add InsecureSkipServerNameVerify to tls.Config (#158)

* add InsecureSkipServerNameVerify to tls.Config * Support clone InsecureSkipServerNameVerify, update error message
2025-04-03 20:17:36 +03:00 · 2023-02-04 21:10:59 +00:00 · 2023-02-04 21:10:59 +00:00 · d139a4a652
commit d139a4a652
parent a3b55c90c4
4 changed files with 55 additions and 35 deletions
--- a/common.go
+++ b/common.go
@ -656,6 +656,15 @@ type Config struct {
 	// testing or in combination with VerifyConnection or VerifyPeerCertificate.
 	InsecureSkipVerify bool

+	// InsecureSkipServerNameVerify controls whether a client verifies the
+	// server's certificate chain only without verify host name.
+	// If InsecureSkipServerNameVerify is true, crypto/tls will do normal
+	// certificate validation but ignore certifacate's DNSName. This is intended
+	// to use with spoofed ServerName and VerifyConnection.
+	//
+	// This field is ignored when InsecureSkipVerify is true.
+	InsecureSkipServerNameVerify bool // [uTLS]
+
 	// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
 	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
 	//
@ -797,35 +806,36 @@ func (c *Config) Clone() *Config {
 	c.mutex.RLock()
 	defer c.mutex.RUnlock()
 	return &Config{
-		Rand:                        c.Rand,
-		Time:                        c.Time,
-		Certificates:                c.Certificates,
-		NameToCertificate:           c.NameToCertificate,
-		GetCertificate:              c.GetCertificate,
-		GetClientCertificate:        c.GetClientCertificate,
-		GetConfigForClient:          c.GetConfigForClient,
-		VerifyPeerCertificate:       c.VerifyPeerCertificate,
-		VerifyConnection:            c.VerifyConnection,
-		RootCAs:                     c.RootCAs,
-		NextProtos:                  c.NextProtos,
-		ApplicationSettings:         c.ApplicationSettings,
-		ServerName:                  c.ServerName,
-		ClientAuth:                  c.ClientAuth,
-		ClientCAs:                   c.ClientCAs,
-		InsecureSkipVerify:          c.InsecureSkipVerify,
-		CipherSuites:                c.CipherSuites,
-		PreferServerCipherSuites:    c.PreferServerCipherSuites,
-		SessionTicketsDisabled:      c.SessionTicketsDisabled,
-		SessionTicketKey:            c.SessionTicketKey,
-		ClientSessionCache:          c.ClientSessionCache,
-		MinVersion:                  c.MinVersion,
-		MaxVersion:                  c.MaxVersion,
-		CurvePreferences:            c.CurvePreferences,
-		DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
-		Renegotiation:               c.Renegotiation,
-		KeyLogWriter:                c.KeyLogWriter,
-		sessionTicketKeys:           c.sessionTicketKeys,
-		autoSessionTicketKeys:       c.autoSessionTicketKeys,
+		Rand:                         c.Rand,
+		Time:                         c.Time,
+		Certificates:                 c.Certificates,
+		NameToCertificate:            c.NameToCertificate,
+		GetCertificate:               c.GetCertificate,
+		GetClientCertificate:         c.GetClientCertificate,
+		GetConfigForClient:           c.GetConfigForClient,
+		VerifyPeerCertificate:        c.VerifyPeerCertificate,
+		VerifyConnection:             c.VerifyConnection,
+		RootCAs:                      c.RootCAs,
+		NextProtos:                   c.NextProtos,
+		ApplicationSettings:          c.ApplicationSettings,
+		ServerName:                   c.ServerName,
+		ClientAuth:                   c.ClientAuth,
+		ClientCAs:                    c.ClientCAs,
+		InsecureSkipVerify:           c.InsecureSkipVerify,
+		InsecureSkipServerNameVerify: c.InsecureSkipServerNameVerify,
+		CipherSuites:                 c.CipherSuites,
+		PreferServerCipherSuites:     c.PreferServerCipherSuites,
+		SessionTicketsDisabled:       c.SessionTicketsDisabled,
+		SessionTicketKey:             c.SessionTicketKey,
+		ClientSessionCache:           c.ClientSessionCache,
+		MinVersion:                   c.MinVersion,
+		MaxVersion:                   c.MaxVersion,
+		CurvePreferences:             c.CurvePreferences,
+		DynamicRecordSizingDisabled:  c.DynamicRecordSizingDisabled,
+		Renegotiation:                c.Renegotiation,
+		KeyLogWriter:                 c.KeyLogWriter,
+		sessionTicketKeys:            c.sessionTicketKeys,
+		autoSessionTicketKeys:        c.autoSessionTicketKeys,
 	}
 }

--- a/handshake_client.go
+++ b/handshake_client.go
@ -40,9 +40,13 @@ var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme

 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	config := c.config
-	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
-		return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
+
+	// [UTLS SECTION START]
+	skipServerNameVerify := config.InsecureSkipVerify || config.InsecureSkipServerNameVerify
+	if len(config.ServerName) == 0 && !skipServerNameVerify {
+		return nil, nil, errors.New("tls: at least one of ServerName, InsecureSkipVerify or InsecureSkipServerNameVerify must be specified in the tls.Config")
 	}
+	// [UTLS SECTION END]

 	nextProtosLength := 0
 	for _, proto := range config.NextProtos {
@ -874,13 +878,18 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 	}

 	if !c.config.InsecureSkipVerify {
+		// [UTLS SECTION START]
 		opts := x509.VerifyOptions{
 			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
-			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}

+		if !c.config.InsecureSkipServerNameVerify {
+			opts.DNSName = c.config.ServerName
+		}
+		// [UTLS SECTION END]
+
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
--- a/tls_test.go
+++ b/tls_test.go
@ -814,7 +814,7 @@ func TestCloneNonFuncFields(t *testing.T) {
 			f.Set(reflect.ValueOf("b"))
 		case "ClientAuth":
 			f.Set(reflect.ValueOf(VerifyClientCertIfGiven))
-		case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites":
+		case "InsecureSkipVerify", "InsecureSkipServerNameVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites":
 			f.Set(reflect.ValueOf(true))
 		case "MinVersion", "MaxVersion":
 			f.Set(reflect.ValueOf(uint16(VersionTLS12)))
--- a/u_conn.go
+++ b/u_conn.go
@ -377,8 +377,9 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	// [uTLS section begins]
 	// don't make new ClientHello, use hs.hello
 	// preserve the checks from beginning and end of makeClientHello()
-	if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
-		return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
+	skipServerNameVerify := c.config.InsecureSkipVerify || c.config.InsecureSkipServerNameVerify
+	if len(c.config.ServerName) == 0 && !skipServerNameVerify {
+		return errors.New("tls: at least one of ServerName, InsecureSkipVerify or InsecureSkipServerNameVerify must be specified in the tls.Config")
 	}

 	nextProtosLength := 0