Checking for expired certificates


gwhe...@yahoo.com

Jul 7, 2017, 8:12:25 AM
to golang-nuts

The golang net/http package currently does not detect an expired SSL certificate.

I need to detect an expired certificate (it's used in an http.Put function eventually) and report an error (flag the data back from the put as not secure)

Any idea how to go about doing this?

TIA,
Gary.

For example, here is a short program that checks certificates:

package main

import (
	"fmt"
	"net/http"
)

// Test links from <https://badssl.com/>
// (the URL entries are missing from the archived post)
var urls = []string{}

func main() {
	// See what happens when I access a known bad https
	for i := range urls {
		resp, err := http.Get(urls[i])
		if err != nil {
			fmt.Println("http.Get error: ", err)
		} else {
			resp.Body.Close() // release the connection once the request has succeeded
			fmt.Printf("Not so good:         %s worked.\n", urls[i])
		}
	}
}

Shawn Milochik

Jul 7, 2017, 11:13:02 AM
to golang-nuts

gwhe...@yahoo.com

Jul 8, 2017, 4:06:45 AM
to golang-nuts, Sh...@milochik.com
Shawn,

I'm a little confused.

Your program prints 'Certificate for "revoked.badssl.com" from "DigiCert Inc" expires 2019-09-11 12:00:00 +0000 UTC (795 days).' for the revoked certificate.

How do I tell that it has been revoked?

Gary.

Cr@p.  I just realized that I titled the post "expired" when my issue is with revoked...


On Friday, July 7, 2017 at 8:13:02 AM UTC-7, Shawn Milochik wrote:

Matt Harden

Jul 9, 2017, 10:37:05 PM
to gwhe...@yahoo.com, golang-nuts, Sh...@milochik.com
To detect revoked certificates, you have to either have a current CRL for the CA that issued the cert, or use OCSP. This doesn't appear to be easy to do in Go yet, but https://godoc.org/golang.org/x/crypto/ocsp may help.

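The CRL route mentioned in the last reply, as an added example that is not part of the original thread: it uses only the standard library (Go 1.21 or later) to look a certificate's serial number up on a CRL and treats an unverifiable or stale CRL as an error. The names isRevoked and demoCRL are hypothetical, and the CA and CRL are constructed test data; in a real client, cert and issuer would come from an already verified chain such as resp.TLS.VerifiedChains, and the CRL would be fetched from the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// isRevoked fails closed: an unverifiable or stale CRL is an error, not "not revoked".
func isRevoked(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // CRL must come from cert's issuer
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries { // serials are unique per issuer only
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demoCRL builds constructed test data: a throwaway CA and its CRL revoking serial 2.
// Errors are ignored because every input here is fixed and known to be valid.
func demoCRL(now time.Time) (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	crl, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, key)
	return ca, crl
}

func main() {
	ca, crl := demoCRL(time.Now())
	fmt.Println(isRevoked(&x509.Certificate{SerialNumber: big.NewInt(2)}, ca, crl, time.Now()))
}
```

A CRL only reflects revocations up to its ThisUpdate time, so a deployment needs to refresh it before NextUpdate rather than cache it indefinitely.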