package tlstools
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"os"
"time"
)
// dialer is the TCP dialer shared by every Dial call. Its Timeout bounds
// the connect attempt to 3 seconds; tls.DialWithDialer applies that same
// deadline to the handshake as a whole, so a silent peer cannot hang the
// caller indefinitely.
var dialer = &net.Dialer{Timeout: 3 * time.Second}
// conf is the TLS client configuration shared by every Dial call.
//
// InsecureSkipVerify disables the standard library's chain and hostname
// checks; in their place VerifyConnection runs warnOnVerificationFailure,
// which performs the same verification but only reports failures on
// stderr and never rejects the handshake. Connections made with conf are
// therefore not authenticated: they are suitable for fetching a peer's
// certificates for inspection, not for carrying data.
var conf = &tls.Config{
	// Verification is re-done (warn-only) in VerifyConnection.
	InsecureSkipVerify: true,
	VerifyConnection:   warnOnVerificationFailure,
}
// Dial opens a TLS connection to addr ("host:port") over TCP using the
// package-level dialer and conf, and returns the certificates the peer
// presented during the handshake.
//
// Because conf skips verification and only warns on an invalid chain, the
// certificates are returned whether or not they validate. The connection
// is closed before returning; it is never handed to the caller. A dial or
// handshake failure is wrapped and returned as the error.
func Dial(addr string) ([]*x509.Certificate, error) {
	conn, dialErr := tls.DialWithDialer(dialer, "tcp", addr, conf)
	if dialErr != nil {
		return nil, fmt.Errorf("connection error: %w", dialErr)
	}
	defer conn.Close()

	// Only the peer chain is of interest; the rest of the state is dropped.
	state := conn.ConnectionState()
	return state.PeerCertificates, nil
}
// warnOnVerificationFailure re-implements the regular certificate verification process,
// but never returns an error. It is used so that we may continue processing invalid certificates,
// but warn the user that the chain is not valid.
func warnOnVerificationFailure(cs tls.ConnectionState) error {
opts := x509.VerifyOptions{
DNSName: cs.ServerName,
Intermediates: x509.NewCertPool(),
}
for _, cert := range cs.PeerCertificates[1:] {
opts.Intermediates.AddCert(cert)
}
_, err := cs.PeerCertificates[0].Verify(opts)
if err != nil {
fmt.Fprintf(os.Stderr, "WARNING: certificate verification failed: %s\n", err.Error())
}
return nil
}