dongsheng66783619 2019-04-11 11:53
浏览 336
已采纳

完成TLS握手之前的OCSP吊销检查

I am required to, using Go, as a client do OCSP revocation checking of server certificate before completing a TLS handshake, i.e [initiate handshake -> get server cert -> check revocation status -> if revoked abort], and not [initiate handshake -> complete handshake -> check revocation status]

Using Go's standard TLS library this does not seem possible, as tls.Dial does not seem to do any OCSP checking. Another possible workaround would be to fetch the server certificate without performing a handshake, then check revocation status, and if status is OK, redo the handshake using tls.Dial, but I couldn't find a way to do it in Go.

Any suggestions on how to solve this particular problem?

  • 写回答

1条回答 默认 最新

  • doubu1853 2019-04-11 17:10
    关注

    You can set VerifyPeerCertificate in the tls.Config object, and have the pointed-to function return a non-nil error if revocation checking fails and you wish to abort the handshake.

    From the docs:

    // VerifyPeerCertificate, if not nil, is called after normal
// certificate verification by either a TLS client or server. It
// receives the raw ASN.1 certificates provided by the peer and also
// any verified chains that normal processing found. If it returns a
// non-nil error, the handshake is aborted and that error results.
//
// If normal verification fails then the handshake will abort before
// considering this callback. If normal verification is disabled by
// setting InsecureSkipVerify, or (for a server) when ClientAuth is
// RequestClientCert or RequireAnyClientCert, then this callback will
// be considered but the verifiedChains argument will always be nil.
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // Go 1.8
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 对于相关问题的求解与代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
  • ¥15 保护模式-系统加载-段寄存器
  • ¥15 电脑桌面设定一个区域禁止鼠标操作
  • ¥15 求NPF226060磁芯的详细资料
  • ¥15 使用R语言marginaleffects包进行边际效应图绘制