OCSP revocation check before the TLS handshake completes

Time: 2019-04-11 11:53:22

Tags: ssl go ocsp

I need to perform an OCSP revocation check on the server certificate, as a client written in Go, before the TLS handshake completes, i.e. [start handshake -> obtain server certificate -> check revocation status -> abort if revoked], rather than [start handshake -> complete handshake -> check revocation status].

This doesn't seem possible with Go's standard TLS library, since tls.Dial doesn't appear to do any OCSP checking. Another possible workaround would be to obtain the server certificate without performing the handshake, check its revocation status, and if the status is good redo the handshake with tls.Dial, but I couldn't find a way to do that in Go.

Any suggestions on how to solve this particular problem?

1 answer:

Answer 0 (score: 1)

You can set VerifyPeerCertificate in the tls.Config object and point it at a function that returns a non-nil error if the revocation check fails and you want to abort the handshake.

From the docs:

// VerifyPeerCertificate, if not nil, is called after normal
// certificate verification by either a TLS client or server. It
// receives the raw ASN.1 certificates provided by the peer and also
// any verified chains that normal processing found. If it returns a
// non-nil error, the handshake is aborted and that error results.
//
// If normal verification fails then the handshake will abort before
// considering this callback. If normal verification is disabled by
// setting InsecureSkipVerify, or (for a server) when ClientAuth is
// RequestClientCert or RequireAnyClientCert, then this callback will
// be considered but the verifiedChains argument will always be nil.
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // Go 1.8
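The following is an added example (not part of the original question or answer) showing the VerifyPeerCertificate approach end to end: the callback walks the first verified chain, asks a pluggable revocation checker about each (certificate, issuer) pair, and returns an error so that the client aborts the handshake before any application data is sent. The names RevocationChecker, NewVerifyPeerCertificate, SerialRevocationList, newTestPKI, Handshake and LeafSerial are assumptions of this example. SerialRevocationList stands in for an OCSP responder so the program runs offline; a real checker would build an OCSP request for the pair, send it to the URL in cert.OCSPServer and validate the signed response. The CA and server certificate are generated in memory as constructed test material, and the handshake runs against an in-process server on the loopback interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RevocationChecker reports whether cert, issued by issuer, is revoked (hypothetical
// type). A real implementation would query the OCSP responder named in
// cert.OCSPServer; it is injected here so the example runs offline.
type RevocationChecker func(cert, issuer *x509.Certificate) error

// ErrRevoked is what a checker returns for a revoked certificate.
var ErrRevoked = errors.New("certificate revoked")

// LeafSerial is the serial number given to the constructed server certificate.
const LeafSerial = 2

// NewVerifyPeerCertificate returns a callback for tls.Config.VerifyPeerCertificate
// that runs check over every (cert, issuer) pair of the first verified chain.
// Any non-nil error aborts the handshake before application data is exchanged.
func NewVerifyPeerCertificate(check RevocationChecker) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 {
			// verifiedChains is nil when InsecureSkipVerify is set: fail closed.
			return errors.New("no verified chain available for revocation check")
		}
		chain := verifiedChains[0]
		// The last element is the trust anchor, which has no issuer to query.
		for i := 0; i+1 < len(chain); i++ {
			if err := check(chain[i], chain[i+1]); err != nil {
				return fmt.Errorf("revocation check for %q: %w", chain[i].Subject.CommonName, err)
			}
		}
		return nil
	}
}

// SerialRevocationList is a constructed stand-in for an OCSP responder that
// treats the listed serial numbers as revoked.
func SerialRevocationList(revoked ...*big.Int) RevocationChecker {
	return func(cert, issuer *x509.Certificate) error {
		for _, s := range revoked {
			if cert.SerialNumber.Cmp(s) == 0 {
				return ErrRevoked
			}
		}
		return nil
	}
}

// newTestPKI builds an in-memory CA and a server certificate signed by it.
// Constructed test material: setup errors panic rather than being returned.
func newTestPKI() (*x509.CertPool, tls.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, _ = x509.ParseCertificate(caDER) // re-parse so the CA carries its real DER and key
	leaf := &x509.Certificate{SerialNumber: big.NewInt(LeafSerial), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// Handshake runs one TLS handshake against an in-process loopback server with
// check installed on the client and returns the client's handshake error.
func Handshake(check RevocationChecker) error {
	pool, serverCert := newTestPKI()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		_ = srv.Handshake() // fails when the client aborts; that is the expected path
		srv.Close()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	cli := tls.Client(raw, &tls.Config{
		ServerName:            "example.test",
		RootCAs:               pool,
		VerifyPeerCertificate: NewVerifyPeerCertificate(check),
	})
	defer cli.Close()
	_ = cli.SetDeadline(time.Now().Add(5 * time.Second))
	return cli.Handshake()
}

func main() {
	fmt.Println("clean chain:", Handshake(SerialRevocationList()))
	fmt.Println("revoked leaf:", Handshake(SerialRevocationList(big.NewInt(LeafSerial))))
}
```

Two points worth noting. The callback fails closed when verifiedChains is empty, which is the case when InsecureSkipVerify is set; otherwise a misconfigured client would silently skip revocation checking. And because the error is returned from inside the handshake, the client sends a bad_certificate alert and never reaches the state where application data could be written, which is exactly the ordering the question asks for. On Go 1.15 and later, tls.Config.VerifyConnection receives a ConnectionState whose OCSPResponse field carries any stapled OCSP response from the server, which lets a checker validate a staple before falling back to a live responder query.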