Implement OCSP validation #5

Closed
smtakeda opened this issue Apr 20, 2017 · 2 comments
Labels: enhancement

Comments

@smtakeda (Contributor)

Issue description

The TLS connection must be validated with OCSP/CRL (unless Go's library does so).

@smtakeda smtakeda self-assigned this Apr 21, 2017
@smtakeda smtakeda added the enhancement label May 2, 2017

smtakeda commented May 2, 2017

Golang already has an ocsp package that can encode/decode OCSP requests/responses.
https://godoc.org/golang.org/x/crypto/ocsp

Looks like this thread talks about it.
https://groups.google.com/forum/#!topic/golang-nuts/QC5FOysyVxg


smtakeda commented May 3, 2017

Here are the steps to implement the revocation checks with OCSP:

  • Check if certificate validation can be intercepted to add revocation checks (Yes. A TLSClientConfig including VerifyPeerCertificate can be injected into the Client.)
  • Extract the OCSP URL from the certificate.
  • Make sure an OCSP Request can be composed.
  • Make sure a simple round trip with the OCSP server returns an OCSP Response that can be decoded.
  • Make sure the OCSP Response includes enough information to validate the revocation status.
  • Implement concurrent OCSP round trips for chained certificates.
  • Implement caching of the results in a cache directory.
