Comment by davewritescode
3 years ago
Golang has burned me more than once with bizarre design decisions that break things in a user hostile way.
The last one we ran into was a change in Go 1.15 where servers that presented a TLS certificate with the hostname encoded into the CN field instead of the more appropriate SAN field always fail validation.
The behavior could be disabled; however, that functionality was removed in 1.18 with no way to opt back into the old behavior. I understand why SAN is the right way to do it, but in this case I didn’t control the server.
Developers at Google probably never have to deal with 3rd parties with shitty infrastructure but a lot of us do.
Here’s a bug in rke that’s related: https://github.com/rancher/rke2/issues/775
The x509 package has unfortunately burned me several times, this one included. It is so anal about non-fatal errors that Google themselves forked it (and asn1) to improve usability.
https://github.com/google/certificate-transparency-go
Sorry for the late response, but thank you so much for showing me this.