hcashd
httpclient skips cert check for TLS
cmd/hcashctl/httpclient.go
```go
	// Configure TLS if needed.
	// [.............]
		// Trust only the certificates in the RPC cert file.
		pool := x509.NewCertPool()
		if ok := pool.AppendCertsFromPEM(pem); !ok {
			return nil, fmt.Errorf("invalid certificate file: %v",
				cfg.RPCCert)
		}
		tlsConfig = &tls.Config{
			RootCAs:            pool,
			InsecureSkipVerify: cfg.TLSSkipVerify, // HERE: a config flag disables all certificate checks
		}
	}
```
This opens up MITM attacks as the certificate is not checked. If you all choose to accept this risk, or fix it using a proper certificate, it should at least be noted in the comments of the code or documentation.
```go
// InsecureSkipVerify controls whether a client verifies the
// server's certificate chain and host name.
// If InsecureSkipVerify is true, TLS accepts any certificate
// presented by the server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
InsecureSkipVerify bool
```
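To make the risk concrete, here is an added example (not hcashd code) that rebuilds the snippet's `tls.Config` against an in-process test server and shows that once `InsecureSkipVerify` is set, the `RootCAs` pool no longer matters: a server whose certificate chains to nothing in the pool is still accepted. The names `loadPool`, `clientConfig`, `handshakeOK` and `Demo` are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// loadPool builds the trust store as the hcashctl snippet does: only the
// certificates in pemBytes (normally the rpc.cert file) are trusted.
func loadPool(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("invalid certificate PEM")
	}
	return pool, nil
}

// clientConfig (hypothetical) mirrors the tls.Config in the snippet;
// skipVerify plays the role of cfg.TLSSkipVerify.
func clientConfig(pool *x509.CertPool, skipVerify bool) *tls.Config {
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: skipVerify}
}

// handshakeOK dials url with cfg and reports whether the client accepted
// the server's certificate (any verification failure aborts the request).
func handshakeOK(url string, cfg *tls.Config) bool {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Demo starts a TLS server with a self-signed certificate (constructed by
// httptest) and connects three ways: trusted root + verify, no matching
// root + verify, no matching root + InsecureSkipVerify. The last is the bug.
func Demo() (trusted, untrusted, skipped bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	serverPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pool, _ := loadPool(serverPEM)
	wrong := x509.NewCertPool() // holds nothing that issued the server's certificate
	return handshakeOK(srv.URL, clientConfig(pool, false)),
		handshakeOK(srv.URL, clientConfig(wrong, false)),
		handshakeOK(srv.URL, clientConfig(wrong, true))
}
```

The expected result is `true false true`: verification works when the RPC cert is in the pool, rejects an unknown issuer, and is silently bypassed by the flag.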
References:
- https://golang.org/pkg/crypto/tls/
- https://info.checkmarx.com/hubfs/GOwhitepaper0504.pdf