Merge pull request #8223 from heyitsanthony/ip-san-exit

transport: accept connection if matched IP SAN but no DNS match
2024-09-27 06:25:44 +00:00 · 2017-07-06 22:46:09 -07:00 · 2017-07-06 22:46:09 -07:00 · 67fa8b823f
commit 67fa8b823f
parent e6f4563ea1 ab95eb0795
1 changed files with 5 additions and 1 deletions
--- a/pkg/transport/listener_tls.go
+++ b/pkg/transport/listener_tls.go
@ -197,7 +197,11 @@ func checkCertSAN(ctx context.Context, cert *x509.Certificate, remoteAddr string
 		return herr
 	}
 	if len(cert.IPAddresses) > 0 {
-		if cerr := cert.VerifyHostname(h); cerr != nil && len(cert.DNSNames) == 0 {
+		cerr := cert.VerifyHostname(h)
+		if cerr == nil {
+			return nil
+		}
+		if len(cert.DNSNames) == 0 {
 			return cerr
 		}
 	}