Always allow configured SANs regardless of the FilterCN

2025-06-24 13:51:34 +00:00 · 2020-04-17 19:29:23 -07:00 · 2020-04-17 19:29:23 -07:00 · 74a61a850d
commit 74a61a850d
parent 4436fc6b48
1 changed files with 30 additions and 1 deletions
--- a/listener.go
+++ b/listener.go
@ -49,7 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 			CAKey:        caKey,
 			CN:           config.CN,
 			Organization: config.Organization,
-			FilterCN:     config.FilterCN,
+			FilterCN:     allowDefaultSANs(config.SANs, config.FilterCN),
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@ -81,6 +81,35 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	return tlsListener, dynamicListener.cacheHandler(), nil
 }

+func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
+	if next == nil {
+		return nil
+	} else if len(sans) == 0 {
+		return next
+	}
+
+	sanMap := map[string]bool{}
+	for _, san := range sans {
+		sanMap[san] = true
+	}
+
+	return func(s ...string) []string {
+		var (
+			good    []string
+			unknown []string
+		)
+		for _, s := range s {
+			if sanMap[s] {
+				good = append(good, s)
+			} else {
+				unknown = append(unknown, s)
+			}
+		}
+
+		return append(good, next(unknown...)...)
+	}
+}
+
 type cancelClose struct {
 	cancel func()
 	net.Listener