From 74a61a850d30558ef5c5df317ec5164312c5450c Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 17 Apr 2020 19:29:23 -0700
Subject: [PATCH] Always allow configured SANs regardless of the FilterCN

---
 listener.go | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/listener.go b/listener.go
index 389a4b6..dfd6270 100644
--- a/listener.go
+++ b/listener.go
@@ -49,7 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 CAKey: caKey,
 CN: config.CN,
 Organization: config.Organization,
- FilterCN: config.FilterCN,
+ FilterCN: allowDefaultSANs(config.SANs, config.FilterCN),
 },
 Listener: l,
 storage: &nonNil{storage: storage},
@@ -81,6 +81,35 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 return tlsListener, dynamicListener.cacheHandler(), nil
 }
 
+func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
+ if next == nil {
+ return nil
+ } else if len(sans) == 0 {
+ return next
+ }
+
+ sanMap := map[string]bool{}
+ for _, san := range sans {
+ sanMap[san] = true
+ }
+
+ return func(s ...string) []string {
+ var (
+ good []string
+ unknown []string
+ )
+ for _, s := range s {
+ if sanMap[s] {
+ good = append(good, s)
+ } else {
+ unknown = append(unknown, s)
+ }
+ }
+
+ return append(good, next(unknown...)...)
+ }
+}
+
 type cancelClose struct {
 cancel func()
 net.Listener
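Review bot: In the closure returned by allowDefaultSANs, `for _, s := range s` shadows the variadic parameter `s` with the loop variable; it is legal Go but easy to misread in a function whose whole job is deciding which names bypass FilterCN, and `for _, name := range s { if sanMap[name] {` keeps the two apart. The allow-list check is an exact, case-sensitive string match, so a requested name differing from a configured SAN only in letter case or a trailing dot is handed to `next` rather than accepted; if that is deliberate it deserves a word, since DNS names compare case-insensitively. The new function also has no doc comment; I would add above it `// allowDefaultSANs wraps the FilterCN hook so that names listed in sans are always kept and only names outside that list are passed to next.` and note that a nil next is returned as nil, so the configured SAN list does not narrow an otherwise unfiltered listener — what nil FilterCN means is decided by the caller, which is outside this hunk.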