authorLuke Shumaker <lukeshu@sbcglobal.net>2016-11-18 15:43:25 -0500
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-11-18 15:43:25 -0500
commit80454ad8a77bf46b784c7ef421acf8626b2d4df6 (patch)
treea525a09f49d7a6e181c210f2ba8015444b4308fd /tls-getcerts.go
parent89fa60bdf5ed6bd729f4d7931c9603e896d38665 (diff)
tls: track errors
Diffstat (limited to 'tls-getcerts.go')
-rw-r--r--tls-getcerts.go22
1 files changed, 21 insertions, 1 deletions
diff --git a/tls-getcerts.go b/tls-getcerts.go
index ba951c9..49e15a2 100644
--- a/tls-getcerts.go
+++ b/tls-getcerts.go
@@ -5,16 +5,33 @@ import (
"crypto/x509"
"encoding/pem"
"fmt"
+ "net"
"os"
)
func getcert(socket string) (*x509.Certificate, error){
+ host, _, err := net.SplitHostPort(socket)
+ if err != nil {
+ return nil, err
+ }
conn, err := tls.Dial("tcp", socket, &tls.Config{InsecureSkipVerify: true})
if err != nil {
return nil, err
}
defer conn.Close()
- return conn.ConnectionState().PeerCertificates[0], nil
+ cstate := conn.ConnectionState()
+
+ opts := x509.VerifyOptions{
+ DNSName: host,
+ Intermediates: x509.NewCertPool(),
+ }
+ for _, cert := range cstate.PeerCertificates[1:] {
+ opts.Intermediates.AddCert(cert)
+ }
+
+ cert := cstate.PeerCertificates[0]
+ _, err = cert.Verify(opts)
+ return cert, err
}
func main() {
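Review bot: getcert now has an undocumented contract: when `cert.Verify` fails it returns a non-nil certificate together with a non-nil error, while the `net.SplitHostPort` and `tls.Dial` failure paths return a nil certificate. Callers therefore have to check `cert != nil` separately from `err`, and must treat a certificate that comes back with an error as unverified. A doc comment would make that explicit, e.g. `// getcert returns the peer's leaf certificate even when verification fails; a non-nil error alongside a non-nil certificate means the chain or hostname did not verify.` A short comment on `InsecureSkipVerify: true` would also help, saying that the handshake check is disabled on purpose so the certificate can still be retrieved, and that verification is redone by hand just below. That keeps the flag from being copied elsewhere without the manual check.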
@@ -29,6 +46,9 @@ func main() {
Headers: map[string]string{"X-Socket": socket},
Bytes: cert.Raw,
}
+ if err != nil {
+ block.Headers["X-Error"] = err.Error()
+ }
pem.Encode(os.Stdout, &block)
}
}
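Review bot: The `X-Error` value is written into the PEM header unfiltered, and the text of an x509 verification error can include names taken from the server's certificate, so the remote end may influence it. `pem.Encode` does not appear to escape header values, so a line break in the message would break the header framing for whatever parses the output. Quoting the value, for example `block.Headers["X-Error"] = strconv.Quote(err.Error())` (with `strconv` imported), keeps it on one line. The start of the loop body is outside the hunk, so it is worth confirming that a nil `cert` from a dial failure cannot reach `cert.Raw` above, and checking the error that `pem.Encode` returns.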