README
¶
Package intransport implements the http RoundTripper interface. This can be used with, for example, http.Client and httputil.ReverseProxy. This package is meant to allow secure communications with remote hosts that may not fully specify their intermediate certificates on the TLS handshake. Most browsers support communication with these hosts by using the issuing certificate URL from the Authority Information Access extension of the cert to fetch any missing intermediates. Each intermediate is fetched in turn until it can either complete the chain back to a trusted root or give up after all avenues have been exhausted, in which case it displays an error. Go's default transport does not fetch intermediates and will fail on mis-configured hosts. This package attempts to emulate browser behavior by attempting to complete the chain to a trusted root by fetching any missing intermediates.
Additionally, this will validate any stapled OCSP responses, and in the case where the certificate was created with the Must Staple extension set, it will fail in the absence of a validated OCSP response.
In order to use this, for most use cases, will be simply:
package main
import (
"fmt"
"io/ioutil"
"os"
it "github.com/nathanejohnson/intransport"
)
func main() {
c := it.NewInTransportHTTPClient(nil)
resp, err := c.Get("https://something.org")
if err != nil {
fmt.Println("boo, hiss! ", err)
os.Exit(1)
}
body, err := ioutil.ReadAll(resp.Body)
_ = resp.Body.Close()
if err != nil {
fmt.Println("ba dum, tiss! ", err)
os.Exit(1)
}
fmt.Printf("got response:\n%s", string(body))
}
Documentation
¶
Overview ¶
Package intransport implements the http RoundTripper interface. This can be used with, for example, http.Client and httputil.ReverseProxy. This package is meant to allow secure communications with remote hosts that may not fully specify their intermediate certificates on the TLS handshake. Most browsers support communication with these hosts by using the issuing certificate URL from the Authority Information Access extension of the cert to fetch any missing intermediates. Each intermediate is fetched in turn until it can either complete the chain back to a trusted root or give up after all avenues have been exhausted, in which case it displays an error. Go's default transport does not fetch intermediates and will fail on mis-configured hosts. This package attempts to emulate browser behavior by attempting to complete the chain to a trusted root by fetching any missing intermediates.
Additionally, this will validate any stapled OCSP responses, and in the case where the certificate was created with the Must Staple extension set, it will fail in the absence of a validated OCSP response.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // MustStapleValue is the value in the MustStaple extension. // DER encoding of the status_request extension, 5. // https://tools.ietf.org/html/rfc6066#section-1.1 MustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05} // MustStapleOID is the OID of the must staple. // // Must staple oid is id-pe-tlsfeature as defined here // https://tools.ietf.org/html/rfc7633#section-6 MustStapleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} )
Functions ¶
Types ¶
type InTransport ¶
type InTransport struct {
// Specify this method in the situation where you might otherwise have wanted to
// install your own VerifyPeerCertificate hook into tls.Config. If specified,
// This method will be called after a successful InTransport verification,
// and verifiedChains will contain appropriate data including any intermediates
// that needed to be downloaded.
NextVerifyPeerCertificate PeerCertVerifier
TLS *tls.Config
TLSHandshakeTimeout time.Duration
Transport *http.Transport
}
InTransport - this implements an http.RoundTripper and handles the fetching of missing intermediate certificates, and verifying OCSP stapling, and in the event there is a "must staple" set on the certificate it will fail on missing staple.
func NewInTransport ¶
func NewInTransport(tlsc *tls.Config) *InTransport
NewInTransport - create a new http transport suitable for client connections. InTransport implements http.RoundTripper, and can be used like so:
it := intransport.NewInTranport(nil)
c := &http.Client{
Transport: it,
}
func NewInTransportFromHTTPTransport ¶
func NewInTransportFromHTTPTransport(transport *http.Transport) *InTransport
NewInTransportFromHTTPTransport - this allows you to pass in an http.Transport with pre-configured timeouts. This is useful where you want to customize. Note that the transport passed in will be modified by this call. Do not pass in a transport that's already in-use. Will panic on a nil transport passed. if the passed transport has a TLSClientConfiguration defined, it will be cloned and then modified to integrate InTransport. The following settings within TLSClientConnection will be modified:
* InsecureSkipVerify will be set to true
* VerifyPeerCertificate will be set to our InTransport.VerifyPeerCertificate
As noted elsewhere, InsecureSkipVerify must be set in order for our VerifyPeerCertificate method to get called in the case of missing intermediates. We still do the full certificate checking here, we just go about it a different way.
it := intransport.NewInTransportFromHTTPTransport(&http.Transport{
Proxy: http.ProxyFromEnvironment,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).DialContext,
}
c := &http.Client{
Transport: it,
}
func (*InTransport) RoundTrip ¶
RoundTrip - this implements the http.RoundTripper interface, and makes it suitable for use as a transport.
func (*InTransport) SetNextVerifyPeerCertificate ¶ added in v0.1.1
func (it *InTransport) SetNextVerifyPeerCertificate(verifier PeerCertVerifier)
SetNextVerifyPeerCertificate - this is a setter method to specify a method to be called after a successful InTransport TLS validation. Specify this method in the situation where you might otherwise have wanted to install your own VerifyPeerCertificate hook into tls.Config. verifiedChains will contain appropriate data including any intermediates that needed to be downloaded.
func (*InTransport) VerifyPeerCertificate ¶
func (it *InTransport) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error
VerifyPeerCertificate - this is the method that is to be plugged into tls.Config VerifyPeerCertificate. If using this method inside of a custom built htttp.Transport, you must also set InsecureSkipVerify to true. When set to false, a certificate that isn't trusted to the root and has missing intermediate certs will prevent VerifyPeerCertificate from being called. This method will still ensure that a valid chain exists from the presented certificates(s) to a trusted root certificate. The difference between this and the default TLS verification is that missing intermediates will be fetched until either a valid path to a trusted root is found or no further intermediates can be found. If a chain cannot be established, the connection will fail . If a chain can be established, then the optional NextVerifyPeerCertificate() method will be called, if specified. If this method returns an error, it will stop the connection.
type PeerCertVerifier ¶
type PeerCertVerifier func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
PeerCertVerifier - this is a method type that is plugged into a tls.Config.VerifyPeerCertificate, or into our NextVerifyPeerCertificate.
Source Files