如何在Golang中针对CRL验证客户端证书?
I'm using the ClientCAs and ClientAuth options in tls.Config to do cert-based client authentication in my Go HTTP application. Is it possible to also verify the client certs against a provided CRL? I see in the x509 package there are some functions around CRLs, but I'm not sure how to configure the HTTP server to use them (ie. there doesn't seem to be any options in tls.Config that would cause a CRL to also be used).
我在使用 ClientCAs code>和 ClientAuth code>选项 tls.Config code>可以在Go HTTP应用程序中执行基于证书的客户端身份验证。 是否也可以根据提供的CRL验证客户证书? 我在 x509 code>包中看到了一些围绕CRL的功能,但是我不确定如何配置HTTP服务器以使用它们(即, tls.Config code>,这也会导致使用CRL。 p>
div>
Is it possible to also verify the client certs against a provided CRL?
Yes, it is possible, by means of the functionality provided in the crypto/x509 package (as you correctly stated in your question). However, higher-level interfaces such as crypto/tls.Config (consumed by net/http) do not offer that. A good chance to implement a check against a CRL probably is by inspecting net/http.Request.TLS.PeerCertificates.
A little bit of background: crypto/tls is maintained by security expert Adam Langley who has an opinion on revocation checking (original source is his blog). Though I have no evidence, one might assume that this was a deliberate design decision.