Add tooling to enable strict TLS.

2025-11-18 17:25:49 -08:00
parent 3f92963c74
commit b714c75a43
10 changed files with 217 additions and 101 deletions
--- a/cmd/certdump/main.go
+++ b/cmd/certdump/main.go
@@ -7,6 +7,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"flag"
@@ -350,14 +351,11 @@ func main() {
 	flag.BoolVar(&leafOnly, "l", false, "only show the leaf certificate")
 	flag.Parse()

-	opts := &lib.FetcherOpts{
-		SkipVerify: true,
-		Roots:      nil,
-	}
+	tlsCfg := &tls.Config{InsecureSkipVerify: true} // #nosec G402 - tool intentionally inspects broken TLS

 	for _, filename := range flag.Args() {
 		fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
-		certs, err := lib.GetCertificateChain(filename, opts)
+		certs, err := lib.GetCertificateChain(filename, tlsCfg)
 		if err != nil {
 			_, _ = lib.Warn(err, "couldn't read certificate")
 			continue