include::../summary.adoc[]

== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

== How to fix it

=== Code examples

include::../common/fix/code-rationale.adoc[]

==== Noncompliant code example

It is strongly recommended to avoid using `++InsecureSkipVerify++` to skip the certificate checks. +

[source,go,diff-id=1,diff-type=noncompliant]
----
conf := &tls.Config{
	InsecureSkipVerify: true, // Noncompliant
}
----

If additional checks are implemented using `++VerifyPeerCertificate++` or `++VerifyConnection++`, they must return an error on some conditions.

[source,go,diff-id=2,diff-type=noncompliant]
----
conf := &tls.Config{
	VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		return nil // Noncompliant: function never errors
	},
}
----

==== Compliant solution

The recommended solution to let `crypto/tls` verify the certificate. +

[source,go,diff-id=1,diff-type=compliant]
----
conf := &tls.Config{
	InsecureSkipVerify: false,
}
----

If additional checks are implemented using `++VerifyPeerCertificate++` or `++VerifyConnection++`, they must return an error on some conditions.

[source,go,diff-id=2,diff-type=compliant]
----
conf := &tls.Config{
	VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(rawCerts) > 1 {
			return fmt.Errorf("Server sent more than 2 certs")
		}
		return nil
	},
}
----

=== How does this work?

include::../common/fix/validation.adoc[]


== Resources

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]