tls¶
Hardened, framework-free TLS plumbing for Go — one curated, secure
crypto/tls.Config, a typed certificate Pair, ServerConfig/ClientConfig
builders, and a CertPool helper for trusting private CAs.
gitlab.com/phpboyscout/go/tls gives every Go server and client the same
opinionated, secure TLS posture without a framework in tow: a TLS 1.2 floor,
AEAD-only cipher suites, and modern curve preferences, applied consistently to both
sides of a connection. It is the TLS layer extracted from
go-tool-base, where it backs the
HTTP, gRPC and gateway transports.
Why¶
- Secure by default.
DefaultConfigfixes a TLS 1.2 minimum, six curated ECDHE-AEAD cipher suites, and X25519/P-256 curve preferences — no knobs to get wrong. See the threat model for the rationale behind every choice. - Framework-free. The only external dependency is
cockroachdb/errors. No config framework, no TUI, no OpenTelemetry — adepfootprint_test.goguard keeps the dependency graph minimal so it stays cheap to embed anywhere. - Typed values in, hardened config out. The package works entirely from typed
Pairvalues — you own how they are sourced (flags, environment, a config file). One shared certificate can serve many listeners viaResolvePair.
Where next¶
- Getting started — serve HTTPS with the hardened defaults in a dozen lines.
- Harden a server & client — ALPN, private-CA trust, and shared/per-transport resolution.
- Security threat model — why the TLS floor, cipher suites, and curves are what they are.
- API reference — full godoc on pkg.go.dev.
Part of the phpboyscout Go toolkit — small, framework-free Go modules extracted from go-tool-base.