
net/http: Allow verification of certificates beyond just hostname #8522

Closed

Description

@gopherbot

by c@apcera.com:

What does 'go version' print?
go version devel +0449858880be Mon Aug 11 17:11:31 2014 -0400 darwin/amd64

What steps reproduce the problem?

1. Revoke a TLS certificate (for example, to mitigate Heartbleed)
2. Attempt to prevent a golang client from securing a connection using the revoked certificate
3. Realize you can verify the hostname, but not other parts of the certificate prior to establishing a connection and sending a request.

What happened?

Golang clients cannot currently be written to reject certificates based on factors other than hostname.

What should have happened instead?

The certificate should be available to client code when establishing connections to allow for more granular verification. The attached file is client code which could be used to reject blacklisted certs if a hook were available in net/http.

Attachments:

1. certblacklist.go (932 bytes)
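Added example, not the attached certblacklist.go and not code from net/http: since Go 1.8, crypto/tls exposes `tls.Config.VerifyPeerCertificate`, a hook of the kind this issue asks for, which runs after the standard chain and hostname checks and can only add restrictions. The blocklist type, the `Fingerprint`/`ClientConfig` helpers and the sample DER bytes below are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrBlockedCert = errors.New("tls: peer certificate is blocklisted")
// Blocklist holds hex SHA-256 fingerprints of DER certificates that must never be accepted.
type Blocklist map[string]bool

// Fingerprint returns the lowercase hex SHA-256 of a certificate's DER bytes.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Verify has the signature crypto/tls expects for tls.Config.VerifyPeerCertificate.
// It runs after chain/hostname verification and rejects a blocklisted leaf (rawCerts[0]).
func (b Blocklist) Verify(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("tls: no peer certificate presented")
	}
	if b[Fingerprint(rawCerts[0])] {
		return ErrBlockedCert
	}
	return nil
}

// ClientConfig installs the blocklist hook alongside normal verification;
// pass it to an http.Transport via TLSClientConfig.
func ClientConfig(b Blocklist) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: b.Verify,
	}
}

func main() {
	// Constructed sample: these bytes stand in for the DER of a revoked certificate.
	revoked := []byte("constructed-DER-of-revoked-cert")
	bl := Blocklist{Fingerprint(revoked): true}
	fmt.Println(bl.Verify([][]byte{revoked}, nil))              // blocklisted error
	fmt.Println(bl.Verify([][]byte{[]byte("other-cert")}, nil)) // <nil>
}
```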
