intermediates

package module
v0.0.0-...-242b91f Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 6, 2024 License: BSD-3-Clause Imports: 7 Imported by: 0

README

filippo.io/intermediates

Package intermediates embeds a list of known unexpired, unrevoked intermediate certificates chaining to roots with Websites trust in the Mozilla Root Program.

This dataset is useful to establish connections to misconfigured servers that fail to provide a full certificate chain but provide a valid, publicly trusted end-entity certificate. Some browsers implement similar strategies to successfully establish connections to these sites.

https://pkg.go.dev/filippo.io/intermediates

This is not an official or supported Google product, just some code that happens to be owned by Google.

Documentation

Overview

Package intermediates embeds a list of known unexpired, unrevoked intermediate certificates chaining to roots with Websites trust in the Mozilla Root Program.

This dataset is useful to establish connections to misconfigured servers that fail to provide a full certificate chain but provide a valid, publicly trusted end-entity certificate. Some browsers implement similar strategies to successfully establish connections to these sites.

Note that this might not be necessary if using the system roots on certain operating systems, as the platform verifier might have its own mechanism to fetch missing intermediates.

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func Pool

func Pool() *x509.CertPool

Pool returns a new x509.CertPool containing a set of known WebPKI intermediates chaining to roots in the Mozilla Root Program.

These certificates must not be used as trusted roots, but can be used as the Intermediates pool in x509.VerifyOptions.

The returned CertPool can be modified safely, for example to add intermediates provided by the server, and multiple invocations return distinct CertPools.

func VerifyConnection

func VerifyConnection(cs tls.ConnectionState) error

VerifyConnection is a function that can be used as the VerifyConnection callback in a tls.Config for a client connection.

It performs the same verification that crypto/tls does by default, but it makes use of both the server's intermediates and this package's pool, and it disregards the Time and RootCAs fields of tls.Config, using their default values: the current time and the system roots.

Example
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"time"

	"filippo.io/intermediates"
)

func main() {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		// Set InsecureSkipVerify to skip the default validation we are
		// replacing. This will not disable VerifyConnection.
		InsecureSkipVerify: true,
		VerifyConnection:   intermediates.VerifyConnection,
	}

	c := &http.Client{Transport: tr, Timeout: 1 * time.Minute}
	r, err := c.Get("https://incomplete-chain.badssl.com")
	if err != nil {
		log.Fatal(err)
	}
	defer r.Body.Close()
	fmt.Println(r.StatusCode)
}
Output:

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL