From a2cbe4a78f966faac5e149f0ae2db13705baf373 Mon Sep 17 00:00:00 2001
From: David Narayan
Date: Wed, 24 Oct 2018 13:25:56 -0400
Subject: [PATCH 1/2] Add option to specify additional CA certificates for peer validation
---
 main.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/main.go b/main.go
index a83f301..199b5ba 100644
--- a/main.go
+++ b/main.go
@@ -3,6 +3,7 @@ package main
 import (
 "context"
 "crypto/tls"
+ "crypto/x509"
 "encoding/pem"
 "flag"
 "fmt"
@@ -62,6 +63,7 @@ var (
 clientCertFile string
 fourOnly bool
 sixOnly bool
+ cacert string
 // number of redirects followed
 redirectsFollowed int
@@ -84,6 +86,7 @@ func init() {
 flag.StringVar(&clientCertFile, "E", "", "client cert file for tls config")
 flag.BoolVar(&fourOnly, "4", false, "resolve IPv4 addresses only")
 flag.BoolVar(&sixOnly, "6", false, "resolve IPv6 addresses only")
+ flag.StringVar(&cacert, "cacert", "", "CA certificate to verify peer against (SSL)")
 flag.Usage = usage
 }
@@ -140,6 +143,20 @@ func main() {
 visit(url)
 }
+// readCACerts - helper function to load additional CA certificates
+func readCACerts(certfile string) (*x509.CertPool, error) {
+ certFileBytes, err := ioutil.ReadFile(certfile)
+
+ if err != nil {
+ return nil, fmt.Errorf("failed to read CA certificate file: %v", err)
+ }
+
+ certPool := x509.NewCertPool()
+ certPool.AppendCertsFromPEM(certFileBytes)
+
+ return certPool, nil
+}
+
 // readClientCert - helper function to read client certificate
 // from pem formatted file
 func readClientCert(filename string) []tls.Certificate {
@@ -269,10 +286,16 @@ func visit(url *url.URL) {
 host = req.Host
 }
+ rootCAs, err := readCACerts(cacert)
+ if err != nil {
+ log.Printf("warning: failed to read CA certificates: %s\n", err)
+ }
+
 tr.TLSClientConfig = &tls.Config{
 ServerName: host,
 InsecureSkipVerify: insecure,
 Certificates: readClientCert(clientCertFile),
+ RootCAs: rootCAs,
 }
 // Because we create a custom TLSClientConfig, we have to opt-in to HTTP/2.
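Review bot: `certPool.AppendCertsFromPEM(certFileBytes)` in the new readCACerts discards its bool result, so a file that is readable but holds no parsable CERTIFICATE block (DER instead of PEM, a key file, the wrong path) yields an empty pool, and every later handshake fails with an "unknown authority" error that never points at the CA file. Check the result and name the file: `if !certPool.AppendCertsFromPEM(certFileBytes) {` / `return nil, fmt.Errorf("no CA certificates found in %s", certfile)` / `}`. The doc comment also says the function loads "additional" CA certificates, but a non-nil tls.Config.RootCAs replaces the host's root set rather than extending it; either reword the comment to say the pool replaces the system roots, or seed it from `x509.SystemCertPool()` before appending if "additional" is the intended behaviour.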
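Review bot: When `-cacert` is given but readCACerts fails, the new code in visit only logs a warning and goes on with `rootCAs == nil`, which makes tls.Config fall back to the host's root set — the request is then verified against the very trust store the user tried to narrow, and the warning is easy to miss among the timing output. A caller who pins trust to a specific CA file should fail closed here: replace the log.Printf with `log.Fatalf("failed to read CA certificates: %s", err)` (or propagate the error so the caller aborts). The rest of visit's body lies outside the hunk.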
From 55f832ee7482dc859bbb49b6542b4969f390d217 Mon Sep 17 00:00:00 2001
From: David Narayan
Date: Wed, 24 Oct 2018 14:14:53 -0400
Subject: [PATCH 2/2] Fix check for empty filename on cacert option.
---
 main.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index 199b5ba..0abfe5d 100644
--- a/main.go
+++ b/main.go
@@ -144,8 +144,11 @@ func main() {
 }
 // readCACerts - helper function to load additional CA certificates
-func readCACerts(certfile string) (*x509.CertPool, error) {
- certFileBytes, err := ioutil.ReadFile(certfile)
+func readCACerts(filename string) (*x509.CertPool, error) {
+ if filename == "" {
+ return nil, nil
+ }
+ certFileBytes, err := ioutil.ReadFile(filename)
 if err != nil {
 return nil, fmt.Errorf("failed to read CA certificate file: %v", err)
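Review bot: The new `if filename == "" { return nil, nil }` guard makes the function's contract depend on the caller treating a nil pool as "keep the host's default roots", yet the doc comment directly above still only says it loads "additional CA certificates" and mentions neither the sentinel nor that a non-nil pool replaces the system roots. Replace the comment with `// readCACerts loads the PEM certificates in filename into a pool that replaces the host's root CAs when set on tls.Config; it returns (nil, nil) for an empty filename so callers keep the default roots.` The body of readCACerts continues outside the hunk.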