Details
Technical task
Resolution: Fixed
Major
Server 5.5/Vulcan
None
DOC-S17-Jun01, DOC-S18-Jun19, DOC-S20-Jul13[RC]
1
Description
With certificate authentication, during testing we found that the Go platform is OOTB more pedantic about matching the SAN in the client certificate than Java and .NET were. This led to initial tests appearing to be failures, but it was rather just that the process for generating the certificate did not include the necessary details to be compatible with the Go platform. This should be documented.
Details are discussed in GOCBC-287
To make sure this is clear, I'd recommend:
1) Adding information on cert creation being clear that if the cert does not directly match the host, the SAN should supply names
2) Add to the documentation that defaults on Java, .NET, OpenSSL-based implementations are by default lax on verification of hostnames
3) Add to the documentation that gocb may fail to authenticate if it can't verify the hostname is valid for the cert.