Commit fb142ee9 authored by Russ Cox's avatar Russ Cox

cmd/go: for go get -insecure, skip TLS certificate checking

The flag is already named -insecure. Make it more so.

If we're willing to accept HTTP, it's not much worse to accept
HTTPS man-in-the-middle attacks too. This allows servers
with self-signed certificates to work.

Fixes #13197.

Change-Id: Ia5491410bc886da0a26ef3bce4bf7d732f5e19e4
Reviewed-on: https://go-review.googlesource.com/18324
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
parent c063e342
......@@ -12,6 +12,7 @@
package main
import (
"crypto/tls"
"fmt"
"io"
"io/ioutil"
......@@ -24,8 +25,17 @@ import (
// httpClient is the default HTTP client, but a variable so it can be
// changed by tests, without modifying http.DefaultClient.
var httpClient = http.DefaultClient
var impatientHTTPClient = &http.Client{
// impatientInsecureHTTPClient is used in -insecure mode,
// when we're connecting to https servers that might not be there
// or might be using self-signed certificates.
var impatientInsecureHTTPClient = &http.Client{
Timeout: time.Duration(5 * time.Second),
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
type httpError struct {
......@@ -71,7 +81,7 @@ func httpsOrHTTP(importPath string, security securityMode) (urlStr string, body
log.Printf("Fetching %s", urlStr)
}
if security == insecure && scheme == "https" { // fail earlier
res, err = impatientHTTPClient.Get(urlStr)
res, err = impatientInsecureHTTPClient.Get(urlStr)
} else {
res, err = httpClient.Get(urlStr)
}
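Review bot: The `http.Transport` literal given to `impatientInsecureHTTPClient` in the second hunk sets only `TLSClientConfig`, so unlike `http.DefaultTransport` behind `httpClient` it has no `Proxy` function and the -insecure HTTPS attempt will bypass HTTP_PROXY/HTTPS_PROXY. On a network that requires the proxy, that attempt would fail or run into the 5-second timeout, and if the part of `httpsOrHTTP` outside this hunk then retries over `http` (as the name suggests), the fetch quietly ends up on plain HTTP. Adding `Proxy: http.ProxyFromEnvironment,` to the transport keeps both clients on the same network path. The comment on the variable should also state that certificate verification is disabled and that the client must only be used when `security == insecure`.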
......