client TLS should not set InsecureSkipVerify
if need to verify Common Name
#53357
Labels
affects-5.4
This bug affects the 5.4.x(LTS) versions.
affects-6.1
This bug affects the 6.1.x(LTS) versions.
affects-6.5
This bug affects the 6.5.x(LTS) versions.
affects-7.1
This bug affects the 7.1.x(LTS) versions.
affects-7.5
This bug affects the 7.5.x(LTS) versions.
affects-8.1
This bug affects the 8.1.x(LTS) versions.
severity/moderate
sig/sql-infra
SIG: SQL Infra
type/bug
The issue is confirmed as a bug.
in https://github.com/pingcap/tidb/pull/37479/files#r962687063 I always set
InsecureSkipVerify
and think as the comment ofInsecureSkipVerify
said, ourVerifyPeerCertificate
is enough.However, the comment of
VerifyPeerCertificate
saidFor the client, if our verify functions need to read
verifiedChains
,InsecureSkipVerify
should be false. We only haveWithVerifyCommonName
needs to readverifiedChains
, and tidb repo does not use this function, so the issue is not found before. And I found this issue when portingWithVerifyCommonName
to tiflow repo.The text was updated successfully, but these errors were encountered: