Add tooling to enable strict TLS.

2025-11-18 17:25:49 -08:00
parent 3f92963c74
commit b714c75a43
10 changed files with 217 additions and 101 deletions
--- a/cmd/certser/main.go
+++ b/cmd/certser/main.go
@@ -31,16 +31,23 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
 }

 func main() {
-	opts := &lib.FetcherOpts{}
+	var skipVerify bool
+	var strictTLS bool
+	lib.StrictTLSFlag(&strictTLS)
 	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
 	showExpiry := flag.Bool("e", false, "show expiry date")
-	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
+	flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
 	flag.Parse()

+	tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
+	die.If(err)
+
 	displayMode := parseDisplayMode(*displayAs)

 	for _, arg := range flag.Args() {
-		cert, err := lib.GetCertificate(arg, opts)
+		var cert *x509.Certificate
+
+		cert, err = lib.GetCertificate(arg, tlsCfg)
 		die.If(err)

 		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))