net/http: remove extraneous call to VerifyHostname
authorPaul Querna <paul@querna.org>
Mon, 5 Mar 2018 21:35:29 +0000 (13:35 -0800)
committerFilippo Valsorda <filippo@golang.org>
Tue, 20 Mar 2018 21:26:55 +0000 (21:26 +0000)
VerifyHostname is called by tls.Conn during Handshake and does not need to be called explicitly.

Change-Id: I22b7fa137e76bb4be3d0018813a571acfb882219
Reviewed-on: https://go-review.googlesource.com/98618
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/net/http/transport.go
src/net/http/transport_test.go

index 9e9f8b11aa61c1a9fcef156fc3f92aab7a080616..dbfef80ff0098eadd1697d3a0b96004812b64e42 100644 (file)
@@ -1078,12 +1078,6 @@ func (pconn *persistConn) addTLS(name string, trace *httptrace.ClientTrace) erro
                }
                return err
        }
-       if !cfg.InsecureSkipVerify {
-               if err := tlsConn.VerifyHostname(cfg.ServerName); err != nil {
-                       plainConn.Close()
-                       return err
-               }
-       }
        cs := tlsConn.ConnectionState()
        if trace != nil && trace.TLSHandshakeDone != nil {
                trace.TLSHandshakeDone(cs, nil)
index 5588077425694868b14f87151d47ef86f53fb4cd..f69d71abf6daac31c0dbb87a8e8c19d9e87e8332 100644 (file)
@@ -16,6 +16,7 @@ import (
        "context"
        "crypto/rand"
        "crypto/tls"
+       "crypto/x509"
        "encoding/binary"
        "errors"
        "fmt"
@@ -3716,6 +3717,64 @@ func testTransportEventTrace(t *testing.T, h2 bool, noHooks bool) {
        }
 }
 
+func TestTransportEventTraceTLSVerify(t *testing.T) {
+       var mu sync.Mutex
+       var buf bytes.Buffer
+       logf := func(format string, args ...interface{}) {
+               mu.Lock()
+               defer mu.Unlock()
+               fmt.Fprintf(&buf, format, args...)
+               buf.WriteByte('\n')
+       }
+
+       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+               t.Error("Unexpected request")
+       }))
+       defer ts.Close()
+
+       certpool := x509.NewCertPool()
+       certpool.AddCert(ts.Certificate())
+
+       c := &Client{Transport: &Transport{
+               TLSClientConfig: &tls.Config{
+                       ServerName: "dns-is-faked.golang",
+                       RootCAs:    certpool,
+               },
+       }}
+
+       trace := &httptrace.ClientTrace{
+               TLSHandshakeStart: func() { logf("TLSHandshakeStart") },
+               TLSHandshakeDone: func(s tls.ConnectionState, err error) {
+                       logf("TLSHandshakeDone: ConnectionState = %v \n err = %v", s, err)
+               },
+       }
+
+       req, _ := NewRequest("GET", ts.URL, nil)
+       req = req.WithContext(httptrace.WithClientTrace(context.Background(), trace))
+       _, err := c.Do(req)
+       if err == nil {
+               t.Error("Expected request to fail TLS verification")
+       }
+
+       mu.Lock()
+       got := buf.String()
+       mu.Unlock()
+
+       wantOnce := func(sub string) {
+               if strings.Count(got, sub) != 1 {
+                       t.Errorf("expected substring %q exactly once in output.", sub)
+               }
+       }
+
+       wantOnce("TLSHandshakeStart")
+       wantOnce("TLSHandshakeDone")
+       wantOnce("err = x509: certificate is valid for example.com")
+
+       if t.Failed() {
+               t.Errorf("Output:\n%s", got)
+       }
+}
+
 var (
        isDNSHijackedOnce sync.Once
        isDNSHijacked     bool
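Review bot: The failure branch at `if err == nil` discards the response without closing its body, so a regression that lets the mismatched-hostname handshake succeed would leak the connection in addition to failing the test; capture the response and close it, `resp, err := c.Do(req)` followed by `if err == nil { resp.Body.Close(); t.Error("Expected request to fail TLS verification") }`. The error from `NewRequest` is dropped with `_` on the line above as well; a `t.Fatal` there keeps a bad `ts.URL` from surfacing as a nil-pointer panic in `req.WithContext` instead of a readable failure. The `wantOnce("err = x509: certificate is valid for example.com")` check pins the exact wording of the standard library's hostname-mismatch message, which is workable in-tree but fragile; asserting on the type of the error unwrapped from the `*url.Error` that `Client.Do` returns would pin the security property under test (that the handshake itself rejected the faked ServerName) rather than the text. The `var (` block that follows the new function continues outside the hunk.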