Open yschimke opened 4 years ago
```
$ cft --output=tmp2 --host=www.google.com
$ openssl x509 -text -in tmp2/5ed6032ce36e0d50b54209a866d56ef8b3a1ea733039c3d016db034f565c1250.pem
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        86:74:39:D9:85:27:15:59:CD:49:A4:76:27:60:A1:48:EB:41:FD:A2
    X509v3 Authority Key Identifier:
        keyid:98:D1:F8:6E:10:EB:CF:9B:EC:60:9F:18:90:1B:A0:EB:7D:09:FD:2B
    Authority Information Access:
        OCSP - URI:http://ocsp.pki.goog/gts1o1core
        CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt
    X509v3 Subject Alternative Name:
        DNS:www.google.com
    X509v3 Certificate Policies:
        Policy: 2.23.140.1.2.2
        Policy: 1.3.6.1.4.1.11129.2.4.2
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.pki.goog/GTS1O1core.crl
    1.3.6.1.4.1.11129.2.4.2: <- CT extension
```
Playing around with this here https://github.com/cashapp/certifikit/pull/56
We can't practically implement in OkHttp, but this is exactly the sort of thing we should flag in the CLI, since browsers will fail these requests.
https://github.com/square/okhttp/issues/2348
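An added example, not part of the issue and not certifikit or OkHttp code: one way a CLI could inspect the CT extension shown above, by decoding its value as an RFC 6962 `SignedCertificateTimestampList` and returning a warning when embedded SCTs are absent or malformed. It is written in Python rather than the project's Kotlin so it runs stand-alone; the function names are hypothetical and the sample bytes are constructed, with dummy log IDs and signatures.

```python
import struct

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # the "CT extension" line in the output above

def der_octet_string(buf):
    """Return the content of one OCTET STRING (tag 0x04) spanning all of buf."""
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("expected OCTET STRING")
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if pos + length != len(buf):
        raise ValueError("OCTET STRING length mismatch")
    return buf[pos:]

def parse_sct_list(extn_value):
    """extn_value: extension content, an OCTET STRING wrapping the TLS-encoded list."""
    tls = der_octet_string(extn_value)
    if len(tls) < 2 or struct.unpack_from(">H", tls)[0] != len(tls) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(tls):
        (n,) = struct.unpack_from(">H", tls, pos)  # 2-byte length prefix of each SCT
        sct = tls[pos + 2:pos + 2 + n]
        if len(sct) != n or n < 47:  # 47 bytes = smallest well-formed v1 SCT
            raise ValueError("truncated SCT")
        version, log_id, ts_ms = struct.unpack_from(">B32sQ", sct)
        scts.append({"version": version, "log_id": log_id.hex(), "timestamp_ms": ts_ms})
        pos += 2 + n
    return scts

def ct_warning(extn_value):
    """Warning text for a CLI, or None. Covers embedded SCTs only, not TLS/OCSP delivery."""
    if extn_value is None:
        return f"no embedded SCT list ({SCT_LIST_OID})"
    try:
        count = len(parse_sct_list(extn_value))
    except (ValueError, struct.error) as err:
        return f"malformed SCT list: {err}"
    return None if count else "SCT list extension present but empty"

def constructed_extn_value():
    """Constructed sample with dummy log IDs and signatures, not from a real certificate."""
    tail = struct.pack(">HBBH", 0, 4, 3, 8) + b"\x00" * 8  # no extensions, alg ids, dummy sig
    scts = b""
    for i in range(2):
        sct = struct.pack(">B32sQ", 0, bytes([0x11 * (i + 1)]) * 32, 1_600_000_000_000 + i) + tail
        scts += struct.pack(">H", len(sct)) + sct
    return bytes([0x04, len(scts) + 2]) + struct.pack(">H", len(scts)) + scts
```

With a real certificate, `extn_value` is the content of the extension's `extnValue`; pass `None` when the certificate carries no extension with that OID.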