
Commit fdb7930

Reject tls=true&tls-verify=ca
1 parent e612245 commit fdb7930


3 files changed

+22
-29
lines changed


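--- a/driver_test.go
+++ b/driver_test.go
@@ -1522,7 +1522,6 @@ func TestTLS(t *testing.T) {
 runTests(t, dsn+"&tls=custom-skip-verify", tlsTestReq)
 
 // Test tls-verify parameter with system CA
-runTests(t, dsn+"&tls=true&tls-verify=ca", tlsTestReq)
 runTests(t, dsn+"&tls=true&tls-verify=identity", tlsTestReq)
 
 // Test tls-verify parameter with custom TLS config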

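--- a/dsn.go
+++ b/dsn.go
@@ -205,12 +205,12 @@ func (cfg *Config) normalize() error {
 case "false", "":
 // don't set anything
 case "true":
-// System CA pool
+// Reject tls=true with tls-verify=ca since it provides minimal security
 if cfg.TLSVerify == "ca" {
-cfg.TLS = createVerifyCAConfig(nil, nil)
-} else {
-cfg.TLS = &tls.Config{}
+return errors.New("tls-verify=ca requires a custom TLS config with specific CA certificates (use tls=<config-name>); tls=true is not supported with tls-verify=ca")
 }
+// System CA pool with full verification (identity check)
+cfg.TLS = &tls.Config{}
 case "skip-verify":
 cfg.TLS = &tls.Config{InsecureSkipVerify: true}
 case "preferred":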
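Review bot: The new guard covers only `tls=true`, while the error text steers users to a registered custom config; if such a config carries a nil RootCAs it presumably falls back to the same system pool in the custom-config branch (outside this hunk), so that branch should reject, or at least document, nil RootCAs combined with tls-verify=ca. The comment on new line 208 states the conclusion ("minimal security") without the reason: the removed test asserted that ca mode set InsecureSkipVerify with a VerifyPeerCertificate callback and no ServerName, i.e. chain validation only, and against the public system roots any certificate issued by any trusted CA for any host would pass. I'd write it as `// Reject tls=true with tls-verify=ca: chain-only verification against the system pool would accept any publicly-trusted certificate for any host, so it authenticates nothing`. normalize() starts and ends outside this hunk.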

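--- a/dsn_test.go
+++ b/dsn_test.go
@@ -82,9 +82,6 @@ var testDSNs = []struct {
 }, {
 "foo:bar@tcp(192.168.1.50:3307)/baz?timeout=10s&connectionAttributes=program_name:MySQLGoDriver%2FTest,program_version:1.2.3",
 &Config{User: "foo", Passwd: "bar", Net: "tcp", Addr: "192.168.1.50:3307", DBName: "baz", Loc: time.UTC, Timeout: 10 * time.Second, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true, ConnectionAttributes: "program_name:MySQLGoDriver/Test,program_version:1.2.3"},
-}, {
-"user:password@tcp(localhost:5555)/dbname?tls=true&tls-verify=ca",
-&Config{User: "user", Passwd: "password", Net: "tcp", Addr: "localhost:5555", DBName: "dbname", Loc: time.UTC, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true, TLSConfig: "true", TLSVerify: "ca"},
 }, {
 "user:password@tcp(localhost:5555)/dbname?tls=true&tls-verify=identity",
 &Config{User: "user", Passwd: "password", Net: "tcp", Addr: "localhost:5555", DBName: "dbname", Loc: time.UTC, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true, TLSConfig: "true", TLSVerify: "identity"},
@@ -442,7 +439,6 @@ func TestTLSVerifySystemCA(t *testing.T) {
 name string
 dsn string
 }{
-{"ca with system CA", "tcp(example.com:1234)/?tls=true&tls-verify=ca"},
 {"identity with system CA (explicit)", "tcp(example.com:1234)/?tls=true&tls-verify=identity"},
 {"identity with system CA (default)", "tcp(example.com:1234)/?tls=true"},
 }
@@ -457,26 +453,12 @@ func TestTLSVerifySystemCA(t *testing.T) {
 t.Error("cfg.TLS should not be nil")
 }
 
-if cfg.TLSVerify == "ca" {
-if !cfg.TLS.InsecureSkipVerify {
-t.Error("ca mode should have InsecureSkipVerify=true")
-}
-if cfg.TLS.VerifyPeerCertificate == nil {
-t.Error("ca mode should have VerifyPeerCertificate callback set")
-}
-// ca mode does not auto-set ServerName (hostname verification is skipped)
-// ServerName remains empty unless explicitly set
-if cfg.TLS.ServerName != "" {
-t.Errorf("ca mode with system CA should not have ServerName set, got %q", cfg.TLS.ServerName)
-}
-} else {
-// identity (default) should set ServerName
-if cfg.TLS.ServerName != "example.com" {
-t.Errorf("identity mode should set ServerName to 'example.com', got %q", cfg.TLS.ServerName)
-}
-if cfg.TLS.VerifyPeerCertificate != nil {
-t.Error("identity mode should not have VerifyPeerCertificate callback set")
-}
+// identity (default) should set ServerName
+if cfg.TLS.ServerName != "example.com" {
+t.Errorf("identity mode should set ServerName to 'example.com', got %q", cfg.TLS.ServerName)
+}
+if cfg.TLS.VerifyPeerCertificate != nil {
+t.Error("identity mode should not have VerifyPeerCertificate callback set")
 }
 })
 }
@@ -591,6 +573,18 @@ func TestTLSVerifyInvalidValue(t *testing.T) {
 }
 }
 
+func TestTLSTrueWithVerifyCAIsRejected(t *testing.T) {
+dsn := "tcp(example.com:1234)/?tls=true&tls-verify=ca"
+_, err := ParseDSN(dsn)
+if err == nil {
+t.Error("expected error for tls=true with tls-verify=ca")
+}
+expectedMsg := "tls-verify=ca requires a custom TLS config"
+if err != nil && !strings.Contains(err.Error(), expectedMsg) {
+t.Errorf("error message should contain %q, got: %v", expectedMsg, err)
+}
+}
+
 func TestTLSVerifyPreservesCustomConfig(t *testing.T) {
 // Register a custom TLS config with various settings
 customConfig := &tls.Config{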
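Review bot: TestTLSTrueWithVerifyCAIsRejected (new lines 576-586) pins the rejection to a substring of the error text via `strings.Contains`, so any rewording of the message in dsn.go breaks this test while the behaviour it guards stays correct; if the driver has or gains a sentinel error for this case, `errors.Is` would be the sturdier check. The nil-error case should also stop the test instead of falling through to the message check: `if err == nil {` / `t.Fatal("expected error for tls=true with tls-verify=ca")` / `}`, after which the `err != nil &&` guard on the following condition is unnecessary. Nothing here covers `tls=preferred&tls-verify=ca`; whether the preferred branch of normalize() honours tls-verify is outside this diff, but if it does, the same rejection test belongs next to this one.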
