libnodelay VS certificate-transparency-go

> not to mention nearly 50% of every packet was literally packet headers

I was just looking at a similar issue with grpc-go, where it would somehow send a HEADERS frame, a DATA frame, and a terminal HEADERS frame in 3 different packets. The grpc server is a golang binary (lightstep collector), which definitely disables Nagle's algorithm as shown by strace output, and the flag can't be flipped back via the LD_PRELOAD trick (e.g. with a flipped version of https://github.com/sschroe/libnodelay) as the binary is statically linked.

I can't reproduce this with a dummy grpc-go server, where all 3 frames would be sent in the same packet. So I can't blame Nagle's algorithm, but I am still not sure why the lightstep collector behaves differently.

If you're talking about a certificate honored by a browser, these days they'd have to put it in a CT log, or at least obtain a "signed certificate timestamp" from a CT log: https://certificate.transparency.dev/

>This feels like this might actually be a use-case for a blockchain or a Merkle Tree.

A few years ago, this idea[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.

I don't know if they've advanced adoption of Trillian for firmware, however, the website lists Go packaging[2], Certificate Transparency [3], and SigStore[4] as current applications.

have used Trillian as the basis for their Certificate Transparency implementation.[2]

[0] https://github.com/google/trillian-examples/tree/master/bina...

[1] https://transparency.dev/

[2] https://go.googlesource.com/proposal/+/master/design/25530-s...

[3] https://certificate.transparency.dev/

[4] https://www.sigstore.dev/

You can find more about certificate monitoring and who are involved here

https://certificate.transparency.dev/

Excellent question! The sctcheck command from https://github.com/google/certificate-transparency-go/ can be used to check the signatures of embedded SCTs.

I've also got an online tool which you can use to test a site for CT policy compliance: https://sslmate.com/labs/ct_policy_analyzer/

Example of a working site: https://sslmate.com/labs/ct_policy_analyzer/?sslmate.com

Example of one of the sites affected by the Let's Encrypt incident: https://sslmate.com/labs/ct_policy_analyzer/?thecandyshake.c...

The x509 package has unfortunately burned me several times, this one included. It is too anal about non-fatal errors, that Google themselves forked it (and asn1) to improve usability.

https://github.com/google/certificate-transparency-go

ogClient, err := client.New( l.URI, &http.Client{ Timeout: 10 * time.Second, Transport: &http.Transport{ TLSHandshakeTimeout: 30 * time.Second, ResponseHeaderTimeout: 30 * time.Second, MaxIdleConnsPerHost: 10, DisableKeepAlives: false, MaxIdleConns: 100, IdleConnTimeout: 90 * time.Second, ExpectContinueTimeout: 1 * time.Second, }, }, jsonclient.Options{UserAgent: "ct-go-scanlog/1.0"}, ) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to create new client: %s\n", l.Name, err) return } sth, err := logClient.GetSTH(context.TODO()) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to get SignedTreeHead: %s\n", l.Name, err) return } fmt.Printf("%s -> Number of logs: %d\n", l.Name, sth.TreeSize) index := uint64(0) // Logs MAY return fewer than the number of leaves requested. Only complete // if we actually got all the leaves we were expecting. // See more: https://github.com/google/certificate-transparency-go/blob/52d94d8cbab94d6698621839ab1a439d17ebbfb2/scanner/fetcher.go#L263 for index <= sth.TreeSize { fmt.Printf("%s -> New fetch start with index %d-%d\n", l.Name, index, index+100) entries, err := logClient.GetRawEntries(context.TODO(), int64(index), int64(index)+100) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to get raw entries: %s\n", l.Name, err) return } if entries == nil { fmt.Fprintf(os.Stderr, "%s -> entries is nil", l.Name) return } if DEBUG { fmt.Printf("%s -> Got %d leaf entry\n", l.Name, len(entries.Entries)) } for i := range entries.Entries { rawLogE, err := ct.RawLogEntryFromLeaf(int64(index), &entries.Entries[i]) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to parse leaf to raw entry at index %d: %s\n", l.Name, index, err) index++ continue } logE, err := rawLogE.ToLogEntry() if err != nil { fmt.Printf("%s -> Failed to convert raw log to log at index %d: %s\n", l.Name, index, err) index++ continue } /* * This check is true most of the time. */ if logE.X509Cert == nil { fmt.Printf("%s -> Failed to read log cert at index %d: X509Cert is nil\n", l.Name, index) index++ continue } if DEBUG { fmt.Printf("%s -> Leaf entry at %d is parsed successfuly!\n", l.Name, index) } entryChan <- *logE index++ } }

Yes, you can use the certificate-transparency go code to pull down from the trillian API https://github.com/google/certificate-transparency-go/blob/m...

You would need to know the index, or you could just iterate over a range