cmd/go: for go get -insecure, skip TLS certificate checking

The flag is already named -insecure. Make it more so. If we're willing to accept HTTP, it's not much worse to accept HTTPS man-in-the-middle attacks too. This allows servers with self-signed certificates to work. Fixes #13197. Change-Id: Ia5491410bc886da0a26ef3bce4bf7d732f5e19e4 Reviewed-on: https://go-review.googlesource.com/18324 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-19 20:54:39 -07:00 · 2016-01-06 13:52:48 -05:00 · 2016-01-06 13:52:48 -05:00 · fb142ee9b9
commit fb142ee9b9
parent c063e342f8
1 changed files with 12 additions and 2 deletions
--- a/src/cmd/go/http.go
+++ b/src/cmd/go/http.go
@ -12,6 +12,7 @@
 package main

 import (
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@ -24,8 +25,17 @@ import (
 // httpClient is the default HTTP client, but a variable so it can be
 // changed by tests, without modifying http.DefaultClient.
 var httpClient = http.DefaultClient
-var impatientHTTPClient = &http.Client{
+
+// impatientInsecureHTTPClient is used in -insecure mode,
+// when we're connecting to https servers that might not be there
+// or might be using self-signed certificates.
+var impatientInsecureHTTPClient = &http.Client{
 	Timeout: time.Duration(5 * time.Second),
+	Transport: &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	},
 }

 type httpError struct {
@ -71,7 +81,7 @@ func httpsOrHTTP(importPath string, security securityMode) (urlStr string, body
 			log.Printf("Fetching %s", urlStr)
 		}
 		if security == insecure && scheme == "https" { // fail earlier
-			res, err = impatientHTTPClient.Get(urlStr)
+			res, err = impatientInsecureHTTPClient.Get(urlStr)
 		} else {
 			res, err = httpClient.Get(urlStr)
 		}