Hello gophers,
If you have written (or are planning on writing) a Gemini application in Go
that validates the server/client cert, you will have to change your code.
Part of validation is validating the hostname, and this has changed in
Go 1.15.
> The deprecated, legacy behavior of treating the CommonName field on X.509
> certificates as a host name when no Subject Alternative Names are present
> is now disabled by default. It can be temporarily re-enabled by adding the
> value x509ignoreCN=0 to the GODEBUG environment variable.
https://golang.org/doc/go1.15#commonname
Apparently using CN without a SAN is deprecated by RFC, at least for
the web. I did not know that! So using cert.VerifyHostname will no longer
work on the majority of Gemini certs that just specify a CN and nothing else.
The solution is to check the CN manually, and then use VerifyHostname if that
fails. If both fail, then the cert is not valid.
If I have an x509.Certificate with the name `cert`, and a hostname called
`hostname`, I can do this to check:
if cert.Subject.CommonName == hostname || cert.VerifyHostname(hostname) == nil {
// Do something
}
or of course:
if cert.Subject.CommonName != hostname && cert.VerifyHostname(hostname) != nil {
// Exit, return an error, etc
}
Hope this helps! I will be implementing this in go-gemini (and therefore
gemget and Amfora), but until then do not compile them with Go 1.15.
Cheers,
makeworld
![Atom Feed](data:image/svg+xml,<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
id="RSSicon"
viewBox="0 0 8 8" width="16" height="16">
<title>RSS feed icon</title>
<style type="text/css">
.button {stroke: none; fill: orange;}
.symbol {stroke: none; fill: white;}
</style>
<rect class="button" width="8" height="8" rx="1.5" />
<circle class="symbol" cx="2" cy="6" r="1" />
<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
</svg>)