cmd/go: for go get -insecure, skip TLS certificate checking

The flag is already named -insecure. Make it more so.

If we're willing to accept HTTP, it's not much worse to accept
HTTPS man-in-the-middle attacks too. This allows servers
with self-signed certificates to work.

Fixes #13197.

Change-Id: Ia5491410bc886da0a26ef3bce4bf7d732f5e19e4
Reviewed-on: https://go-review.googlesource.com/18324Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

src/cmd/go/http.go

@@ -12,6 +12,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -24,8 +25,17 @@ import (
 // httpClient is the default HTTP client, but a variable so it can be
 // changed by tests, without modifying http.DefaultClient.
 var httpClient = http.DefaultClient
-var impatientHTTPClient = &http.Client{
+
+// impatientInsecureHTTPClient is used in -insecure mode,
+// when we're connecting to https servers that might not be there
+// or might be using self-signed certificates.
+var impatientInsecureHTTPClient = &http.Client{
 	Timeout: time.Duration(5 * time.Second),
+	Transport: &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	},
 }
 
 type httpError struct {
@@ -71,7 +81,7 @@ func httpsOrHTTP(importPath string, security securityMode) (urlStr string, body
 			log.Printf("Fetching %s", urlStr)
 		}
 		if security == insecure && scheme == "https" { // fail earlier
-			res, err = impatientHTTPClient.Get(urlStr)
+			res, err = impatientInsecureHTTPClient.Get(urlStr)
 		} else {
 			res, err = httpClient.Get(urlStr)
 		}