stripe/veneur

Go tip no longer supports CN in certificates

yanske opened this issue · 1 comments

In Veneur's recent Go tip tests (tests run from the latest version of Go), our TCP tests have been failing, as Golang deprecated support for Common Name fields in certificates:

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

time="2020-07-10T15:46:05Z" level=info msg="TLS Handshake failed" error="remote error: tls: bad certificate" peer="127.0.0.1:45906"

In the future, if we choose to bump Veneur's Golang version, this would remove support for CN fields when accepting TLS connections (unless we choose to use the GODEBUG flag). However, as other devs have pointed out in this thread, the CN field is technically still an accepted backup option for certificates if the SAN field is not present.

Moving forward, we should decide whether to follow Golang's decision in deprecating the CN field (which would require us to update our testdata certificates), or continue to support the CN field (which our OSS users may still rely on).

cc @aditya-stripe

Fixed by #792!