refactor(internal/examples/http2): remove self-signed cert generation

Simplify the TLS example by requiring -cert and -key flags instead of
auto-generating a self-signed certificate. This reduces complexity and
keeps the example focused on HTTP/2 WebSocket usage.

Author: mafredri

internal/examples/http2/README.md

@@ -6,7 +6,7 @@ This example shows a minimal WebSocket echo over HTTP/2 using extended CONNECT
 It supports:
 
 - h2c (cleartext HTTP/2) via `ws://`
-- TLS + HTTP/2 via `wss://` (self-signed by default, or bring your own cert/key)
+- TLS + HTTP/2 via `wss://` (requires cert and key)
 
 ## Run
 
@@ -16,47 +16,34 @@ Cleartext HTTP/2:
 # Server.
 $ cd internal/examples/http2
 $ GODEBUG=http2xconnect=1 go run . server -addr :8080
-listening on ws://127.0.0.1:8080 (h2c)
+listening on ws://0.0.0.0:8080 (h2c)
 
 # Client.
 $ go run . client ws://127.0.0.1:8080
 Hello over HTTP/2 WebSocket!
 ```
 
-TLS (wss) with self-signed cert:
-
-```console
-# Server.
-$ cd internal/examples/http2
-$ GODEBUG=http2xconnect=1 go run . server -tls -addr :8443
-listening on wss://127.0.0.1:8443 (self-signed)
-
-# Client.
-$ go run . client -insecure wss://localhost:8443
-Hello over HTTP/2 WebSocket!
-```
-
-TLS (wss) with your own cert/key:
+TLS (wss):
 
 ```console
 # Server.
 $ cd internal/examples/http2
 $ GODEBUG=http2xconnect=1 go run . server -tls -cert cert.pem -key key.pem -addr :8443
-listening on wss://127.0.0.1:8443 (cert/key)
+listening on wss://0.0.0.0:8443
 
 # Client.
-$ go run . client wss://your.host:8443
+$ go run . client wss://localhost:8443
+Hello over HTTP/2 WebSocket!
 ```
 
 ## Structure
 
 The server is in `server.go` and is implemented as an `http.Handler` that
 accepts a WebSocket over HTTP/2 (extended CONNECT) and echoes messages. It
-supports cleartext HTTP/2 (h2c) and TLS; for TLS it can generate a self‑signed
-certificate or use a provided cert/key.
+supports cleartext HTTP/2 (h2c) and TLS.
 
 The client is in `client.go`. It dials the server over HTTP/2 (both `ws://` h2c
 and `wss://` TLS), sends a single text message, and prints the echoed response.
 
 `main.go` wires a small CLI with `server` and `client` subcommands so you can
-run and try the example quickly.
+run and try the example quickly.

internal/examples/http2/server.go

@@ -1,21 +1,13 @@
 package main
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
-	"math/big"
 	"net/http"
 	"os"
 	"strings"
-	"time"
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -25,8 +17,7 @@ import (
 
 // serverMain starts a minimal HTTP/2 WebSocket echo server.
 // - By default it serves h2c (cleartext HTTP/2): ws://
-// - With -tls it serves TLS+HTTP/2: wss://
-//   - If -cert and -key are not provided, a self-signed certificate is generated.
+// - With -tls it serves TLS+HTTP/2: wss:// (requires -cert and -key)
 func serverMain(prog string, args []string) error {
 	fs := flag.NewFlagSet("server", flag.ExitOnError)
 	addr := fs.String("addr", ":8080", "address to listen on (host:port)")
@@ -43,8 +34,7 @@ Options:
 		fmt.Fprintf(fs.Output(), `
 Examples:
   GODEBUG=http2xconnect=1 %[1]s server -addr :8080
-  GODEBUG=http2xconnect=1 %[1]s server -tls -addr :8443
-  GODEBUG=http2xconnect=1 %[1]s server -tls -cert cert.pem -key key.pem
+  GODEBUG=http2xconnect=1 %[1]s server -tls -cert cert.pem -key key.pem -addr :8443
 `, prog)
 	}
 	if err := fs.Parse(args); err != nil {
@@ -97,24 +87,16 @@ Examples:
 	}
 
 	if *useTLS {
+		if *certFile == "" || *keyFile == "" {
+			return errors.New("-cert and -key are required when using -tls")
+		}
+
 		// Enable HTTP/2 over TLS.
 		if err := http2.ConfigureServer(srv, &http2.Server{}); err != nil {
 			return err
 		}
 
-		selfSigned := ""
-		if *certFile == "" && *keyFile == "" {
-			// No certificate provided, generate an
-			// ephemeral self-signed certificate.
-			cert, err := selfSignedRSA2048()
-			if err != nil {
-				return fmt.Errorf("generate self-signed certificate failed: %w", err)
-			}
-			srv.TLSConfig.Certificates = []tls.Certificate{cert}
-			selfSigned = " (self-signed)"
-		}
-
-		fmt.Printf("listening on wss://%s%s\n", visibleAddr(*addr), selfSigned)
+		fmt.Printf("listening on wss://%s\n", visibleAddr(*addr))
 		return srv.ListenAndServeTLS(*certFile, *keyFile)
 	}
 
@@ -131,42 +113,3 @@ func visibleAddr(addr string) string {
 	}
 	return addr
 }
-
-// selfSignedRSA2048 returns an ephemeral self-signed certificate
-// suitable for TLS servers.
-//
-// DO NOT USE IN PRODUCTION.
-func selfSignedRSA2048() (tls.Certificate, error) {
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("generate private key failed: %w", err)
-	}
-
-	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("generate serial number failed: %w", err)
-	}
-
-	tpl := x509.Certificate{
-		SerialNumber: serial,
-		Subject: pkix.Name{
-			CommonName:   "websocket-example",
-			Organization: []string{"websocket-example"},
-		},
-		DNSNames:              []string{"localhost"},
-		NotBefore:             time.Now().Add(-time.Hour),
-		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	der, err := x509.CreateCertificate(rand.Reader, &tpl, &tpl, &priv.PublicKey, priv)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("create certificate failed: %w", err)
-	}
-
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
-	return tls.X509KeyPair(certPEM, keyPEM)
-}