crypto/x509: reject UTF-8 names #26362

FiloSottile opened this Issue Jul 13, 2018 · 4 comments
FiloSottile commented Jul 13, 2018

Certificates should only have punycode in them, but we tolerate and match UTF-8 if provided. Make this stricter after checking it doesn't break a lot of CT and BoringSSL already rejects them.

@FiloSottile FiloSottile added this to the Go1.12 milestone Jul 13, 2018
robpike commented Jul 13, 2018

Can you please be more precise in what the restrictions should be? "UTF-8 names" is not a clear target, as ASCII for instance is a subset of UTF-8.
mdp commented Sep 18, 2018

The restriction is that certain x509 extensions should be encoded as an IA5String, which is a restricted character set (essentially 0x0-0x80 ASCII). Currently, golang's x509 package performs validation checks on IA5String encoding, but it's not complete. It's still possible to encode several of the Subject Alternative Name extensions ("Domains", "EmailAddresses") as non-IA5Strings. There's also no check on the "URIs" field, but due to URL.String() being called before encoding, it's escaped and therefore won't contain any characters outside of the IA5String set.

One thing to be aware of, the Common Name on an X509 certificate doesn't actually have an IA5String restriction on encoding. You need to use punycode if you're creating an SSL certificate, but RFC 5280 states that "Standard naming attributes, such as common name, employ the DirectoryString type, which supports internationalized names through a variety of language encodings. Conforming implementations MUST support UTF8String and PrintableString."
mdp commented Sep 19, 2018

As far as comparisons go, Certificate.VerifyHostname(host string) will not reject comparisons for non-punycode hostnames in the latest release of go - Go Playground example

However, a recent change (4f9ec2c#diff-14a36701d822b09a804f852a229dfc23R910) was introduced which will result in the rejection of CommonNames with non-ASCII characters in them - caused by validHostname(c.Subject.CommonName).

That being said, if the certificate has a non-ASCII character in the DNSName SAN extension, it will still do the comparison and match. Example below:

package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

func main() {
	c := &x509.Certificate{
		DNSNames: []string{"göö"},
		Subject:  pkix.Name{CommonName: "göö"},
	}
	err := c.VerifyHostname("göö")
	if err == nil {
		fmt.Println("VerifyHostname(göö) should have failed, did not")
	} else {
		fmt.Printf("VerifyHostname(göö) failed - %q\n", err)
	}
}
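A pre-check for the gap described in the comments above, added here as example code (it is not part of the issue thread and not Go's x509 package): it walks the DNS and email SANs and the Common Name of a certificate and reports every name carrying bytes outside the IA5String range, so a verifier can refuse such a certificate before VerifyHostname ever compares it. The certificate below is constructed; "xn--bcher-kva.example" is the punycode form of "bücher.example" and passes.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ia5OK reports whether every byte of s is within the IA5String
// repertoire (0x00-0x7F); anything else is a raw UTF-8 (non-punycode) name.
func ia5OK(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] > 0x7F {
			return false
		}
	}
	return true
}

// nonIA5Names lists every name field of cert that should have been
// punycode (or at least ASCII) but carries bytes outside IA5String.
// The Common Name is included because VerifyHostname also consults it.
func nonIA5Names(cert *x509.Certificate) []string {
	var bad []string
	for _, n := range cert.DNSNames {
		if !ia5OK(n) {
			bad = append(bad, "DNSName:"+n)
		}
	}
	for _, e := range cert.EmailAddresses {
		if !ia5OK(e) {
			bad = append(bad, "EmailAddress:"+e)
		}
	}
	if cn := cert.Subject.CommonName; !ia5OK(cn) {
		bad = append(bad, "CommonName:"+cn)
	}
	return bad
}

func main() {
	// Constructed certificate mirroring the one in the comment above,
	// plus one correctly punycoded SAN that must not be flagged.
	c := &x509.Certificate{
		DNSNames: []string{"göö", "xn--bcher-kva.example"},
		Subject:  pkix.Name{CommonName: "göö"},
	}
	fmt.Println(nonIA5Names(c)) // [DNSName:göö CommonName:göö]
}
```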
gopherbot commented Oct 12, 2018

Change mentions this issue: crypto/x509: reject UTF-8 names from VerifyHost

@andybons andybons modified the milestones: Go1.12, Go1.13 Feb 12, 2019