Comment 1 for bug 2043582

Michael Johnson (johnsom) wrote:

Here are a couple of initial comments:

1. Octavia is not just an implementation of HAProxy, so any restrictions or behaviors of HAProxy do not necessarily apply to the Octavia API.
2. We strive to be a standards-based project, so the correct behavior should track back to standards documentation. In this case we are talking about the X.509 (ISO/IEC 9594-8:2020) ITU-T recommendation[1].

The subject field (CN is a subset option of subject) is described on page 16. I will excerpt the important two sentences here:

| If the public-key certificate is an end-entity public-key certificate (see clause 7.4), then the
| distinguished name may be an empty sequence providing that the subjectAltName extension is present and
| is flagged as critical (see clause 9.3.2.1). Otherwise, it shall be a non-empty distinguished name.

So the above openssl commands would in fact generate an invalid certificate assuming there is no openssl configuration file present that would meet the above requirements.

All of that said, I also think the get_host_names() code[2] is incorrect. It is valid for the subject field to be empty if the subject alternate name extension is present and mandatory.

So, there is a bug here; it's just a bit more complicated than the test case provided.

[1] https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.509-201910-I!!PDF-E&type=items
[2] https://github.com/openstack/octavia/blob/master/octavia/common/tls_utils/cert_parser.py#L247
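A host-name extractor that applies the X.509 rule quoted in the comment (empty subject DN only with a present, critical subjectAltName), written here as an added example; it is not Octavia's cert_parser code and does not reproduce it. It assumes the Python cryptography package, and the certificate names are constructed.

```python
# Added example, not Octavia's own cert_parser code: host-name extraction that
# follows the X.509 clause quoted in the comment (empty subject DN is acceptable
# only when subjectAltName is present and critical). Needs 'cryptography'.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def san_extension(cert):
    """Return the SAN extension object, or None when absent."""
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return None

def subject_is_valid(cert):
    """Non-empty subject DN, or empty DN plus a *critical* SAN, per the quoted text."""
    if len(cert.subject) > 0:
        return True
    san = san_extension(cert)
    return san is not None and san.critical

def get_host_names(cert):
    """Return {'cn': str | None, 'dns_names': [...]}; never assumes a CN exists."""
    if not subject_is_valid(cert):
        raise ValueError("empty subject without a critical subjectAltName")
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    san = san_extension(cert)
    return {
        "cn": cn_attrs[0].value if cn_attrs else None,
        "dns_names": san.value.get_values_for_type(x509.DNSName) if san else [],
    }

def make_cert(subject_cn, dns_names, san_critical):
    """Constructed test certificate (hypothetical names); subject_cn=None -> empty DN."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)] if subject_cn else [])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Issuer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if dns_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
            critical=san_critical)
    return builder.sign(key, hashes.SHA256())
```

A SAN-only certificate with an empty subject therefore yields `cn: None` and the DNS names, while an empty subject with a non-critical SAN is rejected instead of raising an IndexError deep in the parser.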