Implement support of Optional TLS #900
Conversation
dsn.go
Outdated
| @@ -560,7 +560,7 @@ func parseDSNParams(cfg *Config, params string) (err error) { | |||
| } else { | |||
| cfg.TLSConfig = "false" | |||
| } | |||
| } else if vl := strings.ToLower(value); vl == "skip-verify" { | |||
| } else if vl := strings.ToLower(value); vl == "skip-verify" || vl == "optional" { | |||
There was a problem hiding this comment.
Should this really set cfg.tls = &tls.Config{InsecureSkipVerify: true} ?
There was a problem hiding this comment.
It doesn't have to. but then there should be an option to set tls=optional and also supply a config for the CA etc.
There was a problem hiding this comment.
This option is not for security. If security is matter, they shouldn't allow unencrypted connection. In unencrypted connection, there are no verify for host.
This option is very silly behavior. It useful only for situations described in #899.
So InsecureSkipVerify: true make sense.
There was a problem hiding this comment.
Please add a note to the README that using this option does not add any security.
Indeed, a Man-in-the-Middle attacker could remove TLS entirely with this option, whether InsecureSkipVerify: true is used or not.
|
This also fixes the test: If a empty string was returned instead of a cipher this was not seen as an error |
There was a problem hiding this comment.
As discussed in #899, this option should use "preferred" instead of "optional".
Please also add a note regarding the security of this option. Other than that, this PR seems fine.
Issue: go-sql-driver#899 Add `preferred` config value to the `tls` config variable on the DSN. This results in a TLS connection when the server advertises this by the flag send in the initial packet.
Description
Add
optionalconfig value to thetlsconfig variable on the DSN.This results in a TLS connection when the server advertises this by the flag
send in the initial packet.
Closes: #899
Checklist