nokia / restful

A powerful RESTful framework for Go.
BSD 3-Clause "New" or "Revised" License
17 stars 14 forks

OCSP and CRL support #28

Open Som-Som-CC opened 2 years ago

Som-Som-CC commented 2 years ago

Certificate Revocation List (CRL) is a file that contains revoked certs. That is to be downloaded on a regular schedule. That is an old method, superseded by OCSP. Online Certificate Status Protocol (OCSP) is a service to check whether a cert is revoked. These are needed, as verifying the signing Root/Intermediate CA successfully does not mean that a server or mTLS client cert has not been compromised.

TLS config crypto.tls.Config has attribute VerifyPeerCertificate, a function called when basic CA verification is done. That can be used to check CRL/OCSP.

See article and related code.

It would be great to have restful Client (similar to TLSRootCerts) and Server/Router (similar to TLSClientCert) functions for CRL and OCSP. E.g. Client.OCSP(ocspURL string) and Client.CRL(path), setting up VerifyPeerCertificate.

OCSP is the important one, CRL can be omitted.

Som-Som-CC commented 2 years ago

There is a nice article explaining how to check OCSP with OpenSSL, and the OCSP URL being in the certificate. Still, we may need that aforementioned OCSP URL setting, in case the URL is not in the certificate itself.

Som-Som-CC commented 2 years ago

Note that in Go 1.19 x509.ParseCRL is replaced by x509.ParseRevocationList.
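The following is an added example, not code from nokia/restful or from the issue author, showing what sits behind the proposed Client.CRL(path) / Client.OCSP(url) setters: a `VerifyPeerCertificate` hook that is run after crypto/tls has validated the chain against the roots, a CRL loaded with `x509.ParseRevocationList` (the Go 1.19+ replacement mentioned above) and checked for issuer signature and freshness, and a responder lookup that honours an explicit OCSP URL override when the certificate carries no Authority Information Access entry. The `RevocationChecker` type, its method names and the in-memory CA, client leaf and CRL built by `BuildTestPKI` are all assumptions constructed for the example. Only the standard library is used; the example stops at resolving the responder URL, because building the OCSP request and parsing the response needs golang.org/x/crypto/ocsp (ocsp.CreateRequest, ocsp.ParseResponse) and a network round trip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationChecker is a hypothetical helper (not part of nokia/restful)
// that a Client.CRL(path) / Client.OCSP(url) setter would populate.
type RevocationChecker struct {
	crl     *x509.RevocationList // parsed CRL, nil until LoadCRL succeeds
	OCSPURL string               // explicit responder override; "" = use the cert's AIA entry
}

// LoadCRL parses a DER CRL (Go 1.19+: ParseRevocationList), checks that the
// issuing CA signed it and that it is not past NextUpdate, then keeps it.
func (r *RevocationChecker) LoadCRL(der []byte, issuer *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("crl is stale; refresh it before trusting it")
	}
	r.crl = crl
	return nil
}

// OCSPResponder returns the URL to query: the override if set, otherwise the
// first OCSP URL from the certificate's Authority Information Access extension.
func (r *RevocationChecker) OCSPResponder(leaf *x509.Certificate) (string, error) {
	if r.OCSPURL != "" {
		return r.OCSPURL, nil
	}
	if len(leaf.OCSPServer) > 0 {
		return leaf.OCSPServer[0], nil
	}
	return "", errors.New("no OCSP URL in certificate and no override set")
}

// VerifyPeerCertificate matches tls.Config.VerifyPeerCertificate. crypto/tls calls
// it after chain validation, so verifiedChains[0][0] is the peer's leaf. Fail closed
// when there is no chain (InsecureSkipVerify) or no CRL to check against.
func (r *RevocationChecker) VerifyPeerCertificate(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return errors.New("no verified chain (InsecureSkipVerify must be false)")
	}
	if r.crl == nil {
		return errors.New("no CRL loaded; refusing to skip the revocation check")
	}
	leaf := verifiedChains[0][0]
	for _, rc := range r.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// TLSConfig is what a Client.CRL-style setter would install on the client.
func (r *RevocationChecker) TLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, VerifyPeerCertificate: r.VerifyPeerCertificate}
}

// VerifyAgainst simulates the handshake offline: x509 chain building, then the hook.
func (r *RevocationChecker) VerifyAgainst(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	return r.VerifyPeerCertificate([][]byte{leaf.Raw}, chains)
}

// BuildTestPKI constructs an in-memory CA, an mTLS client leaf and a CA-signed CRL
// (constructed test data, not a real PKI); revokeLeaf puts the leaf on the CRL.
func BuildTestPKI(revokeLeaf bool) (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required by CreateRevocationList
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // freshly created DER, parse cannot fail
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "client.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, OCSPServer: []string{"http://ocsp.example.test"}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crlDER, err
}

func main() {
	ca, leaf, crlDER, err := BuildTestPKI(true)
	if err != nil {
		panic(err)
	}
	rc := &RevocationChecker{}
	if err := rc.LoadCRL(crlDER, ca); err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_ = rc.TLSConfig(pool) // the tls.Config a restful Client would use
	fmt.Println("handshake result:", rc.VerifyAgainst(ca, leaf))
	u, _ := rc.OCSPResponder(leaf)
	fmt.Println("OCSP responder from AIA:", u)
}
```

Two design points worth keeping if this lands in the library: the hook fails closed when no CRL has been loaded or when `verifiedChains` is empty, so a misconfigured client (or one with InsecureSkipVerify set) cannot silently skip revocation; and CRL freshness is checked at load time, so a scheduled refresh should call the loader again rather than reusing a list past its NextUpdate.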

Som-Som-CC commented 2 years ago

An article on how cert revocations are performing on the public internet: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/