
x509: certificate relies on legacy Common Name field, use SANs instead #276

atc0005 opened this issue Mar 8, 2022 · 4 comments

@atc0005
Owner

atc0005 commented Mar 8, 2022

Overview

Recent versions of check_cert and lscert emit this error message when encountering certificates missing Subject Alternate Names (SANs) entries:

x509: certificate relies on legacy Common Name field, use SANs instead

As detailed by GH-70, Go deprecated support for using the Common Name field to verify hostnames when encountering an empty SANs list. Go 1.16 reiterated this deprecation and Go 1.17 removed the support.

This project switched to Go 1.17 for the v0.5.4 release in preparation for Go 1.16 going EOL in Q1 2022.

While restoring Common Name verification is technically possible, it's not a viable direction for this project. Instead, we should attempt to gracefully handle this scenario when encountered and provide useful feedback to the user so that they can best decide next steps to resolve the issue.

Workarounds:

  • use binaries from the v0.5.3 release
  • rebuild current codebase using Go 1.16

References

@atc0005 atc0005 added bug Something isn't working plugin/check_cert app/lscert labels Mar 8, 2022
@atc0005 atc0005 added this to the Next Release milestone Mar 8, 2022
@atc0005 atc0005 self-assigned this Mar 8, 2022
@atc0005
Owner Author

atc0005 commented Mar 8, 2022

One potential workaround is to conditionally disable hostname verification (if requested) when the SANs list is empty. Perhaps something like, --disable-hostname-verification-if-empty-sans. The flag name is overly verbose, but pretty clear what the expected behavior should be.

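The following is an added example, not code from the check_cert/lscert project or from the issue author. It reproduces the Go 1.17+ behaviour described in the issue body (VerifyHostname rejecting a certificate whose only identity is in the Common Name) and sketches the conditional skip proposed in the comment above. The helper names (`checkHostname`, `hasSANs`, `selfSigned`), the trailer wording and the throwaway self-signed certificates are this example's own assumptions; the project's real flag handling may differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// trailer is the note appended to output when hostname verification is skipped
// because the SANs list is empty. Wording is this example's own assumption.
const trailer = "hostname verification skipped: certificate has no SANs entries (flag set)"

// hasSANs reports whether the certificate carries any Subject Alternative Name
// entry (DNS, IP, email or URI). A certificate with none of these has no SAN
// extension, which is exactly the case Go 1.17+ refuses to match against the CN.
func hasSANs(cert *x509.Certificate) bool {
	return len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
}

// checkHostname verifies host against cert, except that when skipIfEmptySANs is
// set AND the SANs list is empty the check is skipped and a trailer note is
// returned instead. The flag only controls that one case: a certificate that
// does have SANs, none of which match, still fails as usual.
func checkHostname(cert *x509.Certificate, host string, skipIfEmptySANs bool) (skipped bool, note string, err error) {
	if skipIfEmptySANs && !hasSANs(cert) {
		return true, trailer, nil
	}
	if err := cert.VerifyHostname(host); err != nil {
		return false, "", err
	}
	return false, "", nil
}

// isLegacyCNError reports whether err is the Go 1.17+ rejection quoted in the
// issue title ("certificate relies on legacy Common Name field, use SANs instead").
func isLegacyCNError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "legacy Common Name")
}

// selfSigned builds a throwaway self-signed certificate with the given Common
// Name and optional SAN DNS names. Constructed test data, not a real certificate.
// With dnsNames == nil no SAN extension is written at all.
func selfSigned(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cnOnly, err := selfSigned("www.example.com", nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := selfSigned("www.example.com", []string{"www.example.com"})
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cert *x509.Certificate
		host string
		flag bool
	}{
		{"CN only, flag off", cnOnly, "www.example.com", false},
		{"CN only, flag on", cnOnly, "www.example.com", true},
		{"SAN matches, flag on", withSAN, "www.example.com", true},
		{"SAN mismatch, flag on", withSAN, "other.example.net", true},
	}
	for _, c := range cases {
		skipped, note, err := checkHostname(c.cert, c.host, c.flag)
		fmt.Printf("%-24s skipped=%-5v err=%v %s\n", c.name, skipped, err, note)
	}
}
```

Run against a Go toolchain of 1.17 or newer the first case fails with the issue's exact message even though the CN matches, the second is skipped with the trailer, the third passes normally, and the fourth still fails because the flag never masks a genuine mismatch when SANs are present.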
@atc0005
Owner Author

atc0005 commented Mar 8, 2022

> One potential workaround is to conditionally disable hostname verification (if requested) when the SANs list is empty. Perhaps something like, --disable-hostname-verification-if-empty-sans. The flag name is overly verbose, but pretty clear what the expected behavior should be.

Going with this option. It's not ideal, but it will work for now.

atc0005 added a commit that referenced this issue Mar 8, 2022
- update README coverage
- add new (intentionally verbose) flag to disable hostname
  verification if a certificate's SANs list is empty
- update hostname verification handling to skip verification
  if the SANs list is empty AND the new flag is specified
- append "trailer" text noting use of the flag WHEN the
  SANs list is empty (skipped otherwise)

refs GH-276
@atc0005
Owner Author

atc0005 commented Mar 8, 2022

While lscert is technically affected, it doesn't "block" when encountering the error; it just notes that it occurred. I currently consider this to be a desirable outcome when evaluating the certs for a specified system.

What may not be desirable is how/when the error is emitted. Will rely on further use of the tool and potential user feedback before making changes to that tool related to this GH issue.

@atc0005
Owner Author

atc0005 commented Mar 8, 2022

Fixed per #277.

@atc0005 atc0005 closed this as completed Mar 8, 2022
atc0005 added a commit that referenced this issue Mar 8, 2022
Note that the flag is used to skip hostname verification
if the SANs list is found to be empty, not ignore errors
that occur. This text is a holdover from an earlier iteration
that I abandoned.

refs GH-276
@atc0005 atc0005 modified the milestones: v0.6.0, v0.8.0 Feb 26, 2023