Skip to content

fix(tls): warn on hostname-check bypass regardless of custom CA cert#462

Merged
nanomad merged 2 commits into
developfrom
fix/tls-insecure-requires-custom-ca
Jun 24, 2026
Merged

fix(tls): warn on hostname-check bypass regardless of custom CA cert#462
nanomad merged 2 commits into
developfrom
fix/tls-insecure-requires-custom-ca

Conversation

@nanomad

@nanomad nanomad commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

The Skipping hostname check warning was only emitted when a custom CA cert path was also configured. Users with self-signed certs (no CA file) or connecting by IP would silence hostname verification without any log message.

  • Moved the warning outside the tls_server_cert_path block — it now fires whenever tls_server_cert_check_hostname=False for any TLS connection
  • Dropped the unrelated tls_server_cert_path guard that was incorrectly added to tls_insecure

Behaviour

tls_insecure is True whenever the user sets check_hostname=False with TLS, regardless of whether a custom CA cert is provided. The warning is now always emitted in that case.

Test plan

  • 293 tests passing
  • mypy clean

nanomad added 2 commits June 24, 2026 23:09
@nanomad
fix(tls): only apply tls_insecure when a custom CA cert is configured
2070279 
tls_insecure was set for any TLS connection where hostname checking was
disabled, not just the self-signed/custom-CA scenario it was intended for.
With a public CA cert (the default case), hostname verification should
never be bypassed. The warning log already required tls_server_cert_path;
align the tls_insecure condition to match.
@nanomad
fix(tls): warn on hostname-check bypass regardless of custom CA cert
c16515e 
The warning "Skipping hostname check" was only emitted when a custom CA
cert path was also configured. Users connecting with self-signed certs
(no CA file) or by IP address would disable hostname verification silently.

Move the warning outside the tls_server_cert_path block so it fires for
any TLS connection where tls_server_cert_check_hostname=False, and drop
the spurious tls_server_cert_path guard on tls_insecure.
@nanomad nanomad changed the title fix(tls): only apply tls_insecure when a custom CA cert is configured fix(tls): warn on hostname-check bypass regardless of custom CA cert Jun 24, 2026
@nanomad nanomad merged commit d806387 into develop Jun 24, 2026
6 checks passed
@nanomad nanomad deleted the fix/tls-insecure-requires-custom-ca branch June 24, 2026 21:12
@nanomad nanomad mentioned this pull request Jun 24, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nanomad