Documentation ¶
Overview ¶
Package dane provides functionality for using DNS-based Authentication of Named Entities (DANE) in standard Go TLS connections.
Example ¶
    package main

    import (
    	"context"
    	"crypto/tls"
    	"crypto/x509"
    	"fmt"
    	"log"
    	"net"
    	"net/http"
    	"time"

    	"github.com/hawell/dane"
    )

    func main() {
    	t := &http.Transport{
    		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
    			dialer := &net.Dialer{
    				Timeout:   30 * time.Second,
    				KeepAlive: 30 * time.Second,
    			}
    			// The standard CA chain check is switched off; the certificate the
    			// peer presents is instead verified against the host's TLSA records.
    			conn, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{
    				InsecureSkipVerify: true,
    				VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
    					return dane.VerifyPeerCertificate(network, addr, rawCerts, nil)
    				},
    			})
    			if err != nil {
    				// Return an untyped nil so callers comparing against nil see a failed dial.
    				return nil, err
    			}
    			return conn, nil
    		},
    	}
    	client := http.Client{Transport: t}
    	resp, err := client.Get("https://www.fedoraproject.org")
    	if err != nil {
    		log.Fatal(err)
    	}
    	defer resp.Body.Close()
    	fmt.Println(resp)
    }
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func VerifyPeerCertificate ¶
func VerifyPeerCertificate(network string, addr string, rawCerts [][]byte, roots *x509.CertPool) error
VerifyPeerCertificate is a custom TLS validator that uses TLSA records to verify the certificates presented by the peer. InsecureSkipVerify in tls.Config has to be set to true so that the standard chain verification does not reject the connection before this callback runs. The network and addr values from DialTLS or DialTLSContext are needed to find the matching TLSA record.
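To make concrete what a TLSA-based check compares, here is an added, self-contained illustration of DANE-EE matching (usage 3, matching type 1, selectors 0 and 1) run against a constructed self-signed certificate. It is example code written for this page, not the dane package's implementation; the TLSA type, MatchDANEEE and SelfSignedDER are assumed names, and the DNSSEC lookup that the package performs is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

// TLSA mirrors one record's fields (RFC 6698); a constructed type, not part of the dane package.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// MatchDANEEE checks usage 3 (DANE-EE) records with matching type 1 (SHA-256): the leaf must hash to
// a record's Data, either as the whole DER certificate (selector 0) or as its SPKI (selector 1).
// No CA chain is consulted, which is why the caller sets InsecureSkipVerify. Other usages are skipped.
func MatchDANEEE(rawCerts [][]byte, records []TLSA) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("dane: peer sent no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	for _, r := range records {
		if r.Usage != 3 || r.MatchingType != 1 || r.Selector > 1 {
			continue
		}
		in := [][]byte{leaf.Raw, leaf.RawSubjectPublicKeyInfo}[r.Selector]
		if sum := sha256.Sum256(in); bytes.Equal(sum[:], r.Data) {
			return nil
		}
	}
	return fmt.Errorf("dane: no TLSA record matches the leaf certificate")
}

// SelfSignedDER builds a throwaway certificate so the check can run offline.
func SelfSignedDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	der := SelfSignedDER()
	sum := sha256.Sum256(der) // published in DNS as "_443._tcp.<host> TLSA 3 0 1 <hex of sum>"
	fmt.Println(MatchDANEEE([][]byte{der}, []TLSA{{Usage: 3, Selector: 0, MatchingType: 1, Data: sum[:]}}))
}
```

A record with the wrong selector or a usage other than 3 is rejected, which is the behaviour a caller relies on when it has disabled the standard chain check.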
Types ¶
type Resolver ¶
type Resolver struct {
// contains filtered or unexported fields
}
Resolver holds cached query responses and a DNS client used for querying.
func NewResolver ¶
func NewResolver() *Resolver
NewResolver creates a new DNS resolver with the root keys set.
func (*Resolver) Get ¶
Get starts a recursive DNSSEC query from the root zone and verifies the responses along the way.