GHSA-mjcp-gpgx-ggcg: OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

OpenTofu's TLS client fails to properly validate excluded subdomain constraints against wildcard SANs in certificate chains, potentially allowing unauthorized access.

When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard [SANs](https://en.wikipedia.org/wiki/Public_key_certificate#Subject_Alternative_Name_certificate) in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com, and that wildcard still matches test.example.com when the client checks the server hostname.

### Details

When acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library…
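As an added example, not code from the OpenTofu project or from the original advisory: the Go program below builds a constructed two-certificate chain (a CA whose name constraints exclude test.example.com, and a leaf it signed that carries the SAN *.example.com) and then applies the extra client-side check a hardened TLS client can run after ordinary chain verification. The helpers mirror the label-based semantics crypto/x509 uses for dNSName constraints (a leading dot means strict subdomains only); the function names, the demo CA and the hostname being connected to are assumptions for illustration. The program also prints what the standard library's Verify says for the same chain and hostname, so you can compare the two results on your own Go version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// reverseLabels splits a DNS name into labels, most significant first:
// "test.example.com" -> ["com", "example", "test"]. Case is folded.
func reverseLabels(name string) []string {
	parts := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	out := make([]string, 0, len(parts))
	for i := len(parts) - 1; i >= 0; i-- {
		out = append(out, parts[i])
	}
	return out
}

// splitConstraint parses one excludedSubtrees dNSName entry. A leading dot
// (".example.com") is read the way Go's verifier reads it: strict subdomains only.
func splitConstraint(c string) (labels []string, strict bool) {
	if strings.HasPrefix(c, ".") {
		return reverseLabels(c[1:]), true
	}
	return reverseLabels(c), false
}

// hostInExcludedSubtree reports whether host lies inside the excluded subtree.
func hostInExcludedSubtree(host, constraint string) bool {
	h := reverseLabels(host)
	c, strict := splitConstraint(constraint)
	if len(h) < len(c) || (strict && len(h) == len(c)) {
		return false
	}
	for i := range c {
		if h[i] != c[i] {
			return false
		}
	}
	return true
}

// wildcardCoversExcluded reports whether a wildcard SAN "*.S" can match at least
// one name inside the excluded subtree. A wildcard matches names with exactly
// len(S)+1 labels, so "*.example.com" covers "test.example.com" (the advisory's
// case) but not "a.test.example.com". Non-wildcard SANs return false: the
// verifier already compares those label by label against the constraint.
func wildcardCoversExcluded(san, constraint string) bool {
	if !strings.HasPrefix(san, "*.") {
		return false
	}
	s := reverseLabels(san[2:])
	c, strict := splitConstraint(constraint)
	if len(c) > len(s)+1 || (strict && len(c) > len(s)) {
		return false
	}
	for i := range c {
		if i == len(s) {
			break // this position is the wildcard label, so any value matches
		}
		if s[i] != c[i] {
			return false
		}
	}
	return true
}

// checkExcludedSubtrees is the extra client-side check (hypothetical helper):
// for every CA in the verified chain, reject the connection if the hostname, or
// any wildcard SAN on the leaf, falls inside an excluded dNSName subtree.
func checkExcludedSubtrees(chain []*x509.Certificate, host string) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	leaf := chain[0]
	for _, ca := range chain[1:] {
		for _, excl := range ca.ExcludedDNSDomains {
			if hostInExcludedSubtree(host, excl) {
				return fmt.Errorf("host %q is inside excluded subtree %q of %q", host, excl, ca.Subject.CommonName)
			}
			for _, san := range leaf.DNSNames {
				if wildcardCoversExcluded(san, excl) {
					return fmt.Errorf("wildcard SAN %q can match names inside excluded subtree %q of %q", san, excl, ca.Subject.CommonName)
				}
			}
		}
	}
	return nil
}

// buildDemoChain creates a constructed CA that excludes test.example.com and a
// leaf it signed with the SAN *.example.com, returning [leaf, ca].
func buildDemoChain() ([]*x509.Certificate, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constrained Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, ExcludedDNSDomains: []string{"test.example.com"},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: []string{"*.example.com"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caPriv)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

func main() {
	chain, err := buildDemoChain()
	if err != nil {
		panic(err)
	}
	const host = "test.example.com" // the excluded name the client is connecting to
	pool := x509.NewCertPool()
	pool.AddCert(chain[1])
	_, verr := chain[0].Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	fmt.Println("crypto/x509 Verify:", verr)                       // result depends on your Go version
	fmt.Println("extra check:", checkExcludedSubtrees(chain, host)) // always rejects this chain
}
```

The hostname check alone is enough to block the connection the advisory describes; the wildcard check is stricter and rejects the leaf outright, which is the right call when the client cannot know which names the wildcard will be used for.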