mirror of https://github.com/golang/go synced 2024-09-24 23:20:12 -06:00
The Go programming language
Adam Langley fca335e91a crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.

Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.

Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.

A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.

Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes #7342.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/67010043
2014-02-21 15:56:41 -05:00
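
The behaviour described in the commit message above, as an added example (not code from the commit or from the Go repository): tls.Client is run over a raw TCP connection with four different configs. Assumptions: net/http/httptest's built-in test certificate, which is valid for example.com, stands in for a real server; evil.example is a constructed name; newServer and clientHandshake are hypothetical helpers.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net"
	"net/http/httptest"
)

// newServer starts a loopback TLS server with httptest's built-in test
// certificate (valid for "example.com") and returns its address plus a pool
// that trusts exactly that certificate. It runs until the process exits.
func newServer() (string, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(nil)
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // hide server-side handshake noise
	srv.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	return srv.Listener.Addr().String(), roots
}

// clientHandshake layers the low-level tls.Client over a raw TCP connection,
// the usage pattern the commit message is about.
func clientHandshake(addr string, cfg *tls.Config) error {
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return err
	}
	defer raw.Close()
	return tls.Client(raw, cfg).Handshake()
}

func main() {
	addr, roots := newServer()
	cases := []*tls.Config{
		{RootCAs: roots},                             // neither field set: rejected up front
		{RootCAs: roots, ServerName: "evil.example"}, // chain trusted, name does not match
		{RootCAs: roots, ServerName: "example.com"},  // chain and name both verified
		{InsecureSkipVerify: true},                   // explicit opt-out: nothing is verified
	}
	for _, cfg := range cases {
		fmt.Printf("ServerName=%q InsecureSkipVerify=%v -> %v\n",
			cfg.ServerName, cfg.InsecureSkipVerify, clientHandshake(addr, cfg))
	}
}
```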
api api: update next.txt 2014-02-19 15:56:42 -05:00
doc crypto/tls: enforce that either ServerName or InsecureSkipVerify be given. 2014-02-21 15:56:41 -05:00
include cmd/gc: correct liveness for fat variables 2014-02-15 10:58:55 -05:00
lib codereview: fix for Mercurial 2.9 2014-02-14 15:56:58 -08:00
misc misc/emacs: add support for ff-find-other-file 2014-02-18 22:23:55 -05:00
src crypto/tls: enforce that either ServerName or InsecureSkipVerify be given. 2014-02-21 15:56:41 -05:00
test cmd/gc: make embedded, unexported fields read-only. 2014-02-20 11:32:55 -08:00
.hgignore lib9: enable on Plan 9 2014-02-13 20:06:41 +01:00
.hgtags tag go1.2 2013-12-02 09:06:41 +11:00
AUTHORS A+C: Jay Weisskopf (individual CLA) 2014-02-21 15:28:44 -05:00
CONTRIBUTORS A+C: Jay Weisskopf (individual CLA) 2014-02-21 15:28:44 -05:00
favicon.ico godoc: update favicon 2012-10-11 17:02:36 +11:00
LICENSE doc: update licensing text one more time 2012-03-27 15:09:13 +11:00
PATENTS LICENSE: separate, change PATENTS text 2010-12-06 16:31:59 -05:00
README README: Fix installation instructions 2013-11-20 13:47:37 -08:00
robots.txt godoc: serve robots.txt raw 2011-02-19 05:46:20 +11:00

This is the source code repository for the Go programming language.  

For documentation about how to install and use Go,
visit http://golang.org/ or load doc/install-source.html
in your web browser.

After installing Go, you can view a nicely formatted
doc/install-source.html by running godoc --http=:6060
and then visiting http://localhost:6060/doc/install/source.

Unless otherwise noted, the Go source files are distributed
under the BSD-style license found in the LICENSE file.

--

Binary Distribution Notes

If you have just untarred a binary Go distribution, you need to set
the environment variable $GOROOT to the full path of the go
directory (the one containing this README).  You can omit the
variable if you unpack it into /usr/local/go, or if you rebuild
from sources by running all.bash (see doc/install.html).
You should also add the Go binary directory $GOROOT/bin
to your shell's path.

For example, if you extracted the tar file into $HOME/go, you might
put the following in your .profile:

    export GOROOT=$HOME/go
    export PATH=$PATH:$GOROOT/bin

See doc/install.html for more details.