
net/http revoked SSL certificate passes verification #18323

Closed
akamensky opened this issue Dec 15, 2016 · 4 comments
@akamensky

What version of Go are you using (go version)?

go version go1.7.4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH=""
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/rk/g9b46vzx70g86vhvqtmwtjxw0000gn/T/go-build972946867=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?

package main

import (
	"log"
	"net/http"
)

func main() {
	// Default client: the chain is verified, but revocation is not checked.
	_, err := http.Get("https://revoked.badssl.com/")
	if err != nil {
		log.Fatal(err)
	}
}

What did you expect to see?

Error message since cert is invalid and exit status code 1 (since log.Fatal)

What did you see instead?

No message and exit code 0; it actually fetches the page for the revoked certificate.

@Thomasdezeeuw
Contributor

On macOS (10.11.6) Safari accepts the certificate, however Firefox and Chrome don't. Maybe it's still accepted by Apple?

@akamensky
Author

Seems right. Safari 10.0.1 accepts the certificate whereas FF (which I mostly use) rejects it.

Makes me wonder if Chrome/FF use their own CA bundles? Or they just use some other way to verify certificate without using local CA bundle?

I thought that revocation happens at the intermediate cert, so it should not be updated in the CA bundle every time some cert is invalidated ahead of expiration.

@FiloSottile
Contributor

This is known. crypto/tls does not do live OCSP checks, and that definitely can't be introduced by default because it's a behavior change. Google "ImperialViolet revocation" for a few pieces by @agl on why.

Feel free to file a feature request for a tls.Config knob to perform OCSP checks, or to require stapling, but you might be better off making a library that hooks into the new Config.VerifyPeerCertificate.

There is nothing that can be done for the default case until Must-Staple extensions in x509 come along.

@bradfitz
Contributor

Working as intended.

As @FiloSottile said, you'll have to modify your tls.Config. We aren't going to do OCSP checks by default.

I can't find @agl's OCSP blog posts anymore. They seem to 404 now.
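Neither reply above ships code, so here is an added example (not from the Go project and not from anyone in this thread) of what @FiloSottile and @bradfitz describe: hooking your own revocation check into tls.Config via VerifyPeerCertificate, since crypto/tls never does one on its own. The standard library has no OCSP parser (that lives in golang.org/x/crypto/ocsp), so this example checks against a CRL using the stdlib x509.ParseRevocationList (assumes Go 1.19 or newer). The CRLChecker type, the DemoPKI helper, the "Demo Root CA" and the good.example / revoked.example leaves are all assumptions made for the demo; the PKI is generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLChecker holds one CRL per issuer (keyed by SubjectKeyId); its hook fails closed.
type CRLChecker struct {
	crls map[string]*x509.RevocationList
	Now  func() time.Time // injectable clock for the NextUpdate check
}

// AddCRL parses a DER CRL and keeps it only if issuer really signed it.
func (c *CRLChecker) AddCRL(der []byte, issuer *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	c.crls[string(issuer.SubjectKeyId)] = rl
	return nil
}

// VerifyPeerCertificate runs after crypto/tls built verifiedChains; InsecureSkipVerify leaves them empty.
func (c *CRLChecker) VerifyPeerCertificate(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 {
		return fmt.Errorf("no verified chains (InsecureSkipVerify set?)")
	}
	for _, chain := range verifiedChains {
		for i := 0; i+1 < len(chain); i++ { // every cert below the trust anchor
			if err := c.checkOne(chain[i], chain[i+1]); err != nil {
				return err
			}
		}
	}
	return nil
}

func (c *CRLChecker) checkOne(cert, issuer *x509.Certificate) error {
	rl, ok := c.crls[string(issuer.SubjectKeyId)]
	if !ok {
		return fmt.Errorf("no CRL loaded for issuer %q", issuer.Subject.CommonName)
	}
	if c.Now().After(rl.NextUpdate) {
		return fmt.Errorf("CRL for %q expired at %s", issuer.Subject.CommonName, rl.NextUpdate.UTC())
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%q (serial %s) revoked at %s", cert.Subject.CommonName, cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// TLSConfig attaches the hook; RootCAs, ServerName etc. are set by the caller as usual.
func (c *CRLChecker) TLSConfig() *tls.Config { return &tls.Config{VerifyPeerCertificate: c.VerifyPeerCertificate} }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DemoPKI builds an in-memory CA, two leaves and a CRL revoking the second leaf.
// Constructed demo data (assumed names and serials), so the example runs offline; panics on failure.
func DemoPKI() (checker *CRLChecker, good, revoked []*x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := tmpl(1, "Demo Root CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.SubjectKeyId = true, true, []byte{0xde, 0xad, 0xbe, 0xef}
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // crlSign is required to sign a CRL
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl(serial, cn), ca, &key.PublicKey, caKey))))
	}
	goodLeaf, badLeaf := leaf(1001, "good.example"), leaf(1002, "revoked.example")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: badLeaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	checker = &CRLChecker{crls: map[string]*x509.RevocationList{}, Now: time.Now}
	must(0, checker.AddCRL(crlDER, ca))
	return checker, []*x509.Certificate{goodLeaf, ca}, []*x509.Certificate{badLeaf, ca}
}
```

Calling DemoPKI and then checker.VerifyPeerCertificate(nil, [][]*x509.Certificate{good}) returns nil, while the revoked chain returns an error naming the serial; checker.TLSConfig() is what you would put in an http.Transport's TLSClientConfig. Two design points worth keeping in any real hook: the chains the callback receives are the ones the standard verifier already accepted, and with InsecureSkipVerify they are empty, so an empty slice is refused rather than treated as "nothing to check"; and missing or stale revocation data is refused too, because the soft-fail behaviour is exactly what the @agl posts argue makes live OCSP worthless. An OCSP variant would keep the same shape and replace checkOne with a lookup in a cached or stapled response.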

@golang golang locked and limited conversation to collaborators Dec 15, 2017