Use default certificate if no certificates match #126
Merged
The default Go TLS implementation always returns the first certificate (that's the "default" or "fallback" certificate) if none of the certificates match (source). Although that may be an issue for the client, the TLS handshake can continue. If no certificate is returned at all, the TLS handshake is aborted and the client gets a TLS failure.

MinIO always returns the default certificate if there is only one certificate (source) or when no server-name is set. If multiple certificates are added and none of them matches then `nil` is returned. Although the function returns an error, this error isn't visible in the console and/or `mc admin trace`.

This PR changes the behavior, so it always returns the default certificate when none of the certificates match (just like the default Go TLS implementation). Although this may be considered less secure (it provides the server's FQDN when hitting the server with an arbitrary server name), this information is already provided when the attacker hits the server without SNI.
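The SNI lookup with fallback to the default certificate that the description refers to, as an added Go example (not MinIO's own code and not the code of this PR): it builds two constructed self-signed certificates in memory, indexes them by DNS name, and presents the first certificate whenever the client sends no SNI or a name that matches nothing, so the handshake proceeds instead of failing on a `nil` certificate. The `CertStore` type, the `selfSigned` and `ServedName` helpers, the wildcard handling and the hostnames are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertStore (example type, not MinIO's) maps DNS names to certificates and keeps the first one as default.
type CertStore struct {
	defaultCert *tls.Certificate
	byName      map[string]*tls.Certificate
}

// NewCertStore parses every leaf and indexes its DNS names (lower-cased).
func NewCertStore(certs ...tls.Certificate) (*CertStore, error) {
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates provided")
	}
	s := &CertStore{byName: make(map[string]*tls.Certificate)}
	for i := range certs {
		c := &certs[i]
		leaf, err := x509.ParseCertificate(c.Certificate[0])
		if err != nil {
			return nil, err
		}
		c.Leaf = leaf
		for _, name := range leaf.DNSNames {
			s.byName[strings.ToLower(name)] = c
		}
	}
	s.defaultCert = &certs[0]
	return s, nil
}

// GetCertificate is a tls.Config.GetCertificate callback: exact SNI match, then a
// single-label wildcard, otherwise the default certificate (never nil, so the handshake continues).
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if name != "" {
		if c, ok := s.byName[name]; ok {
			return c, nil
		}
		if i := strings.IndexByte(name, '.'); i > 0 {
			if c, ok := s.byName["*"+name[i:]]; ok {
				return c, nil
			}
		}
	}
	return s.defaultCert, nil
}

// selfSigned builds a throwaway in-memory self-signed certificate (constructed test material only).
func selfSigned(dnsNames ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServedName reports the first DNS name of the certificate presented for an SNI value.
func ServedName(s *CertStore, serverName string) string {
	c, err := s.GetCertificate(&tls.ClientHelloInfo{ServerName: serverName})
	if err != nil || c == nil {
		return ""
	}
	return c.Leaf.DNSNames[0]
}

func main() {
	a, _ := selfSigned("a.example.com")
	b, _ := selfSigned("b.example.com", "*.b.example.com")
	store, err := NewCertStore(a, b)
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"", "a.example.com", "x.b.example.com", "unknown.example.org"} {
		fmt.Printf("SNI %q -> served %s\n", sni, ServedName(store, sni))
	}
}
```

Wire the store into a server with `tls.Config{GetCertificate: store.GetCertificate}`. The trade-off the description names is visible here: an unmatched or absent SNI still yields the default certificate, and with it the names that certificate carries, which is the same information a client without SNI already receives.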