// Configure TLS if needed.
[.............]
		pool := x509.NewCertPool()
		if ok := pool.AppendCertsFromPEM(pem); !ok {
			return nil, fmt.Errorf("invalid certificate file: %v",
				cfg.RPCCert)
		}
		tlsConfig = &tls.Config{
			RootCAs:            pool,
			InsecureSkipVerify: cfg.TLSSkipVerify, // HERE
		}
	}
This opens up MITM attacks as the certificate is not checked. If you all choose to accept this risk, or fix it using a proper certificate, it at least should be noted in the comments of the code or documentation.
// InsecureSkipVerify controls whether a client verifies the
// server's certificate chain and host name.
// If InsecureSkipVerify is true, TLS accepts any certificate
// presented by the server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
InsecureSkipVerify bool
cmd/hcashctl/httpclient.go
References:
https://golang.org/pkg/crypto/tls/
https://info.checkmarx.com/hubfs/GOwhitepaper0504.pdf
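The behaviour reported above, as an added example that is not code from the hcashctl repository: a client built with the same `tls.Config` shape is pointed at a local test server whose certificate is absent from `RootCAs`, once with `InsecureSkipVerify` set and once without, and then again with the certificate added to the pool. The `dial` and `demo` names and the `httptest` server are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dial performs one HTTPS GET using a tls.Config with the same two fields
// as the snippet in the issue (hypothetical helper, not project code).
func dial(url string, pool *x509.CertPool, skipVerify bool) error {
	client := &http.Client{Transport: &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig: &tls.Config{
			RootCAs:            pool,
			InsecureSkipVerify: skipVerify,
		},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo runs three handshakes against a constructed local TLS server and
// returns the error from each (nil means the connection was accepted).
func demo() (skipErr, verifyErr, trustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	defer srv.Close()

	empty := x509.NewCertPool() // does not contain the server's certificate
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // the "proper certificate" path

	skipErr = dial(srv.URL, empty, true)       // pool is never consulted
	verifyErr = dial(srv.URL, empty, false)    // unknown certificate rejected
	trustedErr = dial(srv.URL, trusted, false) // verified against the pool
	return
}

func main() {
	s, v, t := demo()
	fmt.Printf("skip-verify: %v\nverify, untrusted: %v\nverify, trusted: %v\n", s, v, t)
}
```

The first call succeeding with an empty pool shows that loading `RootCAs` has no effect once `InsecureSkipVerify` is true.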