http.NewRequest stopped to check SSL certificate validity every time


Vasily Korytov

Nov 19, 2016, 8:47:31 AM
to golang-nuts
Hi,

I've got code like:

client := &http.Client{}
req, _ := http.NewRequest("GET", "https://localhost", nil)
resp, err := client.Do(req)

I believe that prior to Golang 1.6 or something like that, this bailed out with err when the SSL certificate was not valid (expired or other things). That is: the app was running, while the cert was OK there was no error, and once it expired there was an error.

But now (1.7.3) it does not: when the app is running and the certificate expires, it does not produce a `certificate expired' error. However, restarting the app makes it fail; I get `x509: certificate has expired or is not yet valid'.

So the question is: how do I get the old behaviour? That is, an expired SSL certificate should generate an error without restarting my app.


Thanks.

Vasily Korytov

Nov 19, 2016, 9:07:58 AM
to golang-nuts
P.S. I would like to list the things that changed since the SSL certificate check was working:

1. Newer Go runtime
2. HTTP/2 connection
3. I used http.Get(url) before and now I use http.Client.Do (I use this for customizing the User-Agent header)

All the other things did not change, so the changed behaviour is a surprise for me.

Would appreciate any clues.

James Bardin

Nov 19, 2016, 11:21:49 AM
to golang-nuts

Chances are that you're getting better reuse of the client connections. If you want to ensure that you reconnect periodically, use Request.Close when you don't want the connection maintained, or call Transport.CloseIdleConnections occasionally between requests to force the connections to close.

Vasily Korytov

Nov 19, 2016, 11:33:30 AM
to golang-nuts


On Saturday, November 19, 2016 at 6:21:49 PM UTC+2, James Bardin wrote:

> Chances are that you're getting better reuse of the client connections. If you want to ensure that you reconnect periodically, use Request.Close when you don't want the connection maintained, or call Transport.CloseIdleConnections occasionally between requests to force the connections to close.

It stays there for days, so I'm not sure. And the client is supposed to be created and destroyed in a function that terminates, so I'm really surprised by that.

I've reverted to http.Get instead of request.Do and now I get correct SSL checks.

Will check with Request.Close as well, thanks for the suggestion.

James Bardin

Nov 19, 2016, 11:43:00 AM
to Vasily Korytov, golang-nuts
On Sat, Nov 19, 2016 at 11:33 AM, Vasily Korytov <vkor...@4tifier.com> wrote:
> It stays there for days, so I'm not sure. And the client is supposed to be created and destroyed in a function that terminates, so I'm really surprised by that.


The connection can stay there for as long as the server and client want it to. SSL handshakes are expensive, and normally you try to avoid them when possible. 

The client doesn't maintain the connection, the Transport does, and you're using the DefaultTransport. I'm not sure why http.Get would work differently, since it's just calling DefaultClient.Get. 
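
The behaviour discussed in this thread, as an added example that is not code from any of the posters: certificate validation runs only during the TLS handshake, so a request that reuses a kept-alive connection never sees an expiry, while Request.Close or Transport.CloseIdleConnections forces a new handshake. Assumptions: a local `httptest` TLS server stands in for the real one, and expiry is simulated by moving the client's `tls.Config.Time` clock past the certificate's NotAfter; `secondGet` and `skew` are names made up for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// secondGet does one GET while the test server's certificate is valid, moves
// the client's TLS clock past the certificate's NotAfter, then returns the
// result of a second GET made through the same Transport.
func secondGet(closeReq, dropIdle bool) error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	var skew atomic.Int64 // constructed clock offset standing in for days passing
	client := srv.Client() // its Transport already trusts the test certificate
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.Time = func() time.Time { return time.Now().Add(time.Duration(skew.Load())) }
	get := func() error {
		req, err := http.NewRequest("GET", srv.URL, nil)
		if err != nil {
			return err
		}
		req.Close = closeReq // Request.Close: drop the connection after this request
		resp, err := client.Do(req)
		if err != nil {
			return err
		}
		io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
		return resp.Body.Close()
	}
	if err := get(); err != nil {
		return err
	}
	skew.Store(int64(time.Until(srv.Certificate().NotAfter) + time.Hour)) // now expired
	if dropIdle {
		tr.CloseIdleConnections() // the next request must handshake, and verify, again
	}
	return get()
}

func main() {
	fmt.Println("keep-alive:          ", secondGet(false, false))
	fmt.Println("Request.Close:       ", secondGet(true, false))
	fmt.Println("CloseIdleConnections:", secondGet(false, true))
}
```
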
