jdkuki commented on a change in pull request #238:
URL: https://github.com/apache/pulsar-client-go/pull/238#discussion_r696050924



##########
File path: pulsar/internal/connection.go
##########
@@ -711,8 +711,46 @@ func (c *connection) getTLSConfig() (*tls.Config, error) {
                }
        }
 
-       if c.tlsOptions.ValidateHostname {
-               tlsConfig.ServerName = c.physicalAddr.Hostname()
+       tlsConfig.ServerName = c.physicalAddr.Hostname()
+
+       if tlsConfig.InsecureSkipVerify {
+               // Solution is credited to 
https://github.com/golang/go/issues/21971
+               // Code is adapted from the original implementation of 
handshake_client.go at
+               // 
https://github.com/golang/go/blob/master/src/crypto/tls/handshake_client.go#L804
+               // disable the default verification; use customized 
VerifyPeerCertificate
+               tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, 
certChain [][]*x509.Certificate) error {
+                       // If this is the first handshake on a connection, 
process and
+                       // (optionally) verify the server's certificates.
+                       certs := make([]*x509.Certificate, len(rawCerts))
+                       for i, asn1Data := range rawCerts {
+                               cert, err := x509.ParseCertificate(asn1Data)
+                               if err != nil {
+                                       return fmt.Errorf("tls: failed to parse 
server certificate error: %s", err.Error())
+                               }
+                               certs[i] = cert
+                       }
+
+                       if tlsConfig.RootCAs == nil {
+                               return nil
+                       }
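
Review bot: in the `if tlsConfig.RootCAs == nil` branch at the end of this hunk, `return nil` makes the callback report success without any chain check. Because the callback is only installed when `tlsConfig.InsecureSkipVerify` is set, which turns off the built-in verification, a client with no roots loaded accepts any server certificate that parses. In crypto/tls a nil `RootCAs` means the host's root CA set, so consider dropping the early return and passing the nil pool through as `Roots` in `x509.VerifyOptions`, which falls back to the system roots, or returning an error here instead of `nil`. Separately, the comment links `handshake_client.go#L804` on `master`, which will drift as the file changes; a commit-pinned permalink would keep the reference stable.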

Review comment:
       Just ran into this. As-is, verification will return success when no roots are loaded.



