
net/http: Transport VerifyHostname w/ TLS currently non optional #2386

Closed
kardianos opened this issue Oct 20, 2011 · 8 comments

Comments

@kardianos (Contributor):

What steps will reproduce the problem?
Attempt to use the http.Client using the default Transport when
hitting a server whose TLS cert hostname does not match the DNS name.

What is the expected output?
The transport will fail with an error.

What do you see instead?
Optionally allow such a connection to succeed.
(disable the check in http/transport.go:365)

Which compiler are you using (5g, 6g, 8g, gccgo)?
6g

Which operating system are you using?
Linux

Which revision are you using?  (hg identify)
99ea0887e633+ tip

Please provide any additional information below.
Suggest adding a field in either http.Transport or tls.Config like DisableHostnameCheck.

@rsc (Contributor):

rsc commented Oct 20, 2011

Comment 1:

I am not sure we need a new variable.
It could work for http to look at
TLSClientConfig.InsecureSkipVerify.

Owner changed to @bradfitz.

Status changed to Accepted.

@bradfitz (Contributor):

Comment 2:

This issue was closed by revision 2cab897.

Status changed to Fixed.

@gopherbot:

Comment 3 by jtolds:

Is there any way we can re-open this issue?
I'm working on a distributed system in which none of the hosts have stable
hostnames/IPs/ports. However, we still want to use SSL with both client and server
certificate verification.
Disabling hostname check only when InsecureSkipVerify doesn't do it for us. Is there a
way we can disable the hostname check without setting InsecureSkipVerify?

@gopherbot:

Comment 4 by jtolds:

(Before you worry whether or not my system is vulnerable to MITM attacks, members of
this distributed system are identified by their public key)

@mikioh changed the title from "http.Transport VerifyHostname w/ TLS currently non optional" to "net/http: Transport VerifyHostname w/ TLS currently non optional" on Jan 14, 2015

@agj32mrgibbits:

Can we please re-open this issue? There should be an option to verify the certificate chain without verifying the hostname.

https://tools.ietf.org/html/rfc6125#appendix-B.2

...
If the client has external information as to the expected identity of
the server, the hostname check MAY be omitted.  (For instance, a
client may be connecting to a machine whose address and hostname are
dynamic but the client knows the certificate that the server will
present.)
...

@minux (Member):

minux commented Jun 4, 2015 via email

@agj32mrgibbits:

I do not wish to cause a duplicate issue with identical title, identical problem, and identical suggested solution "adding an field in either http.Transport or tls.Config like DisableHostnameCheck".

@minux (Member):

minux commented Jun 4, 2015 via email

@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.