Although https://github.com/letsencrypt/boulder/pull/8231 fixed csr.CNFromCSR to ignore Common Names that are valid IPs, that didn't fully solve our issue: identifier.FromCSR still extracts the CN and assumes that it is a dnsName, leading to a mismatch between the CSR's identifiers and the Order's identifiers. Instead, let's outright reject all CSRs which carry an IP in their Subject Common Name. Although this doesn't have the elegance of rejecting such CNs on a profile-by-profile basis, it matches our ongoing effort to do away with CNs entirely.
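The check the commit message describes, as an added example that is not Boulder's code: `naiveIdentifiers` is a simplified stand-in for an extractor that assumes the CN is a dnsName, and `rejectIPCommonName`, `errIPInCN` and `sampleCSR` are hypothetical names. The CSR is constructed in memory with documentation addresses.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net"
	"net/netip"
)

// errIPInCN is a hypothetical error for this example, not a Boulder identifier.
var errIPInCN = errors.New("CSR Subject Common Name is an IP address")

// rejectIPCommonName refuses any CSR whose Subject CN parses as an IPv4 or IPv6 address.
func rejectIPCommonName(csr *x509.CertificateRequest) error {
	if _, err := netip.ParseAddr(csr.Subject.CommonName); err == nil {
		return errIPInCN
	}
	return nil
}

// naiveIdentifiers shows the mismatch: the CN is assumed to be a dnsName.
func naiveIdentifiers(csr *x509.CertificateRequest) []string {
	var ids []string
	if cn := csr.Subject.CommonName; cn != "" {
		ids = append(ids, "dns:"+cn)
	}
	for _, name := range csr.DNSNames {
		ids = append(ids, "dns:"+name)
	}
	for _, ip := range csr.IPAddresses {
		ids = append(ids, "ip:"+ip.String())
	}
	return ids
}

// sampleCSR builds a constructed, already-parsed CSR (documentation addresses).
func sampleCSR(cn string, ips ...string) *x509.CertificateRequest {
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	for _, ip := range ips {
		csr.IPAddresses = append(csr.IPAddresses, net.ParseIP(ip))
	}
	return csr
}

func main() {
	csr := sampleCSR("192.0.2.7", "192.0.2.7")
	fmt.Println(naiveIdentifiers(csr), rejectIPCommonName(csr))
}
```

An Order for this CSR would carry only the IP identifier, so the extra `dns:` entry is the mismatch; rejecting the CSR up front avoids ever deriving it.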