I'm working on a internet restricted environment. Since our internal services we are using Let's Encrypt certificates to avoid the overhead with an internal PKI.
I'm writing a go program which collects informations from all systems and sent the data to a central system. While this works fine for Linux systems, have I have trouble on Windows system.
It seems like that go is using the os native libraries to establish a secured connection for HTTPS requests.
With using the program below
package main
import (
"fmt"
"io"
"log"
"net/http"
"os"
)
func main() {
resp, err := http.Get(os.Args[1])
if err != nil {
log.Fatalln(err)
}
defer resp.Body.Close()
htmlData, err := io.ReadAll(resp.Body)
if err != nil {
log.Fatalln(err)
return
}
fmt.Printf("%v\n", resp.Status)
fmt.Printf(string(htmlData))
}
I'm getting an handshake timeout
2023/09/13 16:19:03 Get "https://google.de": net/http: TLS handshake timeout
It seems like the native libraries tries to contact the CRLs (which are not allowed) and the connection fails here. I inspect the traffic with Wireshark and see HTTP connection to r3.c.lencr.org with User-Agent CryptoAPI.
I also can verify such behavior, if I'm using curl
curl https://google.de
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
However curl has the option --ssl-no-revoke to skip the specific revoke check. Running curl with the option works fine.
How I can configure go to skip the revoke check? I'm not looking an option that skips the entire ssl validation.
I tried look into the TLSConfig of go, but I could not find such an option.