The TLS configuration in go-micro now includes a security deprecation warning.
Default: TLS certificate verification is disabled for backward compatibility
- This maintains existing behavior to avoid breaking production deployments
- A deprecation warning is logged once per process startup
Why: Changing the default to secure would be a breaking change that could disrupt:
- Production systems during routine upgrades
- Distributed systems with mixed versions
- Services using self-signed certificates
```bash
export MICRO_TLS_SECURE=true
```

```go
import (
	"go-micro.dev/v5/broker"
	mls "go-micro.dev/v5/util/tls"
)

broker := broker.NewHttpBroker(
	broker.TLSConfig(mls.SecureConfig()),
)
```

- v5.x (Current): Insecure by default, opt-in security via `MICRO_TLS_SECURE=true`
- v6.x (Future): Secure by default (breaking change with major version bump)
This addresses the concerns raised about:
- Major version requirements: No breaking change in v5, deferred to v6
- Cross-host compatibility: All hosts use same default behavior
- Production safety: Existing deployments continue working during upgrades
- Migration path: Clear opt-in path with documentation
See SECURITY_MIGRATION.md for a detailed migration guide.
For production deployments:
- Test with `MICRO_TLS_SECURE=true` in staging
- Use proper CA-signed certificates
- Consider service mesh (Istio, Linkerd) for automatic mTLS
- Plan migration before v6 release
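What a staging test with `MICRO_TLS_SECURE=true` surfaces for a service using a self-signed certificate, as an added example that is not go-micro's code. `clientTLS`, `probe` and `run` are hypothetical helpers built on the standard library only, and the local `httptest` server is a constructed peer whose certificate no system root trusts.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"sync"
)

var warnOnce sync.Once

// clientTLS is a hypothetical stand-in (not go-micro's code) for the documented default:
// verification is off unless MICRO_TLS_SECURE=true, with one warning per process.
func clientTLS(roots *x509.CertPool) *tls.Config {
	if os.Getenv("MICRO_TLS_SECURE") == "true" {
		return &tls.Config{RootCAs: roots} // nil roots means the system trust store
	}
	warnOnce.Do(func() { log.Print("TLS verification disabled; set MICRO_TLS_SECURE=true") })
	return &tls.Config{InsecureSkipVerify: true}
}

// probe sends one HTTPS request using cfg and returns the handshake or request error.
func probe(url string, cfg *tls.Config) error {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// run probes a constructed local server whose certificate no system root trusts.
func run() (insecure, secureNoCA, secureWithCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	os.Unsetenv("MICRO_TLS_SECURE")
	insecure = probe(srv.URL, clientTLS(nil)) // accepted: any peer certificate passes
	os.Setenv("MICRO_TLS_SECURE", "true")
	secureNoCA = probe(srv.URL, clientTLS(nil)) // rejected: unknown authority
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	secureWithCA = probe(srv.URL, clientTLS(pool)) // accepted: private CA added to RootCAs
	return
}

func main() { fmt.Println(run()) }
```

The middle case is the failure a mixed fleet hits when verification is switched on before the private CA has been distributed to every client.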
Open an issue on GitHub or check the documentation at https://go-micro.dev/docs/