hashicorp · fatelei · Aug 22, 2023
@@ -28,6 +28,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -483,7 +484,7 @@ func baseRetryPolicy(resp *http.Response, err error) (bool, error) {
 			if notTrustedErrorRe.MatchString(v.Error()) {
 				return false, v
 			}
-			if _, ok := v.Err.(x509.UnknownAuthorityError); ok {
+			if errors.As(v.Err, &x509.UnknownAuthorityError{}) {
 				return false, v
 			}
 		}

@@ -3,6 +3,7 @@ module github.com/hashicorp/go-retryablehttp
 require (
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-hclog v0.9.2
+	github.com/stretchr/testify v1.2.2
 )
 
 go 1.13
@@ -5,7 +5,10 @@ package retryablehttp
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
+	"github.com/stretchr/testify/assert"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -132,6 +135,34 @@ func TestRoundTripper_TransportFailureErrorHandling(t *testing.T) {
 	}
 }
 
+func TestHTTPClientWithTLSFailure(t *testing.T) {
+	// Create a mock server with a handler
+	mockServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("Mock Response"))
+	}))
+	defer mockServer.Close()
+
+	// Set up the HTTP client with retryablehttp using a custom transport without InsecureSkipVerify
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+
+	// Set up the retryable HTTP client with the custom transport
+	client := NewClient()
+	client.HTTPClient.Transport = tr
+	client.RetryMax = 2
+
+	// Make a GET request using the retryable HTTP client
+	_, err := client.Get(mockServer.URL)
+
+	// Check that the error is indeed related to x509 certificate validation
+	var x509Error *x509.CertificateInvalidError
+	if assert.Error(t, err) && errors.As(err, &x509Error) {
+		assert.Contains(t, x509Error.Error(), "x509: certificate is not valid for any names")
+	}
+}
+
 func normalizeError(err error) error {
 	var dnsError *net.DNSError