GODRIVER-1636 Ensure SNI is always enabled (#418)

Divjot Arora · Divjot Arora · commit a10006ac149c · 2020-06-10T17:39:45.000-04:00
diff --git a/mongo/testatlas/main.go b/mongo/testatlas/main.go
@@ -10,6 +10,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"time"
 
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
@@ -22,34 +23,45 @@ func main() {
 	ctx := context.Background()
 
 	for idx, uri := range uris {
-		client, err := mongo.Connect(ctx, options.Client().ApplyURI(uri))
-		if err != nil {
-			panic(createErrorMessage(idx, "Connect error: %v", err))
-		}
+		// Set a low server selection timeout so we fail fast if there are errors.
+		clientOpts := options.Client().
+			ApplyURI(uri).
+			SetServerSelectionTimeout(1 * time.Second)
 
-		defer func() {
-			if err = client.Disconnect(ctx); err != nil {
-				panic(createErrorMessage(idx, "Disconnect error: %v", err))
-			}
-		}()
-
-		db := client.Database("test")
-		err = db.RunCommand(
-			ctx,
-			bson.D{{"isMaster", 1}},
-		).Err()
-		if err != nil {
-			panic(createErrorMessage(idx, "isMaster error: %v", err))
+		// Run basic connectivity test.
+		if err := runTest(ctx, clientOpts); err != nil {
+			panic(fmt.Sprintf("error running test with TLS at index %d: %v", idx, err))
 		}
 
-		coll := db.Collection("test")
-		if err = coll.FindOne(ctx, bson.D{{"x", 1}}).Err(); err != nil && err != mongo.ErrNoDocuments {
-			panic(createErrorMessage(idx, "FindOne error: %v", err))
+		// Run the connectivity test with InsecureSkipVerify to ensure SNI is done correctly even if verification is
+		// disabled.
+		clientOpts.TLSConfig.InsecureSkipVerify = true
+		if err := runTest(ctx, clientOpts); err != nil {
+			panic(fmt.Sprintf("error running test with tlsInsecure at index %d: %v", idx, err))
 		}
 	}
 }
 
-func createErrorMessage(idx int, msg string, args ...interface{}) string {
-	msg = fmt.Sprintf(msg, args...)
-	return fmt.Sprintf("error for URI at index %d: %s", idx, msg)
+func runTest(ctx context.Context, clientOpts *options.ClientOptions) error {
+	client, err := mongo.Connect(ctx, clientOpts)
+	if err != nil {
+		return fmt.Errorf("Connect error: %v", err)
+	}
+
+	defer func() {
+		_ = client.Disconnect(ctx)
+	}()
+
+	db := client.Database("test")
+	cmd := bson.D{{"isMaster", 1}}
+	err = db.RunCommand(ctx, cmd).Err()
+	if err != nil {
+		return fmt.Errorf("isMaster error: %v", err)
+	}
+
+	coll := db.Collection("test")
+	if err = coll.FindOne(ctx, bson.D{{"x", 1}}).Err(); err != nil && err != mongo.ErrNoDocuments {
+		return fmt.Errorf("FindOne error: %v", err)
+	}
+	return nil
 }
diff --git a/x/mongo/driver/topology/connection.go b/x/mongo/driver/topology/connection.go
@@ -496,17 +496,16 @@ var notMasterCodes = []int32{10107, 13435}
 var recoveringCodes = []int32{11600, 11602, 13436, 189, 91}
 
 func configureTLS(ctx context.Context, nc net.Conn, addr address.Address, config *tls.Config) (net.Conn, error) {
-	if !config.InsecureSkipVerify {
-		hostname := addr.String()
-		colonPos := strings.LastIndex(hostname, ":")
-		if colonPos == -1 {
-			colonPos = len(hostname)
-		}
-
-		hostname = hostname[:colonPos]
-		config.ServerName = hostname
+	// Ensure config.ServerName is always set for SNI.
+	hostname := addr.String()
+	colonPos := strings.LastIndex(hostname, ":")
+	if colonPos == -1 {
+		colonPos = len(hostname)
 	}
 
+	hostname = hostname[:colonPos]
+	config.ServerName = hostname
+
 	client := tls.Client(nc, config)
 
 	errChan := make(chan error, 1)
