Add support to match domainComponent (DC) in RDNSequence with TLS Auth

Currently when using TLS based authentication, any domain components that could be present in the cert will be omitted since Go's ToRDNSequence is not including them: 202c43b2ad/src/crypto/x509/pkix/pkix.go (L226-L245) This commit adds support to include the domain components in case present, also roughly following the order suggested at: https://tools.ietf.org/html/rfc2253 Signed-off-by: Waldemar Quevedo <wally@synadia.com>
2026-04-02 03:38:42 -07:00 · 2020-05-09 15:23:03 -07:00
parent 80b4857cd7
commit 9a2d095885
12 changed files with 412 additions and 0 deletions
--- a/server/auth.go
+++ b/server/auth.go
@@ -15,6 +15,8 @@ package server

 import (
 	"crypto/tls"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/base64"
 	"fmt"
 	"net"
@@ -527,6 +529,26 @@ func (s *Server) processClientOrLeafAuthentication(c *client) bool {
 	return false
 }

+func getTLSAuthDCs(rdns *pkix.RDNSequence) string {
+	dcOID := asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
+	dcs := []string{}
+	for _, rdn := range *rdns {
+		if len(rdn) == 0 {
+			continue
+		}
+		for _, atv := range rdn {
+			value, ok := atv.Value.(string)
+			if !ok {
+				continue
+			}
+			if atv.Type.Equal(dcOID) {
+				dcs = append(dcs, "DC="+value)
+			}
+		}
+	}
+	return strings.Join(dcs, ",")
+}
+
 func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 	tlsState := c.GetTLSConnectionState()
 	if tlsState == nil {
@@ -568,6 +590,22 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 		}
 	}

+	// Try to get the full RDN Sequence that includes the domain components.
+	var rdns pkix.RDNSequence
+	if _, err := asn1.Unmarshal(cert.RawSubject, &rdns); err == nil {
+		// If found domain components then include roughly following
+		// the order from https://tools.ietf.org/html/rfc2253
+		rdn := cert.Subject.ToRDNSequence().String()
+		dcs := getTLSAuthDCs(&rdns)
+		if len(dcs) > 0 {
+			u := strings.Join([]string{rdn, dcs}, ",")
+			if fn(u) {
+				c.Debugf("Using RDNSequence for auth [%q]", u)
+				return true
+			}
+		}
+	}
+
 	// Use the subject of the certificate.
 	u := cert.Subject.String()
 	c.Debugf("Using certificate subject for auth [%q]", u)
--- a/test/configs/certs/rdns/ca.key
+++ b/test/configs/certs/rdns/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAwIYeRgshZUbWnsnVFYqJvMlRwmYKpHGq1cxG2HIKJZMMJO4c
+Tipguyt0bPJMQiGzsPUpzUIi3m1tNlQnQhmpBo4C1NSSRhx8My4z1796OkzerCMV
+MKEP8weC9Vhz2mUMBQbrRvAcNJhoPksWJ2kSGxdUdKIqoFGDMu40ir5zxHyCA410
+vG7IIJlaDKpwuXl1IFjEaI5DWnDUAvSxciG86yZVaekRYEJNSPSPL1Er5ee40ukP
+C66JCYas9a+4Lk5rQhlYSoUsimPebagKP99T+oNVyQSSQ0rqaNNV+7i0uEx9KH+7
+OC8B8+fUlE891hjnAJ20P0wJnMC/pFzzsvI8rQIDAQABAoIBAQCrKJFRhCO0fj3f
+/V/LPtclV3WwdjeP6t4OJQX296u9q/Vn/6h6dYJ55DAli2PwhzXRZKQ9L0cAqBgn
+7LjaMyXqBebOgA1q93gTqEe+zyRDIIP2VVpJWWdskIkExhZ5WsxMy9HvxxfMSpKi
+ju6rKuZF33/eES4ESXNynANqNdeGHf5ZWI2BI8ekPLbS6EE+PcJPq2vK8gkhFFyb
+ie9qqgU9DthSwJhqT7dilTllLz6gOj3dtYODaji4yLNkalRWe6JGO1v/ZxqWgpnk
+ZHTATxgiyjWJ0AJGH1tqxHBU1MmKHEEsc3lXdxC+FWbAnfbMgQq+BZSBjcyAOip6
+0FHdrvKhAoGBAPWI7b1Yo2Ov2iJtH4VJh2vqX5q+EQchO9XCKW82lOfoXXCGrG7g
+n5uuQuCAfEHzkeHDMVzDvoLJAHUz74eLuYm1voKLW+CjT+L9LYZMvLs3ygJvq5g9
+5pYPZbP2bax2sV2coXs/tv2gyMIYyrsPtln6ngW9y/SrC13j7ibffaJ/AoGBAMi6
+xzH8n2Fz2y76Vw3/JwFQNJY3qZy7jjcFd3KCTSzbDAHzMOpwRjSrecacF//G/bn+
+BaeOWowFZSh6ps7g3jyLWIpWS1Azk9t9+8sbt4bcX5XV92GeCu91X5gjSfwiXfJ7
+Ar7itX5zFMl74jBoJcd7ikS1BUZozcOon6x2F7LTAoGBAOqXYU4/mhxsr+WkjTE0
+B4c77wxR/MLrJdgeIqh3Zd4NTPluMuHdC6Ia5RrKp+37Ya5qaIdRHnymvyE79edz
+wFmqo9Lmg2olnvYpH43pU4kszH13ZGOZAO7u1yUSlcbpwJzIQiEXxyacsDOCrG/9
+myRtJv4lUPD7W2jhlXDep5LRAoGBAKuEJXcJ9CnyNCRVFpPIJM0Teous7koVXPSY
+wDLhMg6U8RKteWupGeQhbYGOmVcd8mm9q5k7oxUn+wL2opf9PwgezT4PdHUITVvs
+r30iptQec7J1TNdlktR/x3oZFTvTJdFu2K7AyvJMZUOwjlpsc3OblU8WGnbKUJ/R
+8vYLRj6vAoGBANoD3vrUz4Zq0tAfn31X4iNBe8TF6c0lx+NOcQ4IJHKHulxx+rHS
+h8UjublG5rx8qL62D4SiVp+m12ibSrLaJpC5IqSy6cFjHNUzXcok4Oou7dpMsMkn
+2uHsmL4iJJkUBIowADJ2mAyPnnOj0yQilna9o+pDqoW+bG0+7NoyHcV0
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/rdns/ca.pem
+++ b/test/configs/certs/rdns/ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUd2k/q8WQFq6AZFyTtYu651Ds+cgwDQYJKoZIhvcNAQEL
+BQAwajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM
+C0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5MjEwNTExWhcNMjUwNTA5MjEwNTExWjBq
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9z
+IEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMxDTALBgNVBAsMBE5BVFMxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCGHkYL
+IWVG1p7J1RWKibzJUcJmCqRxqtXMRthyCiWTDCTuHE4qYLsrdGzyTEIhs7D1Kc1C
+It5tbTZUJ0IZqQaOAtTUkkYcfDMuM9e/ejpM3qwjFTChD/MHgvVYc9plDAUG60bw
+HDSYaD5LFidpEhsXVHSiKqBRgzLuNIq+c8R8ggONdLxuyCCZWgyqcLl5dSBYxGiO
+Q1pw1AL0sXIhvOsmVWnpEWBCTUj0jy9RK+XnuNLpDwuuiQmGrPWvuC5Oa0IZWEqF
+LIpj3m2oCj/fU/qDVckEkkNK6mjTVfu4tLhMfSh/uzgvAfPn1JRPPdYY5wCdtD9M
+CZzAv6Rc87LyPK0CAwEAAaNTMFEwHQYDVR0OBBYEFJQ0pEcUeNZleMh6GxA51NW4
+7MsIMB8GA1UdIwQYMBaAFJQ0pEcUeNZleMh6GxA51NW47MsIMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABluyDWCpMpIZxCO223YsqVLCFAA+3Ns
+ZAFLRyurMfZrBp7lJdrcZzkPcp6Hea0WJ9Rif/7gBGSYdVqlyPNj4W8nfJfys9Vr
+X9xfO4PyWE89Sa8aH1JQUifDeK0SMsj9HBRAiFqNuLdC6a2plQvQHhIyN/mnfQZs
+a0EVC09zEBrlZaXlZpf/cUok6VLEPmBqL4Y4IJFAFHPSMZRigXL/We7x+Dsumzkh
+5szEvBbktZNteZZcxnikBcS1ezmbGnz3l5OI65KM5JSkyxlvX5LnCNUl84z4dk/i
+1CTi8YUaJtSfe1lfUlDZY/QKPCLKgwz/DQqhnwsWC8uplJtiN9lIOtU=
+-----END CERTIFICATE-----
--- a/test/configs/certs/rdns/client-a.key
+++ b/test/configs/certs/rdns/client-a.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA05xm/LJ7bvzFltT1sHSfSSmqAqhgKLwLB4f49bYn7vvfz2tR
+BY9N8ecPGh9s3ZYjEAFiLIGGhLDtShdHQxvXoM3V1N9VpFXFe5FzOrSe5ZVx71BS
+GZbWKJijtjDHq+OH7RF62d9+p6jvJT/DEGzpHGS33GAoiBBnSBYfp8uio4F/v1o8
+4qaK1iTjaWa1E2SbUor3Zl88IK9olXrsX8P8wYflaxIlSD5KBXJoXIyY6SFNwklj
+qPq1Cq0gS0axcVU+osCt/iClunF6kV9r4www88w4XRPCFJM+QyYtPFy+CUR0BOua
+XbWs1hCyNeTrk1efQjY1qJOahZG+qdbiFt8lAwIDAQABAoIBAEjQfaOgatbTBc6T
+8wLH7nOHcae+dnAt3IG36RPrnSwf4XCHFfcay5BcmJa9j4FkAyajwztbSoVoOA6R
+mgTelMERcu3v95E3rl+JuiPOOQr49J6LfeSuQXzwoQy1Fk/wWDpcFHDZ9cQNXlTr
+7tw9Da2mfpnHQMspEdD9Q+FCMfGeoq8A4aSm0KDXqChB+HhPZlPNt9TA8/It8imN
+NzniziQ797QicD7i7Yy9OeJEzQ+mUY3Sew1yxI4wmF+vsv2NAqgQgTMKyQ0Vv5js
+aqR0URD182qDLbJ5PvmYyLc+TJyaixU0Qf5PgIbrBirBuV7UBOfraFkOXuV6Iyd6
+i/nt8CECgYEA74Tr5YyAciH0xpBza8PLoxnxP1UQDsp+sDL4STR8Y/lOUX/yYiqq
+om2NNM4FauEB63GqoYFqnEwTXwy4yU4vaOhjg86098mp2BdPo6ANLO+maK7+YvvW
+uAQwy25wG1IjqBH3yltOiOx/zCwoIfr1+xbbx68JiPCzLrUFn0YC3DMCgYEA4ivh
+9FRLESLMjiRQq+CnzKweTcAWfQbLmovFTJMSMkufpQ8TCyblE/PQvOkwZql3BP/f
+ZfzzB5p6B+Vzhz6nXue/YTPQZM0AHV3OZj/lw0ifgDuuohD45p2ASDpY+y7VbDKI
+Bcn3W8hJcqWf/0umBIa2AOYnOhlEllz8uQrBw/ECgYB7T2dTCn6mQ60M/RkvBeI0
+2gpFnLljpASNGfCRX6AaqCMV+lUDDQxECzqDUP2hBK5EVISQGVyVkuT2LkqD+OiX
+jeyN00F/wCbcxUOO7btawxZdFpqIwzbMDfxA/15f8m3A/V8gotlPzNIOfz06IUW6
+Ow5zQz4ZbjIRfcijMxwN2QKBgCcIB7CQs3u7k62cGsfut0adFYW5dqgQ+iYrpNr4
+LpW7c0ua9GBiT/pHg2h2ncG50S5tsfH52z8eq5ydPnjCmUPJnr95n6clsbVfsPT4
+ZgBzkgMhSZvybeHuoGrWlvCSPoazmcHV/vg58mL0rk3yki4JyXMSRQbDwZBpb7vH
+XXUhAoGBAOkqak1DcPZVSinpb/irgvBPd2GzeWyaNh9MKBcGMeG7h3w6Dy/0Gkv3
+DyyEf4BLxPKZ3QNx0Ni2lJ810Al2Kd7j4esDzTZDNmv8buC2jXV+aIL3XvfYjyix
+SDyE50LcqLiPJwmADpoHMDYvO6sOm8RmhbzbkdJgwZOvh/so3CZX
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/rdns/client-a.pem
+++ b/test/configs/certs/rdns/client-a.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO
+QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5
+MjEwNTE2WhcNMzAwNTA3MjEwNTE2WjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT
+MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is
+ZAEZFgRmb28xMRQwEgYKCZImiZPyLGQBGRYEZm9vMjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANOcZvyye278xZbU9bB0n0kpqgKoYCi8CweH+PW2J+77
+389rUQWPTfHnDxofbN2WIxABYiyBhoSw7UoXR0Mb16DN1dTfVaRVxXuRczq0nuWV
+ce9QUhmW1iiYo7Ywx6vjh+0Retnffqeo7yU/wxBs6Rxkt9xgKIgQZ0gWH6fLoqOB
+f79aPOKmitYk42lmtRNkm1KK92ZfPCCvaJV67F/D/MGH5WsSJUg+SgVyaFyMmOkh
+TcJJY6j6tQqtIEtGsXFVPqLArf4gpbpxepFfa+MMMPPMOF0TwhSTPkMmLTxcvglE
+dATrml21rNYQsjXk65NXn0I2NaiTmoWRvqnW4hbfJQMCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEArO7c3bIBfy/U0HOiqiWkFrfly/tbOSQecdV8PW3SaY2P/VLINi67
+NLfe4dhWw6nRE8zdLCOoXc5F60cfx1jYZd7vF44q6Mwn52atcoX49m17+1EmDeOS
+TJFkm3FU993O8jTSTRO6ysoiuIHImHWrWCnEY8lhhQoHQVDWiCtdxTkahqXvS+VD
+5xcxGWG2uY9sJx0ISXpyYkcoh24H92xEaswGlYFQEUEmf1tLRRbRqkq93qqlfHrn
+VPRQ4y/sINmBMwk+ftMhZtKiDu5xb1yP+ePoczgkKfsbJy8rh7rZJPvor4avX+7F
+9dn3Vm8IGdmqrNp2K9Du/zIWyXtkVJ7Wyw==
+-----END CERTIFICATE-----
--- a/test/configs/certs/rdns/client-b.key
+++ b/test/configs/certs/rdns/client-b.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtnCJemodpMZaQ0HecKito1c2uVz/FNg4k2PlRHy5QVqVtQ10
+/KosU5UR/IdKQim+DXwpE1rs199aZG/JR6uo8wZlOdLFEzAI4OHRT9Gh0VNaldbV
+BeEB/HL7icXMJuBjoO4+XandE6XYRxWIxODfjSfLfFe7Hf1XUNQoemJNU8QYPBuS
+al8YaqnxLHp/7ZW6u+EnKJUdjF4t6Q4UF9tXELeXG5BgHkCUjFlfJtepEebdktUJ
+0Gfmopa/apLAHjH2nOSs9/02UPZEWOXNeQ0S/C+KhMdagBfrKQi17x7CtFptP2zp
+icvZNmt8Lup+JBbr1w8Im6tgr5tFz+Bodm7KywIDAQABAoIBAGHfIYGQZ/K7jjTC
+o2hgtTYJVYw/fYBbNo6rapVBK8kJpYKJg5cAW+NC93E3yviPmCt3zjlZ7/EnG0EC
+T0KprmshpTBOB/dxL3Ik8rsVRPAc/V2g8IrE2OHrdVHF0O2SNyBgbwikVbtynwIT
+ZVnpIUSCcsFz9yfxfuQXzNdK4RzsDxG1uMBQh4BdD67s0wO4bp8XIMbCezIKPsU+
+fDco7g8jJgei4YAujAEWYRT3Cw6sTHyCmyTbGcdh1QMoFYdY5HKf842ihkRXRLgq
+jDfy6bvUH2Vu1fXvgykaIdgnHEl9TzoAtOPffnCsbrym9wRP8kRhNTBNcHnHa9Xp
+NmuQgQECgYEA7ObxBZ9AiIOBev2YaaW9uV0B3BA/UrynDxkwTLW++W2mGhXNABin
+pKttfIGcR7lqCVAP6UMZ84mudG7cO3Jfru5PoZ0tNPmVN2KybyoH8B9BfWJuaI4M
+r490Su/MhyMvWHbKsBnAdO9QttbtkIpHUKELx/c94w0/TXv5fHlGH4sCgYEAxSWg
+m4QlN/sL+fZYt17mmEYs7cM/+jljJSpDYzy79ywjsq5KzRb4dAn4pCHJdH9yp+WE
+KjYHFQ3mlg/f3yd4qW5i5zo0rcYELP1QCjCtbTNrae6H/MoHcEEwQzHvRml5ExIA
+cHsfv45tTX+OsJ3wlj4gxkY+y/G6OTXDj5UDacECgYBl1fCNxiNri3xBbnnyEDk6
+UWzXOHTAEDCQIPfOQeJSPnxEglKZU//cnYR3HRAdFOssDaqJTzr8oZbInk81jrjq
+7a51fqdMOm2WXWrutlarNgRk7ccgUs/JOBV5kROOk+VqVcZTZP6CRc2gi0ub8pUt
+Z800rGeCDtPDbyOUCl3GeQKBgCSm0i0XbDP0IE3gVq4Anq5Anam2WvaSJLSMHusc
+J3XUZu6ZKJ7oXlh0Yh1hiqp150L/kIqocLihVPUhDmXWWMBnHUwPriuAXNZgYbkD
+Q7rBjH6tMer1RFzCQc68Qde9VB0Pg7VlrolWWUvHIygCtO+5rS4vcQ1Ja22naSwQ
+cAoBAoGARzbjMI91d647stZN7zynPg9081XZmr0oqLaXStl0GudZXMxu4B6V+dlp
+g9EBCUDi8XuM/5hv8kgc+QjTqe5Vtea+h8u3jHs4+u9pYdInBDY7dY4SoFbpBeb7
+zPpzGxgxgANDUceTlYdXZFURrefVcqxzz/ar94dkv1RAjilVoN8=
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/rdns/client-b.pem
+++ b/test/configs/certs/rdns/client-b.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO
+QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5
+MjEwNTE5WhcNMzAwNTA3MjEwNTE5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK
+Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx
+DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALZwiXpqHaTGWkNB3nCoraNXNrlc/xTYOJNj5UR8
+uUFalbUNdPyqLFOVEfyHSkIpvg18KRNa7NffWmRvyUerqPMGZTnSxRMwCODh0U/R
+odFTWpXW1QXhAfxy+4nFzCbgY6DuPl2p3ROl2EcViMTg340ny3xXux39V1DUKHpi
+TVPEGDwbkmpfGGqp8Sx6f+2VurvhJyiVHYxeLekOFBfbVxC3lxuQYB5AlIxZXybX
+qRHm3ZLVCdBn5qKWv2qSwB4x9pzkrPf9NlD2RFjlzXkNEvwvioTHWoAX6ykIte8e
+wrRabT9s6YnL2TZrfC7qfiQW69cPCJurYK+bRc/gaHZuyssCAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAXqrZXT2sWalVn8n7pBsK7KMLtECyhYNMtfLRwkJvjA691DDZ
+6/w402H3tl2+dfU8CYkB/kx2rVATiQCl7aYcJnIHthNYN2YBU99w8+7r9xYIHye4
+3ErtsgSuAtxmxKGHk/FeR4mqzuRfsv7NGuKqZRspEMH3c2sTgA0mnkBjfjuZo4wf
+K8u77kFAMrwVl4Jr5sgXgjS4xCJVEGhvjrrLWfOrP4Cj6apd8ZFT7LQ2iDuSH73v
+596HEPVO2nb5ONbWsbTtqbxldyTA/v7TGKBIncEzDnkHC0DLEscqkNBV+/yzCDk4
+3gt8QB1W0IrfVnC2y9odAPuZige8nqUIBMsdog==
+-----END CERTIFICATE-----
--- a/test/configs/certs/rdns/client-c.key
+++ b/test/configs/certs/rdns/client-c.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsF8xq2j6IKnpLC038+BTOUNJsP5shUWY0c/nAXHHHlksGJNa
+rmmnf8AuScWqRlu8VtG4SYosxLDR+wC6+rdrk1sUiGDNBOk8BppdhHHh362UKuqn
+TtKttuI9Bz+qoP9zA9qXdRCuVURYHgu9Xo9mrTDvg5w7Af2dVZeMbzk2jf8eZbpk
+cz7DmqVsChj3t/F2dxGmzqaYrophO1ubP27CfCyeMSyNagzU3UJwR/PQ+3rJnPxx
+dBZxqVjRJdjIHXeagldxYAO9RL0HDfVPI3sahAGnNatPWFUlr9tvRtWU9n2QmnVT
+86O3jT/cHb7bmtajg01a3DUrYmSd2XR733PjGQIDAQABAoIBADKcPm6Hgy8YUrbA
+iwvKVVdbPawydgWQQRgD5q/9bDwDLqomrqDZ5Jy+EwpMVF44OMVZDN7dbZdLfhXe
+0cjcFVyFiFDSJkLAgt8KMMeuvjgnYRsnlrcBsaOHLCgGVvo4E1MJyOhozv3czMRi
+bgbSc45DOpeznyMlGZ7UDBJmgocgMhCJhQlP7GXWlblAjlHdKLFDPeETrD2jU389
+7VLllVHyfdsbWDrnyYdNVOsNsVKheHHHwhbk4ycuQHtezwvmfhXsseqHsBkrGRV0
+sSBZklDS5bX8gKISl6GbIWEDsYp+3LwJ0+apHBvgnC4/Be5uzdSgKpt2FxLBv5N9
+EgNzk/kCgYEA3jFK0l8RBtfyuEW0KKWF/NI6+lmI3M2UKL7fsUzncbJN+Ei1OB7D
+wG00JipY3yppbnYWsX1z8i9+ngCgidBg60GNZZMtxhgYMN1xhh+wA9TStHcsGWZG
+ZDaMv3QG/kQJ7kNblPqwxpN2YBYtSgmHLcMEBGN/o+xHJhfNLAMrDD8CgYEAyzUf
+QvpUKAEjv3L1fX/DkZ+qqXVXDXSObBIRZovuXE+vVUWkZnFRrVkC7vy1bgOrPxDJ
+p7JeFHq7Tbj0QYgCs4yL+XX3ECDdwu8Dfc3gq1RQ3R17t6qg/LaptwlFM7P/gFLR
+i5B4t1p7UdiIt8ym0pHy71jRl1l2fXvyprq/mqcCgYAkfzpIFf+I/T3MUP7H0nCQ
+18OCTeSySD529utthzFZNq2iA+dogX0sBYQUZM5WUfQhhdoya2X5OR32PCoimQzi
+d9EPBz70lA6dMDKuklPqPTIjHJQs0+TqHx+9bwSbDXgIIB5R+V/CLoS6QcpMqAYB
+WVA2nFViCrShKDW2bgrLJwKBgGO4WPQEZoIPNRzBbGk+5pky8owgUiz/Mtkj8LgT
+GVDhpdhBydCf8YYQ9ViUWPB5CnNzaJJL/NEt/XbBudPiy/iSkypDUo/uoQUFSABX
+pNZPFTO9QTY7nK8HcLeq6/PYdBzkB4Lmzeakl3ntugIAgyk4iDAetRQByh0AU26w
+nFBnAoGAJk48iCBKwffii65B6HehKGD8thmum9CkJz/qnNNqMTDpXJshpTlStfGl
+23KPuzs9GYD4QQGePHvCexcIlrZ7ah3HDXc1viRgxABOr1In3KuthxyA/QcCEZjB
+SUZwe0qjrgsuWzr3zqIFjNtUU2znqpuMrDGRZp/PMe8qAEZlH5g=
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/rdns/client-c.pem
+++ b/test/configs/certs/rdns/client-c.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO
+QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5
+MjEwNjUxWhcNMzAwNTA3MjEwNjUxWjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT
+MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is
+ZAEZFgRmb28zMRQwEgYKCZImiZPyLGQBGRYEZm9vNDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALBfMato+iCp6SwtN/PgUzlDSbD+bIVFmNHP5wFxxx5Z
+LBiTWq5pp3/ALknFqkZbvFbRuEmKLMSw0fsAuvq3a5NbFIhgzQTpPAaaXYRx4d+t
+lCrqp07SrbbiPQc/qqD/cwPal3UQrlVEWB4LvV6PZq0w74OcOwH9nVWXjG85No3/
+HmW6ZHM+w5qlbAoY97fxdncRps6mmK6KYTtbmz9uwnwsnjEsjWoM1N1CcEfz0Pt6
+yZz8cXQWcalY0SXYyB13moJXcWADvUS9Bw31TyN7GoQBpzWrT1hVJa/bb0bVlPZ9
+kJp1U/Ojt40/3B2+25rWo4NNWtw1K2Jkndl0e99z4xkCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEACO/mR49RwjJ9pDbo2ioffxe+1R7DBFhx8NGkb+ISZGArOPlC+Uee
+2oEs5ejDhTu4SuU1ODJ/asMCQxHfHZ2US1EwajFNw0ZYUTrQiiI1aamMZ/XIwUrA
+i+Z5s4Ne8AsZQMAGZLfNXpNUMRKSfOK37SlCa0eqAoJhzoqzYxQ9JgSLJhEo5id
+8dAfICsShye1irzKXZ/QwLNHG/gS9SGfzf54B9sQRT3OOYr4eyEqcS2pmdQDyV4T
+6OtWcaXGzxSPmJNcaI25RW2F+DWyF+mS8y8XhQZd2nG8ET0FWAFCDX3eT4W5MRmn
+pglI/8UnHuseZos7GwHo80eTiUyBzvspYw==
+-----END CERTIFICATE-----
--- a/test/configs/certs/rdns/server.key
+++ b/test/configs/certs/rdns/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxFbauT5Ge2uniUGkZwu3/3pH03DbIjZe7FfukBnD7DbEcOJT
+M1w9uTzh6bOIpX7VLVifWk64w62bELCX+g7Bp1zKy0htsdmnDh6OH4m0lOwcpT77
+ZxCbnRNrwzLoia+hSIyyyMIPUPPJMm3BblGasU1K5P4c957wLbPal+83ipTa4anM
+IQWcqPpoPGlcxJcB5Xw6rb8cLlju5hZLlaKkmxZrmuEu4KX3waKeNsY0eoDJwpSn
+nbfuyOxVreHE/GclxPzODnx0UZh8zGKcxL/Yq+YaF+OsL/oPfh0igPARMmOua25V
+n0Ra+f9CsvM4lt3giZ3mKLHJ2TsObohIw6qUzQIDAQABAoIBAGppqKI93nWGI4eA
+zFoNP+x3mfY/dIVWcpwmDGaNkGK2TEHiaLWtiMac+NRxOd54n5G0Nqn7gKiNrz2c
+eMJOvSa4ZDFJUCrUjHZamSz+taEBV4U4XYm+tpirrfxd2yrExeVMXJnyk9qMRr/O
+PMhN8kmmWrFCCPEsc4BRumgefzvb/W+4CqmY1CYCEV+Lmwwr+ur6ADDfz2dAfHtr
+UGkixUrzFO684qSTGTyn5oUdc4qN1XR63V/o411zbVfXIWMmiiVKv5ctq/RfshHD
+h9700/RAo0j08iwqDtLXyx1eolnIO6AfLzYcLrPzHFv460HPa3AIoQVfBs0IM2TJ
+8aAyFQECgYEA+L+5FvywmVKUJBc9XHJ/sTkGVL4i4I6TWbGTSN0urlAe1IEgq8Cq
+VYLZiOZkuh47uJ76HjFJMo7SQrLot92ofhz3506ZSa4d3LVLEAbaxKgOHDHfM9XP
+U4ZHEZdzj2s1IdW3v73NnIv2gnKVbL7gpIpeX0rhxHeFgAFwzykSolcCgYEAyhAG
+43yjcZZay/mavjBeTFtbwaYKAtaMIP8uDaS2DJCsLMRKTda3YgQydWSlzC02E22/
+xTHOp2ytI4Eq6pEUlZT08+Gxyf1XStyWNjzD9jK+c+mIbQsWeZGef7FfcxKFksBq
+0/9dG/MYUPqQBYoTDH24QR13XwKUzcGFjg6S83sCgYEAp+dZ+08zsTqRbk8Vhypu
+UOTqBheVmTgD9D4t6bgKw3Snas+CiwxwrWm2hnbltM+lhjghInIoM20+NfFnrnx7
+OC07lLF0PMy/sXPaKAZIcwfxBk0PmYCQApQXsqMlSMCXy6/j6RQoDqxXB7Rqck3h
+eo8/plj4TdJTlZTjXaIext8CgYEAxqcRDq+nxHFMXMLNlnPZEXqz7+M8bmPdqkcW
+UMWBUUMecnickIArFEsKDI3hzqUYR+ubINSB1eorIf/IYIo30YN7exWFhA70th29
+9B6zjaV/xldvD71Z4DUAvYt1Sp2IAqn3nOqu8F6DpoFf/IItjhc/gYzlodvYzZyX
+n/zGDmcCgYAumnP2HqQr0fFrHc/p+KWP3+YXi9b/gUiMK/i7k2r/vf4SbStogKJf
+SlFD2S+H+FJxVRxUhssz4SH3PYZJwAMX0DP9ZNpwa5rwSbx0a7H72u0O3r42nFXi
+LNt+4To/VB7frJsNKl4Oh46gUHMsMyoqsF5FNQpPQ4zTEio3U0FASQ==
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/rdns/server.pem
+++ b/test/configs/certs/rdns/server.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO
+QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5
+MjEwNTI0WhcNMzAwNTA3MjEwNTI0WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK
+Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx
+DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMRW2rk+Rntrp4lBpGcLt/96R9Nw2yI2XuxX7pAZ
+w+w2xHDiUzNcPbk84emziKV+1S1Yn1pOuMOtmxCwl/oOwadcystIbbHZpw4ejh+J
+tJTsHKU++2cQm50Ta8My6ImvoUiMssjCD1DzyTJtwW5RmrFNSuT+HPee8C2z2pfv
+N4qU2uGpzCEFnKj6aDxpXMSXAeV8Oq2/HC5Y7uYWS5WipJsWa5rhLuCl98GinjbG
+NHqAycKUp5237sjsVa3hxPxnJcT8zg58dFGYfMxinMS/2KvmGhfjrC/6D34dIoDw
+ETJjrmtuVZ9EWvn/QrLzOJbd4Imd5iixydk7Dm6ISMOqlM0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEArl6zUvvu+RF6tqAiHqN5d/mmuhiczsaRReNXe1yJ7llXuDzl
+jS/GAYu4nkDX/ejyWAwEnNOhjqNI5LMKNVJo+ZfOVH4jgiGZHaHzL6tY8tI6RYdO
+ZUL5aLLDIGNYgR4BWFP2b6dk767iBOsmzB/gjGNi/ROAPQOw72vdXuxFL0xVwIG7
+Dk2u5f3B9nVdJz5gWFMHTE/cSSbyYJ1zZhwauzDaeploSTFlDsjPWUpCWCiE1jKh
+jsgeF+HtlHcWlLhAAX/181SUoUilb9FBFCRLpPOuGYiKZ3KSQYzISkzvfE0u6/bs
+uGL3UWDsGNQe6AhKMp9V2LxDq+fRIa9pTklb7g==
+-----END CERTIFICATE-----
--- a/test/tls_test.go
+++ b/test/tls_test.go
@@ -17,6 +17,7 @@ import (
 	"bufio"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -1128,3 +1129,137 @@ func TestTLSHandshakeFailureMemUsage(t *testing.T) {
 		})
 	}
 }
+
+func TestTLSClientAuthWithRDNSequence(t *testing.T) {
+	for _, test := range []struct {
+		name   string
+		config string
+		certs  nats.Option
+		err    error
+		rerr   error
+	}{
+		{
+			"connect with tls using full RDN sequence",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+				  ]
+				}
+			`,
+			// C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo1/DC=foo2
+			nats.ClientCert("./configs/certs/rdns/client-a.pem", "./configs/certs/rdns/client-a.key"),
+			nil,
+			nil,
+		},
+		{
+			"connect with tls using partial RDN sequence has different permissions",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" },
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US",
+                                      permissions = { subscribe = { deny = ">" }} }
+				  ]
+				}
+			`,
+			// C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost
+			nats.ClientCert("./configs/certs/rdns/client-b.pem", "./configs/certs/rdns/client-b.key"),
+			nil,
+			errors.New("nats: timeout"),
+		},
+		{
+			"connect with tls and RDN sequence partially matches",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US"},
+				  ]
+				}
+			`,
+			//
+			// C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4
+			//
+			// but it will actually match the 2nd user so will not get an error (backwards compatible behavior)
+			//
+			// CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US
+			//
+			nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"),
+			nil,
+			nil,
+		},
+		{
+			"connect with tls and RDN sequence does not match",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+				  ]
+				}
+			`,
+			// C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4
+			//
+			nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"),
+			errors.New("nats: Authorization Violation"),
+			nil,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			content := fmt.Sprintf(test.config, `
+				tls {
+					cert_file: "configs/certs/rdns/server.pem"
+					key_file: "configs/certs/rdns/server.key"
+					ca_file: "configs/certs/rdns/ca.pem"
+					timeout: 5
+					verify_and_map: true
+				}
+			`)
+			conf := createConfFile(t, []byte(content))
+			defer os.Remove(conf)
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+				test.certs,
+				nats.RootCAs("./configs/certs/rdns/ca.pem"),
+			)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}