Workiva · brandonbodnar-wk · Feb 4, 2019 · Feb 4, 2019
diff --git a/go/base/context.go b/go/base/context.go
@@ -94,15 +94,16 @@ type MigrationContext struct {
 	AliyunRDS                bool
 	GoogleCloudPlatform      bool
 
-	config            ContextConfig
-	configMutex       *sync.Mutex
-	ConfigFile        string
-	CliUser           string
-	CliPassword       string
-	UseTLS            bool
-	TLSCACertificate  string
-	CliMasterUser     string
-	CliMasterPassword string
+	config                ContextConfig
+	configMutex           *sync.Mutex
+	ConfigFile            string
+	CliUser               string
+	CliPassword           string
+	UseTLS                bool
+	TLSInsecureSkipVerify bool
+	TLSCACertificate      string
+	CliMasterUser         string
+	CliMasterPassword     string
 
 	HeartbeatIntervalMilliseconds       int64
 	defaultNumRetries                   int64

diff --git a/go/cmd/gh-ost/main.go b/go/cmd/gh-ost/main.go
@@ -57,6 +57,7 @@ func main() {
 
 	flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
 	flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
+	flag.StringVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, "Do not verify that the TLS connection is secure. Requires --ssl")
 
 	flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
 	flag.StringVar(&migrationContext.OriginalTableName, "table", "", "table name (mandatory)")
@@ -201,6 +202,9 @@ func main() {
 	if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
 		log.Fatalf("--ssl-ca requires --ssl")
 	}
+	if migrationContext.TLSInsecureSkipVerify && !migrationContext.UseTLS {
+		log.Fatalf("--ssl-insecure requires --ssl")
+	}
 	if *replicationLagQuery != "" {
 		log.Warningf("--replication-lag-query is deprecated")
 	}

diff --git a/go/mysql/connection.go b/go/mysql/connection.go
@@ -58,22 +58,30 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
 }
 
 func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {
-	skipVerify := caCertificatePath == ""
 	var rootCertPool *x509.CertPool
-	if !skipVerify {
-		rootCertPool = x509.NewCertPool()
-		pem, err := ioutil.ReadFile(caCertificatePath)
-		if err != nil {
-			return err
-		}
-		if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
-			return errors.New("could not add ca certificate to cert pool")
+	var err error
+
+	if !this.TLSInsecureSkipVerify {
+		if caCertificatePath == "" {
+			rootCertPool, err = x509.SystemCertPool()
+			if err != nil {
+				return err
+			}
+		} else {
+			rootCertPool = x509.NewCertPool()
+			pem, err := ioutil.ReadFile(caCertificatePath)
+			if err != nil {
+				return err
+			}
+			if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+				return errors.New("could not add ca certificate to cert pool")
+			}
 		}
 	}
 
 	this.tlsConfig = &tls.Config{
 		RootCAs:            rootCertPool,
-		InsecureSkipVerify: skipVerify,
+		InsecureSkipVerify: this.TLSInsecureSkipVerify,
 	}
 
 	return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig)