2023-08-08|閱讀時間 ‧ 約 5 分鐘

如何在go中驗證SSL憑證

👨‍💻如何在go中驗證SSL憑證

因之前玩過監控證書,最近在接觸golang因此來看看有甚麼方法能夠取得憑證到期日,最後發現有crypto/tls這個module可以用,驗證步驟簡單三步如下

1. 確認網站是否有SSL證書

package main

import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "example.com:80", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
}

上述程式碼首先使用 tls.Dial 建立TLS連線,語法規則為

tls.Dial(protocol, website, tls config)

連線成功則返回一個tls.Conn

執行後會噴以下錯誤

panic: Server doesn't support SSL certificate err: tls: first record does not look like a TLS handshake

接著將網站改為google重新執行一次程式碼,沒有任何輸出表示正常,也代表網站有啟用SSL

package main

import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
}

2. 確認SSL憑證和網站hostname是否吻合

可使用conn.VerifyHostname驗證server的憑證與hostname是否吻合

package main

import (
"crypto/tls"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
err = conn.VerifyHostname("www.google.com")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
}

3. 驗證SSL憑證的到期日

我們可以透過conn.ConnectionState().PeerCertificates來取得憑證,然後透過NotAfter來取得憑證到期日

package main

import (
"crypto/tls"
"fmt"
)
func main() {
conn, err := tls.Dial("tcp", "www.google.com:443", nil)
if err != nil {
panic("Server doesn't support SSL certificate err: " + err.Error())
}
err = conn.VerifyHostname("www.google.com")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
expiry := conn.ConnectionState().PeerCertificates[0]
fmt.Printf("Issuer Name: %s\n", expiry.Issuer)
fmt.Printf("Expiry: %s \n", expiry.NotAfter.Format("2006-01-02"))
fmt.Printf("Common Name: %s \n", expiry.Issuer.CommonName)
}

📚Reference

分享至
成為作者繼續創作的動力吧!
© 2024 vocus All rights reserved.