Why Does My Go TLS Dial Fail with \'x509: certificate relies on legacy Common Name field\'?

Go TLS Dial: Failed to Connect with X509 Certificate Relying on Legacy Common Name Field

This issue arises when attempting to connect to a server using TLS in Golang, and the server's certificate relies on the legacy Common Name (CN) field for identification. The standard Golang library checks for Subject Alternative Names (SANs) instead.

Cause:

By default, the Golang runtime verifies that server certificates present SANs, as per best security practices. If a certificate lacks SANs and instead relies on the CN field for identification, the Go runtime rejects the connection, displaying the error message:

failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Resolution:

To resolve this issue, you have two options:

1. Modify the Server Certificate to Use SANs:

Regenerate the server certificate to include SANs corresponding to the hostname or IP address that the client will use to connect. This involves using certificate authorities (CAs) and OpenSSL commands to create a certificate with appropriate SANs.

2. Disable CN Matching Temporarily:

You can temporarily disable the Go runtime's check for SANs by setting the GODEBUG environment variable like so:

GODEBUG=x509ignoreCN=0 go run your_program.go

Note: Disabling CN matching is not a recommended solution, as it reduces the security of your TLS connection by allowing certificates with CNs but no SANs to be accepted.

The above is the detailed content of Why Does My Go TLS Dial Fail with \'x509: certificate relies on legacy Common Name field\'?. For more information, please follow other related articles on the PHP Chinese website!