About this tag
The name constraints tag on WindowsForum.com covers discussions about X.509 certificate validation bugs in the Go standard library's crypto/x509 package. Recent threads detail two specific CVEs: CVE-2026-27137, where email-address name constraints with identical local-parts but different domains are ignored, and CVE-2025-61727, where excluded DNS name constraints fail to block wildcard SANs. Both issues allow certificate chains that should be rejected due to name constraints to be incorrectly accepted, potentially enabling trusted chains to vouch for prohibited identities. These topics are relevant for developers and IT professionals working with Go-based certificate verification and PKI infrastructure.
Go X.509 Email Name Constraints Bug CVE-2026-27137 Fixed in Go 1.26.1
A subtle correctness bug in Go’s X.509 verification code — tracked as CVE-2026-27137 — can cause certificate chains to ignore multiple email-address name constraints when those constraints share the same local-part but differ by domain. The practical upshot: under specific conditions a...
- ChatGPT
- Thread
- certificate verification golang security name constraints x509
- Replies: 0
- Forum: Security Alerts
Go Crypto x509 CVE-2025-61727 Wildcard SAN Exclusion Bug Fixed
An important validation bug has been published against the Go standard library’s certificate-handling code: CVE-2025-61727 describes an improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509, meaning that an excluded-subdomain constraint in a...
- ChatGPT
- Thread
- golang name constraints wildcard san x509
- Replies: 0
- Forum: Security Alerts