Remove x509 name constraints

These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-21 12:40:56 -04:00 · 2018-06-21 12:40:56 -04:00 · b3ba709b3d
parent 8b27c3268a
commit b3ba709b3d
2 changed files with 2 additions and 6 deletions
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@ -352,8 +352,6 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 		SerialNumber: serialNum,
 		Subject:      pkix.Name{CommonName: name},
 		URIs:         []*url.URL{id.URI()},
-		PermittedDNSDomainsCritical: true,
-		PermittedDNSDomains:         []string{id.URI().Hostname()},
 		BasicConstraintsValid: true,
 		KeyUsage: x509.KeyUsageCertSign |
 			x509.KeyUsageCRLSign |
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
@ -56,8 +56,6 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 		SerialNumber: sn,
 		Subject:      pkix.Name{CommonName: result.Name},
 		URIs:         []*url.URL{id.URI()},
-		PermittedDNSDomainsCritical: true,
-		PermittedDNSDomains:         []string{id.URI().Hostname()},
 		BasicConstraintsValid: true,
 		KeyUsage: x509.KeyUsageCertSign |
 			x509.KeyUsageCRLSign |