php editor Baicao will introduce you how to obtain TLS information from the client. During the website development process, obtaining the client's TLS information is very important to implement some security-related functions. TLS is an encryption protocol used to secure network communications. By obtaining the client's TLS information, we can obtain the client's certificate information, encryption algorithm, key length and other related information, thereby improving the security of the website. In the following articles, we will explain in detail how to obtain TLS information from the client and how to apply this information to enhance the security of the website.
net/http go package has a type request, which defines a field TLS that holds ConnectionState
. However, the last statement in the description indicates that it is ignored by HTTP clients. I also checked while debugging and it is nil
.
I need to get the value TLSUnique
from that connection state (or elsewhere) so that I can include it in my certificate request (aka CSR) before I can register/send it to server.
The server then receives the request and checks the signature of the CSR and the TLS unique value, proving that the client establishing the TLS connection is the same client that signed the CSR.
This is from RFC 7030 - Section 3.5 (EST Protocol)
[What I am using]
I'm experimenting with the GlobalSign EST Go packages, but they don't seem to include this functionality.
Their EST client seems to create a http client for each EST operation, I thought I could change this behavior and have one client to send all requests to.
However, since the client accepts the RoundTripper interface, I cannot use the underlying connection's information outside of the implementation.
One approach requires making some small changes to the global symbol EST package.
Like I said before, the current implementation creates a new http client for each EST operation (CACerts, CSRAttrs, Enroll, etc.)
1- Let's use a http client for all EST operations.
2- Either way, we need to call to get the CA certificate before registering the CSR.
3- The http response to any client request exposes the field http.Response.TLS.TLSUnique
.
4- Have the client include it in the certificate request, sign it and register it.
When I think about global symbols in the EST package and why they choose to create a new http client every time.
(Unless just waiting for examples to be used according to user wishes)
The above is the detailed content of Get TLS information from client. For more information, please follow other related articles on the PHP Chinese website!