Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS のサーバ証明書の検証ちゃんとする #53

Closed
ddddddO opened this issue Aug 11, 2024 · 1 comment
Closed

TLS のサーバ証明書の検証ちゃんとする #53

ddddddO opened this issue Aug 11, 2024 · 1 comment

Comments

@ddddddO
Copy link
Owner

ddddddO commented Aug 11, 2024
edited
Loading

確かこの辺り
いま、パースできることくらいしかやってない

packemon/tls.go

Line 208 in ab267a6

func (c *Certificate) Validate() error {

実装対応したら、packemon 実行元でこちら実施する必要あるはず。実施前後で実行してみて動作確認する

mkcert でサーバ証明書作成したから、このあたりも参考になるはず

https://github.com/FiloSottile/mkcert?tab=readme-ov-file#changing-the-location-of-the-ca-files

pi@raspberrypi:~ $ mkcert -CAROOT
/home/pi/.local/share/mkcert
pi@raspberrypi:~ $ ls /home/pi/.local/share/mkcert/
rootCA-key.pem  rootCA.pem
pi@raspberrypi:~ $

実装後、

  • クライアント側でルート証明書の追加してない状態
2024/09/08 11:26:46 certificateLength: 1052
2024/09/08 11:26:46 certificate num: 1
2024/09/08 11:26:46 start verify server certificate
2024/09/08 11:26:46     DNS name in server certificate: my-tls.com
2024/09/08 11:26:46     failed to verify server certificate
x509: certificate signed by unknown authority
ddddddo@debian:~/github.com/ddddddO/packemon$
  • クライアント側でmkcertのルート証明書を追加した状態
2024/09/08 11:49:40 certificateLength: 1052
2024/09/08 11:49:40 certificate num: 1
2024/09/08 11:49:40 start verify server certificate
2024/09/08 11:49:40     DNS name in server certificate: my-tls.com
2024/09/08 11:49:40 finish verify server certificate

クライアント側でmkcertのルート証明書を追加するメモ

  • mkcert でルート証明書(以下)作成したあと、それをコピーして packemon 実行ホストに追加する
pi@raspberrypi:~/.local/share/mkcert $ cat rootCA.pem 
-----BEGIN CERTIFICATE-----
MIIEgTCCAumgAwIBAgIQblZPNGRgDvpS+H3SHH6SAzANBgkqhkiG9w0BAQsFADBZ
...
@ddddddO ddddddO changed the title TLS のサーバ証明の検証ちゃんとする TLS のサーバ証明書の検証ちゃんとする Aug 11, 2024
@ddddddO ddddddO mentioned this issue Sep 8, 2024
Merged
@ddddddO
Copy link
Owner Author

ddddddO commented Sep 8, 2024

対応した

@ddddddO ddddddO closed this as completed Sep 8, 2024
@ddddddO ddddddO mentioned this issue Sep 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ddddddO