Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: address the use of InsecureSkipVerify in sample #3966

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix: address the use of InsecureSkipVerify in sample #3966

wants to merge 1 commit into from

Conversation

iennae
Copy link
Contributor

@iennae iennae commented Mar 15, 2024

Description

Addresses https://github.com/GoogleCloudPlatform/golang-samples/security/code-scanning/5

Checklist

  • Please merge this PR for me once it is approved

in order for the sample to work, requires this to be set to true. Not a pattern we'd want to encourage in use so adding a comment to help encourage change when copied.

@iennae iennae requested review from a team as code owners March 15, 2024 18:16
@product-auto-label product-auto-label bot added the samples Issues that are directly related to samples. label Mar 15, 2024
enocom
enocom reviewed Mar 18, 2024
View reviewed changes
Copy link
Member

@enocom enocom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is actual a symptom of Cloud SQL's public key infrastructure. By default, the Go TLS stack will attempt to verify the server's identity by inspecting the server's certificate. Because the server's certificate has a non-standard common name (e.g., myinstance:myproject), the verification will fail. Technically there is a pseudo DNS name in the server's certificate, but customers have to inspect their server certificate to know that value. If they knew that value, they could remove InsecureSkipVerify and add a ServerName field in the TLS config.

@iennae
Copy link
Contributor Author

iennae commented Mar 18, 2024

@enocom can you recommend a suggested update to the comment? :)

@enocom
Copy link
Member

enocom commented Mar 25, 2024

How about we move this comment to just above InsecureSkipVerify and say:

InsecureSkipVerify and a custom VerifyPeerCertificate function is required to handle Cloud SQL's custom certificates.
As an alternative it's also possible to inspect the server certificate and extract the SAN field and use that a ServerName
while removing InsecureSkipVerify and VerifyPeerCertificate.

It's not a great situation that Cloud SQL is working on fixing. Until then, the workaround is a headache.

@muncus
Copy link
Collaborator

muncus commented Apr 10, 2024

this PR has been idle for a while, so i'm converting it to draft. Feel free to un-draft it when it is ready for review.

@muncus muncus marked this pull request as draft April 10, 2024 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enocom enocom enocom left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
samples Issues that are directly related to samples.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@iennae @enocom @muncus