net/http: Transport VerifyHostname should be optional when using TLS #11076

Closed
agj32mrgibbits opened this issue Jun 4, 2015 · 6 comments

@agj32mrgibbits commented Jun 4, 2015

There should be an option to verify the certificate chain without verifying the hostname. Currently you can only disable both certificate and hostname verification using InsecureSkipVerify.

https://tools.ietf.org/html/rfc6125#appendix-B.2

...
If the client has external information as to the expected identity of
the server, the hostname check MAY be omitted.  (For instance, a
client may be connecting to a machine whose address and hostname are
dynamic but the client knows the certificate that the server will
present.)
...

A new boolean should be added to tls.Config named InsecureHostnameSkipVerify.

@bradfitz (Member) commented Jun 5, 2015

Why?

@bradfitz (Member) commented Jun 5, 2015

Why can't you just use Transport.DialTLS?

@agj32mrgibbits (Author) commented Jun 5, 2015

Are there examples anywhere?

@bradfitz (Member) commented Jun 5, 2015

Let's move this to the golang-nuts mailing list. We don't use our bug tracker for support requests.

@bradfitz bradfitz closed this Jun 5, 2015

@agj32mrgibbits (Author) commented Jun 5, 2015

That's OK, we just found it cheaper to patch 6 lines in the golang source for our project vs implementing a new method.

@bradfitz (Member) commented Jun 5, 2015

That sounds like a bad idea and a painful maintenance cost going forward. You're now running a forked version of Go instead of using the mechanisms it already provides. The Transport.DialTLS does exactly what you want.

But like I said, this should be discussed on the golang-nuts list. I'm just leaving this note here in case anybody finds this and considers making your same mistake.
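The DialTLS route bradfitz points at, worked out as an added example (editor's code, not from the thread or from the Go project). The idea: dial TLS yourself with InsecureSkipVerify so that crypto/tls runs none of its own checks, then redo the chain verification with x509.Verify but leave DNSName empty, which is exactly the RFC 6125 B.2 case quoted above. Because InsecureSkipVerify disables everything, the manual verify must run before the connection is returned to the Transport, and a connection whose chain fails must be closed, not reused. The example uses DialTLSContext, the current form of the DialTLS hook, and a constructed self-signed certificate pinned as the only trusted root (a private CA in the pool works the same way); the names newChainOnlyTransport, verifyChainOnly, newTestCert, RunDemo and the hostname dynamic-node.internal are all assumptions of this example. In current Go, tls.Config.VerifyPeerCertificate or VerifyConnection can carry the same chain-only check without a custom dialer; the dialer form is shown because it is what the thread discusses.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// verifyChainOnly is the check crypto/tls runs on a server's certificates, minus the
// hostname: leaving DNSName unset makes x509 skip that step (the RFC 6125 B.2 case).
func verifyChainOnly(certs []*x509.Certificate, roots *x509.CertPool) error {
	if len(certs) == 0 {
		return errors.New("tls: server presented no certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()} // no DNSName on purpose
	for _, c := range certs[1:] {
		opts.Intermediates.AddCert(c) // leaf is certs[0]; anything after it is an intermediate
	}
	_, err := certs[0].Verify(opts)
	return err
}

// newChainOnlyTransport is the Transport.DialTLS route (DialTLSContext is its current form):
// handshake with InsecureSkipVerify, then verify the chain ourselves before the Transport sees the conn.
func newChainOnlyTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
		conn, err := (&tls.Dialer{Config: &tls.Config{InsecureSkipVerify: true}}).DialContext(ctx, network, addr)
		if err != nil {
			return nil, err
		}
		if err := verifyChainOnly(conn.(*tls.Conn).ConnectionState().PeerCertificates, roots); err != nil {
			conn.Close() // never hand back a connection whose chain did not verify
			return nil, err
		}
		return conn, nil
	}}
}

// newTestCert constructs, in memory, a self-signed server certificate for leafName and a pool
// trusting exactly that certificate. It has no IP SAN, so a stock client reaching it at
// 127.0.0.1 fails the hostname check. Demo scaffolding only (assumed names): panics on setup errors.
func newTestCert(leafName string) (*x509.CertPool, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fail(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: leafName},
		DNSNames: []string{leafName}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	fail(err)
	cert, err := x509.ParseCertificate(der)
	fail(err)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return roots, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func fail(err error) {
	if err != nil {
		panic(err)
	}
}

// RunDemo serves HTTPS on 127.0.0.1 with the certificate for dynamic-node.internal and requests it
// via the chain-only transport and via a stock Transport that also checks the hostname.
func RunDemo() (chainOnlyErr, stockErr error) {
	roots, serverCert := newTestCert("dynamic-node.internal")
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS() // listens on https://127.0.0.1:<port>
	defer srv.Close()
	chainOnlyErr = get(&http.Client{Transport: newChainOnlyTransport(roots)}, srv.URL)
	stockErr = get(&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}, srv.URL)
	return chainOnlyErr, stockErr
}

func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	chainOnlyErr, stockErr := RunDemo()
	fmt.Printf("chain-only transport: err=%v\nstock transport (hostname checked): err=%v\n", chainOnlyErr, stockErr)
}
```

Running it, the chain-only transport connects to 127.0.0.1 even though the certificate only names dynamic-node.internal, while the stock Transport with the same root pool fails with an x509.HostnameError. The part worth keeping in mind is that the skipped check is only the hostname: an untrusted issuer or an empty chain is still rejected by verifyChainOnly, which is the difference between this and plain InsecureSkipVerify.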

@golang golang locked and limited conversation to collaborators Jun 5, 2015
