Merge pull request #22 from ibuildthecloud/master

Always allow configured SANs regardless of the FilterCN
2025-07-31 21:55:36 +00:00 · 2020-04-17 19:33:42 -07:00 · 2020-04-17 19:33:42 -07:00 · 52ede5ec92
commit 52ede5ec92
parent 4436fc6b48 5c222d5753
1 changed files with 31 additions and 1 deletions
--- a/listener.go
+++ b/listener.go
@ -49,7 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 			CAKey:        caKey,
 			CN:           config.CN,
 			Organization: config.Organization,
-			FilterCN:     config.FilterCN,
+			FilterCN:     allowDefaultSANs(config.SANs, config.FilterCN),
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@ -81,6 +81,35 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	return tlsListener, dynamicListener.cacheHandler(), nil
 }

+func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
+	if next == nil {
+		return nil
+	} else if len(sans) == 0 {
+		return next
+	}
+
+	sanMap := map[string]bool{}
+	for _, san := range sans {
+		sanMap[san] = true
+	}
+
+	return func(s ...string) []string {
+		var (
+			good    []string
+			unknown []string
+		)
+		for _, s := range s {
+			if sanMap[s] {
+				good = append(good, s)
+			} else {
+				unknown = append(unknown, s)
+			}
+		}
+
+		return append(good, next(unknown...)...)
+	}
+}
+
 type cancelClose struct {
 	cancel func()
 	net.Listener
@ -338,6 +367,7 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
 	}

 	l.cert = &cert
+	l.version = secret.ResourceVersion
 	return l.cert, nil
 }