
net/http: Transport VerifyHostname should be optional when using TLS #11076

Closed
agj32mrgibbits opened this issue Jun 4, 2015 · 6 comments

Comments

@agj32mrgibbits

There should be an option to verify the certificate chain without verifying the hostname. Currently you can only disable both certificate and hostname verification using InsecureSkipVerify.

https://tools.ietf.org/html/rfc6125#appendix-B.2

...
If the client has external information as to the expected identity of
the server, the hostname check MAY be omitted.  (For instance, a
client may be connecting to a machine whose address and hostname are
dynamic but the client knows the certificate that the server will
present.)
...

A new boolean should be added to tls.Config named InsecureHostnameSkipVerify.

@bradfitz
Contributor

bradfitz commented Jun 5, 2015

Why?

@bradfitz
Contributor

bradfitz commented Jun 5, 2015

Why can't you just use Transport.DialTLS?

@agj32mrgibbits
Author

Are there examples anywhere?

@bradfitz
Contributor

bradfitz commented Jun 5, 2015

Let's move this to the golang-nuts mailing list. We don't use our bug tracker for support requests.

@bradfitz bradfitz closed this as completed Jun 5, 2015
@agj32mrgibbits
Author

That's OK, we just found it cheaper to patch 6 lines in the golang source for our project vs implementing a new method.

@bradfitz
Contributor

bradfitz commented Jun 5, 2015

That sounds like a bad idea and a painful maintenance cost going forward. You're now running a forked version of Go instead of using the mechanisms it already provides. The Transport.DialTLS does exactly what you want.

But like I said, this should be discussed on the golang-nuts list. I'm just leaving this note here in case anybody finds this and considers making your same mistake.
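The Transport.DialTLS approach bradfitz points at, written out as an added example (it is not code from the issue, from Go's sources, or from either participant): the handshake runs with InsecureSkipVerify so crypto/tls steps aside, and the chain is then verified explicitly against a pinned root pool with no hostname check, which is the RFC 6125 B.2 case quoted above. The names verifyChainOnly, newChainOnlyTransport and fetchStatus are my own; current Go releases also expose tls.Config.VerifyPeerCertificate and VerifyConnection as hooks for the same check.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
)

// verifyChainOnly checks that certs (leaf first, as presented) chain to roots and are
// valid for server auth, with no hostname check: the RFC 6125 B.2 case quoted above.
func verifyChainOnly(certs []*x509.Certificate, roots *x509.CertPool) error {
	if len(certs) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, // DNSName deliberately empty
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// newChainOnlyTransport is the Transport.DialTLS route the thread points at. InsecureSkipVerify
// only disables the built-in verifier; the chain is then checked explicitly, so untrusted certs still fail.
func newChainOnlyTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{DialTLS: func(network, addr string) (net.Conn, error) {
		conn, err := tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			return nil, err
		}
		if err := verifyChainOnly(conn.ConnectionState().PeerCertificates, roots); err != nil {
			conn.Close()
			return nil, fmt.Errorf("tls: chain verification failed: %w", err)
		}
		return conn, nil
	}}
}

// fetchStatus fetches url through the chain-only transport and returns the HTTP status code.
func fetchStatus(url string, roots *x509.CertPool) (int, error) {
	resp, err := (&http.Client{Transport: newChainOnlyTransport(roots)}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

The InsecureSkipVerify here is only safe because the explicit chain check follows it inside the same dial; removing that check would leave the connection unauthenticated.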

@golang golang locked and limited conversation to collaborators Jun 5, 2015