diff --git a/doc/go1.15.html b/doc/go1.15.html index 7506a6aa49..10b245fd8f 100644 --- a/doc/go1.15.html +++ b/doc/go1.15.html @@ -425,8 +425,53 @@ TODO
+ If either the name on the certificate or the name being verified (with
+ VerifyOptions.DNSName
+ or VerifyHostname)
+ are invalid, they will now be compared case-insensitively without further
+ processing (without honoring wildcards or stripping trailing dots).
+ Invalid names include those with any characters other than letters,
+ digits, hyphens and underscores, those with empty labels, and names on
+ certificates with trailing dots.
+
+ The deprecated, legacy behavior of treating the CommonName
+ field as a hostname when no Subject Alternative Names are present is now
+ disabled by default. It can be temporarily re-enabled by adding the value
+ x509ignoreCN=0 to the GODEBUG environment
+ variable. If the CommonName is an invalid hostname, it's
+ always ignored.
+
+ The new CreateRevocationList
+ function and RevocationList type
+ allow creating RFC 5280-compliant X.509 v2 Certificate Revocation Lists.
+
+ CreateCertificate
+ now automatically generates the SubjectKeyId if the template
+ is a CA and doesn't explicitly specify one.
+
+ CreateCertificate
+ now returns an error if the template specifies MaxPathLen but is not a CA.
+
- TODO: https://golang.org/cl/205237: load roots from colon separated SSL_CERT_DIR in loadSystemRoots
+ On Unix systems other than macOS, the SSL_CERT_DIR
+ environment variable can now be a colon-separated list.
+
+ On macOS, binaries are now always linked against
+ Security.framework to extract the system trust roots,
+ regardless of whether cgo is available. The resulting behavior should be
+ more consistent with the OS verifier.
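Review bot: The first added paragraph has a subject-verb mismatch, "If either the name on the certificate or the name being verified ... are invalid" should read "is invalid". In the same paragraph, the list of valid characters (letters, digits, hyphens and underscores) omits the dot, so it would help to say that the rule applies per label. In the CommonName paragraph, "temporarily re-enabled" gives no indication of when x509ignoreCN=0 stops working. Either name the release in which the override goes away or say that it will be removed in a future release, so operators who rely on CN-only certificates know they have to reissue them with Subject Alternative Names. The CreateCertificate entry about MaxPathLen describes a new error for templates that were previously accepted, and it would be worth saying so explicitly, since existing callers can start failing after the upgrade.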