crypto/x509: x509ignoreCN=1 breaks TestCertificateParse #34252

Open
tmthrgd opened this issue Sep 12, 2019 · 0 comments

Comments

@tmthrgd
Contributor

commented Sep 12, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Yes, both with go1.13 and tip (88076eb).

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tom/.cache/go-build"
GOENV="/home/tom/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/tom/go"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/tom/sdk/go1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/tom/sdk/go1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build966808818=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I spotted this running ./all.bash against tip, but it can be reproduced with:

$ GODEBUG=x509ignoreCN=1 go test -count 1 crypto/x509

What did you expect to see?

ok  	crypto/x509	0.330s

What did you see instead?

--- FAIL: TestCertificateParse (0.00s)
    x509_test.go:444: x509: certificate is not valid for any names, but wanted to match mail.google.com
FAIL
FAIL	crypto/x509	0.315s
FAIL

I understand that x509ignoreCN=1 is experimental, but it is documented—and noted that it may become the default—so it seems like the test should be made to pass.

x509.NameConstraintsWithoutSANs:

// You can avoid this error by setting the experimental GODEBUG environment
// variable to "x509ignoreCN=1", disabling Common Name matching entirely.
// This behavior might become the default in the future.

/cc @FiloSottile

@FiloSottile FiloSottile added this to the Go1.14 milestone Sep 12, 2019
@FiloSottile FiloSottile added the Testing label Oct 1, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019