diff options
author | Filippo Valsorda <filippo@golang.org> | 2018-09-07 12:58:14 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2018-09-07 22:43:32 +0000 |
commit | 71fce844b529e438eb35ca6f0c5173f7c10981b2 (patch) | |
tree | 1fd556f119800e5aa73953ef7c235e0c96a85621 | |
parent | cd9f60131bb39a58af8fc0e0a7a5e7df9d3c55fd (diff) | |
download | go-71fce844b529e438eb35ca6f0c5173f7c10981b2.tar.gz go-71fce844b529e438eb35ca6f0c5173f7c10981b2.zip |
[release-branch.go1.11] crypto/x509: allow ":" in Common Name hostnames
At least one popular service puts a hostname which contains a ":"
in the Common Name field. On the other hand, I don't know of any name
constrained certificates that only work if we ignore such CNs.
Updates #24151
Change-Id: I2d813e3e522ebd65ab5ea5cd83390467a869eea3
Reviewed-on: https://go-review.googlesource.com/134076
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
(cherry picked from commit 03c703697f321f66d28d6223457622c5879ba37f)
Reviewed-on: https://go-review.googlesource.com/134078
Reviewed-by: Andrew Bonventre <andybons@golang.org>
-rw-r--r-- | src/crypto/x509/verify.go | 4 | ||||
-rw-r--r-- | src/crypto/x509/verify_test.go | 1 |
2 files changed, 3 insertions, 2 deletions
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 210db4c1d0..0b75778a03 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -894,8 +894,8 @@ func validHostname(host string) bool { if c == '-' && j != 0 { continue } - if c == '_' { - // _ is not a valid character in hostnames, but it's commonly + if c == '_' || c == ':' { + // Not valid characters in hostnames, but commonly // found in deployments outside the WebPKI. continue } diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go index 7684145839..0e24d3b5da 100644 --- a/src/crypto/x509/verify_test.go +++ b/src/crypto/x509/verify_test.go @@ -1881,6 +1881,7 @@ func TestValidHostname(t *testing.T) { {"foo.*.example.com", false}, {"exa_mple.com", true}, {"foo,bar", false}, + {"project-dev:us-central1:main", true}, } for _, tt := range tests { if got := validHostname(tt.host); got != tt.want { |