small nits

nacx · nacx · commit e2d24e21613a · 2024-02-23T17:19:12.000+01:00
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -15,19 +15,6 @@ The following software and tools are needed to build the project and run the tes
 * [Helm](https://helm.sh/docs/intro/install/) (needed to run the Istio e2e test suite)
 
 
-## Generating the API code
-
-The configuration options are defined in the [config](config/) directory using [Protocol Buffers](https://protobuf.dev/).
-To generate the configuration API code after doing changes to the `.proto` files, run:
-
-```bash
-$ make generate
-```
-
-There is no need to run `generate` after checking out the code; it's only needed when changes are made to
-the `.proto` files.
-
-
 ## Building the binary
 
 To build the binary simply run:
@@ -59,6 +46,19 @@ You can use the `DOCKER_TARGETS` environment variable to control the operating s
 you want to build the Docker images for.
 
 
+## Generating the API code
+
+The configuration options are defined in the [config](config/) directory using [Protocol Buffers](https://protobuf.dev/).
+To generate the configuration API code after doing changes to the `.proto` files, run:
+
+```bash
+$ make generate
+```
+
+There is no need to run `generate` after checking out the code; it's only needed when changes are made to
+the `.proto` files.
+
+
 ## Testing
 
 The main testing targets are:
diff --git a/e2e/testclient.go b/e2e/testclient.go
@@ -390,47 +390,3 @@ func (m firstFormMatcher) matches(n *html.Node) bool {
 func (m firstFormMatcher) String() string {
 	return "first form"
 }
-
-// NewSkipHostnameVerificationConfig returns a TLS configuration that
-// doesn't perform the default certificate verification because it
-// will verify the hostname. Instead, it verifies the server's
-// certificate chain in VerifyPeerCertificate and ignores the server
-// name.
-//
-// See https://github.com/golang/go/issues/21971#issuecomment-332693931
-// and https://pkg.go.dev/crypto/tls?tab=doc#example-Config-VerifyPeerCertificate
-// for more info.
-func NewSkipHostnameVerificationConfig(rootCAs *x509.CertPool) *tls.Config {
-	// Disable "G402 (CWE-295): TLS InsecureSkipVerify set true. (Confidence: HIGH, Severity: HIGH)"
-	// #nosec G402
-	return &tls.Config{
-		// Set to true because otherwise the certs AND the hostname are verified.
-		// Instead, the certificate verification will be done by the custom
-		// VerifyPeerCertificate, ignoring the server name,
-		InsecureSkipVerify: true,
-		VerifyPeerCertificate: func(certificates [][]byte, _ [][]*x509.Certificate) error {
-			certs := make([]*x509.Certificate, len(certificates))
-			for i, asn1Data := range certificates {
-				cert, err := x509.ParseCertificate(asn1Data)
-				if err != nil {
-					return fmt.Errorf("failed to parse certificate from server: %w", err)
-				}
-				certs[i] = cert
-			}
-
-			// Leave DNSName empty to skip hostname verification.
-			opts := x509.VerifyOptions{
-				Roots:         rootCAs,
-				Intermediates: x509.NewCertPool(),
-			}
-			// Skip the first cert because it's the leaf. All others
-			// are intermediates.
-			for _, cert := range certs[1:] {
-				opts.Intermediates.AddCert(cert)
-			}
-
-			_, err := certs[0].Verify(opts)
-			return err
-		},
-	}
-}
