improve tls client config

alibabacloud-go · Jun 28, 2023 · e3922d2 · e3922d2
1 parent 5ef2fcc
commit e3922d2
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 23 deletions.
diff --git a/tea/tea.go b/tea/tea.go
@@ -415,28 +415,30 @@ func getHttpTransport(req *Request, runtime *RuntimeObject) (*http.Transport, er
 	if err != nil {
 		return nil, err
 	}
-	if strings.ToLower(*req.Protocol) == "https" &&
-		runtime.Key != nil && runtime.Cert != nil {
-		cert, err := tls.X509KeyPair([]byte(StringValue(runtime.Cert)), []byte(StringValue(runtime.Key)))
-		if err != nil {
-			return nil, err
-		}
-
-		trans.TLSClientConfig = &tls.Config{
-			Certificates:       []tls.Certificate{cert},
-			InsecureSkipVerify: BoolValue(runtime.IgnoreSSL),
-		}
-		if runtime.CA != nil {
-			clientCertPool := x509.NewCertPool()
-			ok := clientCertPool.AppendCertsFromPEM([]byte(StringValue(runtime.CA)))
-			if !ok {
-				return nil, errors.New("Failed to parse root certificate")
+	if strings.ToLower(*req.Protocol) == "https" {
+		if BoolValue(runtime.IgnoreSSL) != true {
+			trans.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: false,
+			}
+			if runtime.Key != nil && runtime.Cert != nil && StringValue(runtime.Key) != "" && StringValue(runtime.Cert) != "" {
+				cert, err := tls.X509KeyPair([]byte(StringValue(runtime.Cert)), []byte(StringValue(runtime.Key)))
+				if err != nil {
+					return nil, err
+				}
+				trans.TLSClientConfig.Certificates = []tls.Certificate{cert}
+			}
+			if runtime.CA != nil && StringValue(runtime.CA) != "" {
+				clientCertPool := x509.NewCertPool()
+				ok := clientCertPool.AppendCertsFromPEM([]byte(StringValue(runtime.CA)))
+				if !ok {
+					return nil, errors.New("Failed to parse root certificate")
+				}
+				trans.TLSClientConfig.RootCAs = clientCertPool
+			}
+		} else {
+			trans.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true,
 			}
-			trans.TLSClientConfig.RootCAs = clientCertPool
-		}
-	} else {
-		trans.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: BoolValue(runtime.IgnoreSSL),
 		}
 	}
 	if httpProxy != nil {

diff --git a/tea/tea_test.go b/tea/tea_test.go
@@ -542,20 +542,32 @@ func Test_DoRequest(t *testing.T) {
 
 	runtimeObj["key"] = "private rsa key"
 	runtimeObj["cert"] = "private certification"
+	runtimeObj["ca"] = "private ca"
 	runtimeObj["ignoreSSL"] = true
 	resp, err = DoRequest(request, runtimeObj)
+	utils.AssertNil(t, err)
+	utils.AssertNotNil(t, resp)
+
+	// update the host is to restart a client
+	request.Headers["host"] = String("a.com")
+	runtimeObj["ignoreSSL"] = false
+	resp, err = DoRequest(request, runtimeObj)
 	utils.AssertNotNil(t, err)
+	utils.AssertEqual(t, "tls: failed to find any PEM data in certificate input", err.Error())
 	utils.AssertNil(t, resp)
 
+	// update the host is to restart a client
+	request.Headers["host"] = String("b.com")
 	runtimeObj["key"] = key
 	runtimeObj["cert"] = cert
 	runtimeObj["ca"] = "private ca"
-	runtimeObj["socks5Proxy"] = "socks5://someuser:somepassword@cs.aliyun.com"
 	_, err = DoRequest(request, runtimeObj)
 	utils.AssertNotNil(t, err)
+	utils.AssertEqual(t, "Failed to parse root certificate", err.Error())
 
+	// update the host is to restart a client
+	request.Headers["host"] = String("c.com")
 	runtimeObj["ca"] = ca
-	runtimeObj["socks5Proxy"] = "socks5://someuser:somepassword@cs.aliyuncs.com"
 	resp, err = DoRequest(request, runtimeObj)
 	utils.AssertNil(t, err)
 	utils.AssertEqual(t, "test", StringValue(resp.Headers["tea"]))