intransport

package module
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 4, 2018 License: MIT Imports: 13 Imported by: 0

README

GoDoc Go Report Card Build Status

Package intransport implements the http RoundTripper interface. This can be used with, for example, http.Client and httputil.ReverseProxy. This package is meant to allow secure communications with remote hosts that may not fully specify their intermediate certificates on the TLS handshake. Most browsers support communication with these hosts by using the issuing certificate URL from the Authority Information Access extension of the cert to fetch any missing intermediates. Each intermediate is fetched in turn until it can either complete the chain back to a trusted root or give up after all avenues have been exhausted, in which case it displays an error. Go's default transport does not fetch intermediates and will fail on mis-configured hosts. This package attempts to emulate browser behavior by attempting to complete the chain to a trusted root by fetching any missing intermediates.

Additionally, this will validate any stapled OCSP responses, and in the case where the certificate was created with the Must Staple extension set, it will fail in the absence of a validated OCSP response.

In order to use this, for most use cases, will be simply:

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	
	it "github.com/nathanejohnson/intransport"
)

func main() {
	c := it.NewInTransportHTTPClient(nil)
	resp, err := c.Get("https://something.org")
	if err != nil {
		fmt.Println("boo, hiss! ", err)
		os.Exit(1)
	}
	body, err := ioutil.ReadAll(resp.Body)
	_ = resp.Body.Close()
	if err != nil {		
		fmt.Println("ba dum, tiss! ", err)
		os.Exit(1)
	}
	fmt.Printf("got response:\n%s", string(body))
}

Documentation

Overview

Package intransport implements the http RoundTripper interface. This can be used with, for example, http.Client and httputil.ReverseProxy. This package is meant to allow secure communications with remote hosts that may not fully specify their intermediate certificates on the TLS handshake. Most browsers support communication with these hosts by using the issuing certificate URL from the Authority Information Access extension of the cert to fetch any missing intermediates. Each intermediate is fetched in turn until it can either complete the chain back to a trusted root or give up after all avenues have been exhausted, in which case it displays an error. Go's default transport does not fetch intermediates and will fail on mis-configured hosts. This package attempts to emulate browser behavior by attempting to complete the chain to a trusted root by fetching any missing intermediates.

Additionally, this will validate any stapled OCSP responses, and in the case where the certificate was created with the Must Staple extension set, it will fail in the absence of a validated OCSP response.

Index

Constants

This section is empty.

Variables

View Source
var (
	// MustStapleValue is the value in the MustStaple extension.
	// DER encoding of the status_request extension, 5.
	// https://tools.ietf.org/html/rfc6066#section-1.1
	MustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}

	// MustStapleOID is the OID of the must staple.
	//
	// Must staple oid is id-pe-tlsfeature  as defined here
	// https://tools.ietf.org/html/rfc7633#section-6
	MustStapleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
)

Functions

func NewInTransportHTTPClient

func NewInTransportHTTPClient(tlsc *tls.Config) *http.Client

NewInTransportHTTPClient - generate an http client with sensible defaults. Optionally pass a *tls.Config that will be used as a basis for tls configuration.

Types

type InTransport

type InTransport struct {
	// Specify this method in the situation where you might otherwise have wanted to
	// install your own VerifyPeerCertificate hook into tls.Config.  If specified,
	// This method will be called after a successful InTransport verification,
	// and verifiedChains will contain appropriate data including any intermediates
	// that needed to be downloaded.
	NextVerifyPeerCertificate PeerCertVerifier

	TLS                 *tls.Config
	TLSHandshakeTimeout time.Duration

	Transport *http.Transport
}

InTransport - this implements an http.RoundTripper and handles the fetching of missing intermediate certificates, and verifying OCSP stapling, and in the event there is a "must staple" set on the certificate it will fail on missing staple.

func NewInTransport

func NewInTransport(tlsc *tls.Config) *InTransport

NewInTransport - create a new http transport suitable for client connections. InTransport implements http.RoundTripper, and can be used like so:

it := intransport.NewInTranport(nil)
c := &http.Client{
    Transport: it,
}

func NewInTransportFromHTTPTransport

func NewInTransportFromHTTPTransport(transport *http.Transport) *InTransport

NewInTransportFromHTTPTransport - this allows you to pass in an http.Transport with pre-configured timeouts. This is useful where you want to customize. Note that the transport passed in will be modified by this call. Do not pass in a transport that's already in-use. Will panic on a nil transport passed. if the passed transport has a TLSClientConfiguration defined, it will be cloned and then modified to integrate InTransport. The following settings within TLSClientConnection will be modified:

* InsecureSkipVerify will be set to true

* VerifyPeerCertificate will be set to our InTransport.VerifyPeerCertificate

As noted elsewhere, InsecureSkipVerify must be set in order for our VerifyPeerCertificate method to get called in the case of missing intermediates. We still do the full certificate checking here, we just go about it a different way.

it := intransport.NewInTransportFromHTTPTransport(&http.Transport{
    Proxy:                 http.ProxyFromEnvironment,
    MaxIdleConns:          100,
    IdleConnTimeout:       90 * time.Second,
    ExpectContinueTimeout: 1 * time.Second,
    TLSHandshakeTimeout:   10 * time.Second,
    DialContext: (&net.Dialer{
        Timeout:   30 * time.Second,
        KeepAlive: 30 * time.Second,
        DualStack: true,
    }).DialContext,
}
c := &http.Client{
    Transport: it,
}

func (*InTransport) RoundTrip

func (it *InTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip - this implements the http.RoundTripper interface, and makes it suitable for use as a transport.

func (*InTransport) SetNextVerifyPeerCertificate added in v0.1.1

func (it *InTransport) SetNextVerifyPeerCertificate(verifier PeerCertVerifier)

SetNextVerifyPeerCertificate - this is a setter method to specify a method to be called after a successful InTransport TLS validation. Specify this method in the situation where you might otherwise have wanted to install your own VerifyPeerCertificate hook into tls.Config. verifiedChains will contain appropriate data including any intermediates that needed to be downloaded.

func (*InTransport) VerifyPeerCertificate

func (it *InTransport) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCertificate - this is the method that is to be plugged into tls.Config VerifyPeerCertificate. If using this method inside of a custom built htttp.Transport, you must also set InsecureSkipVerify to true. When set to false, a certificate that isn't trusted to the root and has missing intermediate certs will prevent VerifyPeerCertificate from being called. This method will still ensure that a valid chain exists from the presented certificates(s) to a trusted root certificate. The difference between this and the default TLS verification is that missing intermediates will be fetched until either a valid path to a trusted root is found or no further intermediates can be found. If a chain cannot be established, the connection will fail . If a chain can be established, then the optional NextVerifyPeerCertificate() method will be called, if specified. If this method returns an error, it will stop the connection.

type PeerCertVerifier

type PeerCertVerifier func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

PeerCertVerifier - this is a method type that is plugged into a tls.Config.VerifyPeerCertificate, or into our NextVerifyPeerCertificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL