crypto/x509: x509ignoreCN=1 breaks TestCertificateParse #34252

Closed
tmthrgd opened this issue Sep 12, 2019 · 1 comment
Labels: FrozenDueToAge; NeedsFix (The path to resolution is known, but the work has not been done.); Testing (An issue that has been verified to require only test changes, not just a test failure.)
tmthrgd commented Sep 12, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Yes, both with go1.13 and tip (88076eb).

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tom/.cache/go-build"
GOENV="/home/tom/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/tom/go"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/tom/sdk/go1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/tom/sdk/go1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build966808818=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I spotted this running ./all.bash against tip, but it can be reproduced with:

$ GODEBUG=x509ignoreCN=1 go test -count 1 crypto/x509

What did you expect to see?

ok  	crypto/x509	0.330s

What did you see instead?

--- FAIL: TestCertificateParse (0.00s)
    x509_test.go:444: x509: certificate is not valid for any names, but wanted to match mail.google.com
FAIL
FAIL	crypto/x509	0.315s
FAIL

I understand that x509ignoreCN=1 is experimental, but it is documented—and noted that it may become the default—so it seems like the test should be made to pass.

x509.NameConstraintsWithoutSANs:

// You can avoid this error by setting the experimental GODEBUG environment
// variable to "x509ignoreCN=1", disabling Common Name matching entirely.
// This behavior might become the default in the future.

/cc @FiloSottile

FiloSottile added the NeedsFix label Sep 12, 2019
FiloSottile added this to the Go1.14 milestone Sep 12, 2019
FiloSottile added the Testing label Oct 1, 2019
rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
FiloSottile self-assigned this Mar 31, 2020
FiloSottile modified the milestones: Backlog, Go1.15 Mar 31, 2020
@FiloSottile

Fixed in CL 231379.

golang locked and limited conversation to collaborators May 8, 2021