http: Transport: with TLS InsecureSkipVerify, skip hostname check

Fixes #2386

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5312045

src/pkg/http/client_test.go

@@ -7,6 +7,7 @@
 package http_test
 
 import (
+	"crypto/tls"
 	"fmt"
 	. "http"
 	"http/httptest"
@@ -292,3 +293,26 @@ func TestClientWrites(t *testing.T) {
 		t.Errorf("Post request did %d Write calls, want 1", writes)
 	}
 }
+
+func TestClientInsecureTransport(t *testing.T) {
+	ts := httptest.NewTLSServer(HandlerFunc(func(w ResponseWriter, r *Request) {
+		w.Write([]byte("Hello"))
+	}))
+	defer ts.Close()
+
+	// TODO(bradfitz): add tests for skipping hostname checks too?
+	// would require a new cert for testing, and probably
+	// redundant with these tests.
+	for _, insecure := range []bool{true, false} {
+		tr := &Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: insecure,
+			},
+		}
+		c := &Client{Transport: tr}
+		_, err := c.Get(ts.URL)
+		if (err == nil) != insecure {
+			t.Errorf("insecure=%v: got unexpected err=%v", insecure, err)
+		}
+	}
+}

src/pkg/http/transport.go

@@ -362,8 +362,10 @@ func (t *Transport) getConn(cm *connectMethod) (*persistConn, os.Error) {
 		if err = conn.(*tls.Conn).Handshake(); err != nil {
 			return nil, err
 		}
-		if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
-			return nil, err
+		if t.TLSClientConfig == nil || !t.TLSClientConfig.InsecureSkipVerify {
+			if err = conn.(*tls.Conn).VerifyHostname(cm.tlsHost()); err != nil {
+				return nil, err
+			}
 		}
 		pconn.conn = conn
 	}