~egtann/migrate

7841022c93100eee020fe8edfde60526599efd64 — Evan Tann 3 months ago b0073e6
add workaround for broken google tls certs
1 files changed, 24 insertions(+), 0 deletions(-)

M mysql/mysql.go
M mysql/mysql.go => mysql/mysql.go +24 -0
@@ 271,6 271,30 @@ func newTLSConfig(
			RootCAs:      rootCertPool,
			Certificates: clientCert,
			ServerName:   serverName,

			// This is taken from
			// https://github.com/golang/go/issues/40748#issuecomment-673612108
			// as a workaround from Google issuing invalid TLS
			// certs in Cloud SQL.
			//
			// Set InsecureSkipVerify to skip the default validation we are
			// replacing. This will not disable VerifyConnection.
			InsecureSkipVerify: true,
			VerifyConnection: func(cs tls.ConnectionState) error {
				commonName := cs.PeerCertificates[0].Subject.CommonName
				if commonName != cs.ServerName {
					return fmt.Errorf("invalid certificate name %q, expected %q", commonName, cs.ServerName)
				}
				opts := x509.VerifyOptions{
					Roots:         rootCertPool,
					Intermediates: x509.NewCertPool(),
				}
				for _, cert := range cs.PeerCertificates[1:] {
					opts.Intermediates.AddCert(cert)
				}
				_, err := cs.PeerCertificates[0].Verify(opts)
				return err
			},
		},
	}
	return conf, nil