add InsecureSkipServerNameVerify to tls.Config

2025-04-03 20:17:36 +03:00 · 2023-02-04 14:20:21 +00:00 · 2023-02-04 14:20:21 +00:00 · da622db4a3
commit da622db4a3
parent 5eb62ee120
3 changed files with 22 additions and 3 deletions
--- a/common.go
+++ b/common.go
@ -656,6 +656,15 @@ type Config struct {
 	// testing or in combination with VerifyConnection or VerifyPeerCertificate.
 	InsecureSkipVerify bool

+	// InsecureSkipServerNameVerify controls whether a client verifies the
+	// server's certificate chain only without verify host name.
+	// If InsecureSkipServerNameVerify is true, crypto/tls will do normal
+	// certificate validation but ignore certifacate's DNSName. This is intended
+	// to use with spoofed ServerName and VerifyConnection.
+	//
+	// This field is ignored when InsecureSkipVerify is true.
+	InsecureSkipServerNameVerify bool // [uTLS]
+
 	// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
 	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
 	//
--- a/handshake_client.go
+++ b/handshake_client.go
@ -40,9 +40,13 @@ var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme

 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	config := c.config
-	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
+
+	// [UTLS SECTION START]
+	skipServerNameVerify := config.InsecureSkipVerify || config.InsecureSkipServerNameVerify
+	if len(config.ServerName) == 0 && !skipServerNameVerify {
 		return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
 	}
+	// [UTLS SECTION END]

 	nextProtosLength := 0
 	for _, proto := range config.NextProtos {
@ -874,13 +878,18 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 	}

 	if !c.config.InsecureSkipVerify {
+		// [UTLS SECTION START]
 		opts := x509.VerifyOptions{
 			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
-			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}

+		if !c.config.InsecureSkipServerNameVerify {
+			opts.DNSName = c.config.ServerName
+		}
+		// [UTLS SECTION END]
+
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
--- a/u_conn.go
+++ b/u_conn.go
@ -377,7 +377,8 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	// [uTLS section begins]
 	// don't make new ClientHello, use hs.hello
 	// preserve the checks from beginning and end of makeClientHello()
-	if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
+	skipServerNameVerify := c.config.InsecureSkipVerify || c.config.InsecureSkipServerNameVerify
+	if len(c.config.ServerName) == 0 && !skipServerNameVerify {
 		return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
 	}