From b3ba709b3d5c94942f572a3b08d86b2369f8ecb8 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Thu, 21 Jun 2018 12:40:56 -0400
Subject: [PATCH] Remove x509 name constraints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
---
 agent/connect/ca/provider_consul.go | 4 +---
 agent/connect/testing_ca.go | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go
index 99bc3158a..3d2f4ceeb 100644
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@@ -352,9 +352,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 SerialNumber: serialNum,
 Subject: pkix.Name{CommonName: name},
 URIs: []*url.URL{id.URI()},
- PermittedDNSDomainsCritical: true,
- PermittedDNSDomains: []string{id.URI().Hostname()},
- BasicConstraintsValid: true,
+ BasicConstraintsValid: true,
 KeyUsage: x509.KeyUsageCertSign |
 x509.KeyUsageCRLSign |
 x509.KeyUsageDigitalSignature,
diff --git a/agent/connect/testing_ca.go b/agent/connect/testing_ca.go
index cc015af81..67babf866 100644
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
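Review bot: With `PermittedDNSDomains` gone, the template around the new `BasicConstraintsValid: true,` line leaves the root with no x509 name constraint on what it may certify, so the only thing binding a leaf to this trust domain is whatever check the verifier performs on the URI SAN — that trade-off is explained only in the commit message and should live at the template too. A comment above that line such as `// No name constraints: OpenSSL 1.1.0h rejected chains whose CA carried a critical PermittedDNSDomains extension; leaf identity is enforced only by the verifier's URI SAN / trust-domain check, not by this cert.` stops the next maintainer from re-adding the DNS constraint blindly or assuming the CA is self-limiting. Note also that the removed constraint applied only to DNS SANs; since these certificates identify themselves by URI SAN, Go's verifier would have matched a leaf's URI against `PermittedURIDomains`, not `PermittedDNSDomains`, so the constraint worth revisiting once compatibility testing allows is presumably a URI constraint on the trust domain. generateCA's body begins before and ends after this hunk.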
@@ -56,9 +56,7 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 SerialNumber: sn,
 Subject: pkix.Name{CommonName: result.Name},
 URIs: []*url.URL{id.URI()},
- PermittedDNSDomainsCritical: true,
- PermittedDNSDomains: []string{id.URI().Hostname()},
- BasicConstraintsValid: true,
+ BasicConstraintsValid: true,
 KeyUsage: x509.KeyUsageCertSign |
 x509.KeyUsageCRLSign |
 x509.KeyUsageDigitalSignature,
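Review bot: The visible fields of this test-CA template appear to mirror `ConsulProvider.generateCA` one for one, yet nothing records that coupling, so the fixture can drift from what the provider actually issues — this change itself had to be applied in both places by hand. A comment at the top of the template, e.g. `// Keep in sync with ConsulProvider.generateCA: tests should exercise the same CA extensions the provider issues.`, or a shared template helper both call, would make the dependency explicit and keep future constraint work (and its compatibility testing) from being validated against a fixture that no longer matches production. TestCA's body starts before and ends after this hunk.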