Description

crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.
Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.
Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.
A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.
Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.
See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.
Fixes issue 7342.
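As an added example (not part of this CL and not crypto/tls code), the following Go program shows the three things the description talks about: a client-side config helper that refuses the "no ServerName, no InsecureSkipVerify" combination up front, the same rule as crypto/tls now enforces at handshake time (over an in-memory net.Pipe, so no network is involved), and the VerifyHostname check that callers of the low-level Client API were expected to do by hand. NewClientConfig, HandshakeOverPipe, SelfSignedCert and HostnameMatches are hypothetical helpers, and db.example.internal is a constructed name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrNoServerName is returned by NewClientConfig when the caller neither
// names the server nor explicitly opts out of verification.
var ErrNoServerName = errors.New("tls client config: ServerName is required unless InsecureSkipVerify is set")

// NewClientConfig (hypothetical helper, not crypto/tls API) builds a Config for
// tls.Client and refuses the silent "no hostname, no verification" combination
// that this CL turns into a handshake error. roots == nil means system roots.
func NewClientConfig(serverName string, roots *x509.CertPool, skipVerify bool) (*tls.Config, error) {
	if serverName == "" && !skipVerify {
		return nil, ErrNoServerName
	}
	return &tls.Config{
		ServerName:         serverName,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify,
		MinVersion:         tls.VersionTLS12,
	}, nil
}

// HandshakeOverPipe starts a client handshake on an in-memory net.Pipe and
// returns the handshake error. crypto/tls runs the ServerName/InsecureSkipVerify
// check before writing the ClientHello, so a rejected config fails immediately;
// an accepted config blocks writing to the unread pipe until the short deadline.
func HandshakeOverPipe(cfg *tls.Config) error {
	clientEnd, serverEnd := net.Pipe()
	defer serverEnd.Close()
	defer clientEnd.Close()
	clientEnd.SetDeadline(time.Now().Add(200 * time.Millisecond))
	return tls.Client(clientEnd, cfg).Handshake()
}

// SelfSignedCert creates a throwaway certificate (constructed test data) whose
// only SAN is dnsName, standing in for whatever a server would present.
func SelfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches is the check that callers of the low-level API were expected
// to perform themselves when ServerName was empty: does the peer's certificate
// actually name the host we meant to talk to?
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	_, err := NewClientConfig("", nil, false)
	fmt.Println("neither ServerName nor InsecureSkipVerify:", err)

	// The same rule, as enforced by crypto/tls itself at handshake time.
	fmt.Println("tls.Client with empty Config:", HandshakeOverPipe(&tls.Config{}))
	fmt.Println("tls.Client with InsecureSkipVerify (proceeds to write, times out on pipe):",
		HandshakeOverPipe(&tls.Config{InsecureSkipVerify: true}))

	cert, err := SelfSignedCert("db.example.internal") // constructed name
	if err != nil {
		panic(err)
	}
	fmt.Println("cert matches db.example.internal:", HostnameMatches(cert, "db.example.internal"))
	fmt.Println("cert matches evil.example.internal:", HostnameMatches(cert, "evil.example.internal"))
}
```

The two handshake calls in main differ only in InsecureSkipVerify: the empty Config is refused before any bytes are sent, while the opted-out one gets as far as writing a ClientHello (and then times out, since nothing reads the pipe). The certificate check at the end is what a Client caller without a ServerName had to remember on their own, which is exactly the step the description says nearly everyone forgot.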
Patch Set 1
Patch Set 2: diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 3: diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 4: diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 5: diff -r 66cd12a7ded0 https://code.google.com/p/go/
Messages: 6 total