http: Transport: with TLS InsecureSkipVerify, skip hostname check
authorBrad Fitzpatrick <bradfitz@golang.org>
Fri, 21 Oct 2011 15:14:38 +0000 (08:14 -0700)
committerBrad Fitzpatrick <bradfitz@golang.org>
Fri, 21 Oct 2011 15:14:38 +0000 (08:14 -0700)
Fixes #2386

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5312045

src/pkg/http/client_test.go
src/pkg/http/transport.go

index 0ad6cd7c2f3246bbca36347c606c269e30c6a230..8f61286c46abc3c222e225d9562a52d23bb010b5 100644 (file)
@@ -7,6 +7,7 @@
 package http_test
 
 import (
+       "crypto/tls"
        "fmt"
        . "http"
        "http/httptest"
@@ -292,3 +293,26 @@ func TestClientWrites(t *testing.T) {
                t.Errorf("Post request did %d Write calls, want 1", writes)
        }
 }
+
+func TestClientInsecureTransport(t *testing.T) {
+       ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+               w.Write([]byte("Hello"))
+       }))
+       defer ts.Close()
+
+       // TODO(bradfitz): add tests for skipping hostname checks too?
+       // would require a new cert for testing, and probably
+       // redundant with these tests.
+       for _, insecure := range []bool{true, false} {
+               tr := &Transport{
+                       TLSClientConfig: &tls.Config{
+                               InsecureSkipVerify: insecure,
+                       },
+               }
+               c := &Client{Transport: tr}
+               _, err := c.Get(ts.URL)
+               if (err == nil) != insecure {
+                       t.Errorf("insecure=%v: got unexpected err=%v", insecure, err)
+               }
+       }
+}
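Review bot: The `insecure=false` iteration in `TestClientInsecureTransport` only asserts that `c.Get(ts.URL)` returned some error, so a dial failure or any unrelated error would pass just as well as a certificate rejection. Pinning that case to the verification failure (for example by checking the error text or type) would make it a real regression guard for the secure default. The response is also discarded with `_`, so the body is never closed when the request succeeds; `res, err := c.Get(ts.URL)` followed by `if res != nil { res.Body.Close() }` would release the connection before `ts.Close()` runs. As the TODO itself says, the hostname-skip path this commit changes is not exercised directly.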
index edc8448f005a205ec45f84d9d63d0f1f98fd0d69..1d4433d14f6e66cd945f522023fd8112dc5b9d69 100644 (file)
@@ -362,8 +362,10 @@ func (t *Transport) getConn(cm *connectMethod) (*persistConn, os.Error) {
                if err = conn.(*tls.Conn).Handshake(); err != nil {
                        return nil, err
                }
-               if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
-                       return nil, err
+               if t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify {
+                       if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
+                               return nil, err
+                       }
                }
                pconn.conn = conn
        }
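Review bot: The new guard `if t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify` drops the hostname check without a comment saying why, and a later reader could take the skipped `VerifyHostname` for an oversight. I would add a comment above it such as `// InsecureSkipVerify means the peer certificate was not verified, so its names prove nothing; skip the hostname check as well. The connection is then unauthenticated.` The `TLSClientConfig` field documentation, which is outside this hunk, would benefit from the same caveat, since the setting applies to every TLS connection this Transport makes. `getConn` starts and ends outside the hunk, so the handshake's own behaviour under this flag is inferred rather than visible here.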