crypto/x509: Verify failed on some valid certificates with SubjectAlternateNames #24293
What version of Go are you using (
Found the corresponding commit:
@agl your comment is:
Why should CN be ignored, even if no DNS names were present?
As our certificate is validated correctly by most other tools, it is not clear to me which approach is correct.
I don't have a definitive RFC reference at hand, but https://www.digicert.com/subject-alternative-name-compatibility.htm says: "If a SSL Certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the Common Name value and seek a match in the SAN list. This is why DigiCert always repeats the common name as the first SAN in our certificates."
I also find among StackExchange search hits the following -
See also https://tools.ietf.org/html/rfc6125#section-6.4.4 "Checking of Common Names":