dongsheng66783619 2019-04-11 11:53
Views: 336
Accepted

OCSP revocation checking before completing the TLS handshake

I am required to, using Go, as a client do OCSP revocation checking of the server certificate before completing a TLS handshake, i.e. [initiate handshake -> get server cert -> check revocation status -> if revoked abort], and not [initiate handshake -> complete handshake -> check revocation status].

Using Go's standard TLS library this does not seem possible, as tls.Dial does not seem to do any OCSP checking. Another possible workaround would be to fetch the server certificate without performing a handshake, then check revocation status, and if status is OK, redo the handshake using tls.Dial, but I couldn't find a way to do it in Go.

Any suggestions on how to solve this particular problem?


1 answer

  • doubu1853 2019-04-11 17:10

    You can set VerifyPeerCertificate in the tls.Config object, and have the pointed-to function return a non-nil error if revocation checking fails and you wish to abort the handshake.

    From the docs:

    // VerifyPeerCertificate, if not nil, is called after normal
    // certificate verification by either a TLS client or server. It
    // receives the raw ASN.1 certificates provided by the peer and also
    // any verified chains that normal processing found. If it returns a
    // non-nil error, the handshake is aborted and that error results.
    //
    // If normal verification fails then the handshake will abort before
    // considering this callback. If normal verification is disabled by
    // setting InsecureSkipVerify, or (for a server) when ClientAuth is
    // RequestClientCert or RequireAnyClientCert, then this callback will
    // be considered but the verifiedChains argument will always be nil.
    VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // Go 1.8
    
    This answer was selected by the asker as the best answer.
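Below is an added, runnable illustration of the approach in the answer above; it is not the answerer's code and not part of Go's own library. It builds a throwaway in-memory CA, starts a loopback TLS server, and shows that returning an error from VerifyPeerCertificate makes tls.Dial fail before the handshake completes. The revocation oracle is a constructed stand-in (serial 200 is "revoked") where a real client would build an OCSP request for the leaf and its issuer and post it to leaf.OCSPServer; the names NewClientConfig, HandshakeAgainst, Demo, server.example.test and http://ocsp.example.test are this example's assumptions. Note that the issuer needed for the OCSP request is verifiedChains[0][1], and that the callback fails closed when verifiedChains is nil (the InsecureSkipVerify case the docs describe).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationChecker reports whether leaf (issued by issuer) is revoked. A real one
// builds an OCSP request for the pair (e.g. with golang.org/x/crypto/ocsp) and posts
// it to the URLs in leaf.OCSPServer; Demo below substitutes a fixed serial number.
type RevocationChecker func(leaf, issuer *x509.Certificate) error

// NewClientConfig wires check into VerifyPeerCertificate; a non-nil error aborts the handshake.
func NewClientConfig(roots *x509.CertPool, serverName string, check RevocationChecker) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
			// verifiedChains is nil under InsecureSkipVerify: fail closed rather
			// than skip the check, and require an issuer for the OCSP request.
			if len(verifiedChains) == 0 || len(verifiedChains[0]) < 2 {
				return fmt.Errorf("revocation check: no verified chain with an issuer certificate")
			}
			return check(verifiedChains[0][0], verifiedChains[0][1])
		},
	}
}

// newCert signs tmpl with parent/parentKey (self-signed when parent is nil); constructed test PKI only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with rand.Reader
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // failure of the constructed PKI, not a handshake result
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// HandshakeAgainst runs one handshake against a loopback server presenting serverCert
// and returns the client-side error (nil means the handshake completed).
func HandshakeAgainst(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan struct{})
	go func() {
		defer close(serverDone)
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // fails when the client aborts, which is the behaviour under test
			conn.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		c.Close()
	}
	<-serverDone
	return err
}

// Demo issues a good and a (stand-in) revoked server certificate from one CA and returns each handshake error.
func Demo() (goodErr, revokedErr error) {
	now := time.Now()
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Test CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	issue := func(serial int64) tls.Certificate {
		leaf, key := newCert(&x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject: pkix.Name{CommonName: "server.example.test"}, DNSNames: []string{"server.example.test"},
			OCSPServer: []string{"http://ocsp.example.test"}, // placeholder responder URL
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, caKey)
		return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}
	}
	check := func(leaf, issuer *x509.Certificate) error { // stand-in OCSP responder: serial 200 is revoked
		if leaf.SerialNumber.Int64() == 200 {
			return fmt.Errorf("certificate serial %s revoked by %q", leaf.SerialNumber, issuer.Subject.CommonName)
		}
		return nil
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cfg := NewClientConfig(roots, "server.example.test", check)
	return HandshakeAgainst(issue(100), cfg), HandshakeAgainst(issue(200), cfg)
}
```

Demo returns nil for the good certificate and the checker's "revoked" error for the second one; the server side sees the client's bad_certificate alert and never reaches a completed handshake. Whatever the checker returns decides the policy: if it also returns an error when the responder cannot be reached, the client hard-fails, which is the ordering the question asks for.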
