From 2cab897ce055fd753821a85a2134affe64ffe8cb Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Fri, 21 Oct 2011 08:14:38 -0700
Subject: [PATCH] http: Transport: with TLS InsecureSkipVerify, skip hostname
 check

Fixes #2386

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5312045
---
 src/pkg/http/client_test.go | 24 ++++++++++++++++++++++++
 src/pkg/http/transport.go   |  6 ++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/src/pkg/http/client_test.go b/src/pkg/http/client_test.go
index 0ad6cd7c2f..8f61286c46 100644
--- a/src/pkg/http/client_test.go
+++ b/src/pkg/http/client_test.go
@@ -7,6 +7,7 @@
 package http_test
 
 import (
+	"crypto/tls"
 	"fmt"
 	. "http"
 	"http/httptest"
@@ -292,3 +293,26 @@ func TestClientWrites(t *testing.T) {
 		t.Errorf("Post request did %d Write calls, want 1", writes)
 	}
 }
+
+func TestClientInsecureTransport(t *testing.T) {
+	ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+		w.Write([]byte("Hello"))
+	}))
+	defer ts.Close()
+
+	// TODO(bradfitz): add tests for skipping hostname checks too?
+	// would require a new cert for testing, and probably
+	// redundant with these tests.
+	for _, insecure := range []bool{true, false} {
+		tr := &Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: insecure,
+			},
+		}
+		c := &Client{Transport: tr}
+		_, err := c.Get(ts.URL)
+		if (err == nil) != insecure {
+			t.Errorf("insecure=%v: got unexpected err=%v", insecure, err)
+		}
+	}
+}
diff --git a/src/pkg/http/transport.go b/src/pkg/http/transport.go
index edc8448f00..1d4433d14f 100644
--- a/src/pkg/http/transport.go
+++ b/src/pkg/http/transport.go
@@ -362,8 +362,10 @@ func (t *Transport) getConn(cm *connectMethod) (*persistConn, os.Error) {
 		if err = conn.(*tls.Conn).Handshake(); err != nil {
 			return nil, err
 		}
-		if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
-			return nil, err
+		if t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify {
+			if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
+				return nil, err
+			}
 		}
 		pconn.conn = conn
 	}