Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: disable TLS verification in 'go get -insecure' #13197

Closed
dominikh opened this issue Nov 9, 2015 · 4 comments
Closed

cmd/go: disable TLS verification in 'go get -insecure' #13197

dominikh opened this issue Nov 9, 2015 · 4 comments
Labels
FrozenDueToAge
Milestone
Go1.6Maybe

Comments

@dominikh
Copy link
Member

dominikh commented Nov 9, 2015

go get -insecure doesn't accept self-signed (or otherwise invalid) TLS certificates. Instead, it falls back to HTTP. This does not work for HTTPS-only hosts. Insecure should accept any insecure medium, not just those that are insecure because they are unencrypted.

Example that is only serving HTTPS, with a self-signed certificate:

$ go get -v -insecure 127.0.0.1/pkg
Fetching https://127.0.0.1/pkg?go-get=1
https fetch failed.
Fetching http://127.0.0.1/pkg?go-get=1
import "127.0.0.1/pkg": http/https fetch: Get http://127.0.0.1/pkg?go-get=1: dial tcp 127.0.0.1:80: getsockopt: connection refused
package 127.0.0.1/pkg: unrecognized import path "127.0.0.1/pkg"

Low priority from my end, as it's a theoretical issue, not one I encountered in the real world. Discovered while looking into #11468
@davecheney
Copy link
Contributor

I don't see how a self signed certificate can be considered secure. The transport is encrypted, but there is no chain of trust.

@bradfitz
Copy link
Contributor

@davecheney, that's the point. He's asking for insecure with the -insecure flag, but it's failing to provide him with the first data source found (insecure https) and instead is trying to fall back to insecure http.

@davecheney
Copy link
Contributor

I'm sorry. I misunderstood the issue report.

On Tue, Nov 10, 2015 at 7:17 PM, Brad Fitzpatrick notifications@github.com
wrote:

@davecheney https://github.com/davecheney, that's the point. He's
asking for insecure with the -insecure flag, but it's failing to provide
him with the first data source found (insecure https) and instead is trying
to fall back to insecure http.


Reply to this email directly or view it on GitHub
#13197 (comment).

@rsc rsc changed the title cmd/go: go get -insecure does not work with self-signed, HTTPS-only vanity domains cmd/go: disable TLS verification in 'go get -insecure' Dec 28, 2015
@rsc rsc added this to the Go1.6Maybe milestone Dec 28, 2015
@gopherbot
Copy link

CL https://golang.org/cl/18324 mentions this issue.

@rsc rsc closed this as completed in fb142ee Jan 7, 2016
@golang golang locked and limited conversation to collaborators Jan 19, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6Maybe
Development

No branches or pull requests
5 participants
@bradfitz @davecheney @dominikh @rsc @gopherbot