👨‍💻如何在go中驗證SSL憑證

因之前玩過監控證書,最近在接觸golang因此來看看有甚麼方法能夠取得憑證到期日,最後發現有crypto/tls這個module可以用,驗證步驟簡單三步如下

1. 確認網站是否有SSL證書

package main

import (
	"crypto/tls"
)

func main() {
	conn, err := tls.Dial("tcp", "example.com:80", nil)
	if err != nil {
		panic("Server doesn't support SSL certificate err: " + err.Error())
	}
}

上述程式碼首先使用 tls.Dial 建立TLS連線,語法規則為

tls.Dial(protocol, website, tls config)

連線成功則返回一個tls.Conn

執行後會噴以下錯誤

panic: Server doesn't support SSL certificate err: tls: first record does not look like a TLS handshake

goroutine 1 [running]:

接著將網站改為google重新執行一次程式碼,沒有任何輸出表示正常,也代表網站有啟用SSL

package main

import (
	"crypto/tls"
)

func main() {
	conn, err := tls.Dial("tcp", "www.google.com:443", nil)
	if err != nil {
		panic("Server doesn't support SSL certificate err: " + err.Error())
	}
}

2. 確認SSL憑證和網站hostname是否吻合

可使用conn.VerifyHostname驗證server的憑證與hostname是否吻合

package main

import (
	"crypto/tls"
)

func main() {
	conn, err := tls.Dial("tcp", "www.google.com:443", nil)
	if err != nil {
		panic("Server doesn't support SSL certificate err: " + err.Error())
	}

	err = conn.VerifyHostname("www.google.com")
	if err != nil {
		panic("Hostname doesn't match with certificate: " + err.Error())
	}
}

3. 驗證SSL憑證的到期日

我們可以透過conn.ConnectionState().PeerCertificates來取得憑證,然後透過NotAfter來取得憑證到期日

package main

import (
	"crypto/tls"
	"fmt"
)

func main() {
	conn, err := tls.Dial("tcp", "www.google.com:443", nil)
	if err != nil {
		panic("Server doesn't support SSL certificate err: " + err.Error())
	}

	err = conn.VerifyHostname("www.google.com")
	if err != nil {
		panic("Hostname doesn't match with certificate: " + err.Error())
	}
	expiry := conn.ConnectionState().PeerCertificates[0]
	fmt.Printf("Issuer Name: %s\n", expiry.Issuer)
	fmt.Printf("Expiry: %s \n", expiry.NotAfter.Format("2006-01-02"))
	fmt.Printf("Common Name: %s \n", expiry.Issuer.CommonName)
}

📚Reference