Mutual Authentication TLS encryption TCP proxy with golang
I created this because of sometimes, it is not possible for us to establish secure connection and authentication between client and server for some reason (e.g no budget for VPNs). Forcing both parties to connect those services over TCP network, that is plaintext by design
If somehow we manage to create secure proxy link, that stands between those client and server, then I think it's sufficient enough.
Navigate to provided CSR files provided.
cd certs
Generate the CA certificate and private key.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Generate a server cert using the CSR provided. You can change hostname as you want the client connect to (in this case, localhost)
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=localhost,127.0.0.1 \
-profile=mtlstcp server-csr.json | cfssljson -bare server
Generate a client cert using the CSR provided.
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=mtlstcp \
client-csr.json | cfssljson -bare client
This is for testing purpose on localhost
Encryptor
CERT_PATH=./certs/client.pem KEY_PATH=./certs/client-key.pem ROOT_CERT_PATH=./certs/ca.pem BIND_PORT=10000 REMOTE_ADDR_PAIR=localhost:10001 ./main encryptor
Decryptor
CERT_PATH=./certs/server.pem KEY_PATH=./certs/server-key.pem ROOT_CERT_PATH=./certs/ca.pem BIND_PORT=10001 REMOTE_ADDR_PAIR=localhost:10002 ./main decryptor
TCP Server (netcat)
nc -nlvp 10002
Client (netcat)
nc -vvv localhost 10000
Client ---> encryptor (port 10000) -> decryptor (port 10001) -> Server (port 10002)
Like this diagram, represent the real-world use case for this program
This is the picture, testing successful with netcat, representing client and server
When you try to connect directly to the server (decryptor). It is not valid TLS handshake
