From e88d82a8fdd459ef4c3ff11b7af36a074a715f35 Mon Sep 17 00:00:00 2001 From: "Jonathan Hess (he/him)" <103529393+hessjcg@users.noreply.github.com> Date: Fri, 10 Jan 2025 10:25:13 -0700 Subject: [PATCH] chore: Simplify server cert validation logic to distinguish legacy from CA validation (#910) Going forward, both GOOGLE_MANAGED_CAS_CA, CUSTOMER_MANAGED_CAS_CA, and future new kinds of CA will use standard TLS domain name validation using the server certificate SAN records. The certificate validation logic for the original GOOGLE_MANAGED_INTERNAL_CA is now the exception. See implementation in other connectors: feat: Support Private CA for server certificates. https://github.com/GoogleCloudPlatform/cloud-sql-nodejs-connector/pull/408 feat: Support Customer CAS Private CA for server certificates. https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/pull/2095 --- internal/cloudsql/instance.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/cloudsql/instance.go b/internal/cloudsql/instance.go
index e3ced10e..e70d5510 100644
--- a/internal/cloudsql/instance.go
+++ b/internal/cloudsql/instance.go
@@ -241,9 +241,9 @@ func (c ConnectionInfo) TLSConfig() *tls.Config {
 for _, caCert := range c.ServerCACert {
 pool.AddCert(caCert)
 }
- if c.ServerCAMode == "GOOGLE_MANAGED_CAS_CA" ||
- c.ServerCAMode == "CUSTOMER_MANAGED_CAS_CA" {
- // For CAS instances, we can rely on the DNS name to verify the server identity.
+ if c.ServerCAMode != "" && c.ServerCAMode != "GOOGLE_MANAGED_INTERNAL_CA" {
+ // By default, use Standard TLS hostname verification name to
+ // verify the server identity.
 return &tls.Config{
 ServerName: c.DNSName,
 Certificates: []tls.Certificate{c.ClientCertificate},
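Review bot: The rewritten condition routes every non-empty mode other than GOOGLE_MANAGED_INTERNAL_CA to the branch that sets `ServerName: c.DNSName`, so a newly introduced mode whose ConnectionInfo carries no DNSName would produce a tls.Config with an empty ServerName; crypto/tls then fails the client handshake with its generic "either ServerName or InsecureSkipVerify must be specified" error instead of anything naming the instance or its CA mode. Since TLSConfig returns only *tls.Config, a guard such as `if c.DNSName == "" { /* fall through to the legacy validation below */ }` ahead of the return, or a check where DNSName is populated, would make that failure explicit; which is appropriate depends on callers outside the hunk. The added comment also contains a stray word in `// By default, use Standard TLS hostname verification name to`; `// Any other CA mode relies on standard TLS hostname verification of c.DNSName against the server certificate.` reads cleanly and names the field being checked. TLSConfig starts before line 241 and continues past this hunk.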
@@ -251,6 +251,7 @@ func (c ConnectionInfo) TLSConfig() *tls.Config {
 MinVersion: tls.VersionTLS13,
 }
 }
+ // For legacy instances use the custom TLS validation
 return &tls.Config{
 ServerName: c.ConnectionName.String(),
 Certificates: []tls.Certificate{c.ClientCertificate},
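Review bot: The new comment `// For legacy instances use the custom TLS validation` does not say which instances count as legacy, while the condition rewritten in the first hunk sends both GOOGLE_MANAGED_INTERNAL_CA and an empty ServerCAMode to this return; a reader of this branch alone cannot tell that an unset mode is deliberately treated as legacy. `// Legacy path: GOOGLE_MANAGED_INTERNAL_CA, and any ConnectionInfo with no ServerCAMode set, use the connector's own server certificate validation rather than hostname verification.` records both cases. The fields that presumably configure that custom validation sit below this hunk, so TLSConfig continues past it.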