cmd/go: for go get -insecure, skip TLS certificate checking

The flag is already named -insecure. Make it more so.

If we're willing to accept HTTP, it's not much worse to accept
HTTPS man-in-the-middle attacks too. This allows servers
with self-signed certificates to work.

Fixes #13197.

Change-Id: Ia5491410bc886da0a26ef3bce4bf7d732f5e19e4
Reviewed-on: https://go-review.googlesource.com/18324
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/cmd/go/http.go b/src/cmd/go/http.go
index 13d5c46706587aff2166263fc84ced2e5cbc7400..3a6f19db8482ca2e3ead6e10d0e927b2fd64cd5c 100644 (file)
--- a/src/cmd/go/http.go
+++ b/src/cmd/go/http.go
@@ -12,6 +12,7 @@
 package main
 
 import (
+       "crypto/tls"
        "fmt"
        "io"
        "io/ioutil"
@@ -24,8 +25,17 @@ import (
 // httpClient is the default HTTP client, but a variable so it can be
 // changed by tests, without modifying http.DefaultClient.
 var httpClient = http.DefaultClient
-var impatientHTTPClient = &http.Client{
+
+// impatientInsecureHTTPClient is used in -insecure mode,
+// when we're connecting to https servers that might not be there
+// or might be using self-signed certificates.
+var impatientInsecureHTTPClient = &http.Client{
        Timeout: time.Duration(5 * time.Second),
+       Transport: &http.Transport{
+               TLSClientConfig: &tls.Config{
+                       InsecureSkipVerify: true,
+               },
+       },
 }
 
 type httpError struct {
@@ -71,7 +81,7 @@ func httpsOrHTTP(importPath string, security securityMode) (urlStr string, body
                        log.Printf("Fetching %s", urlStr)
                }
                if security == insecure && scheme == "https" { // fail earlier
-                       res, err = impatientHTTPClient.Get(urlStr)
+                       res, err = impatientInsecureHTTPClient.Get(urlStr)
                } else {
                        res, err = httpClient.Get(urlStr)
                }