From 17393e09be218c150216faa0ab3e81ba352c4c80 Mon Sep 17 00:00:00 2001
From: Denton Gentry
Date: Sat, 7 Jan 2023 22:11:26 -0800
Subject: [PATCH] cmd/tailscale: disable HTTPS verification for QNAP auth.

QNAP's "Force HTTPS" mode redirects even localhost HTTP to HTTPS, but uses a self-signed certificate which fails verification. We accommodate this by disabling checking of the cert.
Fixes https://github.com/tailscale/tailscale/issues/6903
Signed-off-by: Denton Gentry
---
 cmd/tailscale/cli/web.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cmd/tailscale/cli/web.go b/cmd/tailscale/cli/web.go
index 1bf319dc74a59..241b495cf5e88 100644
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -247,7 +247,13 @@ func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse,
 }

 func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
- resp, err := http.Get(url)
+ // QNAP Force HTTPS mode uses a self-signed certificate.
+ // https://github.com/tailscale/tailscale/issues/6903
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ client := &http.Client{Transport: tr}
+ resp, err := client.Get(url)
 if err != nil {
 return "", nil, err
 }
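Review bot: The `InsecureSkipVerify: true` transport in `qnapAuthnFinish` applies to whatever `url` the caller passes and to every redirect `client.Get` follows, while the commit message justifies it only for the NAS's own localhost HTTP-to-HTTPS redirect. The callers that build `url` are outside this hunk, so if it is always a loopback address (to be confirmed), a `CheckRedirect` that rejects non-loopback hosts would keep the unverified connection on the box. Building a fresh `http.Transport` on every call also leaves its idle connections open, so `defer tr.CloseIdleConnections()` is worth adding, and the client sets no `Timeout`. The sketch below assumes `fmt` is already imported in web.go; the function body continues past the end of the hunk.

```go
func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
	// QNAP Force HTTPS mode uses a self-signed certificate.
	// https://github.com/tailscale/tailscale/issues/6903
	// Verification is skipped only for the local QNAP web server; a redirect
	// to any other host is refused rather than followed unverified.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	defer tr.CloseIdleConnections()
	client := &http.Client{
		Transport: tr,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if h := req.URL.Hostname(); h != "127.0.0.1" && h != "localhost" && h != "::1" {
				return fmt.Errorf("qnap auth: refusing redirect to non-loopback host %q", h)
			}
			return nil
		},
	}
	resp, err := client.Get(url)
	// … unchanged: error check and response handling …
```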