proposal: net/http: add GO_SKIP_TLS_CHECK #59283

Closed
droopy4096 opened this issue Mar 27, 2023 · 4 comments
Labels
FrozenDueToAge Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Comments

droopy4096 commented Mar 27, 2023

For debugging purposes it is often beneficial to have the ability to disable strict TLS checks temporarily. Adding something like a GO_SKIP_TLS_CHECK environment variable to disable strict checking (akin to curl's -k switch) would help a lot when dealing with quite a few third-party components. It is also useful when using MITM proxies. Since #18733 has not moved forward, it would be nice to have some means to troubleshoot existing app stacks.

@gopherbot gopherbot added this to the Proposal milestone Mar 27, 2023
droopy4096 (Author) commented:

related issue: #19215

@ianlancetaylor ianlancetaylor changed the title proposal: affected/package: http add GO_SKIP_TLS_CHECK proposal: net/http add GO_SKIP_TLS_CHECK Mar 27, 2023
@ianlancetaylor ianlancetaylor changed the title proposal: net/http add GO_SKIP_TLS_CHECK proposal: net/http: add GO_SKIP_TLS_CHECK Mar 27, 2023
ianlancetaylor (Contributor) commented:

CC @neild @bradfitz

If I understand this correctly, setting this environment variable would make all net/http connections insecure even if they appeared to be secure. That's a pretty broad scope for security attacks. It doesn't sound like a good idea to make it quite that easy to make all Go programs that use net/http less secure.

That said, if we do use an environment variable, it should be GODEBUG, a variable that we already use.

But better than an environment variable might be some sort of programmatic option somewhere. Then at least the insecurity would be limited to a program that uses that feature, rather than all Go programs that use net/http.

@seankhliao seankhliao added the Proposal-Crypto Proposal related to crypto packages or other security issues label Mar 28, 2023
neild (Contributor) commented Mar 28, 2023

You can disable certificate verification by setting tls.Config.InsecureSkipVerify. I believe this matches the effect of curl's -k flag on TLS connections.

I don't think we'd want to support an environment variable that disables TLS validation; that seems tremendously risky. It's simple enough to wire up an environment variable to InsecureSkipVerify in user code if you want that behavior.
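
As an added example (not code from the Go project or from anyone in this thread) of what neild describes, the following wires a skip-verify flag, read from an assumed DEMO_SKIP_TLS_VERIFY variable, into one client's own tls.Config so the insecurity stays scoped to that client rather than to every net/http user, and contrasts it with explicitly trusting the specific CA instead. It runs against an httptest self-signed server, so it works offline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// newClient gives the client its own Transport, so InsecureSkipVerify
// affects only this client, never http.DefaultTransport or other programs.
func newClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: skipVerify, // accept any cert: debugging only
			RootCAs:            roots,      // nil means the system roots
		},
	}}
}

// skipFromEnv is the "wire an env var to InsecureSkipVerify in user code"
// idea; DEMO_SKIP_TLS_VERIFY is an assumed name, not a Go runtime setting.
func skipFromEnv() bool { return os.Getenv("DEMO_SKIP_TLS_VERIFY") == "1" }
// fetch returns nil when a GET of url succeeds with client c.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}
// probe hits a self-signed httptest server with three clients and reports
// which succeed: [system roots, skip-verify, server CA explicitly trusted].
func probe() [3]bool {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust this one cert, as for a known proxy CA
	return [3]bool{
		fetch(newClient(false, nil), srv.URL) == nil,  // fails: unknown authority
		fetch(newClient(true, nil), srv.URL) == nil,   // succeeds: verification off
		fetch(newClient(false, pool), srv.URL) == nil, // succeeds: still verified
	}
}

func main() { fmt.Println(probe(), "skip requested via env:", skipFromEnv()) }
```

The third client is the alternative to skipping verification when a debugging proxy's CA is known: it keeps full chain validation and only widens the trust store.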

ianlancetaylor (Contributor) commented:

Thanks. I'm going to preemptively close this proposal. I don't see any way that we would do this. Please comment if you disagree.

@ianlancetaylor ianlancetaylor closed this as not planned Mar 28, 2023
@golang golang locked and limited conversation to collaborators Mar 27, 2024