Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread Vasiliy Tolstov
Tue, 30 Apr 2019 at 23:30, Marcin Romaszewicz :
>
> Now we're onto the topic of TLS chain of trust. The full answer is 
> complicated.
>
> In your case, I think the answer is Yes.
>
> Say you have RootCA which signs SubCA which signs ServerCert.
>
> When your server serves on the internet, it can present just ServerCert to 
> the clients, and if the clients know (SubCA, RootCA), then the server doesn't 
> need to present them. If the clients only trust (RootCA), then the server 
> would have to present (ServerCA, SubCA) to the clients in order to build the 
> chain of trust. All the certificates involved in a connection must be 
> presented, but where you stop checking the chain is up to you.
>
> Have a look here as starting points.
> https://ericchiang.github.io/post/go-tls/
> https://security.stackexchange.com/questions/130847/how-tls-certificate-chain-is-verified
>
>

Thank you for the help. Now I think that I have all the needed pieces, and the
next step is to write simple code that acts like I need =)

-- 
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread Marcin Romaszewicz
Now we're onto the topic of TLS chain of trust. The full answer is
complicated.

In your case, I think the answer is Yes.

Say you have RootCA which signs SubCA which signs ServerCert.

When your server serves on the internet, it can present just ServerCert to
the clients, and if the clients know (SubCA, RootCA), then the server
doesn't need to present them. If the clients only trust (RootCA), then the
server would have to present (ServerCA, SubCA) to the clients in order to
build the chain of trust. All the certificates involved in a connection
must be presented, but where you stop checking the chain is up to you.

Have a look here as starting points.
https://ericchiang.github.io/post/go-tls/
https://security.stackexchange.com/questions/130847/how-tls-certificate-chain-is-verified



On Tue, Apr 30, 2019 at 1:12 PM Vasiliy Tolstov  wrote:

> Tue, 30 Apr 2019 at 23:01, Marcin Romaszewicz :
> >
> > Look at the "crypto/x509" package, specifically at CertPool. You would
> load your CA public cert and intermediate certs into a CertPool.
> >
> > Once you have a CertPool, you can use it in tls.Config to configure your
> TLS connections. Given a valid certificate chain, Go will automatically
> validate server TLS certificates. If you want client cert validation, you
> have to enable it (
> https://golang.org/src/crypto/tls/common.go?s=8208:8231#L227)
> >
> > Is that what you were looking for?
> >
>
> Thanks, looks fine, but do I always need to have the root CA to trust
> intermediate certs? Or, if I have custom validation in tls.Config, do I
> not need it?
> For example, I pass the root CA fingerprint to the service; is it possible
> to trust all intermediates if they are issued by a root CA that has the
> same fingerprint?
>
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
>



Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread Vasiliy Tolstov
Tue, 30 Apr 2019 at 23:01, Marcin Romaszewicz :
>
> Look at the "crypto/x509" package, specifically at CertPool. You would load 
> your CA public cert and intermediate certs into a CertPool.
>
> Once you have a CertPool, you can use it in tls.Config to configure your TLS 
> connections. Given a valid certificate chain, Go will automatically validate 
> server TLS certificates. If you want client cert validation, you have to 
> enable it (https://golang.org/src/crypto/tls/common.go?s=8208:8231#L227)
>
> Is that what you were looking for?
>

Thanks, looks fine, but do I always need to have the root CA to trust
intermediate certs? Or, if I have custom validation in tls.Config, do I
not need it?
For example, I pass the root CA fingerprint to the service; is it possible
to trust all intermediates if they are issued by a root CA that has the
same fingerprint?

-- 
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru



Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread bucarr

Apologies. I'm quite new to Go and what you are seeking is probably over my 
head.

On Tuesday, April 30, 2019 at 1:53:13 PM UTC-6, Vasiliy Tolstov wrote:
>
> Tue, 30 Apr 2019 at 16:23, >:
> > 
> > 
> > If I'm understanding your question correctly, this YouTube video from 
> the 2018 Gophercon should help: 
> https://www.youtube.com/watch?v=kxKLYDLzuHA 
> > 
>
> Thanks, I already saw this. My question is about the ability to trust a 
> root self-signed CA cert, and trust all intermediate certs from it. 
> Also trust all client certs from its intermediates. 
>
> -- 
> Vasiliy Tolstov, 
> e-mail: v.to...@selfip.ru  
>



Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread Marcin Romaszewicz
Look at the "crypto/x509" package, specifically at CertPool. You would
load your CA public cert and intermediate certs into a CertPool.

Once you have a CertPool, you can use it in tls.Config to configure your
TLS connections. Given a valid certificate chain, Go will automatically
validate server TLS certificates. If you want client cert validation, you
have to enable it (
https://golang.org/src/crypto/tls/common.go?s=8208:8231#L227)

Is that what you were looking for?

On Tue, Apr 30, 2019 at 12:53 PM Vasiliy Tolstov 
wrote:

> Tue, 30 Apr 2019 at 16:23, :
> >
> >
> > If I'm understanding your question correctly, this YouTube video from
> the 2018 Gophercon should help:
> https://www.youtube.com/watch?v=kxKLYDLzuHA
> >
>
> Thanks, I already saw this. My question is about the ability to trust a
> root self-signed CA cert, and trust all intermediate certs from it.
> Also trust all client certs from its intermediates.
>
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
>
>
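Putting Marcin's CertPool/tls.Config pointers together with Vasiliy's question about trusting a root by fingerprint, here is an added example (not code from this thread, nor from the Go project). It assumes the peer includes the root certificate in the chain it presents, because a bare fingerprint cannot check any signature on its own: the presented self-signed cert is accepted as the trust anchor only if its SHA-256 matches the pin, everything else presented is an intermediate, and crypto/x509 then has to build a valid chain from the leaf to that root. mkCert and verifyPinnedRoot are names chosen here, and the three-level PKI is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed test PKI, not code from the thread
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPinnedRoot checks a peer chain (leaf first, as tls.Config.VerifyPeerCertificate receives rawCerts)
// against one trust anchor: pin, the SHA-256 of the root CA's DER. Wrap it in that callback to use it.
func verifyPinnedRoot(pin [32]byte, usage x509.ExtKeyUsage, rawCerts [][]byte) error {
	certs, err := x509.ParseCertificates(bytes.Join(rawCerts, nil))
	if len(certs) == 0 {
		return fmt.Errorf("no usable peer certificate: %v", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs[1:] {
		inters.AddCert(c) // presented certs may only act as intermediates...
		if sha256.Sum256(c.Raw) == pin {
			roots.AddCert(c) // ...unless the fingerprint says this one is the trusted root
		}
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

An empty Roots pool is deliberate: a nil pool would make Go fall back to the system trust store, which is exactly what a fingerprint-pinned service must not do.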



Re: [go-nuts] Re: Get fingerprint of ca

2019-04-30 Thread Vasiliy Tolstov
Tue, 30 Apr 2019 at 16:23, :
>
>
> If I'm understanding your question correctly, this YouTube video from the 
> 2018 Gophercon should help: https://www.youtube.com/watch?v=kxKLYDLzuHA
>

Thanks, I already saw this. My question is about the ability to trust a
root self-signed CA cert, and trust all intermediate certs from it.
Also trust all client certs from its intermediates.

-- 
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
