InsecureSkipVerify doesn't affect the callback VerifyConnection, just 
whether the stdlib TLS verification logic is executed.
I don't like it but I don't see another way to disable the initial HTTP 400 
being sent for failed TLS verifications.

The example for VerifyConnection on that same godocs page you link also 
mentions this.

https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection


On Sunday, August 10, 2025 at 6:14:41 PM UTC-4 Jason E. Aten wrote:

Parenthetically, I'm assuming you are talking about implementing your own 
VerifyPeerCertificate or VerifyConnection callback, as set in your tls.Config.

See https://pkg.go.dev/crypto/tls#Config for reference.

On Sunday, August 10, 2025 at 11:06:47 PM UTC+1 Jason E. Aten wrote:

Umm, I don't think you want to set InsecureSkipVerify=true. (I think you 
need to keep verification on). Otherwise
none of the custom verification callbacks will be called at all, if I'm 
recalling correctly. 

TLS and HTTP are pretty separate layers; I use TLS a lot without HTTP, for 
instance. So it shouldn't be too difficult to customize a web server's 
response on TLS handshake fail...

On Tuesday, August 5, 2025 at 10:10:10 PM UTC+1 Daniel Lockhart wrote:

Question regarding crypto/tls. Unfortunately, in the name of supporting 
legacy hardware, I need to change the HTTP 400 status code Go returns on a 
TLS verification failure to something else dynamically, based on the 
certificate.

https://github.com/golang/go/blob/4ee0df8c466861bcd258ec55b58283f276d3b3d5/src/net/http/server.go#L2070

Is the only option I have to set InsecureSkipVerify to true and rewrite the 
verification logic within my own TLSConfig.VerifyConnection?

Or is there a better way to do this?

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/0026137a-812d-4b4a-ac20-85730ce91278n%40googlegroups.com.