Configurable HTTP proxy for OCSP requests (close #267)
parent
857856663d
commit
8613f4a444
@ -29,6 +29,7 @@ import (
|
||||
"io/fs"
|
||||
weakrand "math/rand"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
@ -1173,6 +1174,10 @@ type OCSPConfig struct {
|
||||
// embedded in certificates. Mapping to an empty
|
||||
// URL will disable OCSP from that responder.
|
||||
ResponderOverrides map[string]string
|
||||
|
||||
// Optionally specify a function that can return the URL
|
||||
// for an HTTP proxy to use for OCSP-related HTTP requests.
|
||||
HTTPProxy func(*http.Request) (*url.URL, error)
|
||||
}
|
||||
|
||||
// certIssueLockOp is the name of the operation used
|
||||
|
16
ocsp.go
16
ocsp.go
@ -168,12 +168,24 @@ func getOCSPForCert(ocspConfig OCSPConfig, bundle []byte) ([]byte, *ocsp.Respons
|
||||
return nil, nil, fmt.Errorf("override disables querying OCSP responder: %v", issuedCert.OCSPServer[0])
|
||||
}
|
||||
|
||||
// configure HTTP client if necessary
|
||||
httpClient := http.DefaultClient
|
||||
if ocspConfig.HTTPProxy != nil {
|
||||
httpClient = &http.Client{
|
||||
Transport: &http.Transport{
|
||||
Proxy: ocspConfig.HTTPProxy,
|
||||
},
|
||||
Timeout: 30 * time.Second,
|
||||
}
|
||||
}
|
||||
|
||||
// get issuer certificate if needed
|
||||
if len(certificates) == 1 {
|
||||
if len(issuedCert.IssuingCertificateURL) == 0 {
|
||||
return nil, nil, fmt.Errorf("no URL to issuing certificate")
|
||||
}
|
||||
|
||||
resp, err := http.Get(issuedCert.IssuingCertificateURL[0])
|
||||
resp, err := httpClient.Get(issuedCert.IssuingCertificateURL[0])
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("getting issuer certificate: %v", err)
|
||||
}
|
||||
@ -202,7 +214,7 @@ func getOCSPForCert(ocspConfig OCSPConfig, bundle []byte) ([]byte, *ocsp.Respons
|
||||
}
|
||||
|
||||
reader := bytes.NewReader(ocspReq)
|
||||
req, err := http.Post(respURL, "application/ocsp-request", reader)
|
||||
req, err := httpClient.Post(respURL, "application/ocsp-request", reader)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("making OCSP request: %v", err)
|
||||
}
|
||||
|
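Review bot: The 30-second timeout is applied only on the proxy branch; `httpClient := http.DefaultClient` leaves the non-proxy path with no deadline, so an unresponsive OCSP responder or issuer-certificate URL can block getOCSPForCert indefinitely, while the same call with HTTPProxy set gives up after 30 seconds. The hand-built `&http.Transport{Proxy: ocspConfig.HTTPProxy}` also drops the dial, TLS-handshake and idle-connection limits that http.DefaultTransport carries, and because a fresh Transport is built on every call its keep-alive connections are neither reused nor closed. Building one client with the timeout in both cases and cloning the default transport before overriding Proxy keeps behaviour uniform; the Post in the second hunk already goes through httpClient, so it needs no further change. getOCSPForCert begins before this hunk and continues after it.
```go
	// configure HTTP client: one timeout whether or not a proxy is set,
	// and a transport that keeps the default dial/TLS-handshake limits
	httpClient := &http.Client{Timeout: 30 * time.Second}
	if ocspConfig.HTTPProxy != nil {
		transport, ok := http.DefaultTransport.(*http.Transport)
		if ok {
			transport = transport.Clone()
		} else {
			transport = &http.Transport{}
		}
		transport.Proxy = ocspConfig.HTTPProxy
		httpClient.Transport = transport
	}
	// … unchanged: issuer certificate fetch via httpClient.Get …
```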