tunnel: automatically enable TLS insecure skip verify if there are no root CAs

2026-05-15 06:06:03 -06:00 · 2017-11-28 22:30:08 +01:00 · 2017-11-28 22:30:08 +01:00 · 0a860143c2
commit 0a860143c2
parent 44b2e72dd6
4 changed files with 7 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -80,7 +80,6 @@ looks like this

 ```yaml
    server_addr: SERVER_IP:5223
-    insecure_skip_verify: true
    tunnels:
      webui:
        proto: http
@ -96,7 +95,6 @@ looks like this
 Configuration options:

 * `server_addr`: server TCP address, i.e. `54.12.12.45:5223`
-* `insecure_skip_verify`: controls whether a client should skip the verification of the server's certificate chain and host name. If set to `true` the client will accept *any* server certificate as valid, *default:* `false`
 * `tls_crt`: path to client TLS certificate, *default:* `client.crt` *in the config file directory*
 * `tls_key`: path to client TLS certificate key, *default:* `client.key` *in the config file directory*
 * `root_ca`: path to trusted root certificate authority pool file, *default* is the host's root CA set
--- a/cmd/tunnel/config.go
+++ b/cmd/tunnel/config.go
@ -42,13 +42,12 @@ type Tunnel struct {

 // ClientConfig is a tunnel client configuration.
 type ClientConfig struct {
-	ServerAddr         string             `yaml:"server_addr"`
-	InsecureSkipVerify bool               `yaml:"insecure_skip_verify"`
-	TLSCrt             string             `yaml:"tls_crt"`
-	TLSKey             string             `yaml:"tls_key"`
-	RootCA             string             `yaml:"root_ca"`
-	Backoff            BackoffConfig      `yaml:"backoff"`
-	Tunnels            map[string]*Tunnel `yaml:"tunnels"`
+	ServerAddr string             `yaml:"server_addr"`
+	TLSCrt     string             `yaml:"tls_crt"`
+	TLSKey     string             `yaml:"tls_key"`
+	RootCA     string             `yaml:"root_ca"`
+	Backoff    BackoffConfig      `yaml:"backoff"`
+	Tunnels    map[string]*Tunnel `yaml:"tunnels"`
 }

 func loadClientConfigFromFile(file string) (*ClientConfig, error) {
--- a/cmd/tunnel/options.go
+++ b/cmd/tunnel/options.go
@ -28,7 +28,6 @@ Examples:

 config.yaml:
 	server_addr: SERVER_IP:5223
-	insecure_skip_verify: true
 	tunnels:
 	  webui:
 	    proto: http
--- a/cmd/tunnel/tunnel.go
+++ b/cmd/tunnel/tunnel.go
@ -141,7 +141,7 @@ func tlsConfig(config *ClientConfig) (*tls.Config, error) {
 	return &tls.Config{
 		ServerName:         host,
 		Certificates:       []tls.Certificate{cert},
-		InsecureSkipVerify: config.InsecureSkipVerify,
+		InsecureSkipVerify: roots == nil,
 		RootCAs:            roots,
 	}, nil
 }