From 40468ab11f720e87ab853d05f6362f6f02c93689 Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Thu, 6 Jul 2017 16:11:53 -0700
Subject: [PATCH] transport: accept connection if matched IP SAN but no DNS match The IP SAN check would always do a DNS SAN check if DNS is given and the connection's IP is verified. Instead, don't check DNS entries if there's a matching iP. Fixes #8206
---
 pkg/transport/listener_tls.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/transport/listener_tls.go b/pkg/transport/listener_tls.go
index ecc12454899..5d1a9cd44cb 100644
--- a/pkg/transport/listener_tls.go
+++ b/pkg/transport/listener_tls.go
@@ -142,7 +142,11 @@ func checkCert(ctx context.Context, cert *x509.Certificate, remoteAddr string) e
 return herr
 }
 if len(cert.IPAddresses) > 0 {
- if cerr := cert.VerifyHostname(h); cerr != nil && len(cert.DNSNames) == 0 {
+ cerr := cert.VerifyHostname(h)
+ if cerr == nil {
+ return nil
+ }
+ if len(cert.DNSNames) == 0 {
 return cerr
 }
 }
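Review bot: The early `return nil` after `cert.VerifyHostname(h)` makes an IP-SAN match sufficient on its own and skips the DNS-SAN path entirely, which is the intended fix but is not stated anywhere in the code, so a later "simplification" could fold it back into the old combined condition; a comment such as `// A matching IP SAN is sufficient on its own; only fall back to the DNS SAN check when the peer IP matches none of them.` above the new `cerr :=` line would pin the precedence. The diffstat shows no test change, yet the regression case from #8206 (a certificate carrying both IP and DNS SANs, verified from the matching IP) is easy to construct in a unit test and would guard this ordering. checkCert begins and continues outside the hunk, so the fall-through when cerr is non-nil and DNSNames is non-empty is handled below the visible lines and cannot be reviewed here.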