Bug 1889439

Summary: Relax X.509 CN error when x509ignoreCN
Product: DevTools
Reporter: Derek Parker <deparker>
Component: go-toolset
Assignee: David Benoit <dbenoit>
Status: CLOSED DUPLICATE
QA Contact: Edjunior Barbosa Machado <emachado>
Severity: high
Priority: unspecified
Version: 2021.2
CC: tschelle
Target Milestone: rc
Target Release: 2019.3
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-10-29 16:31:29 UTC

Description Derek Parker 2020-10-19 16:37:33 UTC
This bug was initially created as a copy of Bug #1889437

I am copying this bug because: 

This is for RHEL7 tracking.

Description of problem:

Go 1.15 is more strict in the handling of X.509 certs, rejecting those with invalid CN values.

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. 


Version-Release number of selected component (if applicable):

1.15.x


How reproducible:

Always.


Steps to Reproduce:
1. Have cert with CN and no SANs
2. Make https request to Go server
3. Cert is rejected and connection closed

Actual results:

Cert is rejected


Expected results:

Cert is accepted but with warning message.


Additional info:

Comment 2 Tilmann Scheller 2020-10-29 16:31:29 UTC

*** This bug has been marked as a duplicate of bug 1892726 ***