From 49aa1d791be26de71ba7ed02d6c6cd1dd0092b71 Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 30 Sep 2016 14:16:12 -0700
Subject: [PATCH] crypto/x509: return better error when a certificate contains no names.

Currently, if a certificate contains no names (that we parsed), verification will return the confusing error:
x509: certificate is valid for , not example.com.

This change improves the error for that situation.

Fixes #16834.

Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55
Reviewed-on: https://go-review.googlesource.com/30152
Reviewed-by: Brad Fitzpatrick
Run-TryBot: Adam Langley
TryBot-Result: Gobot Gobot
---
 src/crypto/x509/verify.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 4a6c952a96..484c951fc9 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -87,6 +87,10 @@ func (h HostnameError) Error() string {
 valid = c.Subject.CommonName
 }
 }
+
+ if len(valid) == 0 {
+ return "x509: certificate is not valid for any names, but wanted to match " + h.Host
+ }
 return "x509: certificate is valid for " + valid + ", not " + h.Host
 }
 
-- 
2.50.0
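Review bot: The added `if len(valid) == 0` branch carries no comment saying when `valid` ends up empty, and the wording "not valid for any names" is broader than what the visible lines establish: `valid` falls back to `c.Subject.CommonName`, so the branch means "no names of the kind being matched were parsed", which the commit message itself hedges with "(that we parsed)". I would add `// valid is empty when the certificate has neither a usable SAN entry nor a CommonName.` above the check, so that someone diagnosing a TLS failure does not read the message as proof that the certificate has no SAN extension at all. The diffstat lists only verify.go, so the new string is not pinned by a test; a case with a name-less certificate would keep the message from regressing. The start of Error() is outside the hunk, so how `valid` is built for other name types is inferred rather than seen.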