From ae10e2fdd9fdcf1983c06a3b447e4f257427ddf0 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 19 Feb 2014 11:17:09 -0500 Subject: [PATCH] crypto/tls: improve documentation for ServerName. Users of the low-level, Client function are frequenctly missing the fact that, unless they pass a ServerName to the TLS connection then it cannot verify the certificates against any name. This change makes it clear that at least one of InsecureSkipVerify and ServerName should always be set. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/65440043 --- common.go | 5 +++-- tls.go | 5 ++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/common.go b/common.go index 3382853..7ce2077 100644 --- a/common.go +++ b/common.go @@ -231,8 +231,9 @@ type Config struct { // NextProtos is a list of supported, application level protocols. NextProtos []string - // ServerName is included in the client's handshake to support virtual - // hosting. + // ServerName is used to verify the hostname on the returned + // certificates unless InsecureSkipVerify is given. It is also included + // in the client's handshake to support virtual hosting. ServerName string // ClientAuth determines the server's policy for diff --git a/tls.go b/tls.go index 6c67506..40156a0 100644 --- a/tls.go +++ b/tls.go @@ -27,9 +27,8 @@ func Server(conn net.Conn, config *Config) *Conn { // Client returns a new TLS client side connection // using conn as the underlying transport. -// Client interprets a nil configuration as equivalent to -// the zero configuration; see the documentation of Config -// for the defaults. +// The config cannot be nil: users must set either ServerHostname or +// InsecureSkipVerify in the config. func Client(conn net.Conn, config *Config) *Conn { return &Conn{conn: conn, config: config, isClient: true} }