
7143d724211374d6c2faa7dec4cca6941e832b52 — Evan Tann 2 months ago 2660c9c master
add go1.15 workaround for broken google tls certs
1 files changed, 24 insertions(+), 0 deletions(-)

M mysql/store.go
M mysql/store.go => mysql/store.go +24 -0
@@ 404,6 404,30 @@ func newTLSConfig(
			RootCAs:      rootCertPool,
			Certificates: clientCert,
			ServerName:   serverName,

			// This is taken from
			// https://github.com/golang/go/issues/40748#issuecomment-673612108
			// as a workaround from Google issuing invalid TLS
			// certs in Cloud SQL.
			//
			// Set InsecureSkipVerify to skip the default validation we are
			// replacing. This will not disable VerifyConnection.
			InsecureSkipVerify: true,
			VerifyConnection: func(cs tls.ConnectionState) error {
				commonName := cs.PeerCertificates[0].Subject.CommonName
				if commonName != cs.ServerName {
					return fmt.Errorf("invalid certificate name %q, expected %q", commonName, cs.ServerName)
				}
				opts := x509.VerifyOptions{
					Roots:         rootCertPool,
					Intermediates: x509.NewCertPool(),
				}
				for _, cert := range cs.PeerCertificates[1:] {
					opts.Intermediates.AddCert(cert)
				}
				_, err := cs.PeerCertificates[0].Verify(opts)
				return err
			},
		},
	}
	return conf, nil
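Review bot: The VerifyConnection callback dereferences `cs.PeerCertificates[0]` (the commonName line and the Verify call) without checking that the chain is non-empty, so an empty chain would panic inside the handshake instead of failing it; add `if len(cs.PeerCertificates) == 0 { return errors.New("no peer certificate presented") }` as the first statement (use `fmt.Errorf` if `errors` is not already imported). With InsecureSkipVerify set, the only name binding that remains is the exact `commonName != cs.ServerName` comparison: it consults no SAN entries and no wildcards, so a certificate whose host appears only in a SAN is rejected, and the x509.VerifyOptions deliberately omits DNSName, which the existing comment should state explicitly, e.g. `// Hostname is checked by exact CommonName match above, not via SANs; DNSName is intentionally unset.` (the reason appears to be that the Cloud SQL certificates carry the host only in the CN, per the linked issue — worth confirming). Also confirm that `serverName` is never empty at this point, since an empty SNI would make the CN check accept only a certificate with an empty CommonName. newTLSConfig begins and ends outside the hunk.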