by ericbarrett 956 days ago
I disagree that TLS is a good example of a breaking change, since this is a specific library dealing with a developing and dynamic area of security. If this weren’t changed, it would compromise PKI cert integrity by allowing obsolete fields. Also you can get the old behavior back with a flag. The fact that other languages are lagging here reflects badly on them.

As discussed in the link, CommonName has been deprecated in X.509 serverAuth certificates for decades, and all major browsers dropped support for the field (even as a fallback) years ago.

1 comments

You can’t get the old behavior back with a flag as of 1.17 and if you could I wouldn’t be complaining.

Also, the reason CN is deprecated has nothing to do with security but the maximum length of the field in the spec. Chrome ignores it but every cert I’ve seen recently still includes it for legacy compatibility.

It’s not a huge dealbreaker but it forced me to go make 3rd parties regenerate their certs before I could upgrade my version of Go.