author | Filippo Valsorda <filippo@golang.org> | 2020-06-05 12:48:26 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2020-06-08 17:32:00 +0000 |
commit | 063ce0f2f774563ff2143bd8b974ce7f89caa365 (patch) | |
tree | e9ed848391619a3c5361cdbca6c84e07e6ba8b32 /doc | |
parent | 5716ae6c9610f31e2cdefd07eea78174414c3dca (diff) | |
doc/go1.15: add release notes for crypto/x509
Updates #37419
Change-Id: Iedfd4b238980675be115c7e6e0a327d7745b5bed
Reviewed-on: https://go-review.googlesource.com/c/go/+/236737
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/go1.15.html | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/doc/go1.15.html b/doc/go1.15.html index 7506a6aa49..10b245fd8f 100644 --- a/doc/go1.15.html +++ b/doc/go1.15.html 
@@ -425,8 +425,53 @@ TODO <dl id="crypto/x509"><dt><a href="/pkg/crypto/x509/">crypto/x509</a></dt> <dd> + <p><!-- CL 231378, CL 231380, CL 231381 --> + If either the name on the certificate or the name being verified (with + <a href="/pkg/crypto/x509/#VerifyOptions.DNSName"><code>VerifyOptions.DNSName</code></a> + or <a href="/pkg/crypto/x509/#Certificate.VerifyHostname"><code>VerifyHostname</code></a>) + are invalid, they will now be compared case-insensitively without further + processing (without honoring wildcards or stripping trailing dots). + Invalid names include those with any characters other than letters, + digits, hyphens and underscores, those with empty labels, and names on + certificates with trailing dots. + </p> + + <p><!-- CL 231379 --> + The deprecated, legacy behavior of treating the <code>CommonName</code> + field as a hostname when no Subject Alternative Names are present is now + disabled by default. It can be temporarily re-enabled by adding the value + <code>x509ignoreCN=0</code> to the <code>GODEBUG</code> environment + variable. If the <code>CommonName</code> is an invalid hostname, it's + always ignored. + </p> + + <p><!-- CL 217298 --> + The new <a href="/pkg/crypto/x509/#CreateRevocationList"><code>CreateRevocationList</code></a> + function and <a href="/pkg/crypto/x509/#RevocationList"><code>RevocationList</code></a> type + allow creating RFC 5280-compliant X.509 v2 Certificate Revocation Lists. + </p> + + <p><!-- CL 227098 --> + <a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a> + now automatically generates the <code>SubjectKeyId</code> if the template + is a CA and doesn't explicitly specify one. + </p> + + <p><!-- CL 228777 --> + <a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a> + now returns an error if the template specifies <code>MaxPathLen</code> but is not a CA. 
+ </p> + <p><!-- CL 205237 --> - TODO: <a href="https://golang.org/cl/205237">https://golang.org/cl/205237</a>: load roots from colon separated SSL_CERT_DIR in loadSystemRoots + On Unix systems other than macOS, the <code>SSL_CERT_DIR</code> + environment variable can now be a colon-separated list. + </p> + + <p><!-- CL 227037 --> + On macOS, binaries are now always linked against + <code>Security.framework</code> to extract the system trust roots, + regardless of whether cgo is available. The resulting behavior should be + more consistent with the OS verifier. </p> </dd> </dl><!-- crypto/x509 --> |
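Review bot: In the first added paragraph, the definition of invalid names gives the permitted characters as "letters, digits, hyphens and underscores" and leaves out the dot, even though the same sentence goes on to mention empty labels and trailing dots. Read literally, every multi-label hostname would count as invalid. Suggest stating the rule per label, for example "those with labels containing any characters other than letters, digits, hyphens and underscores". The opening of that paragraph also has a subject-verb mismatch ("If either the name ... or the name ... are invalid"); "is invalid" reads correctly. In the CommonName paragraph, "temporarily re-enabled" does not say how long the x509ignoreCN=0 setting will keep working; if the removal release is already decided, naming it here would let operators plan the migration off CommonName-only certificates.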