cmd/go: disable TLS verification in 'go get -insecure'

[dominikh]

go get -insecure doesn't accept self-signed (or otherwise invalid) TLS certificates. Instead, it falls back to HTTP. This does not work for HTTPS-only hosts. Insecure should accept any insecure medium, not just those that are insecure because they are unencrypted.

Example that is only serving HTTPS, with a self-signed certificate:

$ go get -v -insecure 127.0.0.1/pkg
Fetching https://127.0.0.1/pkg?go-get=1
https fetch failed.
Fetching http://127.0.0.1/pkg?go-get=1
import "127.0.0.1/pkg": http/https fetch: Get http://127.0.0.1/pkg?go-get=1: dial tcp 127.0.0.1:80: getsockopt: connection refused
package 127.0.0.1/pkg: unrecognized import path "127.0.0.1/pkg"

Low priority from my end, as it's a theoretical issue, not one I encountered in the real world. Discovered while looking into #11468

[davecheney]

I don't see how a self signed certificate can be considered secure. The transport is encrypted, but there is no chain of trust.

[bradfitz]

@davecheney, that's the point. He's asking for insecure with the -insecure flag, but it's failing to provide him with the first data source found (insecure https) and instead is trying to fall back to insecure http.

[davecheney]

I'm sorry. I misunderstood the issue report.

On Tue, Nov 10, 2015 at 7:17 PM, Brad Fitzpatrick [email protected]
wrote:

@davecheney https://github.com/davecheney, that's the point. He's
asking for insecure with the -insecure flag, but it's failing to provide
him with the first data source found (insecure https) and instead is trying
to fall back to insecure http.

—
Reply to this email directly or view it on GitHub
#13197 (comment).

[gopherbot]

CL https://golang.org/cl/18324 mentions this issue.