From 651d3facbef1dce70b08aee371fd8bcaff8a9054 Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Mon, 12 Jan 2026 14:02:53 +0600
Subject: [PATCH 1/6] tls config option now available via the client options

---
 client.go | 3 +++
 transport.go | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/client.go b/client.go
index 47e53c42d..a920ddd06 100644
--- a/client.go
+++ b/client.go
@@ -2,6 +2,7 @@ package sentry

 import (
 "context"
+ "crypto/tls"
 "crypto/x509"
 "fmt"
 "io"
@@ -229,6 +230,8 @@ type ClientOptions struct {
 // This will default to the HTTPS_PROXY environment variable.
 // HTTPS_PROXY takes precedence over HTTP_PROXY for https requests.
 HTTPSProxy string
+ // An optional tls config.
+ TlsConfig *tls.Config
 // An optional set of SSL certificates to use.
 CaCerts *x509.CertPool
 // MaxErrorDepth is the maximum number of errors reported in a chain of errors.
diff --git a/transport.go b/transport.go
index 487e54c17..38e75f360 100644
--- a/transport.go
+++ b/transport.go
@@ -61,7 +61,9 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)
 }

 func getTLSConfig(options ClientOptions) *tls.Config {
- if options.CaCerts != nil {
+ if options.TlsConfig != nil {
+ return options.TlsConfig
+ } else if options.CaCerts != nil {
 // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
 // but we don't want to break peoples code without the major bump.
 return &tls.Config{
From d129b2d7468d4cf9a5d2e8a89188fcb86910a833 Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Sun, 18 Jan 2026 21:53:30 +0600
Subject: [PATCH 2/6] if TlsConfig already specifies CaCerts then the other option gets ignored, but if TlsConfig doesn't and CaCerts does, we need to merge them

---
 transport.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/transport.go b/transport.go
index 38e75f360..79b145d10 100644
--- a/transport.go
+++ b/transport.go
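Review bot: In PATCH 1/6, the new `TlsConfig` field of `ClientOptions` (client.go) is documented only as `// An optional tls config.`, which does not tell a caller how it interacts with the adjacent `CaCerts` option or that its verification settings are used as given. In this commit the transport.go hunk returns `options.TlsConfig` before `CaCerts` is even looked at, so the comment should say so, e.g. `// TlsConfig is an optional TLS configuration. When set, it is used instead of a config built from CaCerts.` The struct continues outside the hunk, so other options that may affect the same connection are not visible here.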
@@ -62,6 +62,10 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)

 func getTLSConfig(options ClientOptions) *tls.Config {
 if options.TlsConfig != nil {
+ if options.TlsConfig.RootCAs == nil && options.CaCerts != nil {
+ options.TlsConfig.RootCAs = options.CaCerts
+ }
+
+ return options.TlsConfig
 } else if options.CaCerts != nil {
 // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
From fe5d6da6b9dce74aeb896726448b68b5e73f43ff Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Tue, 20 Jan 2026 09:38:59 +0600
Subject: [PATCH 3/6] mutation of the tlsconfig fix

---
 transport.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/transport.go b/transport.go
index 79b145d10..df8bcc5a3 100644
--- a/transport.go
+++ b/transport.go
@@ -62,11 +62,12 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)

 func getTLSConfig(options ClientOptions) *tls.Config {
 if options.TlsConfig != nil {
- if options.TlsConfig.RootCAs == nil && options.CaCerts != nil {
- options.TlsConfig.RootCAs = options.CaCerts
+ tlsConfig := options.TlsConfig
+ if tlsConfig.RootCAs == nil && options.CaCerts != nil {
+ tlsConfig.RootCAs = options.CaCerts
 }

- return options.TlsConfig
+ return tlsConfig
 } else if options.CaCerts != nil {
 // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
 // but we don't want to break peoples code without the major bump.
From 620060689ff9db14758877e4715fb6909c330400 Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Tue, 20 Jan 2026 10:37:35 +0600
Subject: [PATCH 4/6] mutation of user provided tls config issue fixed

---
 transport.go | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/transport.go b/transport.go
index df8bcc5a3..2d6c9f626 100644
--- a/transport.go
+++ b/transport.go
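Review bot: In PATCH 2/6, `options.TlsConfig.RootCAs = options.CaCerts` writes through the caller's `*tls.Config`: `options` is passed by value, but `TlsConfig` is a pointer, so the caller's own config is modified and, if that config is shared with other clients or goroutines, the write can race with their use of it. The hunk in PATCH 3/6 has the same defect despite its subject line, because `tlsConfig := options.TlsConfig` copies only the pointer and `tlsConfig.RootCAs = options.CaCerts` still lands in the caller's struct. Working on a copy avoids both: `tlsConfig := options.TlsConfig.Clone()`. getTLSConfig's body continues outside both hunks.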
@@ -61,22 +61,24 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)
 }

 func getTLSConfig(options ClientOptions) *tls.Config {
+ if options.TlsConfig == nil && options.CaCerts == nil {
+ return nil
+ }
+
+ var tlsConfig *tls.Config
 if options.TlsConfig != nil {
- tlsConfig := options.TlsConfig
- if tlsConfig.RootCAs == nil && options.CaCerts != nil {
- tlsConfig.RootCAs = options.CaCerts
- }
+ tlsConfig = options.TlsConfig.Clone()
+ } else {
+ tlsConfig = &tls.Config{}
+ }

- return tlsConfig
- } else if options.CaCerts != nil {
+ if tlsConfig.RootCAs == nil && options.CaCerts != nil {
 // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
 // but we don't want to break peoples code without the major bump.
- return &tls.Config{
- RootCAs: options.CaCerts,
- }
+ tlsConfig.RootCAs = options.CaCerts
 }

- return nil
+ return tlsConfig
 }

 func getRequestBodyFromEvent(event *Event) []byte {
From 807efad74e405b5990ff8c263b513bd5ecba502c Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Tue, 20 Jan 2026 23:45:32 +0600
Subject: [PATCH 5/6] TLS config lint issue fix

---
 client.go | 2 +-
 transport.go | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/client.go b/client.go
index a920ddd06..f19759b6c 100644
--- a/client.go
+++ b/client.go
@@ -231,7 +231,7 @@ type ClientOptions struct {
 // HTTPS_PROXY takes precedence over HTTP_PROXY for https requests.
 HTTPSProxy string
 // An optional tls config.
- TlsConfig *tls.Config
+ TLSConfig *tls.Config
 // An optional set of SSL certificates to use.
 CaCerts *x509.CertPool
 // MaxErrorDepth is the maximum number of errors reported in a chain of errors.
diff --git a/transport.go b/transport.go
index 2d6c9f626..cf7ea9e96 100644
--- a/transport.go
+++ b/transport.go
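Review bot: In PATCH 4/6, the branch `tlsConfig = options.TlsConfig.Clone()` carries every security-relevant field of the caller's config through unchanged, so a config with `InsecureSkipVerify: true` or a lowered `MinVersion` takes effect with no signal from the SDK. That is a reasonable contract for an escape hatch, but it should be stated on the option and ideally made visible at runtime: if the SDK has a debug log (none is visible in this hunk), a single warning when `tlsConfig.InsecureSkipVerify` is true would keep a test-only setting from going unnoticed in production. The `RootCAs == nil` merge below it is the only field the function inspects.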
@@ -61,20 +61,20 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)
 }

 func getTLSConfig(options ClientOptions) *tls.Config {
- if options.TlsConfig == nil && options.CaCerts == nil {
+ if options.TLSConfig == nil && options.CaCerts == nil {
 return nil
 }

 var tlsConfig *tls.Config
- if options.TlsConfig != nil {
- tlsConfig = options.TlsConfig.Clone()
+ if options.TLSConfig != nil {
+ tlsConfig = options.TLSConfig.Clone()
 } else {
+ // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
+ // but we don't want to break peoples code without the major bump.
 tlsConfig = &tls.Config{}
 }

 if tlsConfig.RootCAs == nil && options.CaCerts != nil {
- // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
- // but we don't want to break peoples code without the major bump.
 tlsConfig.RootCAs = options.CaCerts
 }

From a2fa69898b4ea88038f90279c1b830688b46cb76 Mon Sep 17 00:00:00 2001
From: Syed Sirajul Islam Anik
Date: Tue, 20 Jan 2026 23:48:49 +0600
Subject: [PATCH 6/6] moved tls config from transport.go to utils.go

---
 transport.go | 22 ----------------------
 util.go | 22 ++++++++++++++++++++++
 2 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/transport.go b/transport.go
index cf7ea9e96..3ed4c5b7c 100644
--- a/transport.go
+++ b/transport.go
@@ -3,7 +3,6 @@ package sentry
 import (
 "bytes"
 "context"
- "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
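Review bot: In PATCH 5/6, the `#nosec G402` comment moved onto `tlsConfig = &tls.Config{}` keeps a suppression whose stated reason may be out of date. crypto/tls has used TLS 1.2 as the default minimum for client connections since Go 1.18, so if the module's minimum Go version is at least that (not visible in this patch), setting the floor explicitly should not change what callers negotiate and the suppression can go: `tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}`. If older toolchains are still supported, the comment should name that as the reason rather than the major-version bump alone.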
@@ -60,27 +59,6 @@ func getProxyConfig(options ClientOptions) func(*http.Request) (*url.URL, error)
 return http.ProxyFromEnvironment
 }

-func getTLSConfig(options ClientOptions) *tls.Config {
- if options.TLSConfig == nil && options.CaCerts == nil {
- return nil
- }
-
- var tlsConfig *tls.Config
- if options.TLSConfig != nil {
- tlsConfig = options.TLSConfig.Clone()
- } else {
- // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
- // but we don't want to break peoples code without the major bump.
- tlsConfig = &tls.Config{}
- }
-
- if tlsConfig.RootCAs == nil && options.CaCerts != nil {
- tlsConfig.RootCAs = options.CaCerts
- }
-
- return tlsConfig
-}
-
 func getRequestBodyFromEvent(event *Event) []byte {
 body, err := json.Marshal(event)
 if err == nil {
diff --git a/util.go b/util.go
index 54524304e..264cce92a 100644
--- a/util.go
+++ b/util.go
@@ -1,6 +1,7 @@
 package sentry

 import (
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "os"
@@ -109,3 +110,24 @@ func revisionFromBuildInfo(info *debug.BuildInfo) string {
 func Pointer[T any](v T) *T {
 return &v
 }
+
+func getTLSConfig(options ClientOptions) *tls.Config {
+ if options.TLSConfig == nil && options.CaCerts == nil {
+ return nil
+ }
+
+ var tlsConfig *tls.Config
+ if options.TLSConfig != nil {
+ tlsConfig = options.TLSConfig.Clone()
+ } else {
+ // #nosec G402 -- We should be using `MinVersion: tls.VersionTLS12`,
+ // but we don't want to break peoples code without the major bump.
+ tlsConfig = &tls.Config{}
+ }
+
+ if tlsConfig.RootCAs == nil && options.CaCerts != nil {
+ tlsConfig.RootCAs = options.CaCerts
+ }
+
+ return tlsConfig
+}
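Review bot: In PATCH 6/6, getTLSConfig arrives in util.go with no doc comment, and none of the six patches adds a test for it (the diffstats list only client.go, transport.go and util.go). The precedence it implements is easy to get wrong from the call site, so I would add `// getTLSConfig returns nil when neither TLSConfig nor CaCerts is set; otherwise it returns a clone of TLSConfig (or an empty config) whose RootCAs is filled from CaCerts only if unset.` A small table test that checks the caller's config is left unmodified after the call, and that an explicit `RootCAs` is not overwritten by `CaCerts`, would pin the two behaviours the earlier commits in this series were written to fix.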