https with self-signed cert


Brian Ketelsen

Jun 27, 2011, 12:26:59 PM
to golang-nuts
I'm trying to do a manual soap call to an https server with a self-signed cert, and getting an error ("certificate is valid for , not myservice.com")

Where do I tell the http client to ignore certificate errors?

relevant code:

    resp, err := httpClient.Post("https://mydotnetserver.com/service.asmx",
        "application/soap+xml; charset=utf-8",
        strings.NewReader(soapRequestContent))
    if err != nil {
        fmt.Println("error1 : " + err.String())
    }

I scanned the docs and mailing list but see nothing. What am I missing?

Thanks!

Brian

Kyle Lemons

Jun 27, 2011, 12:45:32 PM
to Brian Ketelsen, golang-nuts
Without more context, this will be difficult to diagnose.  Where is "myservice.com" referenced?  Does a browser/CURL report any certificate issues with that site?

~K

Brian Ketelsen

Jun 27, 2011, 12:49:22 PM
to Kyle Lemons, golang-nuts
Yes, curl reports the same problem, so I have to use "-k" to ignore the cert error.  I'm looking for the same flag on the http client in Go.

Thanks!

Brian

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Kyle Lemons

Jun 27, 2011, 1:00:16 PM
to Brian Ketelsen, golang-nuts
There does not appear to be a way to disable this without writing your own insecure version of DefaultTransport.  I think your certificate might actually be bad, though, as this looks (from casual inspection) like it should accept self-signed certificates as long as the hostname matches.

Brian Ketelsen

Jun 27, 2011, 1:13:03 PM
to Kyle Lemons, golang-nuts
I think it is a poorly constructed self-signed cert.  It's a wildcard certificate, which I think causes the problems with host authentication.  I installed the certificate locally as trusted, and can now curl without the -k flag.  Go still fails though, as I don't think it's using the system certificate stores. (I'm on a Mac)

Reading through Go's source, I don't see any easy way to accomplish this without writing my own transport.

Thanks for the help.

Brian

Kyle Lemons

Jun 27, 2011, 1:20:57 PM
to Brian Ketelsen, golang-nuts
Or you could fix the certificate :)

Brian Ketelsen

Jun 27, 2011, 1:25:39 PM
to Kyle Lemons, golang-nuts
That would be ideal, but it's a vendor, not mine.

I appreciate your help today, thank you.

Brian

juztin

Jan 29, 2013, 12:21:52 PM
to golan...@googlegroups.com, Kyle Lemons
Thanks Matt!

I was just browsing through the go source, and did a quick google and found this.
Thanks for the time saver =)

On Friday, June 15, 2012 8:28:16 PM UTC-6, Matthew R Chase wrote:
    import (
        "crypto/tls"
        "net/http"
    )
    //...
    // InsecureSkipVerify turns off certificate chain and hostname verification.
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    }
    client := &http.Client{Transport: tr}
    resp, err := client.Get("https://someurl:443/")

Matthew R Chase

Jan 29, 2013, 12:24:39 PM
to juztin, golan...@googlegroups.com, Kyle Lemons
;)

______________________________
Matthew R Chase
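
As an alternative to the InsecureSkipVerify snippet quoted above, this added example (not part of the thread) keeps verification on and trusts only one specific certificate through `RootCAs`. The names `pinnedClient` and `demo` are hypothetical, and a local `httptest` TLS server stands in for the vendor endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pinnedClient (hypothetical helper) returns a client that trusts only the
// certificates in pemCerts. Chain and hostname verification stay enabled.
func pinnedClient(pemCerts []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemCerts) {
		return nil, fmt.Errorf("no certificate found in PEM input")
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// demo reports whether the default client and the pinned client can connect.
func demo() (defaultOK, pinnedOK bool, err error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // constructed stand-in server
	defer srv.Close()
	// Default client: the test certificate chains to no trusted root, so this fails.
	if resp, e := http.Get(srv.URL); e == nil {
		resp.Body.Close()
		defaultOK = true
	}
	// Export the server certificate as PEM, as one would save a vendor's cert to a file.
	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := pinnedClient(pemCert)
	if err != nil {
		return defaultOK, false, err
	}
	if resp, e := client.Get(srv.URL); e == nil {
		resp.Body.Close()
		pinnedOK = true
	}
	return defaultOK, pinnedOK, nil
}

func main() {
	d, p, err := demo()
	fmt.Println("default client ok:", d, "pinned client ok:", p, "err:", err)
}
```

Hostname checking remains active with this client, so a certificate whose names do not cover the host in the URL is still rejected.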


