Exploring HTTP/2
HTTP/2 supports Server Push and full-duplex communication, and remains backward compatible with HTTP/1.1.
Notes:
- Browsers and newer Go versions no longer use the certificate's Common Name field to verify the domain name; they use the Subject Alternative Name (SAN) field instead.
- Postman does not support HTTP/2; Insomnia can be used for testing instead (prerequisite: Preferences - Request/Response - Preferred HTTP Version set to HTTP/2).
Standard library support
Notes:
- H2 requires TLS by default; on the Go side this can be turned off with the h2c (cleartext HTTP/2) extension.
- http.Client does not support Server Push.
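The following is an added example, not code from the original post, that exercises these two notes using only the standard library: an httptest server with HTTP/2 enabled over TLS, a handler that tries to use http.Pusher, and Go's http.Client on the other end. Because the Go client announces SETTINGS_ENABLE_PUSH=0, the server refuses the push with http.ErrNotSupported, which is exactly the "http.Client does not support Push" limitation above. The h2c cleartext path is not shown because it needs the golang.org/x/net/http2/h2c package. The handler, type and function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// ProbeResult is what one round trip over the test server revealed.
type ProbeResult struct {
	ServerProto     string // protocol the server saw on the request, e.g. "HTTP/2.0"
	ClientProto     string // protocol the client saw on the response
	PusherOK        bool   // the ResponseWriter implemented http.Pusher (only on HTTP/2)
	PushUnsupported bool   // Push was refused because the peer disabled SETTINGS_ENABLE_PUSH
	Body            string
}

// pushHandler reports the request protocol and attempts a Server Push of /style.css.
func pushHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Proto", r.Proto)
	pusher, ok := w.(http.Pusher) // HTTP/1.1 ResponseWriters do not implement Pusher
	w.Header().Set("X-Pusher", fmt.Sprint(ok))
	if ok {
		// Push must be called before the response headers are written.
		// Go's http.Client sends SETTINGS_ENABLE_PUSH=0, so the server answers
		// with http.ErrNotSupported instead of emitting a PUSH_PROMISE frame.
		err := pusher.Push("/style.css", nil)
		if errors.Is(err, http.ErrNotSupported) {
			w.Header().Set("X-Push-Unsupported", "true")
		} else if err != nil {
			w.Header().Set("X-Push-Error", err.Error())
		}
	}
	io.WriteString(w, "hello over "+r.Proto)
}

// ProbeHTTP2 starts a TLS test server with HTTP/2 enabled (httptest generates its own
// self-signed certificate, much like generate_cert.go does) and sends one request from
// a client that trusts that certificate and negotiates h2 via ALPN.
func ProbeHTTP2() (ProbeResult, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(pushHandler))
	srv.EnableHTTP2 = true
	srv.StartTLS()
	defer srv.Close()

	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{
		ServerProto:     resp.Header.Get("X-Proto"),
		ClientProto:     resp.Proto,
		PusherOK:        resp.Header.Get("X-Pusher") == "true",
		PushUnsupported: resp.Header.Get("X-Push-Unsupported") == "true",
		Body:            string(body),
	}, nil
}

func main() {
	res, err := ProbeHTTP2()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", res)
}
```

If the same handler is served over plain HTTP/1.1 (httptest.NewServer without TLS), the http.Pusher assertion fails and no push is attempted at all; the SAN note above matters here too, because the client only accepts the test certificate since httptest adds it to the client's root pool.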
Generating certificates
Method 1
It turns out there is a very simple way to generate a certificate for local testing:
# writes cert.pem and key.pem to the current directory
go run $GOROOT/src/crypto/tls/generate_cert.go --host localhost
# or, to mark the generated certificate as a CA (a boolean flag, no value needed)
go run $GOROOT/src/crypto/tls/generate_cert.go --host localhost --ca
The system CA bundle locations are listed in /usr/lib/go-1.18/src/crypto/x509/root_linux.go:
// Possible certificate files; stop after finding one.
var certFiles = []string{
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
}
Methods 2 and 3
Two further ways of generating test certificates:
- Method 2: generate a CA root certificate plus the certificates each service needs, then sign those certificates with the CA root. This lets you manage several certificates at once and is closer to a real deployment; it can also be used for experiments with certificate expiry and renewal. The downside is that it is slightly more work to operate.
- Generate the CA: cacert.pem and cakey.pem
- Create a certificate signing request (.csr)
- Sign the certificate with the CA (.pem)
- Method 3: use the root certificate directly as the site's HTTPS certificate, so only one certificate has to be created. This suits small-scale tests and is quick to do.
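As an added example (not the post's own code), here is method 2 done in Go with crypto/x509 instead of openssl, kept in memory rather than written to cacert.pem, cakey.pem and server.key: a self-signed root CA, a leaf certificate issued by it with subjectAltName entries, and the verification a Go client performs. It also demonstrates the SAN note at the top of the post: a leaf that carries only CN=localhost and no SANs fails hostname verification with x509.HostnameError. The function names, the "Test Root CA" subject and the one-year validity are the example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// NewCA creates the self-signed root of method 2 (cacert.pem / cakey.pem), in memory.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true, // basicConstraints = CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert is the CSR-and-sign step of method 2: the CA issues a leaf for a server.
// dnsNames and ips become the subjectAltName entries; pass none to get a CN-only certificate.
// The leaf's private key is discarded here; a real setup writes it to server.key.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // DNS.n entries of [alt_names]
		IPAddresses:  ips,      // IP.n entries of [alt_names]
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost does what a Go client does on connect: chain the leaf to the CA
// and match host (a DNS name or an IP literal) against the SANs only.
func VerifyForHost(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsHostnameMismatch reports whether verification failed only because no SAN matched.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		log.Fatal(err)
	}
	leaf, err := IssueServerCert(ca, caKey, "xulizhao.com",
		[]string{"xulizhao.com", "localhost"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("SAN cert, localhost:", VerifyForHost(leaf, ca, "localhost"))
	cnOnly, err := IssueServerCert(ca, caKey, "localhost", nil, nil)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("CN-only cert, hostname mismatch:", IsHostnameMismatch(VerifyForHost(cnOnly, ca, "localhost")))
}
```

To run the expiry experiment mentioned above, shorten NotAfter on the leaf: Verify then returns x509.CertificateInvalidError with reason Expired rather than a hostname error.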
For convenient local testing, the commands for method 3 are as follows.
test-server.conf:
[ req ]
default_bits = 2048
distinguished_name = server_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tianjin
localityName = Locality Name (eg, city)
localityName_default = Tianjin
organizationName = Organization Name (eg, company)
organizationName_default = Test
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = xulizhao.com
emailAddress = Email Address
emailAddress_default = admin@xulizhao.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = xulizhao.com
DNS.2 = localhost
# IP addresses belong in IP.n entries, not DNS.n
# IPv4 loopback
IP.1 = 127.0.0.1
# LAN address of the test host (adjust to your network)
IP.2 = 192.168.6.9
# IPv6 loopback
IP.3 = ::1
Then run:
openssl req -config test-server.conf -new -newkey rsa:2048 \
-nodes -sha512 -keyout server.key -x509 -days 365 \
-out server.crt
Viewing the certificate
- Method 1:
openssl x509 -in cert-46.pem -text -noout
- Method 2: inspect it in the browser