Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

transport: accept connection if matched IP SAN but no DNS match

The IP SAN check would always do a DNS SAN check if DNS is given
and the connection's IP is verified. Instead, don't check DNS
entries if there's a matching iP.

Fixes #8206
Anthony Romano 8 years ago
parent
2e7615281e
commit
ab95eb0795
1 changed files with 5 additions and 1 deletions
Split View Show Diff Stats
  1. 5 1
      pkg/transport/listener_tls.go

+ 5 - 1
pkg/transport/listener_tls.go
View File 

@@ -197,7 +197,11 @@ func checkCertSAN(ctx context.Context, cert *x509.Certificate, remoteAddr string
 
 		return herr
 
 	}
 
 	if len(cert.IPAddresses) > 0 {
 
-		if cerr := cert.VerifyHostname(h); cerr != nil && len(cert.DNSNames) == 0 {
 
+		cerr := cert.VerifyHostname(h)
 
+		if cerr == nil {
 
+			return nil
 
+		}
 
+		if len(cert.DNSNames) == 0 {
 
 			return cerr
 
 		}
 
 	}