x509 certificate parsing failure due to malformed SAN dNSName

[penicholson]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

A x509 certificate's Subject Alternative Name may contain a trailing dot. Such SAN values are illegal according to RFC2459, however they are widely used in practice. For example, certificates issued for GCP CloudSQL databases contain such trailing dots.

The Go team attempted to enable strict validation of SANs in certificates in Go 1.25.2, however it caused widespread breakage, so they ended up reverting the issue in Go 1.25.3.

It looks like Ory Hydra v25.4.0 was built using Go 1.25.2, which makes it impossible to connect to databases which use an x509 certificate with a SAN DNS name with a trailing dot (in our case CloudSQL Postgres).

Reproducing the bug

Perform a migration against a Postgres database which uses a trailing dot in it's Subject Alternative Name DNS (for example GCP CloudSQL) in its x509 certificate.

docker run -e DSN=postgres://user:password@host/db oryd/hydra:v25.4.0 migrate sql status -e

Relevant log output

time=2026-03-03T13:44:26Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=Ory Hydra service_version=master                                                                                                       
time=2026-03-03T13:44:26Z level=info msg=Retrying in 0.100000 seconds... audience=application error=map[message:failed to connect to `user=redacted database=redacted`:                                                                                   
        10.229.1.152:5432 (redacted): failed to write startup message: write failed: tls: failed to parse certificate from server: x509: SAN dNSName is malformed
        10.229.1.152:5432 (redacted): server error: FATAL: pg_hba.conf rejects connection for host "redacted", user "redacted", database "redacted", no encryption (SQLSTATE 28000)] service_name=Ory Hydra service_version=master

Relevant configuration

Version

v25.4.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker

Additional Context

After forcing a build on Go 1.25.3 (by updating the base image in https://github.com/ory/hydra/blob/v25.4.0/.docker/Dockerfile-local-build#L1 on the v25.4.0 tag) and building the image, the connection to CloudSQL succeeds.