From fb142ee9b99b208d59079e8830fb45131b961991 Mon Sep 17 00:00:00 2001 From: Russ Cox Date: Wed, 6 Jan 2016 13:52:48 -0500 Subject: [PATCH] cmd/go: for go get -insecure, skip TLS certificate checking The flag is already named -insecure. Make it more so. If we're willing to accept HTTP, it's not much worse to accept HTTPS man-in-the-middle attacks too. This allows servers with self-signed certificates to work. Fixes #13197. Change-Id: Ia5491410bc886da0a26ef3bce4bf7d732f5e19e4 Reviewed-on: https://go-review.googlesource.com/18324 Reviewed-by: Brad Fitzpatrick --- src/cmd/go/http.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/cmd/go/http.go b/src/cmd/go/http.go index 13d5c46706..3a6f19db84 100644 --- a/src/cmd/go/http.go +++ b/src/cmd/go/http.go @@ -12,6 +12,7 @@ package main import ( + "crypto/tls" "fmt" "io" "io/ioutil" @@ -24,8 +25,17 @@ import ( // httpClient is the default HTTP client, but a variable so it can be // changed by tests, without modifying http.DefaultClient. var httpClient = http.DefaultClient -var impatientHTTPClient = &http.Client{ + +// impatientInsecureHTTPClient is used in -insecure mode, +// when we're connecting to https servers that might not be there +// or might be using self-signed certificates. +var impatientInsecureHTTPClient = &http.Client{ Timeout: time.Duration(5 * time.Second), + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, } type httpError struct { @@ -71,7 +81,7 @@ func httpsOrHTTP(importPath string, security securityMode) (urlStr string, body log.Printf("Fetching %s", urlStr) } if security == insecure && scheme == "https" { // fail earlier - res, err = impatientHTTPClient.Get(urlStr) + res, err = impatientInsecureHTTPClient.Get(urlStr) } else { res, err = httpClient.Get(urlStr) } -- 2.50.0