 

Howto fix x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs

Tags:

go

x509

tls1.2

I'm using the Go HTTP client to connect to an IoT device which has a self-signed cert. I already have

    TLSClientConfig: &tls.Config{
        RootCAs:            certPool,
        Certificates:       []tls.Certificate{tlsClientCert},
        InsecureSkipVerify: true,
    },

Nevertheless, although InsecureSkipVerify=true, Go still tries to verify the certificate:

x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs

As I can't change the cert on the device, what part of the TLS client config can I modify to accept it?

UPDATE

The Go error can be reproduced by running https://github.com/jbardin/gotlsscan/blob/master/main.go against the device:

Testing TLS1.2
    ...
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [NOT SUPPORTED]
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       [NOT SUPPORTED] x509: cannot validate certificate for 192.168.1.145 because it doesn't contain any IP SANs
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         [NOT SUPPORTED]
    ...
    

This is what openssl says when running openssl s_client -connect <ip:port>:

CONNECTED(00000003)
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify return:1
4460842604:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4460842604:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
  i:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
issuer=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 969 bytes and written 178 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA256
    Session-ID: 9C7D...
    Session-ID-ctx:
    Master-Key: AC9E...
    Start Time: 1600892515
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

UPDATE: I'm running the latest Go, 1.15.2.

andig asked Jun 01 '26 05:06

1 Answer

This might work,

In the certificate there is a field called "SANs"; we need to add the hostname to this SAN list.

[screenshot: Properties]

Once this is added, the same name should be added in the TLS configuration using the "ServerName" field. After this configuration the error will be resolved. In the SANs property I've added "test.com", so I configured TLS as follows:

        ServerName:   "test.com",
        RootCAs:      pool,
        Certificates: []tls.Certificate{clientCert},
        MinVersion:   tls.VersionTLS12,

Since the certificate you're using may not contain any SANs, this error occurs. I'm still exploring it; if you have any comments on this, kindly leave a reply.

imaheshwaran s answered Jun 02 '26 19:06
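The answer's fix (a matching SAN plus `ServerName`) needs a re-issued certificate, which the question rules out, and for a peer addressed by IP the built-in check consults only IP SANs, never the CN (and since Go 1.15 the CN is no longer used as a hostname fallback at all). What a practitioner can do instead is keep `InsecureSkipVerify` but replace the verification it disables with a pin on the device certificate via `VerifyPeerCertificate`. The following is an added example, not code from the question, the answer or any project; it assumes the device certificate's SHA-256 fingerprint was recorded out of band, and it generates a constructed self-signed CN-only certificate as a stand-in for the device so that the question's `RootCAs`-only configuration, a correct pin and a wrong pin can all be exercised offline against a local listener on 127.0.0.1:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedNoSAN is a stand-in for the device certificate: self-signed, ECDSA
// P-256, a CN only and no Subject Alternative Names (constructed for the example).
func selfSignedNoSAN() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"DE"}, CommonName: "device"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// No DNSNames and no IPAddresses: exactly what triggers the IP SANs error.
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// certFingerprint is the hex SHA-256 of the DER certificate, the value you record
// out of band (e.g. from `openssl x509 -fingerprint -sha256`).
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// verifyPinnedLeaf accepts the handshake only if the presented leaf matches the
// recorded fingerprint; hostnames and SANs are deliberately not consulted.
func verifyPinnedLeaf(rawCerts [][]byte, expectedHex string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("pin: server presented no certificate")
	}
	got := certFingerprint(rawCerts[0])
	if got != expectedHex {
		return fmt.Errorf("pin: leaf fingerprint %s does not match %s", got, expectedHex)
	}
	return nil
}

// pinnedTLSConfig keeps InsecureSkipVerify (crypto/tls then skips its own chain and
// hostname checks) but installs VerifyPeerCertificate, so the peer is still authenticated.
func pinnedTLSConfig(expectedHex string, clientCerts []tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		Certificates:       clientCerts,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPinnedLeaf(rawCerts, expectedHex)
		},
	}
}

func get(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo serves the SAN-less cert on 127.0.0.1 and connects three ways: RootCAs only
// (fails on the IP SANs check although the cert is trusted), correct pin, wrong pin.
func demo() (rootCAsErr, pinnedErr, wrongPinErr error) {
	cert, err := selfSignedNoSAN()
	if err != nil {
		return err, err, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	pool.AddCert(leaf)
	rootCAsErr = get(srv.URL, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	pinnedErr = get(srv.URL, pinnedTLSConfig(certFingerprint(cert.Certificate[0]), nil))
	wrongPinErr = get(srv.URL, pinnedTLSConfig(certFingerprint([]byte("not the device cert")), nil))
	return
}
```

Calling `demo()` returns the `x509.HostnameError` ("doesn't contain any IP SANs") for the `RootCAs`-only client, `nil` for the correct pin and a pin error for the wrong one. The point of the pattern is that `InsecureSkipVerify: true` on its own makes crypto/tls verify nothing (chain and hostname alike), so the error in the question cannot come from a client that actually has it set; `VerifyPeerCertificate` puts an explicit check back. Pinning the leaf means the client breaks, loudly, when the device certificate is rotated, which is the correct failure mode for an unattended IoT connection; pass the questioner's client certificate as `clientCerts` to keep mutual TLS.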