From: Adam Langley Date: Fri, 30 Sep 2016 21:16:12 +0000 (-0700) Subject: crypto/x509: return better error when a certificate contains no names. X-Git-Tag: go1.8beta1~1080 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=49aa1d791be26de71ba7ed02d6c6cd1dd0092b71;p=gostls13.git crypto/x509: return better error when a certificate contains no names. Currently, if a certificate contains no names (that we parsed), verification will return the confusing error: x509: certificate is valid for , not example.com. This change improves the error for that situation. Fixes #16834. Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55 Reviewed-on: https://go-review.googlesource.com/30152 Reviewed-by: Brad Fitzpatrick Run-TryBot: Adam Langley TryBot-Result: Gobot Gobot --- diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 4a6c952a96..484c951fc9 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -87,6 +87,10 @@ func (h HostnameError) Error() string { valid = c.Subject.CommonName } } + + if len(valid) == 0 { + return "x509: certificate is not valid for any names, but wanted to match " + h.Host + } return "x509: certificate is valid for " + valid + ", not " + h.Host }
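Review bot: The new `if len(valid) == 0` branch in `HostnameError.Error()` comes without a test; the diff touches only `src/crypto/x509/verify.go`. Please add a case to the package's tests that verifies a certificate with no parsed names and an empty `Subject.CommonName`, and asserts the returned string, so the output cannot regress to "certificate is valid for , not example.com". A one-line comment above the check would also help: the commit message says the certificate contains no names "(that we parsed)", but the error text reads "not valid for any names", which a reader may take to mean the certificate carries none at all. Either state in the comment that `valid` is empty when no supported name was parsed, or adjust the wording of the message to match.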