Documentation ¶
Overview ¶
Package intermediates embeds a list of known unexpired, unrevoked intermediate certificates chaining to roots with Websites trust in the Mozilla Root Program.
This dataset is useful to establish connections to misconfigured servers that fail to provide a full certificate chain but provide a valid, publicly trusted end-entity certificate. Some browsers implement similar strategies to successfully establish connections to these sites.
Note that this might not be necessary if using the system roots on certain operating systems, as the platform verifier might have its own mechanism to fetch missing intermediates.
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Pool ¶
func Pool() *x509.CertPool
Pool returns a new x509.CertPool containing a set of known WebPKI intermediates chaining to roots in the Mozilla Root Program.
These certificates must not be used as trusted roots, but can be used as the Intermediates pool in x509.VerifyOptions.
The returned CertPool can be modified safely, for example to add intermediates provided by the server, and multiple invocations return distinct CertPools.
func VerifyConnection ¶
func VerifyConnection(cs tls.ConnectionState) error
VerifyConnection is a function that can be used as the VerifyConnection callback in a tls.Config for a client connection.
It performs the same verification that crypto/tls does by default, but it makes use of both the server's intermediates and this package's pool, and it disregards the Time and RootCAs fields of tls.Config, using their default values: the current time and the system roots.
Example ¶
```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"time"

	"filippo.io/intermediates"
)

func main() {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		// Set InsecureSkipVerify to skip the default validation we are
		// replacing. This will not disable VerifyConnection.
		InsecureSkipVerify: true,
		VerifyConnection:   intermediates.VerifyConnection,
	}
	c := &http.Client{Transport: tr, Timeout: 1 * time.Minute}
	r, err := c.Get("https://incomplete-chain.badssl.com")
	if err != nil {
		log.Fatal(err)
	}
	defer r.Body.Close()
	fmt.Println(r.StatusCode)
}
```
Output:
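Added example (not code from the intermediates package or its author) showing what a VerifyConnection callback built on Pool() does, with a constructed root/intermediate/leaf chain so it runs offline: the known pool is a parameter standing in for intermediates.Pool(), the names verifyWithKnownIntermediates and issue are made up, and the chain and the hostname example.test are constructed test data.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyWithKnownIntermediates mirrors a VerifyConnection callback: intermediates the server did send are added to
// the known pool (intermediates.Pool() in practice; a parameter here so this runs offline), then the leaf is verified for cs.ServerName against roots (nil = system roots).
func verifyWithKnownIntermediates(cs tls.ConnectionState, known, roots *x509.CertPool) error {
	for _, c := range cs.PeerCertificates[1:] {
		known.AddCert(c) // safe: Pool() returns a distinct, modifiable CertPool on every call
	}
	_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{DNSName: cs.ServerName, Intermediates: known, Roots: roots})
	return err
}

// issue mints a constructed test cert (not a real WebPKI cert) for cn, signed by parent/parentKey or self-signed when parent is nil.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		IsCA: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, DNSNames: []string{cn}} // same usage bits for CA and leaf, for brevity
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rootKey := issue("Test Root", true, nil, nil)
	inter, interKey := issue("Test Intermediate", true, root, rootKey)
	leaf, _ := issue("example.test", false, inter, interKey)
	roots, known := x509.NewCertPool(), x509.NewCertPool() // known stands in for intermediates.Pool()
	roots.AddCert(root)
	known.AddCert(inter)
	cs := tls.ConnectionState{ServerName: "example.test", PeerCertificates: []*x509.Certificate{leaf}} // leaf only
	fmt.Println("empty known pool:", verifyWithKnownIntermediates(cs, x509.NewCertPool(), roots))
	fmt.Println("with known pool:", verifyWithKnownIntermediates(cs, known, roots))
}
```

Run as-is, the first line reports an unknown-authority error for the leaf-only chain and the second reports nil once the missing intermediate can be taken from the pool.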
Types ¶
This section is empty.