From 0a860143c2180df746bb8bd0e3f72828b30ee5a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Matczuk?=
Date: Tue, 28 Nov 2017 22:30:08 +0100
Subject: [PATCH] tunnel: automatically enable TLS insecure skip verify if there are no root CAs

---
 README.md             | 2 --
 cmd/tunnel/config.go  | 13 ++++++-------
 cmd/tunnel/options.go | 1 -
 cmd/tunnel/tunnel.go  | 2 +-
 4 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index c631345..5bf1e96 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,6 @@ looks like this
 
 ```yaml
 server_addr: SERVER_IP:5223
-insecure_skip_verify: true
 tunnels:
   webui:
     proto: http
@@ -96,7 +95,6 @@ looks like this
 Configuration options:
 
 * `server_addr`: server TCP address, i.e. `54.12.12.45:5223`
-* `insecure_skip_verify`: controls whether a client should skip the verification of the server's certificate chain and host name. If set to `true` the client will accept *any* server certificate as valid, *default:* `false`
 * `tls_crt`: path to client TLS certificate, *default:* `client.crt` *in the config file directory*
 * `tls_key`: path to client TLS certificate key, *default:* `client.key` *in the config file directory*
 * `root_ca`: path to trusted root certificate authority pool file, *default* is the host's root CA set
diff --git a/cmd/tunnel/config.go b/cmd/tunnel/config.go
index 65e9b55..da20ffd 100644
--- a/cmd/tunnel/config.go
+++ b/cmd/tunnel/config.go
@@ -42,13 +42,12 @@ type Tunnel struct {
 
 // ClientConfig is a tunnel client configuration.
 type ClientConfig struct {
-	ServerAddr         string             `yaml:"server_addr"`
-	InsecureSkipVerify bool               `yaml:"insecure_skip_verify"`
-	TLSCrt             string             `yaml:"tls_crt"`
-	TLSKey             string             `yaml:"tls_key"`
-	RootCA             string             `yaml:"root_ca"`
-	Backoff            BackoffConfig      `yaml:"backoff"`
-	Tunnels            map[string]*Tunnel `yaml:"tunnels"`
+	ServerAddr string             `yaml:"server_addr"`
+	TLSCrt     string             `yaml:"tls_crt"`
+	TLSKey     string             `yaml:"tls_key"`
+	RootCA     string             `yaml:"root_ca"`
+	Backoff    BackoffConfig      `yaml:"backoff"`
+	Tunnels    map[string]*Tunnel `yaml:"tunnels"`
 }
 
 func loadClientConfigFromFile(file string) (*ClientConfig, error) {
diff --git a/cmd/tunnel/options.go b/cmd/tunnel/options.go
index ad16489..c492d03 100644
--- a/cmd/tunnel/options.go
+++ b/cmd/tunnel/options.go
@@ -28,7 +28,6 @@ Examples:
 
 config.yaml:
 	server_addr: SERVER_IP:5223
-	insecure_skip_verify: true
 	tunnels:
 	  webui:
 	    proto: http
diff --git a/cmd/tunnel/tunnel.go b/cmd/tunnel/tunnel.go
index 4b12f53..56b0fd6 100644
--- a/cmd/tunnel/tunnel.go
+++ b/cmd/tunnel/tunnel.go
@@ -141,7 +141,7 @@ func tlsConfig(config *ClientConfig) (*tls.Config, error) {
 	return &tls.Config{
 		ServerName:         host,
 		Certificates:       []tls.Certificate{cert},
-		InsecureSkipVerify: config.InsecureSkipVerify,
+		InsecureSkipVerify: roots == nil,
 		RootCAs:            roots,
 	}, nil
 }
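Review bot: `InsecureSkipVerify: roots == nil` switches off server certificate and hostname verification whenever no CA pool was loaded, which by the README's own `root_ca` description ("*default* is the host's root CA set") is the default configuration, so a client with no `root_ca` now accepts any certificate and anyone on the path to `server_addr` can impersonate the server and receive the tunnelled traffic; previously a nil `RootCAs` with `InsecureSkipVerify: false` made Go verify against the system roots. The README hunk leaves that `root_ca` sentence untouched, so the documentation now promises a verification the code no longer performs, and the only way to get it back is to ship a CA file. I would keep verification on by default and keep the explicit opt-in, i.e. `InsecureSkipVerify: config.InsecureSkipVerify,`, or, if the goal is zero-config self-signed servers, replace the blanket skip with pinning of the expected server certificate through `VerifyPeerCertificate` and at minimum log loudly whenever verification is disabled. `tlsConfig` begins before this hunk, so where `roots` and `host` are computed is not visible here; I am assuming `roots` is nil exactly when `root_ca` is unset.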