crypto/x509: treat certificate names with trailing dots as invalid - go - Fork of Go programming language with my patches.

diff options

author	Filippo Valsorda <filippo@golang.org>	2020-04-30 21:24:25 -0400
committer	Filippo Valsorda <filippo@golang.org>	2020-05-08 00:05:42 +0000
commit	95c5ec67ea2c2760c15ffd771e52f5e31f3e116f (patch)
tree	7c9cd77561028ee617e99d8255a967b5420d49ca /src/encoding
parent	d65e1b2e41deb810565c94555d791e7384618da0 (diff)
download	go-95c5ec67ea2c2760c15ffd771e52f5e31f3e116f.tar.xz

crypto/x509: treat certificate names with trailing dots as invalid

Trailing dots are not allowed in certificate fields like CN and SANs (while they are allowed and ignored as inputs to verification APIs). Move to considering names with trailing dots in certificates as invalid hostnames. Following the rule of CL 231378, these invalid names lose wildcard processing, but can still match if there is a 1:1 match, trailing dot included, with the VerifyHostname input. They also become ignored Common Name values regardless of the GODEBUG=x509ignoreCN=X value, because we have to ignore invalid hostnames in Common Name for #24151. The error message automatically accounts for this, and doesn't suggest the environment variable. You don't get to use a legacy deprecated field AND invalid hostnames. (While at it, also consider wildcards in VerifyHostname inputs as invalid hostnames, not that it should change any observed behavior.) Change-Id: Iecdee8927df50c1d9daf904776b051de9f5e76ad Reviewed-on: https://go-review.googlesource.com/c/go/+/231380 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>

Diffstat (limited to 'src/encoding')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: