Further secure TLS communications

[saroshali-dbx]

Closes #96

[saroshali-dbx]

gentle ping @roidelapluie @SuperQ :)

For context, here's the issue created for the downstream dependency - weaveworks/common#242

[SuperQ]

I thought most certificate validation has moved to verifying SANs, not CNs.

[saroshali-dbx]

I thought most certificate validation has moved to verifying SANs, not CNs.

Yeah, thats the intention with SANs to be able to get around the limitation of only being able to specify a single server-name in CN. I ported this functionality from etcd -- and my organization still utilizes common-name -- but I can update this PR to check SANs first and then fallback to CNs. How does that sound?

[roidelapluie]

Actually that's a good point @SuperQ , even go uses SAN's and has removed support for CN. I think we should follow go and use SANs

[SuperQ]

Common Name is deprecated for validation. This needs to use SANs.

From RFC 2818, May 2000:

Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Chrome-based browsers dropped CN-only in 2017.

[bboreham]

@saroshali-dbx are you likely to return to this, or shall we close it?

[logopk]

Just a question: isn't SAN or any other DNS unusual for client certs? I usually create them with

C = DE, ST = xxx, L = xx, O = xxx, OU = xxx, CN=me@myself.de

Thus given the 3.2
SHOULD check the identity as described above

leads me to
Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used