dongsheng66783619 2019-04-11 11:53
浏览 339
已采纳

完成TLS握手之前的OCSP吊销检查

I am required to, using Go, as a client do OCSP revocation checking of server certificate before completing a TLS handshake, i.e [initiate handshake -> get server cert -> check revocation status -> if revoked abort], and not [initiate handshake -> complete handshake -> check revocation status]

Using Go's standard TLS library this does not seem possible, as tls.Dial does not seem to do any OCSP checking. Another possible workaround would be to fetch the server certificate without performing a handshake, then check revocation status, and if status is OK, redo the handshake using tls.Dial, but I couldn't find a way to do it in Go.

Any suggestions on how to solve this particular problem?

  • 写回答

1条回答 默认 最新

  • doubu1853 2019-04-11 17:10
    关注

    You can set VerifyPeerCertificate in the tls.Config object, and have the pointed-to function return a non-nil error if revocation checking fails and you wish to abort the handshake.

    From the docs:

    // VerifyPeerCertificate, if not nil, is called after normal
    // certificate verification by either a TLS client or server. It
    // receives the raw ASN.1 certificates provided by the peer and also
    // any verified chains that normal processing found. If it returns a
    // non-nil error, the handshake is aborted and that error results.
    //
    // If normal verification fails then the handshake will abort before
    // considering this callback. If normal verification is disabled by
    // setting InsecureSkipVerify, or (for a server) when ClientAuth is
    // RequestClientCert or RequireAnyClientCert, then this callback will
    // be considered but the verifiedChains argument will always be nil.
    VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // Go 1.8
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?