diff --git a/tlsutil/config.go b/tlsutil/config.go
index 0b3f42d46..f3bb580b2 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -98,6 +98,10 @@ func (c *Config) KeyPair() (*tls.Certificate, error) {
 // requests. It will return a nil config if this configuration should
 // not use TLS for outgoing connections.
 func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
+ // If VerifyServerHostname is true, that implies VerifyOutgoing
+ if c.VerifyServerHostname {
+ c.VerifyOutgoing = true
+ }
 if !c.VerifyOutgoing {
 return nil, nil
 }
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index 150fddccd..65b96ffd3 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@@ -133,6 +133,29 @@ func TestConfig_OutgoingTLS_ServerName(t *testing.T) {
 }
 }
 
+func TestConfig_OutgoingTLS_VerifyHostname(t *testing.T) {
+ conf := &Config{
+ VerifyServerHostname: true,
+ CAFile: "../test/ca/root.cer",
+ }
+ tls, err := conf.OutgoingTLSConfig()
+ if err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ if tls == nil {
+ t.Fatalf("expected config")
+ }
+ if len(tls.RootCAs.Subjects()) != 1 {
+ t.Fatalf("expect root cert")
+ }
+ if tls.ServerName != "VerifyServerHostname" {
+ t.Fatalf("expect server name")
+ }
+ if tls.InsecureSkipVerify {
+ t.Fatalf("should not skip built-in verification")
+ }
+}
+
 func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
 conf := &Config{
 VerifyOutgoing: true,
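Review bot: The new block in OutgoingTLSConfig writes `c.VerifyOutgoing = true` on the receiver, so a method whose doc comment describes it as building and returning a config now also rewrites the caller's Config as a side effect; any other reader of VerifyOutgoing (and, if a Config is shared between goroutines, a concurrent caller) sees the field change after the first call. The implication itself is the right security default — asking for hostname verification should never leave certificate verification off — but it belongs in a local condition rather than a field write: replace the four added lines and the existing guard with `// VerifyServerHostname implies VerifyOutgoing; keep the receiver unchanged.` / `if !c.VerifyOutgoing && !c.VerifyServerHostname {` / `return nil, nil` and close the brace as before. The doc comment above the signature should also state the rule, e.g. `// VerifyServerHostname implies VerifyOutgoing for this method.`, so callers do not have to read the body to learn it. The rest of OutgoingTLSConfig's body is outside the hunk.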
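Review bot: TestConfig_OutgoingTLS_VerifyHostname asserts `tls.ServerName != "VerifyServerHostname"` against a literal that nothing in this diff establishes; if that value is a placeholder the dialer later replaces with the real hostname, a one-line comment above the check such as `// OutgoingTLSConfig uses the literal "VerifyServerHostname" as the ServerName placeholder` would keep the next reader from treating it as a typo, and if it is not, the assertion is worth a second look. The local named `tls` shadows the crypto/tls package identifier if the test file imports it, as the `*tls.Config` return type in the other hunk suggests; `cfg, err := conf.OutgoingTLSConfig()` avoids that. `RootCAs.Subjects()` is deprecated from Go 1.18 on, so if the module targets that or later the root-count check will draw a vet warning.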