THRIFT-3009 TSSLSocket does not use the correct hostname (breaks certificate checks)
Client: Go
Patch: Mathias Gottschlag <mgottschlag@gmail.com>
diff --git a/lib/go/thrift/ssl_socket.go b/lib/go/thrift/ssl_socket.go
index 38f66c4..4faaf8c 100644
--- a/lib/go/thrift/ssl_socket.go
+++ b/lib/go/thrift/ssl_socket.go
@@ -26,7 +26,12 @@
)
type TSSLSocket struct {
- conn net.Conn
+ conn net.Conn
+ // hostPort contains host:port (e.g. "asdf.com:12345"). The field is
+ // only valid if addr is nil.
+ hostPort string
+ // addr is nil when hostPort is not "", and is only used when the
+ // TSSLSocket is constructed from a net.Addr.
addr net.Addr
timeout time.Duration
cfg *tls.Config
@@ -35,7 +40,7 @@
// NewTSSLSocket creates a net.Conn-backed TTransport, given a host and port and tls Configuration
//
// Example:
-// trans, err := thrift.NewTSocket("localhost:9090")
+// trans, err := thrift.NewTSSLSocket("localhost:9090", nil)
func NewTSSLSocket(hostPort string, cfg *tls.Config) (*TSSLSocket, error) {
return NewTSSLSocketTimeout(hostPort, cfg, 0)
}
@@ -43,12 +48,7 @@
// NewTSSLSocketTimeout creates a net.Conn-backed TTransport, given a host and port
// it also accepts a tls Configuration and a timeout as a time.Duration
func NewTSSLSocketTimeout(hostPort string, cfg *tls.Config, timeout time.Duration) (*TSSLSocket, error) {
- //conn, err := net.DialTimeout(network, address, timeout)
- addr, err := net.ResolveTCPAddr("tcp", hostPort)
- if err != nil {
- return nil, err
- }
- return NewTSSLSocketFromAddrTimeout(addr, cfg, timeout), nil
+ return &TSSLSocket{hostPort: hostPort, timeout: timeout, cfg: cfg}, nil
}
// Creates a TSSLSocket from a net.Addr
@@ -83,21 +83,29 @@
// Connects the socket, creating a new socket object if necessary.
func (p *TSSLSocket) Open() error {
- if p.IsOpen() {
- return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
- }
- if p.addr == nil {
- return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
- }
- if len(p.addr.Network()) == 0 {
- return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
- }
- if len(p.addr.String()) == 0 {
- return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
- }
var err error
- if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
- return NewTTransportException(NOT_OPEN, err.Error())
+ // If we have a hostname, we need to pass the hostname to tls.Dial for
+ // certificate hostname checks.
+ if p.hostPort != "" {
+ if p.conn, err = tls.Dial("tcp", p.hostPort, p.cfg); err != nil {
+ return NewTTransportException(NOT_OPEN, err.Error())
+ }
+ } else {
+ if p.IsOpen() {
+ return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
+ }
+ if p.addr == nil {
+ return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
+ }
+ if len(p.addr.Network()) == 0 {
+ return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
+ }
+ if len(p.addr.String()) == 0 {
+ return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
+ }
+ if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
+ return NewTTransportException(NOT_OPEN, err.Error())
+ }
}
return nil
}