Restore the 0.2 TLS verification behavior. #233
+244 −22
This looks good. I agree with all of your reasoning. I can't say I fully get
@armon Thanks! I think these are the tests I wanted, so I'm now happy with this.
Awesome! Thanks for all your hard work on this!
added a commit that referenced this pull request Jul 1, 2014
armon merged commit 746449f into hashicorp:master Jul 1, 2014
1 check failed: continuous-integration/travis-ci (The Travis CI build failed)
nelhage deleted the nelhage:tls-no-subjname branch Jul 1, 2014
armon referenced this pull request Jul 2, 2014: CA verification, without hostname verification #214 (Closed)
nelhage commented Jun 28, 2014
cc @armon -- I'd probably like to write more tests before merging this, but can you ACK that this looks like the right track to you before I do so?

Namely, don't check the DNS names in TLS certificates when connecting to other servers.

As of golang 1.3, crypto/tls no longer natively supports doing partial verification (verifying the cert issuer but not the hostname), so we have to disable verification entirely and then do the issuer verification ourselves. Fortunately, crypto/x509 makes this relatively straightforward.

If the "server_name" configuration option is passed, we preserve the existing behavior of checking that server name everywhere.

No option is provided to retain the current behavior of checking the remote certificate against the local node name, since that behavior seems clearly buggy and unintentional, and I have difficulty imagining it is actually being used anywhere. It would be relatively straightforward to restore if desired, however.