Bug 1889439 - Relax X.509 CN error when x509ignoreCN
Status: CLOSED DUPLICATE of bug 1892726
Product: DevTools
Classification: Red Hat
Component: go-toolset
Version: 2021.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 2019.3
Assignee: David Benoit
QA Contact: Edjunior Barbosa Machado
Reported: 2020-10-19 16:37 UTC by Derek Parker
Modified: 2020-10-29 16:31 UTC
Last Closed: 2020-10-29 16:31:29 UTC

Description Derek Parker 2020-10-19 16:37:33 UTC
This bug was initially created as a copy of Bug #1889437

I am copying this bug because: 

This is for RHEL7 tracking.

Description of problem:

Go 1.15 is stricter in its handling of X.509 certs, rejecting those with invalid CN values.

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. 


Version-Release number of selected component (if applicable):

1.15.x


How reproducible:

Always.


Steps to Reproduce:
1. Have cert with CN and no SANs
2. Make https request to Go server
3. Cert is rejected and connection closed

Actual results:

Cert is rejected


Expected results:

Cert is accepted but with warning message.


Additional info:

Comment 2 Tilmann Scheller 2020-10-29 16:31:29 UTC

*** This bug has been marked as a duplicate of bug 1892726 ***
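
The rejection described in this report can be reproduced offline with Go 1.15 or later. The program below is an added example, not code from the bug report or from go-toolset. The host name app.example.test, the fixed-seed demo key and the helper names makeCert and reliesOnCN are assumptions; reliesOnCN is a small audit check for finding certificates that need SANs added.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed demo cert (throwaway fixed-seed key).
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // nil means no subjectAltName extension is emitted
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17} // subjectAltName extension
// reliesOnCN reports whether a cert has a CN but no SAN extension at all.
func reliesOnCN(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSAN) {
			return false
		}
	}
	return c.Subject.CommonName != ""
}

func main() {
	for _, sans := range [][]string{nil, {"app.example.test"}} {
		c, err := makeCert("app.example.test", sans)
		if err != nil {
			panic(err)
		}
		fmt.Println(sans, reliesOnCN(c), c.VerifyHostname("app.example.test"))
	}
}
```

The first line of output shows the CN-only certificate failing host name verification; the second shows the same CN passing once it is also listed as a SAN.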

