crypto/tls: don't use CN in BuildNameToCertificate if SANs are present

FiloSottile · FiloSottile · commit 564ec4867bd8 · 2020-11-09T15:09:37.000Z
Change-Id: I18d5b9fc392a6a52fbdd240254d6d9db838073a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/266540 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
@@ -1263,7 +1263,9 @@ func (c *Config) BuildNameToCertificate() {
 		if err != nil {
 			continue
 		}
-		if len(x509Cert.Subject.CommonName) > 0 {
+		// If SANs are *not* present, some clients will consider the certificate
+		// valid for the name in the Common Name.
+		if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {
 			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
 		}
 		for _, san := range x509Cert.DNSNames {

Original file line number	Diff line number	Diff line change
`@@ -1263,7 +1263,9 @@ func (c *Config) BuildNameToCertificate() {`
`1263`	`1263`	`if err != nil {`
`1264`	`1264`	`continue`
`1265`	`1265`	`}`
`1266`		`- if len(x509Cert.Subject.CommonName) > 0 {`
	`1266`	`+ // If SANs are not present, some clients will consider the certificate`
	`1267`	`+ // valid for the name in the Common Name.`
	`1268`	`+ if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 {`
`1267`	`1269`	`c.NameToCertificate[x509Cert.Subject.CommonName] = cert`
`1268`	`1270`	`}`
`1269`	`1271`	`for _, san := range x509Cert.DNSNames {`