crypto/tls: don't use CN in BuildNameToCertificate if SANs are present

Change-Id: I18d5b9fc392a6a52fbdd240254d6d9db838073a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/266540 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
author: Filippo Valsorda <filippo@golang.org> 2020-10-30 16:12:13 +0100
committer: Filippo Valsorda <filippo@golang.org> 2020-11-09 15:09:37 +0000
commit: 564ec4867bd867ccf37d149243d016abfa5a857c (patch)
tree: d74613131e1696fae48e50ea5378dcae339c0463 /src/crypto
parent: feccfb8adaf5a0ce93a0dafa31336ccb6f41c618 (diff)
download: go-564ec4867bd867ccf37d149243d016abfa5a857c.tar.gz
go-564ec4867bd867ccf37d149243d016abfa5a857c.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 66d2c005a7..86dc0dd3b2 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -1263,7 +1263,9 @@ func (c *Config) BuildNameToCertificate() {
 		if err != nil {
 			continue
 		}
-		if len(x509Cert.Subject.CommonName) > 0 {
+		// If SANs are *not* present, some clients will consider the certificate
+		// valid for the name in the Common Name.
+		if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {
 			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
 		}
 		for _, san := range x509Cert.DNSNames {
author	Filippo Valsorda <filippo@golang.org>	2020-10-30 16:12:13 +0100
committer	Filippo Valsorda <filippo@golang.org>	2020-11-09 15:09:37 +0000
commit	564ec4867bd867ccf37d149243d016abfa5a857c (patch)
tree	d74613131e1696fae48e50ea5378dcae339c0463 /src/crypto
parent	feccfb8adaf5a0ce93a0dafa31336ccb6f41c618 (diff)
download	go-564ec4867bd867ccf37d149243d016abfa5a857c.tar.gz go-564ec4867bd867ccf37d149243d016abfa5a857c.zip