intermediates

package module

v0.0.0-...-9429243 Latest Latest Go to latest Published: Apr 24, 2024 License: BSD-3-Clause Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/FiloSottile/intermediates

Links

Open Source Insights

README ¶

filippo.io/intermediates

Package intermediates embeds a list of known unexpired, unrevoked intermediate certificates chaining to roots with Websites trust in the Mozilla Root Program.

This dataset is useful to establish connections to misconfigured servers that fail to provide a full certificate chain but provide a valid, publicly trusted end-entity certificate. Some browsers implement similar strategies to successfully establish connections to these sites.

https://pkg.go.dev/filippo.io/intermediates

This is not an official or supported Google product, just some code that happens to be owned by Google.

Documentation ¶

Overview ¶

Package intermediates embeds a list of known unexpired, unrevoked intermediate certificates chaining to roots with Websites trust in the Mozilla Root Program.

This dataset is useful to establish connections to misconfigured servers that fail to provide a full certificate chain but provide a valid, publicly trusted end-entity certificate. Some browsers implement similar strategies to successfully establish connections to these sites.

Note that this might not be necessary if using the system roots on certain operating systems, as the platform verifier might have its own mechanism to fetch missing intermediates.

Index ¶

func Pool() *x509.CertPool
func VerifyConnection(cs tls.ConnectionState) error

Examples ¶

VerifyConnection

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Pool ¶

func Pool() *x509.CertPool

Pool returns a new x509.CertPool containing a set of known WebPKI intermediates chaining to roots in the Mozilla Root Program.

These certificates must not be used as trusted roots, but can be used as the Intermediates pool in x509.VerifyOptions.

The returned CertPool can be modified safely, for example to add intermediates provided by the server, and multiple invocations return distinct CertPools.

func VerifyConnection ¶

func VerifyConnection(cs tls.ConnectionState) error

VerifyConnection is a function that can be used as the VerifyConnection callback in a tls.Config for a client connection.

It performs the same verification that crypto/tls does by default, but it makes use of both the server's intermediates and this package's pool, and it disregards the Time and RootCAs fields of tls.Config, using their default values: the current time and the system roots.

Example ¶

package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"time"

	"filippo.io/intermediates"
)

func main() {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		// Set InsecureSkipVerify to skip the default validation we are
		// replacing. This will not disable VerifyConnection.
		InsecureSkipVerify: true,
		VerifyConnection:   intermediates.VerifyConnection,
	}

	c := &http.Client{Transport: tr, Timeout: 1 * time.Minute}
	r, err := c.Get("https://incomplete-chain.badssl.com")
	if err != nil {
		log.Fatal(err)
	}
	defer r.Body.Close()
	fmt.Println(r.StatusCode)
}

Output:

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL