diff --git a/observer/probers/tls/tls.go b/observer/probers/tls/tls.go index 7b3885a0530..2b311cd3ca6 100644 --- a/observer/probers/tls/tls.go +++ b/observer/probers/tls/tls.go @@ -4,6 +4,7 @@ import ( "context" "crypto/tls" "crypto/x509" + "crypto/x509/pkix" "encoding/base64" "errors" "fmt" @@ -139,8 +140,12 @@ func checkCRL(ctx context.Context, cert, issuer *x509.Certificate, want int) (bo // Return an error if the root settings are nonempty and do not match the // expected root. -func (p TLSProbe) checkRoot(rootOrg, rootCN string) error { - if (p.rootCN == "" && p.rootOrg == "") || (rootOrg == p.rootOrg && rootCN == p.rootCN) { +func (p TLSProbe) checkRoot(root pkix.Name) error { + var rootOrg string + if len(root.Organization) > 0 { + rootOrg = root.Organization[0] + } + if (p.rootCN == "" && p.rootOrg == "") || (rootOrg == p.rootOrg && root.CommonName == p.rootCN) { return nil } return fmt.Errorf("Expected root does not match.") @@ -205,7 +210,7 @@ func (p TLSProbe) probeExpired(ctx context.Context) error { } root := peers[len(peers)-1].Issuer - err = p.checkRoot(root.Organization[0], root.CommonName) + err = p.checkRoot(root) if err != nil { p.exportMetrics(peers[0], rootDidNotMatch) return err @@ -257,7 +262,7 @@ func (p TLSProbe) probeUnexpired(ctx context.Context) error { // tls.Dialer.DialContext is documented to always return *tls.Conn peers := conn.(*tls.Conn).ConnectionState().PeerCertificates root := peers[len(peers)-1].Issuer - err = p.checkRoot(root.Organization[0], root.CommonName) + err = p.checkRoot(root) if err != nil { p.exportMetrics(peers[0], rootDidNotMatch) return err