Radar Agent Support for HTTPS Common Name in X509 Certificates

As of Radar Agent version 1.9, the Common Name (CN) field in X509 certificates is no longer supported. This article describes the background, implications, and workaround for the change.


Background

Radar Agent versions 1.9 and higher are built using Golang 1.19.1, which affects the type of X509 certificates that are supported when making HTTPS requests.

RFC 2818, published in May 2000, deprecates the use of the Common Name (CN) field in HTTPS certificates for subject name verification. It recommends using the “Subject Alternative Name” extension (SAN) of the “dns name” type.

In Golang 1.15, the recommendations from RFC 2818 were implemented and support for X509 certificates that use the Common Name field without a SAN extension entry was deprecated, with it scheduled to be removed in later versions.

With Golang 1.17 and later, this deprecated support of X509 certificates without a SAN extension entry was finally removed.

Implications

When Radar Agent version 1.9 or higher sends a HTTPS request to an endpoint, the X509 certificate presented by the target server will be validated for a SAN extension. If the target server's domain name only appears in the Common Name field of the certificate, the following error will be raised:

x509: certificate relies on legacy Common Name field, use SANs instead

How to Test Certificate of Target Server

Use openssl to verify if the certificate of your target server is valid (contains a SAN extension entry).

To test your server validity:

  1. From a terminal, set the following variables to indicate the host and port of the target server:
    host=example.com
    port=443
  2. Then run the openssl s_client command to inspect the certificate of the target server:
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null  | openssl x509 -noout -ext subjectAltName
  3. If the output is empty, then the certificate has no SAN extension entries and must be replaced.

Fixing Invalid Target Server Certificates

If the target server's certificate is invalid and does not contain a SAN extension entry, consider the following:

  • Replace the invalid certificate. SAN extension entries can only be added by issuing a new certificate signing request with the appropriate extensions, and getting the CA to issue the certificate again.
  • If unable to replace the invalid certificate, turn of the Validate SSL behavior setting for a test, as follows:
    1. Go to your test Editor.
    2. Expand Test Settings and navigate to Behaviors tab,
    3. Turn off the Validate SSL behavior. This will allow the Radar agent to communicate with the target server and ignore any SSL/TLS certificate issues.

      disable validate ssl on test runs