From f0e459e51eea69677bd2467f00001c3264fea319 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Tue, 2 Jun 2026 03:58:52 +0200
Subject: [PATCH] fix(node): suppress unavoidable InsecureSkipVerify alert for cert pinning

FetchCertFingerprint must accept any certificate by design: it fetches a not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin it. Disabling verification is inherent to that, so go/disabled-certificate-check cannot be cleared by code changes. Suppress the finding inline, matching the existing lgtm convention in custom_geo.go.
---
 web/service/node.go | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/web/service/node.go b/web/service/node.go
index 5aa6bffb..ab40f050 100644
--- a/web/service/node.go
+++ b/web/service/node.go
@@ -136,20 +136,10 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 if err != nil {
 return "", err
 }
- var fingerprint string
 client := &http.Client{
 Transport: &http.Transport{
- DialContext: netsafe.SSRFGuardedDialContext,
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- VerifyConnection: func(cs tls.ConnectionState) error {
- if len(cs.PeerCertificates) > 0 {
- sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
- fingerprint = base64.StdEncoding.EncodeToString(sum[:])
- }
- return nil
- },
- },
+ DialContext: netsafe.SSRFGuardedDialContext,
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lgtm[go/disabled-certificate-check]
 },
 }
 resp, err := client.Do(req)
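Review bot: The client built in this hunk keeps net/http's default redirect policy, so if the node answers with a 3xx the fingerprint read from `resp.TLS` in the next hunk belongs to the redirect target's connection, not to the host the admin addressed, and with verification disabled nothing else ties the pinned value to that host. A trust-on-first-use probe should not follow redirects at all; add `CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },` next to `Transport` so the leaf cert comes from the node actually dialled. The removed VerifyConnection callback had the same last-handshake-wins behaviour, so this is not a regression introduced by the commit, but the move to `resp.TLS` is the natural place to close it. The `// lgtm[go/disabled-certificate-check]` marker would also read better with the rationale from the commit message appended, e.g. `TOFU: leaf cert is fingerprinted below so the admin can pin it`. FetchCertFingerprint begins before this hunk.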
@@ -157,10 +147,11 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 return "", err
 }
 defer resp.Body.Close()
- if fingerprint == "" {
+ if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
 return "", common.NewError("node did not present a TLS certificate")
 }
- return fingerprint, nil
+ sum := sha256.Sum256(resp.TLS.PeerCertificates[0].Raw)
+ return base64.StdEncoding.EncodeToString(sum[:]), nil
 }
 
 func (s *NodeService) GetAll() ([]*model.Node, error) {