Skip to content

tls

Hardened, framework-free TLS plumbing for Go — one curated, secure crypto/tls.Config, a typed certificate Pair, ServerConfig/ClientConfig builders, and a CertPool helper for trusting private CAs.

go get gitlab.com/phpboyscout/go/tls

gitlab.com/phpboyscout/go/tls gives every Go server and client the same opinionated, secure TLS posture without a framework in tow: a TLS 1.2 floor, AEAD-only cipher suites, and modern curve preferences, applied consistently to both sides of a connection. It is the TLS layer extracted from go-tool-base, where it backs the HTTP, gRPC and gateway transports.

Why

  • Secure by default. DefaultConfig fixes a TLS 1.2 minimum, six curated ECDHE-AEAD cipher suites, and X25519/P-256 curve preferences — no knobs to get wrong. See the threat model for the rationale behind every choice.
  • Framework-free. The only external dependency is cockroachdb/errors. No config framework, no TUI, no OpenTelemetry — a depfootprint_test.go guard keeps the dependency graph minimal so it stays cheap to embed anywhere.
  • Typed values in, hardened config out. The package works entirely from typed Pair values — you own how they are sourced (flags, environment, a config file). One shared certificate can serve many listeners via ResolvePair.

Where next


Part of the phpboyscout Go toolkit — small, framework-free Go modules extracted from go-tool-base.