From c4c43a90407be2d8937b8af9931f7ad1b1112aff Mon Sep 17 00:00:00 2001
From: Tom Dohrmann
Date: Mon, 4 Nov 2024 13:44:35 +0100
Subject: [PATCH] e2e/openssl: set hostname explicitly

As of Go 1.23, crypto/x509 no longer allows bare wildcard SANs [^1]. We don't connect directly to the pod, we connect to the local end of a port-forwarding, so the hostname expected by crypto/x509 is localhost. localhost is not one of the SAN values in the certificate. Instead, override the expected ServerName to match the one in the certificate.
[^1]: https://github.com/golang/go/commit/375031d8dcec9ae74d2dbc437b201107dba3bb5f
---
 e2e/openssl/openssl_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
index a69728b010..88bd3b6116 100644
--- a/e2e/openssl/openssl_test.go
+++ b/e2e/openssl/openssl_test.go
@@ -102,7 +102,7 @@ func TestOpenSSL(t *testing.T) {
 require.NoError(ct.Kubeclient.WaitFor(ctx, kubeclient.Ready, kubeclient.Pod{}, ct.Namespace, "port-forwarder-openssl-frontend"))
 require.NoError(ct.Kubeclient.WithForwardedPort(ctx, ct.Namespace, "port-forwarder-openssl-frontend", "443", func(addr string) error {
- dialer := &tls.Dialer{Config: &tls.Config{RootCAs: pool}}
+ dialer := &tls.Dialer{Config: &tls.Config{RootCAs: pool, ServerName: opensslFrontend}}
 conn, err := dialer.DialContext(ctx, "tcp", addr)
 if err == nil {
 conn.Close()