tls.Dial() validates hostname, no need to do that manually

Handshake() is still needed for tls.Client() code path. See https://github.com/kubernetes/kubernetes/pull/109750
This commit is contained in:
Mikhail Mazurskiy 2022-05-16 23:26:15 +10:00
parent 22a21f974f
commit 29dc50c149

View File

@ -24,10 +24,9 @@ import (
"net/http"
"net/url"
"k8s.io/klog/v2"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/third_party/forked/golang/netutil"
"k8s.io/klog/v2"
)
// dialURL will dial the specified URL using the underlying dialer held by the passed
@ -109,21 +108,6 @@ func dialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (ne
}
}
// Return if we were configured to skip validation
if tlsConfig != nil && tlsConfig.InsecureSkipVerify {
return tlsConn, nil
}
// Verify
host, _, _ := net.SplitHostPort(dialAddr)
if tlsConfig != nil && len(tlsConfig.ServerName) > 0 {
host = tlsConfig.ServerName
}
if err := tlsConn.VerifyHostname(host); err != nil {
tlsConn.Close()
return nil, err
}
return tlsConn, nil
default:
return nil, fmt.Errorf("Unknown scheme: %s", url.Scheme)