net/http: respect tls.Config.ServerName in Transport

When making an HTTPS client request, respect the ServerName field in the tls.Config. Fixes #5829 R=golang-dev, agl, adg CC=golang-dev https://golang.org/cl/11691043

net/http: respect tls.Config.ServerName in Transport
When making an HTTPS client request, respect the ServerName field in the tls.Config. Fixes #5829 R=golang-dev, agl, adg CC=golang-dev https://golang.org/cl/11691043
baa9ca03 · Brad Fitzpatrick · a293065a · baa9ca03 · baa9ca03
Commit baa9ca03 authored Jul 22, 2013 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 2 deletions

src/pkg/net/http/client_test.go src/pkg/net/http/client_test.go +30 -0

src/pkg/net/http/transport.go src/pkg/net/http/transport.go +2 -2

No files found.
--- a/src/pkg/net/http/client_test.go
+++ b/src/pkg/net/http/client_test.go
@@ -666,6 +666,36 @@ func TestClientWithIncorrectTLSServerName(t *testing.T) {
 	}
 }

+// Test for golang.org/issue/5829; the Transport should respect TLSClientConfig.ServerName
+// when not empty.
+//
+// tls.Config.ServerName (non-empty, set to "example.com") takes
+// precedence over "some-other-host.tld" which previously incorrectly
+// took precedence. We don't actually connect to (or even resolve)
+// "some-other-host.tld", though, because of the Transport.Dial hook.
+//
+// The httptest.Server has a cert with "example.com" as its name.
+func TestTransportUsesTLSConfigServerName(t *testing.T) {
+	defer afterTest(t)
+	ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+		w.Write([]byte("Hello"))
+	}))
+	defer ts.Close()
+
+	tr := newTLSTransport(t, ts)
+	tr.TLSClientConfig.ServerName = "example.com" // one of httptest's Server cert names
+	tr.Dial = func(netw, addr string) (net.Conn, error) {
+		return net.Dial(netw, ts.Listener.Addr().String())
+	}
+	defer tr.CloseIdleConnections()
+	c := &Client{Transport: tr}
+	res, err := c.Get("https://some-other-host.tld/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	res.Body.Close()
+}
+
 // Verify Response.ContentLength is populated. http://golang.org/issue/4126
 func TestClientHeadContentLength(t *testing.T) {
 	defer afterTest(t)

--- a/src/pkg/net/http/transport.go
+++ b/src/pkg/net/http/transport.go
@@ -514,8 +514,8 @@ func (t *Transport) dialConn(cm *connectMethod) (*persistConn, error) {
 		if err = conn.(*tls.Conn).Handshake(); err != nil {
 			return nil, err
 		}
-		if t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify {
-			if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
+		if !cfg.InsecureSkipVerify {
+			if err = conn.(*tls.Conn).VerifyHostname(cfg.ServerName); err != nil {
 				return nil, err
 			}
 		}