diff options
author | Filippo Valsorda <filippo@golang.org> | 2020-10-30 16:12:13 +0100 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2020-11-09 15:09:37 +0000 |
commit | 564ec4867bd867ccf37d149243d016abfa5a857c (patch) | |
tree | d74613131e1696fae48e50ea5378dcae339c0463 /src/crypto | |
parent | feccfb8adaf5a0ce93a0dafa31336ccb6f41c618 (diff) | |
download | go-564ec4867bd867ccf37d149243d016abfa5a857c.tar.gz go-564ec4867bd867ccf37d149243d016abfa5a857c.zip |
crypto/tls: don't use CN in BuildNameToCertificate if SANs are present
Change-Id: I18d5b9fc392a6a52fbdd240254d6d9db838073a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/266540
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/tls/common.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go index 66d2c005a7..86dc0dd3b2 100644 --- a/src/crypto/tls/common.go +++ b/src/crypto/tls/common.go @@ -1263,7 +1263,9 @@ func (c *Config) BuildNameToCertificate() { if err != nil { continue } - if len(x509Cert.Subject.CommonName) > 0 { + // If SANs are *not* present, some clients will consider the certificate + // valid for the name in the Common Name. + if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 { c.NameToCertificate[x509Cert.Subject.CommonName] = cert } for _, san := range x509Cert.DNSNames { |