除去这种方式是不是还有其他方式呢?