finds.dev

// the find

haoel/mTLS

★ 247 · Go · MIT · updated Jun 2022

golang mTLS example

A minimal Go example showing how to set up mutual TLS between a client and server using only the standard library. It covers both code-based cert generation (via x509) and OpenSSL shell scripts, then wires up a simple HTTP server that requires and verifies client certs. Good for developers who want to see the actual tls.Config knobs without wading through a framework.

The cert generation code in certs.go is a rare find — most mTLS examples just hand you OpenSSL commands and leave you guessing how the Go types map to the concepts. The server correctly sets ClientAuth: tls.RequireAndVerifyClientCert and enforces TLS 1.2 minimum, which are the two settings people most often forget or get wrong. Having two named clients (a and b) makes it easy to see that the CA trust model works across different leaf certs. The README addresses the Go 1.15 SAN breakage explicitly, which was a genuine gotcha that burned a lot of people.

The private keys for all certs are checked into the repo (certs/ directory), which is fine for a demo but trains people to do the wrong thing. Last commit was 2022 and the code uses ioutil.ReadFile throughout — that package was deprecated in Go 1.16 and removed in 1.21; if someone is on a recent toolchain this will produce deprecation warnings or fail. There's no example of certificate rotation or how to handle expired client certs gracefully, which is the part that actually breaks in production. The Kafka JKS files in certs/ are unexplained — they appear to be from a different tutorial and just add confusion.
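To make the two settings concrete, and to show what happens to an expired client cert, here is an added example that is not code from haoel/mTLS: a minimal tls.Config with ClientAuth and MinVersion set, and the same chain check the handshake runs under RequireAndVerifyClientCert, exercised against one leaf the CA issued and one that has already lapsed. The CA and leaves are generated in memory with ed25519 keys so it runs offline; the names issue, ServerConfig, Demo, "demo CA" and "client-a"/"client-c" are this example's own, and a real server would load its own cert and key from PEM with os.ReadFile or tls.LoadX509KeyPair rather than the deprecated ioutil.ReadFile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent and parentKey; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors only on a broken RNG
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// ServerConfig sets the two knobs the review singles out: demand a client cert and verify it against our CA alone
// (RequestClientCert would let a cert-less client through), and refuse anything below TLS 1.2; Certificates is left to the caller.
func ServerConfig(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool() // our CA alone, never the system roots
	pool.AddCert(ca)
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
}

// Demo builds a throwaway CA and two client leaves, then runs the chain check the handshake performs on each.
func Demo() (cfg *tls.Config, trusted, expired error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	ca, caKey := issue(caTmpl, nil, nil)
	cfg = ServerConfig(ca)
	opts := x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // what RequireAndVerifyClientCert checks
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client-a"}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	a, _ := issue(leaf, ca, caKey)
	leaf.Subject.CommonName, leaf.NotAfter = "client-c", time.Now().Add(-time.Minute) // same CA, but expired a minute ago
	c, _ := issue(leaf, ca, caKey)
	_, trusted = a.Verify(opts) // nil: chains to the CA and is inside its validity window
	_, expired = c.Verify(opts) // x509.CertificateInvalidError with Reason x509.Expired
	return cfg, trusted, expired
}
```

In a live handshake the same verification failure surfaces on the server side as the Handshake error wrapping that x509 error, which is the point at which a server needs its rotation or re-enrolment story.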

