From 5c5a954b68a046010e9ddb33a9de4c8295a9f15b Mon Sep 17 00:00:00 2001 From: I-HSIN Cheng <57989092+vax-r@users.noreply.github.com> Date: Wed, 9 Aug 2023 10:17:26 +0800 Subject: [PATCH] fix(tls): Honor client.insecure when doing TLS checks (#547) * fix(watchdog): Add functions to avoid dangling file descriptors * Change function name and add comment under core/endpoint.go - change the function name of CloseHTTPConnection() to Close() - add some comments above Close() function * Update core/endpoint.go * Update core/endpoint.go * fix(client): Honor client.insecure when doing TLS checking * add features in client/client.go to enable client.insecure when doing TLS checking --------- Co-authored-by: Richard Cheng Co-authored-by: TwiN --- client/client.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/client/client.go b/client/client.go
index 3083b4c5..1388fea4 100644
--- a/client/client.go
+++ b/client/client.go
@@ -143,14 +143,20 @@ func CanPerformStartTLS(address string, config *Config) (connected bool, certifi
 
 // CanPerformTLS checks whether a connection can be established to an address using the TLS protocol
 func CanPerformTLS(address string, config *Config) (connected bool, certificate *x509.Certificate, err error) {
-	connection, err := tls.DialWithDialer(&net.Dialer{Timeout: config.Timeout}, "tcp", address, nil)
+	connection, err := tls.DialWithDialer(&net.Dialer{Timeout: config.Timeout}, "tcp", address, &tls.Config{
+		InsecureSkipVerify: config.Insecure,
+	})
 	if err != nil {
 		return
 	}
 	defer connection.Close()
 	verifiedChains := connection.ConnectionState().VerifiedChains
+	// If config.Insecure is set to true, verifiedChains will be an empty list []
+	// We should get the parsed certificates from PeerCertificates, it can't be empty on the client side
+	// Reference: https://pkg.go.dev/crypto/tls#PeerCertificates
 	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
-		return
+		peerCertificates := connection.ConnectionState().PeerCertificates
+		return true, peerCertificates[0], nil
 	}
 	return true, verifiedChains[0][0], nil
 }
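Review bot: The fallback added inside `if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0` returns `peerCertificates[0]` with `connected=true` and a nil error whenever no verified chain is present, without ever consulting `config.Insecure`; the new comment says this only happens in the insecure case, but nothing in the function enforces that. In current crypto/tls a handshake that succeeds without `InsecureSkipVerify` does populate `VerifiedChains`, so the branch is presumably reachable only when `config.Insecure` is true, yet that is a property of the library rather than of this code, and the leaf taken from `PeerCertificates` is unauthenticated — whatever the peer (or an on-path attacker) chose to present — which callers that inspect expiry or subject on the result need to know. I would branch on `config.Insecure` explicitly, return an error instead of an unverified leaf when verification was requested but no chain exists, guard the `PeerCertificates[0]` index defensively even though the docs promise it is non-empty on the client side, and extend the doc comment with `// When config.Insecure is true the returned certificate is the peer's unverified leaf.` This uses `errors`, which must be in the file's import block if it is not already; that block is outside the hunk.
```go
func CanPerformTLS(address string, config *Config) (connected bool, certificate *x509.Certificate, err error) {
	// … unchanged: dial with InsecureSkipVerify: config.Insecure, error check, deferred Close …
	state := connection.ConnectionState()
	if config.Insecure {
		// Verification was skipped, so VerifiedChains is empty; the leaf in
		// PeerCertificates is what the peer presented and has NOT been authenticated.
		if len(state.PeerCertificates) == 0 {
			return true, nil, errors.New("tls: peer presented no certificate")
		}
		return true, state.PeerCertificates[0], nil
	}
	if len(state.VerifiedChains) == 0 || len(state.VerifiedChains[0]) == 0 {
		return true, nil, errors.New("tls: handshake succeeded but no verified chain is available")
	}
	return true, state.VerifiedChains[0][0], nil
}
```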