OCSP and CRL support
A Certificate Revocation List (CRL) is a signed file listing the serial numbers of certificates the CA has revoked. It has to be downloaded on a regular schedule (before its NextUpdate time passes). It is the older mechanism, largely superseded by the Online Certificate Status Protocol (OCSP), a service that answers whether a single certificate is revoked. One of the two is needed because successfully verifying the chain up to the Root/Intermediate CA only proves that the CA issued the certificate; it says nothing about whether the server or mTLS client certificate (or its private key) has since been compromised and revoked.
The TLS config (crypto/tls, tls.Config) has a VerifyPeerCertificate callback that is called after the normal CA chain verification has succeeded; it receives the raw peer certificates and the verified chains. (If normal verification is disabled, e.g. with InsecureSkipVerify on the client, the callback still runs but verifiedChains is nil, so the revocation check should work from rawCerts.) That callback is the place to check the peer certificate against a CRL or OCSP.
It would be great to have Client (similar to TLSRootCerts) and Server/Router (similar to TLSClientCert) functions for CRL and OCSP, e.g. Client.OCSP(ocspURL string) and Client.CRL(path string), which would set up VerifyPeerCertificate accordingly.
OCSP is the important one; CRL support could be omitted initially.
There is a nice article explaining how to check OCSP with OpenSSL, taking the OCSP URL from the certificate itself (its Authority Information Access extension, exposed in Go as x509.Certificate.OCSPServer). Still, the aforementioned OCSP URL setting may be needed for certificates that do not carry the URL.
Note that since Go 1.19, x509.ParseCRL is deprecated in favour of x509.ParseRevocationList, which returns an x509.RevocationList whose signature can be checked against the issuer with CheckSignatureFrom.
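The VerifyPeerCertificate callback and the ParseRevocationList note above, worked through as an added example (my own code, not the library's): a callback that rejects a presented leaf whose serial number appears in a CRL, with the CRL parsed by x509.ParseRevocationList and its signature and freshness checked before use. The CA, the two leaf certificates and the CRL are constructed in-process so the example runs offline; the names NewCRLVerifier, issue and Demo are assumptions, and the real feature would read the CRL from the path given to a Client.CRL-style option. An OCSP variant would keep the same callback shape and replace the in-memory lookup with a query to the responder (golang.org/x/crypto/ocsp).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PeerVerifier matches the signature of tls.Config.VerifyPeerCertificate.
type PeerVerifier func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

// NewCRLVerifier parses a DER CRL, checks that issuer signed it and that it is
// still current, and returns a callback that rejects a presented leaf whose
// serial number is listed. It works from rawCerts so it also covers the case
// where verifiedChains is nil (normal verification disabled).
func NewCRLVerifier(crlDER []byte, issuer *x509.Certificate) (PeerVerifier, error) {
	crl, err := x509.ParseRevocationList(crlDER) // Go 1.19+, replaces x509.ParseCRL
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return nil, errors.New("CRL is past NextUpdate; download a fresh one")
	}
	revoked := map[string]bool{}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries in Go 1.21+
		revoked[rc.SerialNumber.String()] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !bytes.Equal(leaf.RawIssuer, crl.RawIssuer) { // serials are only unique per issuer
			return errors.New("certificate issuer does not match CRL issuer")
		}
		if revoked[leaf.SerialNumber.String()] {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
		return nil
	}, nil
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the DER certificate and its key. Constructed test material only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// Demo builds a throwaway CA, revokes serial 2 via a CRL, and runs the verifier
// against a revoked and a valid leaf. Setup failures are reported in err.
func Demo() (revokedVerdict, validVerdict, err error) {
	caDER, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign a CRL
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leaf := func(serial int64) ([]byte, error) {
		der, _, err := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("client-%d", serial)},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return der, err
	}
	revokedLeaf, err := leaf(2)
	if err != nil {
		return nil, nil, err
	}
	validLeaf, err := leaf(3)
	if err != nil {
		return nil, nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: time.Now()}},
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	verify, err := NewCRLVerifier(crlDER, ca)
	if err != nil {
		return nil, nil, err
	}
	// In a real client this is wired as tls.Config{RootCAs: pool, VerifyPeerCertificate: verify}.
	return verify([][]byte{revokedLeaf}, nil), verify([][]byte{validLeaf}, nil), nil
}

func main() {
	revoked, valid, err := Demo()
	fmt.Println("revoked leaf:", revoked, "| valid leaf:", valid, "| setup:", err)
}
```

The issuer comparison matters in practice: a serial number is only unique within one CA, so a CRL from a different issuer must not be consulted for this leaf. The NextUpdate check is what forces the "download on a regular schedule" part; a stale CRL should fail closed rather than silently accept everything.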
An article on how certificate revocation checking actually performs on the public internet: https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/