Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
crypto/tls: enforce that either ServerName or InsecureSkipVerify be g…
…iven. crypto/tls has two functions for creating a client connection: Dial, which most users are expected to use, and Client, which is the lower-level API. Dial does what you expect: it gives you a secure connection to the host that you specify and the majority of users of crypto/tls appear to work fine with it. Client gives more control but needs more care. Specifically, if it wasn't given a server name in the tls.Config then it didn't check that the server's certificates match any hostname - because it doesn't have one to check against. It was assumed that users of the low-level API call VerifyHostname on the certificate themselves if they didn't supply a hostname. A review of the uses of Client both within Google and in a couple of external libraries has shown that nearly all of them got this wrong. Thus, this change enforces that either a ServerName or InsecureSkipVerify is given. This does not affect tls.Dial. See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J. Fixes #7342. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/67010043
- Loading branch information
fca335e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about making this the default behaviour but having a "SkipHostnameVerification" option? I have a situation where we are using certs signed by our own private CA. The hostname verification won't work since we pre-generate certs using a CN that isn't an actual DSN/Host name. I still want to validate that other servers certs are at least signed by the same private CA as the client; but JUST want to skip the hostnameVerify check.