
ssl - Understanding mutual TLS: client configuration using a server name

Reposted. Author: 数据小太阳. Updated: 2023-10-29 03:10:14

I want to understand how mutual TLS works, and I have the following example:

I have a client who wants to connect to server "svc1.example.com"

but the server has a

server certificate with a commonName as "svc1.example.cloud" and a SAN as "svc.example.test.cloud".

Now, when I issue a GET request, I get the following:

x509: certificate is valid for svc.example.test.cloud, not svc1.example.com

So my question is: should I change the TLS clientConfig to include the server name, or should I add a custom verifyPeerCertificate function to the TLS client config, as shown below?

Please tell me what the server name should be and what I should check in the verifyPeerCertificate function.

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	// ytls is the poster's own package providing NewClientTransport; its import path is not given
)

// customverify wraps a predicate on the peer's leaf certificate as a
// tls.Config.VerifyPeerCertificate callback. It only runs after the
// standard chain and hostname verification has already succeeded.
func customverify(customCName func(*x509.Certificate) bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	if customCName == nil {
		return nil
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, certs := range verifiedChains {
			leaf := certs[0] // the peer's own certificate heads every verified chain
			if customCName(leaf) {
				return nil
			}
		}
		return fmt.Errorf("client identity verification failed")
	}
}

// configureClient builds an mTLS http.Client that presents the given client
// certificate and trusts the roots returned by addRootCA. addRootCA and
// ytls.NewClientTransport are the poster's own helpers and are not shown.
func configureClient(certFile, keyFile string) (*http.Client, error) {
	certpool, err := addRootCA()
	if err != nil {
		return nil, err
	}

	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	transport := ytls.NewClientTransport()
	transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
	transport.TLSClientConfig.RootCAs = certpool
	//transport.TLSClientConfig.ServerName = expectedCName
	transport.TLSClientConfig.VerifyPeerCertificate = customverify(func(cert *x509.Certificate) bool {
		return cert.Subject.CommonName == "svc1.example.cloud"
	})

	httpClient := &http.Client{Transport: transport}
	return httpClient, nil
}
Best answer

Since "x509: certificate is valid for svc.example.test.cloud", set transport.TLSClientConfig.ServerName = "svc.example.test.cloud"

From https://golang.org/pkg/crypto/tls/#Config

VerifyPeerCertificate, if not nil, is called after normal
certificate verification by either a TLS client or server. It
receives the raw ASN.1 certificates provided by the peer and also
any verified chains that normal processing found. If it returns a
non-nil error, the handshake is aborted and that error results.

If normal verification fails then the handshake will abort before
considering this callback. If normal verification is disabled by
setting InsecureSkipVerify, or (for a server) when ClientAuth is
RequestClientCert or RequireAnyClientCert, then this callback will
be considered but the verifiedChains argument will always be nil.

VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

So if normal verification fails, VerifyPeerCertificate is not called. Also, if normal verification passes, I don't think you need the extra VerifyPeerCertificate check.

Regarding "ssl - Understanding mutual TLS: client configuration using a server name", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53276769/
