From 2c920dbfc851be08fcc679be584e289d4d68cbe4 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Tue, 20 Jun 2017 09:29:56 +0200
Subject: [PATCH] remove obsolete check for tls.Config.ServerName when verifying the cert

The hostname is set to tls.Config.ServerName in the client already, thus we don't have to read that value again when verifying the certificate.
---
 crypto/cert_manager.go | 5 ++--
 crypto/cert_manager_test.go | 52 +++----------------------------------
 2 files changed, 5 insertions(+), 52 deletions(-)

diff --git a/crypto/cert_manager.go b/crypto/cert_manager.go
index b0abf2ef..5aaa1877 100644
--- a/crypto/cert_manager.go
+++ b/crypto/cert_manager.go
@@ -107,15 +107,14 @@ func (c *certManager) Verify(hostname string) error {
 var opts x509.VerifyOptions
 if c.config != nil {
 opts.Roots = c.config.RootCAs
- opts.DNSName = c.config.ServerName
 if c.config.Time == nil {
 opts.CurrentTime = time.Now()
 } else {
 opts.CurrentTime = c.config.Time()
 }
- } else {
- opts.DNSName = hostname
 }
+ // we don't need to care about the tls.Config.ServerName here, since hostname has already been set to that value in the session setup
+ opts.DNSName = hostname
 
 // the first certificate is the leaf certificate, all others are intermediates
 if len(c.chain) > 1 {
diff --git a/crypto/cert_manager_test.go b/crypto/cert_manager_test.go
index c2ea9ca0..8bad8f95 100644
--- a/crypto/cert_manager_test.go
+++ b/crypto/cert_manager_test.go
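Review bot: With `opts.DNSName = hostname` now the only source of the name to check, an empty `hostname` argument silently disables hostname verification: crypto/x509 performs no name check when VerifyOptions.DNSName is empty, so Verify would still validate the chain against the roots but accept a leaf issued for any name. Before this change a configured tls.Config.ServerName still populated DNSName in that situation, so the removed branch was also acting as a fallback. The commit message says the session setup already copies ServerName into hostname, which cannot be confirmed from this hunk; an explicit guard at the top of Verify would make that precondition enforceable, e.g. `if hostname == "" { return errors.New("cert manager: empty hostname for certificate verification") }` (assumes `errors` is imported, otherwise a sentinel declared alongside the file's other errors). The precondition is also worth stating in Verify's doc comment; the method's body continues below the hunk.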
@@ -268,52 +268,6 @@ var _ = Describe("Cert Manager", func() { Expect(err).ToNot(HaveOccurred()) }) - It("uses a different hostname from a client TLS config", func() { - if runtime.GOOS == "windows" { - // certificate validation works different on windows, see https://golang.org/src/crypto/x509/verify.go line 238 - Skip("windows") - } - - template := &x509.Certificate{ - SerialNumber: big.NewInt(1), - NotBefore: time.Now().Add(-time.Hour), - NotAfter: time.Now().Add(time.Hour), - Subject: pkix.Name{CommonName: "google.com"}, - } - - _, leafCert := getCertificate(template) - cm.chain = []*x509.Certificate{leafCert} - cm.config = &tls.Config{ - ServerName: "google.com", - } - err := cm.Verify("quic.clemente.io") - _, ok := err.(x509.UnknownAuthorityError) - Expect(ok).To(BeTrue()) - }) - - It("rejects certificates with a different hostname than specified in the client TLS config", func() { - if runtime.GOOS == "windows" { - // certificate validation works different on windows, see https://golang.org/src/crypto/x509/verify.go line 238 - Skip("windows") - } - - template := &x509.Certificate{ - SerialNumber: big.NewInt(1), - NotBefore: time.Now().Add(-time.Hour), - NotAfter: time.Now().Add(time.Hour), - Subject: pkix.Name{CommonName: "quic.clemente.io"}, - } - - _, leafCert := getCertificate(template) - cm.chain = []*x509.Certificate{leafCert} - cm.config = &tls.Config{ - ServerName: "google.com", - } - err := cm.Verify("quic.clemente.io") - _, ok := err.(x509.HostnameError) - Expect(ok).To(BeTrue()) - }) - It("uses the time specified in a client TLS config", func() { if runtime.GOOS == "windows" { // certificate validation works different on windows, see https://golang.org/src/crypto/x509/verify.go line 238 
@@ -324,6 +278,7 @@ var _ = Describe("Cert Manager", func() {
 SerialNumber: big.NewInt(1),
 NotBefore: time.Now().Add(-25 * time.Hour),
 NotAfter: time.Now().Add(-23 * time.Hour),
+ Subject: pkix.Name{CommonName: "quic.clemente.io"},
 }
 _, leafCert := getCertificate(template)
 cm.chain = []*x509.Certificate{leafCert}
@@ -384,10 +339,9 @@ var _ = Describe("Cert Manager", func() {
 cm.chain = []*x509.Certificate{leafCert}
 cm.config = &tls.Config{
- RootCAs: rootCAPool,
- ServerName: "google.com",
+ RootCAs: rootCAPool,
 }
- err = cm.Verify("quic.clemente.io")
+ err = cm.Verify("google.com")
 Expect(err).ToNot(HaveOccurred())
 })
 })
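Review bot: After the two cases deleted in the earlier hunk ("rejects certificates with a different hostname than specified in the client TLS config" among them), none of the tests visible in these hunks asserts that a hostname mismatch is still rejected while a tls.Config is set; the last hunk only calls `cm.Verify("google.com")` on the name the leaf presumably carries and expects success. Unless a case elsewhere in the file covers it, a companion test that keeps `RootCAs: rootCAPool`, calls `cm.Verify("quic.clemente.io")` against the same leaf and expects `x509.HostnameError` would pin that the name check still runs on the config path now that DNSName comes only from the argument. The enclosing Describe block starts outside the hunk.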