Thanks for the suggestion. Unfortunately VerifyPeerCertificate does not receive the request's Context, so it is not possible to have its behavior depend on per-request data.
As a follow-up, we've opened https://github.com/golang/go/issues/21526

Regards,
Gabe

On Friday, August 18, 2017 at 9:36:57 PM UTC-7, Joshua Boelter wrote:
>
> Depending on what you're trying to do, this might get you further
>
> https://github.com/golang/go/blob/46f4bfb2d17a3ccb4b3207d086a90cac3c00ea2f/src/crypto/tls/common.go#L417
> https://github.com/golang/go/issues/16363
>
> On Thursday, August 17, 2017 at 3:33:14 PM UTC-7, Gabriel Rosenhouse wrote:
>>
>> Hello,
>>
>> We're trying to configure a http.Transport such that the client does
>> extra validation of the server-provided certificate before sending any
>> data. We want this client to compare server-provided certificate fields
>> against values present on the request Context. In essence, we'd like to be
>> able to write:
>>
>>     tr := http.Transport{
>>         // DialTLSContext is the hook we wish existed: it would receive the request's ctx.
>>         DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
>>             conn, err := tls.Dial(network, addr, myConfig) // myConfig: our *tls.Config
>>             if err != nil {
>>                 return nil, err
>>             }
>>             connState := conn.ConnectionState() // tls.Dial already returns a *tls.Conn
>>             ok := extraValidation(connState, ctx) // our per-request check
>>             if !ok {
>>                 conn.Close()
>>                 return nil, errors.New("extra validation failed")
>>             }
>>             return conn, nil
>>         },
>>     }
>>
>> But DialTLSContext doesn't exist today. We see Transport.DialContext(),
>> but if you try to tls.Dial() inside there while leaving DialTLS nil, the
>> http.Transport won't know that the conn is already TLS, and it will attempt
>> to TLS handshake again [0]
>>
>> Could anyone suggest a workaround for this, short of modifying the
>> `http.Transport` source code itself?
>>
>> Thank you,
>>
>> Gabe Rosenhouse
>>
>> [0] https://golang.org/src/net/http/transport.go#L1063
>>
>