Go 1.15 requires changes to TLS code for Gemini!

colecmac@protonmail.com <colecmac (a) protonmail.com>

Hello gophers,


If you have written (or are planning on writing) a Gemini application in Go
that validates the server/client cert, you will have to change your code.
Part of validation is validating the hostname, and this has changed in
Go 1.15.

> The deprecated, legacy behavior of treating the CommonName field on X.509
> certificates as a host name when no Subject Alternative Names are present
> is now disabled by default. It can be temporarily re-enabled by adding the
> value x509ignoreCN=0 to the GODEBUG environment variable.

https://golang.org/doc/go1.15#commonname

Apparently using CN without a SAN is deprecated by RFC, at least for
the web. I did not know that! So using cert.VerifyHostname will no longer
work on the majority of Gemini certs that just specify a CN and nothing else.

The solution is to check the CN manually, and then use VerifyHostname if that
fails. If both fail, then the cert is not valid.

If I have an x509.Certificate with the name `cert`, and a hostname called
`hostname`, I can do this to check:

if cert.Subject.CommonName == hostname || cert.VerifyHostname(hostname) == nil {
    // Do something
}


or of course:


if cert.Subject.CommonName != hostname && cert.VerifyHostname(hostname) != nil {
    // Exit, return an error, etc
}


Hope this helps! I will be implementing this in go-gemini (and therefore
gemget and Amfora), but until then do not compile them with Go 1.15.


Cheers,
makeworld

Link to individual message.

---

Previous Thread: Lovell - a Gemini server written for Node.js

Next Thread: [ANN] Fafi, a Racket-based client