I'm using the ClientCAs
and ClientAuth
options in tls.Config
to do cert-based client authentication in my Go HTTP application. Is it possible to also verify the client certs against a provided CRL? I see in the x509
package there are some functions around CRLs, but I'm not sure how to configure the HTTP server to use them (ie. there doesn't seem to be any options in tls.Config
that would cause a CRL to also be used).
如何在Golang中针对CRL验证客户端证书?
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
- 邀请回答
-
1条回答 默认 最新
- donglin9717 2016-05-06 12:36关注
Is it possible to also verify the client certs against a provided CRL?
Yes, it is possible, by means of the functionality provided in the
crypto/x509
package (as you correctly stated in your question). However, higher-level interfaces such ascrypto/tls.Config
(consumed bynet/http
) do not offer that. A good chance to implement a check against a CRL probably is by inspectingnet/http.Request.TLS.PeerCertificates
.A little bit of background:
crypto/tls
is maintained by security expert Adam Langley who has an opinion on revocation checking (original source is his blog). Though I have no evidence, one might assume that this was a deliberate design decision.本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏 举报
悬赏问题
- ¥15 MATLAB代码补全插值
- ¥15 Typegoose 中如何使用 arrayFilters 筛选并更新深度嵌套的子文档数组信息
- ¥15 前后端分离的学习疑问?
- ¥15 stata实证代码答疑
- ¥50 husky+jaco2实现在gazebo与rviz中联合仿真
- ¥15 dpabi预处理报错:Error using y_ExtractROISignal (line 251)
- ¥15 在虚拟机中配置flume,无法将slave1节点的文件采集到master节点中
- ¥15 husky+kinova jaco2 仿真
- ¥15 zigbee终端设备入网失败
- ¥15 金融监管系统怎么对7+4机构进行监管的