crypto/tls: don't use CN in BuildNameToCertificate if SANs are present
authorFilippo Valsorda <filippo@golang.org>
Fri, 30 Oct 2020 15:12:13 +0000 (16:12 +0100)
committerFilippo Valsorda <filippo@golang.org>
Mon, 9 Nov 2020 15:09:37 +0000 (15:09 +0000)
Change-Id: I18d5b9fc392a6a52fbdd240254d6d9db838073a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/266540
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
src/crypto/tls/common.go

index 66d2c005a7cf6bb402dcb0c7e0ddd370247af664..86dc0dd3b2e8c0d370511f7d1c726c3b33538f49 100644 (file)
@@ -1263,7 +1263,9 @@ func (c *Config) BuildNameToCertificate() {
                if err != nil {
                        continue
                }
-               if len(x509Cert.Subject.CommonName) > 0 {
+               // If SANs are *not* present, some clients will consider the certificate
+               // valid for the name in the Common Name.
+               if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {
                        c.NameToCertificate[x509Cert.Subject.CommonName] = cert
                }
                for _, san := range x509Cert.DNSNames {
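Review bot: The new guard on the CommonName branch tests only `len(x509Cert.DNSNames) == 0`, while the comment added above it speaks of SANs in general; a certificate that carries a SAN extension with only IP, email or URI entries and no dNSName would still have its Common Name registered in NameToCertificate, which is exactly the case the comment says clients no longer honour. If the intent is to mirror verifiers that ignore the CN whenever any SAN extension is present, the condition could also consult the other SAN fields, e.g. `if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 && len(x509Cert.IPAddresses) == 0 {`, or the comment could be narrowed to `// If DNS SANs are *not* present, ...` so that the text and the check agree. BuildNameToCertificate begins before this hunk and continues after it.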