crypto/x509: Other Names in x509 Certificate SAN causing certificate verification failure #35467
Labels: FrozenDueToAge, NeedsInvestigation
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
Attempted to bind to an LDAP server over 636 with TLS.
What did you expect to see?
Successful binding
What did you see instead?
LDAP Result Code 200 "Network Error": x509: certificate is not valid for any names, but wanted to match
By debugging, I determined that the source of this error is that my LDAP host is serving a certificate without a DNSName in the SAN but with two Other Name elements. These two elements are related to OID 1.3.6.1.5.2.2 (Kerberos/Microsoft NT Principal Name). In this scenario, hasSANExtension() == true, which makes commonNameAsHostName() == false. Because of this, the x509 verify function expects to find the hostname in the SAN but cannot, and throws an error. Interestingly, the hostname is parsable from the Microsoft NT Principal Name.

When I look at RFC 6125:
My question is: is there a way to call my own custom middleware or function for hostname verification in support of the above-mentioned "application-specific identifier types" like my Kerberos application? From speaking to the issuer of my certificate, it sounds like I am unlikely to get them to modify the certificate any time soon.
Any guidance is appreciated. Thank you!