This document provides guidance for migrating to secure TLS certificate verification in go-micro v5.
Default Behavior: TLS certificate verification is disabled by default (InsecureSkipVerify: true)
Reason: Backward compatibility with existing deployments to avoid breaking production systems during routine upgrades.
Security Risk: The default behavior is vulnerable to man-in-the-middle (MITM) attacks.
Set the environment variable to enable certificate verification:
export MICRO_TLS_SECURE=trueThis enables proper TLS certificate verification while maintaining compatibility with v5.
In your code, explicitly use the secure configuration:
import (
"go-micro.dev/v5/broker"
mls "go-micro.dev/v5/util/tls"
)
// Create broker with secure TLS config
b := broker.NewHttpBroker(
broker.TLSConfig(mls.SecureConfig()),
)For fine-grained control, provide your own TLS configuration:
import (
"crypto/tls"
"crypto/x509"
"go-micro.dev/v5/broker"
"io/ioutil"
)
// Load CA certificates
caCert, err := ioutil.ReadFile("/path/to/ca-cert.pem")
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Create custom TLS config
tlsConfig := &tls.Config{
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
}
// Create broker with custom config
b := broker.NewHttpBroker(
broker.TLSConfig(tlsConfig),
)The current implementation maintains backward compatibility, allowing safe rolling upgrades:
- Mixed Version Deployments: v5 instances can communicate regardless of TLS security settings
- No Immediate Breaking Changes: Systems continue working with existing behavior
- Gradual Migration: Enable security incrementally across your infrastructure
-
Test in Staging:
# In staging environment export MICRO_TLS_SECURE=true
-
Deploy with Feature Flag: Use environment-based configuration for gradual rollout
-
Monitor for Issues: Watch for TLS handshake failures or certificate validation errors
-
Full Production Rollout: Once validated, enable across all services
Certificate Trust: When enabling secure mode, ensure:
- All hosts trust the same root CAs
- Self-signed certificates are properly distributed if used
- Certificate validity periods are monitored
- Certificate chains are complete
Service Mesh Alternative: Consider using a service mesh (Istio, Linkerd, etc.) for:
- Automatic mTLS between services
- Certificate management and rotation
- No application code changes required
In go-micro v6, the default will change to secure by default:
InsecureSkipVerify: false(certificate verification enabled)- Breaking change requiring major version bump
- Migration completed before v6 release avoids disruption
package main
import (
"fmt"
mls "go-micro.dev/v5/util/tls"
"os"
)
func main() {
os.Setenv("MICRO_TLS_SECURE", "true")
config := mls.Config()
fmt.Printf("InsecureSkipVerify: %v (should be false)\n", config.InsecureSkipVerify)
}Create a test service and verify it:
- Accepts valid certificates
- Rejects invalid/self-signed certificates (when not in CA)
- Properly validates certificate chains
Cause: The server certificate is not signed by a trusted CA
Solution:
- Add the CA certificate to the trusted root CAs
- Use a properly signed certificate
- For development only: Use
InsecureConfig()explicitly
Cause: Server certificate has expired
Solution:
- Renew the certificate
- Implement certificate rotation
- Monitor certificate expiry dates
Cause: Mixed certificate authorities or missing certificates
Solution:
- Ensure all services use certificates from the same CA
- Distribute CA certificates to all nodes
- Verify certificate SANs match service addresses
For issues or questions about TLS security migration, please:
- Open an issue on GitHub
- Check the documentation at https://go-micro.dev/docs/
- Review the security guidelines