Rietveld Code Review Tool

Issue 67010043: code review 67010043: crypto/tls: enforce that either ServerName or InsecureS... (Closed)

Created: 10 years, 9 months ago by agl1
Modified: 10 years, 9 months ago
Reviewers: gobot, josharian, bradfitz
CC: golang-codereviews, bradfitz
Visibility: Public.

Description

crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.

crypto/tls has two functions for creating a client connection: Dial, which most users are expected to use, and Client, which is the lower-level API.

Dial does what you expect: it gives you a secure connection to the host that you specify and the majority of users of crypto/tls appear to work fine with it. Client gives more control but needs more care. Specifically, if it wasn't given a server name in the tls.Config then it didn't check that the server's certificates match any hostname - because it doesn't have one to check against. It was assumed that users of the low-level API call VerifyHostname on the certificate themselves if they didn't supply a hostname.

A review of the uses of Client both within Google and in a couple of external libraries has shown that nearly all of them got this wrong. Thus, this change enforces that either a ServerName or InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes issue 7342.
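The behaviour the description discusses, as an added Go example (not code from this CL or from the Go repository): a loopback server presents a constructed self-signed certificate, and the low-level tls.Client is driven with three configs. A matching ServerName is accepted, a mismatched ServerName is rejected by the hostname check, and a config with neither ServerName nor InsecureSkipVerify is refused before any handshake bytes are sent, which is the check this CL introduced and which current Go toolchains still perform. The function name handshakeAgainst and the names example.test and other.test are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// handshakeAgainst connects with the low-level tls.Client (using clientCfg) to a loopback
// server whose constructed self-signed certificate, trusted via RootCAs, is valid only for certName.
func handshakeAgainst(certName string, clientCfg *tls.Config) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{certName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	clientCfg.RootCAs = x509.NewCertPool() // chain validation passes; only the name check is in question
	clientCfg.RootCAs.AddCert(leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: one accept, one handshake
		if c, err := ln.Accept(); err == nil {
			s := tls.Server(c, srvCfg)
			s.Handshake() // errors here mirror a client-side rejection; not needed below
			s.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	return tls.Client(raw, clientCfg).Handshake() // nil means the client accepted the peer
}

func main() {
	fmt.Println(handshakeAgainst("example.test", &tls.Config{ServerName: "example.test"})) // nil
	fmt.Println(handshakeAgainst("example.test", &tls.Config{ServerName: "other.test"}))   // hostname error
	fmt.Println(handshakeAgainst("example.test", &tls.Config{}))                            // refused: neither field set
}
```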

Patch Set 1
Patch Set 2 : diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 3 : diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 4 : diff -r b5eda189b974 https://code.google.com/p/go/
Patch Set 5 : diff -r 66cd12a7ded0 https://code.google.com/p/go/

Stats: +5 lines, -0 lines
M doc/go1.3.txt (1 chunk: +1 line, -0 lines, 0 comments)
M src/pkg/crypto/tls/handshake_client.go (1 chunk: +4 lines, -0 lines, 0 comments)

Messages

Total messages: 6
agl1
Hello golang-codereviews@googlegroups.com, I'd like you to review this change to https://code.google.com/p/go/
10 years, 9 months ago (2014-02-21 16:24:43 UTC) #1
bradfitz
LGTM but update doc/go1.3.txt
On Fri, Feb 21, 2014 at 8:24 AM, <agl@golang.org> wrote: > ...
10 years, 9 months ago (2014-02-21 18:14:03 UTC) #2
agl1
On Fri, Feb 21, 2014 at 1:14 PM, Brad Fitzpatrick <bradfitz@golang.org> wrote: > LGTM but ...
10 years, 9 months ago (2014-02-21 20:56:21 UTC) #3
agl1
*** Submitted as https://code.google.com/p/go/source/detail?r=d3d43f270632 *** crypto/tls: enforce that either ServerName or InsecureSkipVerify be given. crypto/tls ...
10 years, 9 months ago (2014-02-21 20:56:50 UTC) #4
gobot
This CL appears to have broken the darwin-386-cheney builder.
10 years, 9 months ago (2014-02-21 21:14:47 UTC) #5
josharian
10 years, 9 months ago (2014-02-21 21:46:40 UTC) #6
That's https://code.google.com/p/go/issues/detail?id=7370.

On Fri, Feb 21, 2014 at 1:14 PM,  <gobot@golang.org> wrote:
> This CL appears to have broken the darwin-386-cheney builder.
>
> https://codereview.appspot.com/67010043/
