Check fingerprints of server SSL/TLS certificates in http.NewRequest

Question

How can I check the fingerprints of the server SSL/TLS certificates during a http request in golang?

This ruby code shows what I want to do in Go:

  @verify_callback = proc do |preverify_ok, store_context|
    if preverify_ok and store_context.error == 0
      certificate = OpenSSL::X509::Certificate.new(store_context.chain[0])
      fingerprint = Digest::SHA1.hexdigest(certificate.to_der).upcase.scan(/../).join(":")
      $valid_fingerprints.include?(fingerprint)
    else
      false
    end
  end

Answer 1

In general the process of generating a certificate fingerprint in Go is pretty simple. If you already have an x509.Certificate struct, stored in cert, all you need to do is

sha1Fingerprint := sha1.Sum(cert.Raw)

Getting certificates from an HTTP response struct after the request is complete is also pretty easy (use resp.TLS.PeerCertificates), but it doesn't seem like that's what you need.

If you need access to the server's certificate at TLS connection set up time, I think you'll need to create your own http.Transport and hand it a custom implementation of DialTLS. You'd then use that transport when configuring an http.Client to make your outbound requests.

Within your custom DialTLS func you'd have access to connection state information like the server's certificate chain, and you could perform the SHA1 fingerprint generation from there.