Skip hostname validation for all encryption modes when certificate is provided

Copilot · shueybubbles · Copilot · commit 415045c6ca37 · 2026-01-09T23:04:08.000Z
Co-authored-by: shueybubbles &lt;2224906+shueybubbles@users.noreply.github.com&gt;
diff --git a/msdsn/conn_str.go b/msdsn/conn_str.go
@@ -280,11 +280,11 @@ func parseTLS(params map[string]string, host string) (Encryption, *tls.Config, e
 		skipHostnameValidation := false
 		if encrypt == "strict" {
 			trustServerCert = false
-			// When a certificate is provided with strict encryption, skip hostname validation
-			// The certificate itself will still be validated against the provided CA
-			if len(certificate) > 0 {
-				skipHostnameValidation = true
-			}
+		}
+		// When a certificate is provided with any encryption mode (strict, true/required, mandatory),
+		// skip hostname validation. The certificate itself will still be validated against the provided CA
+		if len(certificate) > 0 {
+			skipHostnameValidation = true
 		}
 		tlsConfig, err := SetupTLS(certificate, trustServerCert, host, tlsMin, skipHostnameValidation)
 		if err != nil {
diff --git a/msdsn/conn_str_test.go b/msdsn/conn_str_test.go
@@ -379,10 +379,17 @@ QSkVdAJg8mHKYGNZ6pIYMFr7RoBLGqMnKLPMYn3VqFvMccPx7A0hKQFJBR/qV8lh
 f0kGHKQEAFYGJLqJdK4KsGQDKLfZr9fqvXCCAA==
 -----END CERTIFICATE-----`
 
-	pemfile, _ := os.CreateTemp("", "*.pem")
+	pemfile, err := os.CreateTemp("", "*.pem")
+	if err != nil {
+		t.Fatalf("failed to create temporary certificate file: %v", err)
+	}
 	defer os.Remove(pemfile.Name())
-	pemfile.WriteString(pemCert)
-	pemfile.Close()
+	if _, err := pemfile.WriteString(pemCert); err != nil {
+		t.Fatalf("failed to write certificate to file: %v", err)
+	}
+	if err := pemfile.Close(); err != nil {
+		t.Fatalf("failed to close certificate file: %v", err)
+	}
 
 	// Test 1: encrypt=strict with certificate should skip hostname validation
 	connStr := "server=differenthostname;encrypt=strict;certificate=" + pemfile.Name()
@@ -402,11 +409,13 @@ f0kGHKQEAFYGJLqJdK4KsGQDKLfZr9fqvXCCAA==
 	assert.NotNil(t, config2.TLSConfig, "Expected TLSConfig to be set")
 	assert.False(t, config2.TLSConfig.InsecureSkipVerify, "Expected InsecureSkipVerify to be false when no certificate is provided")
 
-	// Test 3: encrypt=required with certificate should still validate hostname
+	// Test 3: encrypt=required with certificate should also skip hostname validation
 	connStr3 := "server=somehost;encrypt=true;certificate=" + pemfile.Name()
 	config3, err := Parse(connStr3)
 	assert.Nil(t, err, "Expected no error parsing connection string")
 	assert.Equal(t, Encryption(EncryptionRequired), config3.Encryption, "Expected EncryptionRequired")
 	assert.NotNil(t, config3.TLSConfig, "Expected TLSConfig to be set")
-	assert.False(t, config3.TLSConfig.InsecureSkipVerify, "Expected InsecureSkipVerify to be false for encrypt=true")
+	// When a certificate is provided, hostname validation is skipped for any encryption mode
+	assert.False(t, config3.TLSConfig.InsecureSkipVerify, "Expected InsecureSkipVerify to be false")
+	assert.NotNil(t, config3.TLSConfig.VerifyConnection, "Expected VerifyConnection callback to be set for encrypt=true with certificate")
 }
