Documentation

Constants

This section is empty.

Variables
var (
	// MustStapleValue is the value in the MustStaple extension.
	MustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
	// MustStapleOID is the OID of the must-staple extension.
	MustStapleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
)
Functions

Types

type InTransport

type InTransport struct {
	// Specify this method in the situation where you might otherwise have wanted to
	// install your own VerifyPeerCertificate hook into tls.Config. If specified,
	// this method will be called after a successful InTransport verification,
	// and verifiedChains will contain appropriate data including any intermediates
	// that needed to be downloaded.
	NextVerifyPeerCertificate PeerCertVerifier
	TLS                       *tls.Config
	TLSHandshakeTimeout       time.Duration
	Transport                 *http.Transport
}

InTransport - this implements http.RoundTripper. It fetches missing intermediate certificates, verifies OCSP stapling, and, when the certificate carries the "must staple" extension, fails the connection if no staple is presented.
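As an added example (not code from the intransport package), the check that decides whether a missing OCSP staple is fatal: it looks for the same OID and DER value as MustStapleOID and MustStapleValue above, and is exercised against a constructed self-signed certificate. The helper names and the "example.test" subject are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Same OID and DER value as the package's MustStapleOID / MustStapleValue (RFC 7633 TLS feature extension).
var (
	mustStapleOID   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
	mustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
)

// HasMustStaple reports whether cert carries the must-staple extension, i.e. a missing OCSP staple is fatal.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(mustStapleOID) && bytes.Equal(ext.Value, mustStapleValue) {
			return true
		}
	}
	return false
}

// SelfSignedCert builds a constructed self-signed test certificate, optionally with must-staple, for offline use.
func SelfSignedCert(mustStaple bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if mustStaple {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: mustStapleOID, Value: mustStapleValue}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The exact-value comparison mirrors the MustStapleValue constant; a certificate that lists additional TLS features would carry a longer SEQUENCE and would need a DER parse of the extension instead.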
func NewInTransport

func NewInTransport(tlsc *tls.Config) *InTransport

NewInTransport - create a new http transport suitable for client connections. InTransport implements http.RoundTripper, and can be used like so:

it := intransport.NewInTransport(nil)
c := &http.Client{
	Transport: it,
}
func NewInTransportFromHTTPTransport

func NewInTransportFromHTTPTransport(transport *http.Transport) *InTransport

NewInTransportFromHTTPTransport - this allows you to pass in an http.Transport with pre-configured timeouts, which is useful where you want to customize the transport. Note that the transport passed in is modified by this call. It panics if the transport passed in is nil.
func (*InTransport) RoundTrip

RoundTrip - this implements the http.RoundTripper interface, making InTransport suitable for use as an http.Client transport.
func (*InTransport) VerifyPeerCertificate

func (it *InTransport) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCertificate - this is the method to plug into tls.Config.VerifyPeerCertificate. If using it inside a custom-built http.Transport, you must also set InsecureSkipVerify to true: when it is false, a certificate that does not chain to a trusted root because intermediates are missing is rejected by the standard verification before VerifyPeerCertificate is ever called. This method still ensures that a valid chain exists from the presented certificate(s) to a trusted root certificate. The difference from the default TLS verification is that missing intermediates are fetched until either a valid path to a trusted root is found or no further intermediates can be located. If a chain cannot be established, the connection fails. If a chain can be established, the optional NextVerifyPeerCertificate method is called, if specified; if that method returns an error, the connection is aborted.
type PeerCertVerifier

type PeerCertVerifier func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

PeerCertVerifier - this is the function type plugged into tls.Config.VerifyPeerCertificate, or into InTransport.NextVerifyPeerCertificate.