From ab95eb0795c605eeb0afbc005587026aa583de1b Mon Sep 17 00:00:00 2001 From: Anthony Romano Date: Thu, 6 Jul 2017 16:11:53 -0700 Subject: [PATCH] transport: accept connection if matched IP SAN but no DNS match The IP SAN check would always do a DNS SAN check if DNS is given and the connection's IP is verified. Instead, don't check DNS entries if there's a matching iP. Fixes #8206
---
 pkg/transport/listener_tls.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/transport/listener_tls.go b/pkg/transport/listener_tls.go
index 85630aab67a..545e0c43db3 100644
--- a/pkg/transport/listener_tls.go
+++ b/pkg/transport/listener_tls.go
@@ -197,7 +197,11 @@ func checkCertSAN(ctx context.Context, cert *x509.Certificate, remoteAddr string
 return herr
 }
 if len(cert.IPAddresses) > 0 {
- if cerr := cert.VerifyHostname(h); cerr != nil && len(cert.DNSNames) == 0 {
+ cerr := cert.VerifyHostname(h)
+ if cerr == nil {
+ return nil
+ }
+ if len(cert.DNSNames) == 0 {
 return cerr
 }
 }
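Review bot: The added lines inside `if len(cert.IPAddresses) > 0` make an IP SAN match sufficient on its own, but nothing in the new code says so, and the reordering from an `if`-initializer to a free `cerr` reads like an accident rather than the point of the change; a one-line comment above `cerr := cert.VerifyHostname(h)` would fix that: `// A matching IP SAN is sufficient; the DNS SAN check is only a fallback when the cert also carries DNS names.` When `cerr != nil` and `cert.DNSNames` is non-empty, the IP mismatch reason in `cerr` is discarded and, presumably, the DNS SAN check that follows outside this hunk decides alone — worth confirming that its error still names the remote host so a rejected peer is diagnosable from the log. checkCertSAN begins and ends outside the hunk.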