I'm using the ClientCAs and ClientAuth options in tls.Config to do cert-based client authentication in my Go HTTP application. Is it possible to also verify the client certs against a provided CRL? I see in the x509 package there are some functions around CRLs, but I'm not sure how to configure the HTTP server to use them (i.e. there don't seem to be any options in tls.Config that would cause a CRL to also be used).
Is it possible to also verify the client certs against a provided CRL?

Yes, it is possible, by means of the functionality provided in the crypto/x509 package (as you correctly stated in your question). However, higher-level interfaces such as crypto/tls.Config (consumed by net/http) do not offer that. A good place to implement a check against a CRL is probably by inspecting net/http.Request.TLS.PeerCertificates.

A little bit of background: crypto/tls is maintained by security expert Adam Langley, who has an opinion on revocation checking (original source is his blog). Though I have no evidence, one might assume that this was a deliberate design decision.
You can use VerifyPeerCertificate to validate connections against your CRL file. Simply iterate over your list of revoked certificates and check if the serial number of the revoked certs is equal to the peer certificate's serial number.
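Putting both answers together, here is a complete added example (not code from either answer or from the Go project) of the VerifyPeerCertificate approach. The crlChecker type and the newCRLChecker, serverTLSConfig, must and makeFixture helpers are names chosen for this example, and the CA, the two client certificates and the CRL are generated in memory as constructed test data. x509.ParseRevocationList, RevocationList.CheckSignatureFrom, RevocationList.RevokedCertificateEntries and x509.CreateRevocationList are the real crypto/x509 APIs (Go 1.21 or newer). Beyond the serial-number comparison the answer describes, the hook also verifies the CRL signature against the CA, refuses a CRL past its NextUpdate, only matches certificates from the CRL's own issuer, and fails closed when crypto/tls hands it no verified chain:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlChecker is an illustrative type (crypto/tls has nothing like it): one parsed CRL whose signature was verified against the client CA.
type crlChecker struct{ crl *x509.RevocationList }

// newCRLChecker parses a DER CRL (pem.Decode a .pem file first) and rejects it unless issuer
// signed it, so a swapped or truncated CRL file cannot silently un-revoke certificates.
func newCRLChecker(issuer *x509.Certificate, crlDER []byte) (*crlChecker, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	return &crlChecker{crl: crl}, nil
}

// VerifyPeerCertificate has the signature tls.Config.VerifyPeerCertificate expects. crypto/tls runs it
// after its own chain validation, so with ClientAuth = RequireAndVerifyClientCert every chain in
// verifiedChains already ends at a ClientCAs root; leaf and intermediates are then checked here.
func (c *crlChecker) VerifyPeerCertificate(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 {
		return fmt.Errorf("no verified chain: ClientAuth must be RequireAndVerifyClientCert")
	}
	if time.Now().After(c.crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s, refusing stale revocation data", c.crl.NextUpdate)
	}
	for _, chain := range verifiedChains {
		for i := 0; i+1 < len(chain); i++ { // leaf and intermediates, not the trust anchor
			cert := chain[i]
			for _, e := range c.crl.RevokedCertificateEntries {
				// a CRL only speaks for certificates from its own issuer, so match issuer and serial
				if bytes.Equal(cert.RawIssuer, c.crl.RawIssuer) && e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("certificate serial %s revoked at %s (reason %d)",
						cert.SerialNumber, e.RevocationTime.Format(time.RFC3339), e.ReasonCode)
				}
			}
		}
	}
	return nil
}

// serverTLSConfig is the tls.Config from the question with the CRL hook added; the caller still sets Certificates.
func serverTLSConfig(ca *x509.Certificate, c *crlChecker) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: c.VerifyPeerCertificate}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeFixture builds an in-memory CA, client certificates with serials 1001 and 1002, and a CRL
// revoking 1001. Constructed test data, not a real PKI.
func makeFixture() (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Client CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required by CreateRevocationList
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, valid = issue(1001, "revoked-client"), issue(1002, "valid-client")
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute), ReasonCode: 1}}} // 1 = keyCompromise
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return
}

func main() {
	ca, revoked, valid, crlDER := makeFixture()
	cfg := serverTLSConfig(ca, must(newCRLChecker(ca, crlDER)))
	for _, leaf := range []*x509.Certificate{revoked, valid} {
		fmt.Println(leaf.Subject.CommonName, "->", cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{leaf, ca}}))
	}
}
```

Hand cfg to net/http as &http.Server{TLSConfig: cfg} and start it with ListenAndServeTLS; rejected clients fail the handshake before any handler runs, which is stricter than inspecting Request.TLS.PeerCertificates inside a handler. verifiedChains is only populated when crypto/tls itself validated the chain against ClientCAs (RequireAndVerifyClientCert); with RequireAnyClientCert it is nil, which is why the hook treats an empty slice as a rejection rather than a pass. The CRL is parsed once here; a real deployment has to reload it before NextUpdate (swap the checker atomically), because the staleness check otherwise starts rejecting every client. Note that this checks only the CRL you hand it: CRL Distribution Point URLs in the certificates are not fetched. For a CRL with many thousands of entries, index the serial numbers in a map instead of the linear scan.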