Open Som-Som-CC opened 2 years ago
There is a nice article explaining how to check OCSP with OpenSSL, with the OCSP URL being in the certificate. Still, we may need the aforementioned OCSP URL setting, in case the URL is not in the certificate itself.
Note that in Go 1.19 `x509.ParseCRL` is replaced by `x509.ParseRevocationList`.
An article on how cert revocation checking performs on the public internet: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/
A Certificate Revocation List (CRL) is a file that contains revoked certs and is to be downloaded on a regular schedule. That is an older method, superseded by OCSP. The Online Certificate Status Protocol (OCSP) is a service for checking whether a cert is revoked. These are needed because successfully verifying the signing Root/Intermediate CA does not mean that a server or mTLS client cert has not been compromised.
The TLS config `crypto/tls.Config` has the attribute `VerifyPeerCertificate`, a function called when basic CA verification is done. That can be used to check CRL/OCSP. See the article and related code.
It would be great to have restful Client (similar to `TLSRootCerts`) and Server/Router (similar to `TLSClientCert`) functions for CRL and OCSP, e.g. `Client.OCSP(ocspURL string)` and `Client.CRL(path)`, setting up `VerifyPeerCertificate`. OCSP is the important one, CRL can be omitted.
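As an added example (not code from the issue or from the restful project) of the `VerifyPeerCertificate` hook described above, wired to a CRL parsed with `x509.ParseRevocationList`: the CA, the revoked serial and the CRL are constructed inline so it runs offline, and `crlVerifier`, `loadCRL` and `constructedFixture` are names chosen here. An OCSP check would plug into the same callback; the CRL is first checked against the issuer's signature, and the callback fails closed when no verified chains are supplied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlVerifier returns a tls.Config.VerifyPeerCertificate callback that rejects any chain whose leaf serial is listed in crl.
func crlVerifier(crl *x509.RevocationList) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 { // nil when InsecureSkipVerify is set: fail closed
			return fmt.Errorf("no verified chains to check against the CRL")
		}
		for _, chain := range chains {
			for _, rc := range crl.RevokedCertificates { // Go 1.21+ also exposes RevokedCertificateEntries
				if rc.SerialNumber.Cmp(chain[0].SerialNumber) == 0 {
					return fmt.Errorf("certificate serial %s is revoked", chain[0].SerialNumber)
				}
			}
		}
		return nil
	}
}

// loadCRL parses a DER CRL and refuses it unless issuer signed it.
func loadCRL(der []byte, issuer *x509.Certificate) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der) // Go 1.19+, replaces x509.ParseCRL
	if err != nil {
		return nil, err
	}
	return crl, crl.CheckSignatureFrom(issuer)
}

func constructedFixture() (ca, leaf *x509.Certificate, crlDER []byte) { // throwaway CA, stand-in leaf, CRL revoking it
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"}, IsCA: true,
		BasicConstraintsValid: true, NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	ca, _ = x509.ParseCertificate(caDER) // parsed cert carries the SubjectKeyId that CRL signing requires
	leaf = &x509.Certificate{SerialNumber: big.NewInt(42)} // only the serial matters for the CRL lookup
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return ca, leaf, crlDER
}
```

In a real deployment the CRL bytes come from the distribution point on a schedule and `ca` is the issuing CA from the trust store; `tls.Config{VerifyPeerCertificate: crlVerifier(crl)}` then installs the check.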