THRIFT-3009 TSSLSocket does not use the correct hostname (breaks certificate checks)
Client: Go
Patch: Mathias Gottschlag <mgottschlag@gmail.com>
diff --git a/lib/go/thrift/ssl_socket.go b/lib/go/thrift/ssl_socket.go
index 38f66c4..4faaf8c 100644
--- a/lib/go/thrift/ssl_socket.go
+++ b/lib/go/thrift/ssl_socket.go
@@ -26,7 +26,12 @@
 )
 
 type TSSLSocket struct {
-	conn    net.Conn
+	conn net.Conn
+	// hostPort contains host:port (e.g. "asdf.com:12345"). The field is
+	// only valid if addr is nil.
+	hostPort string
+	// addr is nil when hostPort is not "", and is only used when the
+	// TSSLSocket is constructed from a net.Addr.
 	addr    net.Addr
 	timeout time.Duration
 	cfg     *tls.Config
@@ -35,7 +40,7 @@
 // NewTSSLSocket creates a net.Conn-backed TTransport, given a host and port and tls Configuration
 //
 // Example:
-// 	trans, err := thrift.NewTSocket("localhost:9090")
+// 	trans, err := thrift.NewTSSLSocket("localhost:9090", nil)
 func NewTSSLSocket(hostPort string, cfg *tls.Config) (*TSSLSocket, error) {
 	return NewTSSLSocketTimeout(hostPort, cfg, 0)
 }
@@ -43,12 +48,7 @@
 // NewTSSLSocketTimeout creates a net.Conn-backed TTransport, given a host and port
 // it also accepts a tls Configuration and a timeout as a time.Duration
 func NewTSSLSocketTimeout(hostPort string, cfg *tls.Config, timeout time.Duration) (*TSSLSocket, error) {
-	//conn, err := net.DialTimeout(network, address, timeout)
-	addr, err := net.ResolveTCPAddr("tcp", hostPort)
-	if err != nil {
-		return nil, err
-	}
-	return NewTSSLSocketFromAddrTimeout(addr, cfg, timeout), nil
+	return &TSSLSocket{hostPort: hostPort, timeout: timeout, cfg: cfg}, nil
 }
 
 // Creates a TSSLSocket from a net.Addr
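Review bot: NewTSSLSocketTimeout no longer validates hostPort, so a malformed or empty string is accepted here and only fails later in Open; an empty string in particular falls through to the net.Addr branch there and is reported as "Cannot open nil address", which points the caller at the wrong constructor. A cheap syntactic check keeps the earlier fail-fast behaviour without resolving the name: `if _, _, err := net.SplitHostPort(hostPort); err != nil { return nil, err }` before the return. It is also worth a comment that the host part of hostPort is only used for certificate verification when cfg is nil or cfg.ServerName is empty, since tls.Dial lets an explicit ServerName override it.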
@@ -83,21 +83,29 @@
 
 // Connects the socket, creating a new socket object if necessary.
 func (p *TSSLSocket) Open() error {
-	if p.IsOpen() {
-		return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
-	}
-	if p.addr == nil {
-		return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
-	}
-	if len(p.addr.Network()) == 0 {
-		return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
-	}
-	if len(p.addr.String()) == 0 {
-		return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
-	}
 	var err error
-	if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
-		return NewTTransportException(NOT_OPEN, err.Error())
+	// If we have a hostname, we need to pass the hostname to tls.Dial for
+	// certificate hostname checks.
+	if p.hostPort != "" {
+		if p.conn, err = tls.Dial("tcp", p.hostPort, p.cfg); err != nil {
+			return NewTTransportException(NOT_OPEN, err.Error())
+		}
+	} else {
+		if p.IsOpen() {
+			return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
+		}
+		if p.addr == nil {
+			return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
+		}
+		if len(p.addr.Network()) == 0 {
+			return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
+		}
+		if len(p.addr.String()) == 0 {
+			return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
+		}
+		if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
+			return NewTTransportException(NOT_OPEN, err.Error())
+		}
 	}
 	return nil
 }
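Review bot: The new hostPort branch skips the IsOpen() guard that the addr branch keeps, so a second Open() on a socket built from NewTSSLSocket silently overwrites p.conn and leaks the previous TLS connection. Hoist the guard above the branch, `if p.IsOpen() { return NewTTransportException(ALREADY_OPEN, "Socket already connected.") }` as the first statement of Open, and drop the duplicate from the else arm. The addr branch still dials by p.addr.String(), which for a *net.TCPAddr is an IP literal, so a socket built via NewTSSLSocketFromAddr is verified only against IP SANs unless the caller sets cfg.ServerName; that caveat belongs in the comment on the else branch. The timeout field is still not applied to either tls.Dial call, as before this change.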