Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: DialTLS is not used w/ proxy (by design) #9126

gopherbot opened this issue Nov 18, 2014 · 4 comments

net/http: DialTLS is not used w/ proxy (by design) #9126

gopherbot opened this issue Nov 18, 2014 · 4 comments


Copy link

by joshua.boelter:

What does 'go version' print?

go version go1.4rc1 [windows/amd64 | linux/amd64]

What steps reproduce the problem?

transport.DialTLS not used when an HTTPS connection is proxied.

Equally concerned developers will introduce unintended security bugs if/when an app is
executed in an environment with a proxy.

What happened?

DialTLS not used (by design) when a proxy is present.

What should have happened instead?

Need support to reject connections based on factors outside hostname when a proxy is
present.  e.g. a Verify(...) callback on tls.Config executed after the handshake and
other verification steps have executed.

Please provide any additional information below.

The issue that added DialTLS:

Patch set #3 (or similar) would address the need.
Copy link

Comment 1:

Labels changed: added repo-main, release-none.

@bradfitz bradfitz removed the new label Dec 18, 2014
Copy link

Brad - are you open to accepting a patch akin to patchset #3 ( for go1.5?

Copy link

I'm having a hard time understanding the original bug report.

Can you start over in English without referencing old bugs or submitted CLs, starting with where we're at now in Go 1.4? What isn't possible?

Copy link

1.4 introduced an optional DialTLS function on http.Transport. However, it is not used when a proxy is in use.

I'm calling REST APIs over https and I need to check for acceptable server certificates (a whitelist) after the handshake w/ or w/o a proxy present on the client.


Add an optional verification callback to tls.Config that lets the callee inspect the certs. This would be called during the handshake for client or server.

// VerifyPeerCertificate optionally defines a function to add
// further restrictions on certificate validity.
// The provided peer certificates and chains are the result 
// of the handshake and x509.Certificate.Verify calls and should
// not be modified. The chains param will be nil if InsecureSkipVerify 
// is true. If the function returns an error, the certificate is
// considered invalid and the connection will close.
VerifyPeerCertificate func(peer []*x509.Certificate, chains [][]*x509.Certificate) error

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

5 participants