Project author: nathanejohnson

Project description:
Go http transport and http client that will communicate with https websites that do not present their intermediate certificates, provided it can complete the chain. Also validates stapled OCSP responses, and supports OCSP must staple.
Language: Go
Project URL: git://github.com/nathanejohnson/intransport.git
Created: 2018-03-02T01:31:26Z
Project community: https://github.com/nathanejohnson/intransport

License: MIT License


Package intransport implements the http RoundTripper interface, so it can be used with, for example, http.Client and httputil.ReverseProxy. It is meant to allow secure communication with remote hosts that may not fully specify their intermediate certificates in the TLS handshake. Most browsers support communication with these hosts by using the issuing certificate URL from the Authority Information Access extension of the certificate to fetch any missing intermediates. Each intermediate is fetched in turn until the chain either completes back to a trusted root or all avenues have been exhausted, in which case the browser displays an error. Go’s default transport does not fetch intermediates and will fail on such misconfigured hosts. This package emulates the browser behavior: it fetches any missing intermediates in an attempt to complete the chain to a trusted root.

Additionally, the package validates any stapled OCSP response, and when the certificate was created with the Must Staple extension set, the connection fails in the absence of a validated OCSP response.

For most use cases, usage is simply:

```go
package main

import (
	"fmt"
	"io/ioutil"
	"os"

	it "github.com/nathanejohnson/intransport/v2"
)

func main() {
	// Build an http.Client backed by the intransport transport.
	c := it.NewInTransportHTTPClient(nil)

	// The request fails if the chain cannot be completed to a trusted root
	// or if OCSP validation fails.
	resp, err := c.Get("https://something.org")
	if err != nil {
		fmt.Println("boo, hiss! ", err)
		os.Exit(1)
	}

	// Read the whole body, then close it before checking the read error.
	body, err := ioutil.ReadAll(resp.Body)
	_ = resp.Body.Close()
	if err != nil {
		fmt.Println("ba dum, tiss! ", err)
		os.Exit(1)
	}
	fmt.Printf("got response:\n%s", string(body))
}
```

Note: the v2 package supports only Go 1.15 and newer because it uses the tls `VerifyConnection` callback.