From 35dcd13d963c747b78bfdeda1f1756dddc029809 Mon Sep 17 00:00:00 2001
From: Jonathan Hess
Date: Thu, 9 Jan 2025 11:53:26 -0700
Subject: [PATCH] chore: Simplify server cert validation logic to distinguish legacy from CA validation

---
 internal/cloudsql/instance.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/internal/cloudsql/instance.go b/internal/cloudsql/instance.go
index e3ced10e..e70d5510 100644
--- a/internal/cloudsql/instance.go
+++ b/internal/cloudsql/instance.go
@@ -241,9 +241,9 @@ func (c ConnectionInfo) TLSConfig() *tls.Config {
 for _, caCert := range c.ServerCACert {
 pool.AddCert(caCert)
 }
- if c.ServerCAMode == "GOOGLE_MANAGED_CAS_CA" ||
- c.ServerCAMode == "CUSTOMER_MANAGED_CAS_CA" {
- // For CAS instances, we can rely on the DNS name to verify the server identity.
+ if c.ServerCAMode != "" && c.ServerCAMode != "GOOGLE_MANAGED_INTERNAL_CA" {
+ // By default, use Standard TLS hostname verification name to
+ // verify the server identity.
 return &tls.Config{
 ServerName: c.DNSName,
 Certificates: []tls.Certificate{c.ClientCertificate},
@@ -251,6 +251,7 @@ func (c ConnectionInfo) TLSConfig() *tls.Config {
 MinVersion: tls.VersionTLS13,
 }
 }
+ // For legacy instances use the custom TLS validation
 return &tls.Config{
 ServerName: c.ConnectionName.String(),
 Certificates: []tls.Certificate{c.ClientCertificate},
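Review bot: The inverted condition `c.ServerCAMode != "" && c.ServerCAMode != "GOOGLE_MANAGED_INTERNAL_CA"` now sends every CA mode the code does not name, including values a newer API response may introduce, through standard hostname verification with `ServerName: c.DNSName`, so that branch silently depends on DNSName being populated for all such modes. If it is empty, crypto/tls rejects a client config that sets neither ServerName nor InsecureSkipVerify, which fails closed but surfaces as an opaque handshake error instead of pointing at the missing DNS name; that assumption deserves a comment, e.g. `// Non-legacy CA modes are expected to carry a DNSName; an empty ServerName makes the handshake fail rather than falling back to legacy validation.` The added comment also reads oddly ("hostname verification name"); suggest `// Use standard TLS hostname verification to verify the server identity.` TLSConfig begins before this hunk and continues past it.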
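Review bot: The new comment `// For legacy instances use the custom TLS validation` does not say which inputs count as legacy, and the custom validation it refers to is not in this hunk, so a reader has to reconstruct the rule from the condition in the previous hunk. Suggest stating it: `// Legacy path (ServerCAMode empty or GOOGLE_MANAGED_INTERNAL_CA): the server is identified by its connection name rather than a DNS hostname.` The custom verification presumably lives in the config fields set after this hunk; confirm the wording matches what it actually checks. TLSConfig continues past the end of the hunk.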