CodeQL documentation

Disabled TLS certificate check

ID: go/disabled-certificate-check
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-295
Query suites:
   - go-code-scanning.qls
   - go-security-extended.qls
   - go-security-and-quality.qls


The field InsecureSkipVerify controls whether a TLS client verifies the server’s certificate chain and host name. If set to true, the client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

Recommendation

Do not set InsecureSkipVerify to true except in tests.

Example

The following code snippet shows a function that performs an HTTP request over TLS with certificate verification disabled:

package main

import (
	"crypto/tls"
	"net/http"
)

// doAuthReq sends authReq over a transport whose TLS configuration turns
// certificate and host name verification off: this is the line the query flags.
func doAuthReq(authReq *http.Request) *http.Response {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}
	res, _ := client.Do(authReq) // the error is discarded, so a failed request yields a nil response
	return res
}

While this is acceptable in a test, it should not be used in production code. Instead, certificates should be configured such that verification can be performed.
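The following program is an added example and not part of the CodeQL documentation. It shows the secure counterpart of the snippet above: a client whose tls.Config leaves InsecureSkipVerify at its default of false and, where an internal CA is used, pins trust to an explicit RootCAs pool instead of disabling verification. To make the effect observable offline it starts a local TLS server from net/http/httptest with a self-signed test certificate (a constructed fixture); the helper names newClient, fetch, verificationFailed and demo are assumptions of this example, not names from the page or the Go standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTP client that keeps certificate verification on.
// A nil pool means "use the system trust store"; a non-nil pool restricts
// trust to exactly those CAs, which is the right pattern for an internal CA.
func newClient(pool *x509.CertPool) *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			RootCAs:    pool,
			// InsecureSkipVerify is deliberately left at its zero value (false),
			// so the chain and the host name are both checked.
		},
	}
	return &http.Client{Transport: tr}
}

// fetch performs a GET and returns the status code. Unlike the flagged
// snippet, it propagates errors, including TLS verification failures.
func fetch(c *http.Client, url string) (int, error) {
	res, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer res.Body.Close()
	return res.StatusCode, nil
}

// verificationFailed reports whether err is a certificate verification
// failure: the issuer is not trusted, or no system roots could be loaded.
func verificationFailed(err error) bool {
	var unknown x509.UnknownAuthorityError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &noRoots)
}

// demo starts a local HTTPS server with a self-signed test certificate
// (constructed fixture from net/http/httptest) and returns
// (rejectedWithoutTrust, acceptedWithExplicitTrust).
func demo() (bool, bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// 1. A client using the system trust store: the test certificate is not
	//    issued by any trusted CA, so the handshake fails instead of
	//    silently accepting it.
	_, err := fetch(newClient(nil), srv.URL)
	rejected := verificationFailed(err)

	// 2. A client that trusts the server's certificate explicitly: the
	//    request succeeds with verification still enabled.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	status, err := fetch(newClient(pool), srv.URL)
	accepted := err == nil && status == http.StatusOK

	return rejected, accepted
}

func main() {
	rejected, accepted := demo()
	fmt.Printf("untrusted certificate rejected: %v, explicitly trusted certificate accepted: %v\n",
		rejected, accepted)
}
```

Run with `go run .`; the expected output is that the untrusted certificate is rejected and the explicitly trusted one accepted. The design point is that the fix for an internal or self-signed certificate is to extend the trust store the client verifies against, not to turn verification off: the RootCAs pool still enforces the chain and host name checks that InsecureSkipVerify would remove.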
