in transport/tlscommon/tls_config.go [354:397]
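// verifyHostname checks that cert was issued for hostname, accepting the
// legacy Subject Common Name (CN) as a fallback identity when the
// certificate carries no Subject Alternative Name (SAN) of the matching
// kind. It stands in for (*x509.Certificate).VerifyHostname, which no
// longer honours the CN in current Go releases.
//
// An empty hostname disables the check and returns nil; callers that want
// verification must pass the name they connected to.
//
// hostname may be a DNS name or an IP address, optionally written in
// square brackets ("[::1]"). IP reference identifiers are compared only
// against IP identifiers (IP SANs, or a CN that parses as an IP when the
// certificate has no IP SANs); DNS names are compared only against DNS
// SANs, or the CN when there are no DNS SANs. An IP hostname never matches
// a DNS SAN and vice versa (RFC 6125 §6.4.4, Appendix B.2).
//
// It returns nil on a match, an x509.HostnameError when no presented
// identifier matches, and a plain error when the first DNS identifier
// that matches is not a well-formed hostname pattern.
func verifyHostname(cert *x509.Certificate, hostname string) error {
	if hostname == "" {
		return nil
	}

	// Strip the optional IPv6-style brackets before trying to parse the
	// reference identifier as an IP address.
	candidateIP := hostname
	if len(candidateIP) >= 3 && candidateIP[0] == '[' && candidateIP[len(candidateIP)-1] == ']' {
		candidateIP = candidateIP[1 : len(candidateIP)-1]
	}
	if ip := net.ParseIP(candidateIP); ip != nil {
		for _, sanIP := range cert.IPAddresses {
			if ip.Equal(sanIP) {
				return nil
			}
		}
		// Legacy fallback: a CN holding an IP literal is consulted only when
		// the certificate presents no IP SANs at all. Consulting it alongside
		// IP SANs would let the CN widen the set of addresses a SAN-bearing
		// certificate is valid for, and would be inconsistent with the DNS
		// branch below, which already gates the CN on "no DNS SANs".
		if len(cert.IPAddresses) == 0 {
			if cnIP := net.ParseIP(cert.Subject.CommonName); cnIP != nil && ip.Equal(cnIP) {
				return nil
			}
		}
		return x509.HostnameError{Certificate: cert, Host: hostname}
	}

	// DNS reference identifier: use the DNS SANs, falling back to the CN
	// only when the certificate has none (a single empty entry counts as
	// none).
	names := cert.DNSNames
	noDNSSANs := len(names) == 0 || (len(names) == 1 && names[0] == "")
	if noDNSSANs && cert.Subject.CommonName != "" {
		names = []string{cert.Subject.CommonName}
	}

	// NOTE(review): hostname is handed to matchHostnames as given; whether
	// the comparison is case-insensitive or tolerates a trailing dot depends
	// on that helper — confirm against its definition.
	for _, name := range names {
		if !matchHostnames(name, hostname) {
			continue
		}
		// A match against an identifier that validHostname rejects is an
		// error rather than a skip, so a malformed pattern can never be used
		// to validate a peer by accident.
		if !validHostname(name, true) {
			return fmt.Errorf("invalid hostname in cert")
		}
		return nil
	}
	return x509.HostnameError{Certificate: cert, Host: hostname}
}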