因之前玩過監控證書,最近在接觸golang因此來看看有甚麼方法能夠取得憑證到期日,最後發現有crypto/tls這個module可以用,驗證步驟簡單三步如下
package main
import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "example.com:80", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
}
上述程式碼首先使用 tls.Dial
建立TLS連線,語法規則為
tls.Dial(protocol, website, tls config)
連線成功則返回一個tls.Conn
執行後會噴以下錯誤
panic: Server doesn't support SSL certificate err: tls: first record does not look like a TLS handshake
接著將網站改為google重新執行一次程式碼,沒有任何輸出表示正常,也代表網站有啟用SSL
package main
import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
}
可使用conn.VerifyHostname
驗證server的憑證與hostname是否吻合
package main
import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
err = conn.VerifyHostname("www.google.com")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
}
我們可以透過conn.ConnectionState().PeerCertificates
來取得憑證,然後透過NotAfter來取得憑證到期日
package main
import (
"crypto/tls"
"fmt"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
err = conn.VerifyHostname("www.google.com")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
expiry := conn.ConnectionState().PeerCertificates[0]
fmt.Printf("Issuer Name: %s\n", expiry.Issuer)
fmt.Printf("Expiry: %s \n", expiry.NotAfter.Format("2006-01-02"))
fmt.Printf("Common Name: %s \n", expiry.Issuer.CommonName)
}